News

  • 8 steps to protect yourself from identity theft and scams

    We are all producing more personal data than ever before and much of the collection of that data occurs online. This, in turn, has led to a significant rise in criminal activity that seeks to misuse, manipulate and profit from the personal data of their victims. Such activity comes in many forms but could, for example, involve a fraudster taking your personal data and using it to apply for credit in your name.
    Misuse of our personal data is a serious problem but there are some practical steps we can all take to reduce the likelihood of it happening to us:
    1. Always remember that your personal data is valuable.

    2. Scam emails – if you receive an email asking for your personal details or to click on a link, always err on the side of caution. Legitimate organisations will never pressure you into divulging your personal data. If in any doubt, do not reply and do not click on the link.

    3. Shred documents – fraud does not only happen online. Make sure you shred personal data you may have in paper form, such as bank statements, before you throw them away.

    4. Be careful what personal data you make public – information you choose to make public, such as on social media, can be a rich source of data for fraudsters. Do not share information that may help others guess your passwords or answer your security questions.

    5. Check bank statements – review your bank and card statements regularly and be on the look out for suspicious transactions. If you see anything that doesn’t look right, report it to your bank straight away.

    6. Use strong passwords – we rely on passwords for so much of our routine activities these days so it can be hard to be disciplined about using strong passwords and changing them often but it is definitely worth it.

    7. Never share or write down passwords, account details or PINs.

    8. Never be embarrassed about being suspicious or asking for advice from someone you trust.

    Read more >
  • Why Strategy Matters: ODPA publish Strategic Plan (2019-2022)

    We have published our Strategic Plan (2019-2022) which outlines how we plan to deliver effective and independent data protection regulation for the Bailiwick of Guernsey.

    The word strategy is defined as a plan of action designed to achieve a long term or overall aim and it has its origins in Greek (stratēgia) referring to general command and leadership, mostly in a military context.

    In today’s world we often hear it referred to in wider political and management contexts and companies spend a lot of time and money creating and publishing strategic plans.

    But why does having a strategic plan matter?

    Whatever our role, individually or organisationally, we need to know what it is we are seeking or needing to aim for – whether it is selling widgets or running a hospital. A strategy is a way of us thinking about and planning what we need to do to in order to successfully achieve those aims.

    But how many of us know what the strategic direction of our own organisation is and where we may fit within that? Too often these documents, which have often taken considerable energy and resource, are launched in a flourish then neglected on a dusty shelf.

    The new data protection legislation has given us, at the Office of the Data Protection Authority, the opportunity to reflect on what the law requires of us and how we think we can best deliver on those obligations. But data protection regulation poses unique and complex challenges; it gives every citizen rights and it imposes obligations on every organisation that handles personal data. Essentially, that means that every single individual and organisation in this Bailiwick is, in some way, affected.

    The resources available to achieve our intended goals are limited. How we use, or not, those resources has real-world consequences. We cannot do everything or be everywhere. Having a strategy is therefore very important for us because it ensures we are thoughtful, honest and open about how we are approaching our work and utilising our resources.

    If our jurisdiction considers data protection as an administrative burden of little value, or worse, as stifling economic success and innovation, we will have failed before we have even started. We will also be likely to have to deploy our resources in a largely reactive way, managing and investigating breaches and complaints where harm has already been done.

    Conversely, if our jurisdiction engages with and understands the need for and the benefits of, regulation, we can continue to build a culture of good governance and reputation. If organisations get data protection right from the outset, the risks of harm to individuals are greatly reduced which in turn reduces the resources needed to investigate complaints.

    That may sound obvious and straightforward and the reality is that it could be, but we need to create the right environment and as the regulator we recognise the responsibility we have in supporting and enabling this to happen.

    We are clear about where we see the opportunities for the Bailiwick in this modern era. In striving to be a centre of excellence for data, we aim to encourage organisations to build the protection of data into everything they do. We also aim to help them do that by listening, engaging and providing them with relevant information