We have published some updated information about the changes to ODPA registration which are coming in January 2021.
Please visit odpa.gg/2021 to find out what you need to do.Read more >
The Data Protection (Bailiwick of Guernsey) Law, 2017 (the Law)
Issued: 09:00 2 September 2020
Controller: Sure (Guernsey) Limited
1. This is a public statement made by the Data Protection Authority (the Authority) under section 64 of The Data Protection (Bailiwick of Guernsey) Law, 2017 (the Law).
2. The Law seeks to ‘…protect the rights of individuals in relation to their personal data, and provide for the free movement of personal data…’, and the Authority is the independent regulatory body responsible for overseeing it.
3. Following an inquiry conducted under section 69 of the Law, the Authority determined that Sure (Guernsey) Limited breached the Law in relation to its collation and publication of The Bailiwick of Guernsey Telephone Directory 2019/2020.
4. The Authority has fined Sure (Guernsey) Limited £80,000 for a lack of transparency as to how personal data was to be processed and for publishing personal data which contained inaccuracies and in some cases was contrary to subscribers’ wishes.
5. Sure (Guernsey) Limited has the right to appeal this fine.
6. The Authority confirmed that the Law requires all fine monies to be paid to the States of Guernsey’s general revenue account.
7. Chairman of the Authority, Richard Thomas CBE, commented:
“This is the first fine that the Data Protection Authority has imposed under the new Law. It was unanimously agreed by all members of the Authority. Although this fine is substantially lower than the maximum which the Law permits, we hope it will bring home the importance of taking great care with people’s personal information.”
8. The Bailiwick’s Data Protection Commissioner, Emma Martins, commented:
“The data protection law provides organisations with a range of accountability tools to ensure appropriate technical and organisational measures are in place including being prepared to deal swiftly and effectively with any breach. In taking this action, the Authority has responded appropriately and proportionately to the evidenced compliance failures. We welcome the positive steps Sure have taken since this incident to ensure better data governance of the personal data in their care.”
For more information please refer to the administrative fine order.
1. This is a public statement made by the Data Protection Authority (the Authority) under section 64 of The Data Protection (Bailiwick of Guernsey) Law, 2017 (the Law).
2. The Authority may conduct an Inquiry on its own initiative (under section 69 of the Law) into whether a controller or processor has breached or is likely to breach an operative provision of the Law.
3. In this case, the controller is Sure (Guernsey) Limited.
4. Section 72 of the Law requires the Authority to determine whether or not there has been a breach of an operative provision of the Law.
5. Section 73 of the Law sets out the sanctions that are available to the Authority where a breach determination has been made.
6. Having considered the details of this case, the Authority has imposed an administrative fine order under section 73(2)(g) and 74 of the Law.
7. Section 84 of the Law provides for an appeal by the controller to the Court against a determination made by the Authority. Any such appeal must be made within 28 days.Read more >
The Office of the Data Protection Authority (ODPA) has published its annual report for 2019 which details the highlights from the first full year of its activities under The Data Protection (Bailiwick of Guernsey) Law, 2017 which came into effect in May 2018.
The Authority has identified a number of key achievements, including taking steps towards full independence from the States of Guernsey, which ensures statutory duties can be carried out with the highest standards of integrity and accountability, along with project management and delivery of a self-funding model that is to be introduced in 2021.
Commenting on 2019’s activities, Emma Martins, the Bailiwick’s Data Protection Commissioner, said:
“We have seen evidence of a global awakening of the extraordinary scale and impact of personal data processing in this digital area and how it goes to the very core of who and what we are as human beings.
“At its heart, data protection is about protecting and empowering individuals and I am delighted that, despite some early challenges, the law in the Bailiwick is now working well. It is clear that data protection is starting to bed into everyone’s personal and professional lives, not just locally, but across the globe.
“Against the global backdrop of economic and political uncertainty, we want to ensure that the Bailiwick maintains a high-quality, stable and forward-looking regulatory environment which recognises that innovation and good governance are interdependent.”
The ODPA’s report highlights progress made towards its five strategic objectives:
The Chair of the Data Protection Authority, Richard Thomas CBE commented on why data protection matters,
“Data Protection is actually People Protection. In the real world, where personal information has now become incredibly valuable, it protects people’s privacy and it protects them from a wide range of social and economic harms which threaten their well-being. Data protection equally protects organisations. There cannot be any organisation – private, public or voluntary sector – that does not handle personal information. Getting data protection right for their customers, clients, suppliers, patients, citizens and voters is simply a matter of self-interest.
Mr Thomas concluded,
“For the Bailiwick, there is a further reason why data protection matters. Soon, in accordance with the General Data Protection Regulation (GDPR), the European Commission will decide whether the Bailiwick should keep its ‘Adequacy’ status. Loss of that status, which permits the free flows of personal data which underpin the global digital economy, would be devastating for the financial services industry and other parts of the Bailiwick’s economy.
“Of course, the European Commission is scrutinising the 2017 Law to make sure that it closely mirrors GDPR’s provisions. But it is also required to make sure that Guernsey has a genuinely independent supervisory authority that can demonstrate effective functioning.”
See also:Read more >
The Office of the Data Protection Authority (ODPA) is alerting local organisations to take note of a recent judgement from the Court of Justice of the European Union (CJEU) which affects all businesses who transfer personal data outside of the Bailiwick and the EU.
On 16 July 2020 the CJEU ruled that the EU-US legal framework for data transfers known as ‘Privacy Shield’ is invalid. This means that local organisations need to take steps outlined below to ensure they have proper safeguards around any data transfers that rely on either ‘Privacy Shield’ or EU ‘Standard Contractual Clauses’.
The now invalid Privacy Shield was a legal framework between the EU and the United States of America (US) that allowed personal data from the EU to be transferred to the US. ‘Standard Contractual Clauses’ (SCCs) are a set of terms and conditions organisations use to protect personal data transferred outside the European Economic Area (EEA).
The CJEU ruled on both Privacy Shield and SCCs in their judgement of 16 July 2020. They concluded in Data Protection Commissioner v Facebook Ireland Limited, Maximillian Schrems (Case C-311/18, “Schrems II”), that Privacy Shield is invalid but affirmed SCCs’ validity.
The background which led to this CJEU judgement goes back many years and involves Maximillian Schrems, an Austrian activist and author. In 2013, Schrems filed a complaint against Facebook Ireland Ltd with the Irish Data Protection Commissioner seeking to stop Facebook transferring personal data from Ireland to the US. Schrems’ complaint related to Facebook’s alleged involvement in the ‘PRISM’ surveillance programme.
The ODPA emphasises that the CJEU’s judgement:
The Bailiwick is currently recognised by the European Commission as an adequate jurisdiction for the purposes of the General Data Protection Regulation (GDPR). This means that personal data can flow freely between the Bailiwick and the EEA.
The ODPA is keen to provide clear and consistent advice and support to local organisations. This multi-layered and complex judgement requires analysis and guidance. The European Data Protection Board (EDPB) have published an early statement indicating that further guidance will be published in due course which will provide clarification and support consistency.
In the meantime, considering the immediate effect of Privacy Shield being invalid, any local organisations that may be affected should do the following:
To mark World Day of International Justice, our commissioner Emma Martins reflects on justice, individuals’ rights, and the fair treatment of human beings.
The World Day of International Justice is celebrated throughout the world on 17 July as part of efforts to recognise the importance of international criminal justice. It marks the date of the adoption of the treaty that created the International Criminal Court (ICC). The ICC investigates crimes of concern to the international community such as genocide, war crimes and crimes against humanity.
Taking a look at the ICC’s website, one of the first things you will see is the following statement –
Justice is a key requisite for lasting peace. International justice can contribute to long-term peace, stability and equitable development in post-conflict societies.
We live in a world where so many people do not have the rights that we, in our community, have and often take for granted. And a day such as this, which you may think has little or nothing to do with you, is a good opportunity to understand and appreciate its relevance to our lives and to the lives of others.
Justice is a word we use and hear a lot – often in the context of ‘fighting for’ or ‘defending’ but how often do we reflect on what we mean by it and what others mean by it as well as the role it plays in our lives?
The root of the word itself, ‘just’, comes from the Latin ‘jus’ meaning right or law and is commonly seen as based on behaving according to what is morally right and fair.
As with the ICC, it is a term often used in the context of law but it is also strongly related to culture. Justice is perceived and applied differently across the globe and what it looks like in any particular place says a lot about that community and culture; what it values; who it values; who has power and who doesn’t.
Early theories of justice came from the Ancient Greek Philosophers. Aristotle considered justice to consist of what is lawful and fair, with fairness involving equitable distributions and the correction of what is inequitable.
In our modern world, the distribution of wealth is largely decided by governments using tax laws and the correction of what is inequitable is largely determined through civil and criminal law. Laws are the basis of much of our lives, shaping and directing so much of our behaviour, sometimes in ways we give little or no thought to. Think how intuitive it is to put a seatbelt on, I very much doubt that when you do so, you are thinking ‘I am only doing this because the law says I must’; you do it because it has simply become embedded in normal, everyday behaviour.
Certainly, law raises important and complex issues around equality, fairness and justice. What sort of society do we want to live in? How do we want to treat each other? How do we want to be treated? Looking at the legislation in place in any jurisdiction will give answers to many of these questions and the fact that we live in a small jurisdiction does not mean that those issues are any less relevant. As Albert Einstein said –
“In matters of truth and justice, there is no difference between large and small problems, for issues concerning the treatment of people are all the same”.
Looking at the legal foundations that underpin our lives, data protection is one of a suite of laws that provides specific rights to individuals (this podcast talks through the seven data protection principles) and is seen as essential for a functioning democracy. Indeed, the link between privacy and democracy is not at all accidental. If you look at those countries with strong data protection and privacy laws, you will also see countries that have committed to strong human and democratic rights.
Not only does the need for proper protection of our personal data becoming increasingly important as we speed into the digital age (listen to this podcast on your digital footprint, and this podcast on cyber security for more context), it is also a right from which other rights derive – rights such as freedom of association and freedom of speech.
In the context of justice, equality and fairness, I want to highlight one specific element of data protection legislation here in the Bailiwick (and across Europe); the fact that certain types of personal data are afforded much higher levels of protection than others.
The law calls this special category data and it consists of the following –
It is a list of data types that, for those working in data protection, will likely have been discussed at length on training courses and studied and memorised for exams. I would, however, like to encourage us to think a little deeper about this list, not from a perspective of law or legal text, but from the perspective of a human being.
I have picked out a few examples to help illustrate –
These few examples illustrate how interwoven the question of individual’s rights are with the way in which identifying information is collected, recorded and used and the profound affect it can have on people’s lives and on how justly they are treated.
Relating personally to these events may feel like a bit of a leap because they are so alien compared to the world in which we live. But the public health crisis has brought into stark focus that, as much as we are part of a strong local community, we are also part of a wider global community.
Our lives connect in so many ways, so to end with another quote, this time from Martin Luther King,
Read more >
“Injustice anywhere is a threat to justice everywhere”.
The Office of the Data Protection Authority (ODPA) has published its latest breach statistics and emphasised the need for learning and improvement to better safeguard personal data handled in the Bailiwick and build a culture of compliance.
Thirty-four personal data breaches were reported to the ODPA in the two months leading up to 30 June 2020. Just under three-quarters of these (22) happened when personal data was accidentally sent to the wrong person by email. There were two instances where data was sent to the incorrect recipient by post.
Other self-reported breaches for the two-month period included three of inappropriate access, three cyber incidents, two unauthorised disclosure, one unauthorised access and one loss of data/paperwork/device.
The 34 breaches were split across a variety of sectors, five from public authorities, four from fiduciary entities and three each from banking, insurance and retail/wholesale establishments. Charities/not for profits, education/training organisations, investment organisations and legal practices all reported two each with the remaining eight split across five other sectors.
This is the second group of statistics covering the Covid-19 lockdown period and again, the figures show a similar number of breaches reported since collation of the data began two years ago.
The Bailiwick’s Data Protection Commissioner, Emma Martins, commented on the continuing trend.
‘We would like to offer our thanks to those businesses and organisations that have managed to continue to fulfil their statutory duties under the recent challenging circumstances. Whilst it’s largely reassuring that the number of reported breaches is remaining consistent, perhaps it’s time to ask organisations that don’t routinely report to us to have another look at their procedures to ensure that there aren’t breaches occurring that we should be advised of.’
Mrs Martins continued by highlighting that the Authority’s mandate is to educate and engage not just enforce.
‘Our aim is to help and empower all organisations, large or small, to handle personal data correctly because first and foremost we want to prevent breaches from happening in the first place. If we are going to do that effectively we need to have good knowledge and understanding of the nature of incidents and how often they are occurring. That in turn will enable us to provide more relevant and targeted support and guidance to those most at risk. Now that lockdown has eased, our fortnightly drop-in sessions to support our local regulated community are starting again on 22 July so local businesses and organisations can visit our offices and meet with a member of staff for advice. We are committed to building a culture of compliance for the Bailiwick; one that recognises that we’re all only human and we all make mistakes, but by learning from those mistakes and improving how we work, we can strive for better levels of data protection, benefitting our community and our economy.’
|1||Loss of data/paperwork/device||accidental|
|2||Data sent to incorrect recipient – email||accidental|
|3||Data sent to incorrect recipient – post||accidental|
|4||Data sent to incorrect recipient – fax||accidental|
|8||Cyber incidents||accidental or deliberate|
|11||Other||accidental or deliberate|
The ODPA is the operational body that carries out the regulatory functions of The Data Protection (Bailiwick of Guernsey) Law, 2017 delegated by the Data Protection Authority. Its new self-funding model means that, from January 2021, most of its operational costs will be met by annual fees paid by the regulated community (i.e. local businesses and other organisations who handle personal data), with the States of Guernsey contributing around £300,000 per year.
The way the ODPA is funded has changed because it is legally and politically obliged to operate independently of the States of Guernsey. Reinforcing this independence is an important part of the ODPA’s effective regulatory oversight, and being able to demonstrate this independence is critical to the Bailiwick retaining its ‘adequacy’ status with the European Commission. This status allows the free-flow of data between the islands and the EU which is crucial to the Bailiwick’s current and future economic success.
Deputy Mary Lowe, President of the Committee for Home Affairs said,
‘Data is an essential part of the modern economy. It is a precious commodity in both our business and personal lives and needs to be properly safeguarded. The Committee has been working closely with the Authority and we are in agreement that moving the ODPA to become self-funding will prove important in demonstrating that while the States creates the Data Protection legislation, the Authority is able to act without fear or favour in its investigations.’
Emma Martins, the Bailiwick’s Data Protection Commissioner, commented on the work that has led to this point,
‘The States of Guernsey civil servants, politicians, as well as ODPA staff and board members have worked hard since 2018 to reach agreement on how best to fund the ODPA. Our focus was always on ensuring that we agreed on a low-cost, low-admin model that is as fair as possible to local businesses. Especially at this challenging time for everyone, we want people to focus their efforts on running their businesses well, rather than filling in bureaucratic forms. We are pleased to finally be in a position to start work preparing for the changes ahead and we will publish further details over the coming months.’
FREQUENTLY ASKED QUESTIONS
Q: What is personal data?
It is any information that relates to an identified or identifiable living person. Things like: your name, your address, your medical records, CCTV footage of you, your social media activity, your internet browsing history, what your boss once said in an email about you, your political views, your sexuality etc.
Q: What is ‘processing’ personal data?
‘Processing’ refers to pretty much anything an entity* does with personal data. It includes activities like: collecting, storing, organising, using, altering, disclosing, erasing and destroying personal data. Profiling is also considered to be processing.
*An ‘entity’ could be: your bank, a school, your plumber, the States of Guernsey, an online retailer, a social media platform, your employer, a politician acting in their official capacity, the supermarket you shop at, your GP’s practice, your insurer, in short: anyone who is deciding how your personal data is used. These sorts of entities are called ‘controllers’ in data protection law.
Q. What is changing?
From 2021, a new registration regime (approved by the States of Guernsey) will be in place for the Office of the Data Protection Authority (ODPA). This regime means that all controllers and processors established in the Bailiwick that process personal data will be legally required to register with the ODPA and pay a fee each year.
Q. Why is the registration regime changing?
The new data protection legislation that came into force for the Bailiwick in 2018 (The Data Protection (Bailiwick of Guernsey) Law, 2017) provided for the creation of an independent regulator. The funding mechanism that was in place prior to that time was maintained until the end of 2020 to allow for political agreement on a sustainable and efficient funding model for the future.
Q. Who decided to make these changes?
The States of Guernsey agreed that the ODPA should be self-funding to ensure full independence.
Since legislation came into force in 2018, the ODPA has been working with the States of Guernsey to agree a new registration regime to enable this. All parties have focused on providing a regime that is as low cost and administratively straightforward as possible for organisations.
The Committee for Home Affairs agreed the new model in February 2020 and the Policy and Resources Committee agreed it in March 2020. The ODPA was then tasked with implementing the model ready for January 2021.
Q. I am registered with the ODPA now, what does it mean for me?
If you are currently registered with the ODPA, you will need to provide the ODPA with new information confirming your registration, between January-March 2021. If you complete an annual validation with Guernsey Registry, you will be prompted to complete your ODPA registration at the end of the Registry’s process. If you do not complete an annual validation with Guernsey Registry, you can simply register directly via the ODPA’s website.
Q. I am not currently registered with the ODPA, what will I have to do?
If you are not currently required to register with the ODPA because you benefit from the limited exemptions (see odpa.gg/exemptions for details), those exemptions will end at the end of 2020 (the only exception is for domestic/household purposes). You will therefore need to register and pay between January-March 2021. If you complete an annual validation with Guernsey Registry, you will be prompted to complete your ODPA registration at the end of the Registry’s process. If you do not complete an annual validation with Guernsey Registry, you will be able to register directly via the ODPA website. You will need to do this between January-March 2021.
Q. I am a charity/not-for-profit, what does this mean for me?
You will need to complete the registration process as above between January-March 2021, but you do not need to pay.
Q. How much will it cost?
It is recognised that no one wants to pay large administrative costs for running a business, however big or small. The ODPA has always been absolutely clear that its funding model should be as cost effective as possible. The 2020 economic climate has redoubled efforts to ensure that all expenditure is proportionate, necessary and has the highest standards of financial and operational governance built in. The ODPA has worked hard, together with the States of Guernsey, to keep the cost organisations are required to pay as low as possible.
With all of that in mind, there is a simple two-tier cost structure:
* The Regulation will include details on how to calculate your total FTE.
All charities/not-for profits will pay zero fee, but must still register and review this each year.
Q.Where will the money go?
The new fees regime will allow the ODPA to move towards self-funding status, giving it full financial independence from the States of Guernsey. This independent status is both a political and legal requirement. The ODPA’s statutory responsibilities are set out at odpa.gg/about-us (under ‘Functions of The Authority and ODPA’) and you can see its plan for performing these tasks via the ODPA Strategic Plan (2019-2022) at odpa.gg/strategic-plan.
The Bailiwick has had a data protection regulator for many years. Up to now, it has received funding from the States of Guernsey with some income also coming directly from registration fees paid by local organisations. The strengthened data protection regulatory framework has enhanced individuals’ rights to reflect the scale of personal data processing in this digital era. It has also strengthened the role of the regulator to provide for appropriate powers and ensuring independence.
Q. How often do I need to pay?
Following your initial registration fee, payable by all (except charities/not-for-profits) in January-March 2021 an annual levy (of either £50 or £2,000 depending on your organisation’s size) will be due during the first quarter of each following year.
Q. I am responsible for registering a number of entities. What are the changes for us?
The ODPA is aware that where an organisation is responsible for registering a number of controllers and/or processors a simpler bulk registration process would be helpful. Consideration is being given to this and more information will be released when available.
Q. I complete an annual validation via Guernsey Registry, how will this process work for me?
The ODPA want to make the registration process as easy as possible. This ensures that costs are kept to a minimum and it also does not divert you with administrative processes which do little to support overall data protection compliance.
To this end, the ODPA has worked with Guernsey Registry to make sure you are given a timely prompt to register with the ODPA once you have completed your annual validation with the Guernsey Registry. This allows the process to be as straightforward as possible for you.
If you prefer, you can of course disregard the prompt at the end of the Guernsey Registry process and simply register directly with the ODPA at a time convenient to you between January-March 2021.
Q. I do not complete an annual validation with Guernsey Registry, how will this process work for me?
You will be able to register directly via the ODPA website. The process is designed to be as straightforward as possible whilst recognising that the ODPA have a statutory requirement to collect certain information from you.
Q. What does the ODPA do with the data it collects for the registration process?
Following changes to legislation in May 2019, the ODPA is no longer required to maintain a public-facing register of controllers and processors. Therefore, all registration data will be processed internally for administrative purposes only.
Q. Why do we need to fund a data protection regulator?
Data increasingly powers the economy as well as affecting our own individual lives, both personally and professionally. The Bailiwick relies on the free flow of data to support and develop the current economy as well as to ensure it is well positioned to take advantage of the emerging digital economy.
Our government recognises how important data protection standards are for our jurisdiction and has therefore provided high quality legislation to ensure appropriate safeguards sit around the personal data that resides and flows through the Islands. As with any legislation, there needs to be effective oversight – both to ensure people and businesses are supported in complying with the requirements, as well as to ensure that complaints are investigated independently and robustly.
Whilst most funding has come from the States of Guernsey up until now, it raised challenges in relation to ensuring the ODPA’s independence (both actual and perceived). With government responsible for handling some of the highest volumes and most sensitive personal data in the Bailiwick, fully independent oversight is essential. Once government made the decision to move the ODPA to a self-funding model, a lot of effort went into devising a fair, low-cost, simple registration model that provides the ODPA with sufficient funding.
Ensuring our jurisdiction has a properly resourced and effective data protection regulator supports islanders’ rights, supports businesses to handle data properly and serves to underpin the Bailiwick’s digital strategy.Read more >
The Data Protection (Bailiwick of Guernsey) Law, 2017 (the Law)
Issued: 12:00 6 July 2020
Controller: The Isle of Sark Shipping Company Ltd
Read more >
(a) a reprimand,
(b) a warning that any proposed processing or other act or omission is likely to breach an operative provision, and
(c) an order under subsection (2) including an administrative fine.
UPDATE (27 March 2020):
ODPA takes ‘realistic’ approach to regulatory activity during Bailiwick ‘lockdown’
UPDATE (23 March 2020):
The ODPA premises is currently closed.
During our office closure our staff are working remotely and can be contacted via: email@example.com.
Read more >
Local media have asked the ODPA to comment regarding the new data collection requirements for businesses and organisations in light of the move to Phase 4 of the exit and recovery strategy.
The States of Guernsey have a dedicated data protection team who are responsible for the operational implementation of the data protection law in all areas of government activity. Whilst the ODPA have not been involved in the implementation of this aspect of Phase 4, we are always keen to support the whole regulated community with their compliance duties.
As part of the Bailiwick community the ODPA welcome the very positive news that we have been able to move to the next phase so swiftly. The ODPA also recognise that a key element of the next phase is going to be efficient, effective and timely contact tracing.
From Saturday 30 May local businesses and organisations are required to keep records of the names and contact details of all those who visit their premises.
As with all processing of personal data, it is important that individuals are given information and details about that processing including what personal data is being collected, how it will be used and who else will have access to it. The principles contained within the data protection legislation are there simply to ensure that these elements are included in all processing activities, regardless of their context.
The reasons for data collection in this context are self-evident and ensuring all personal data is handled in compliant manner will ensure that individuals have trust and confidence in the process as well as in the people directing that process.
For more information about compliance with the local data protection law please see our Advice, Guidance, and Resources page.Read more >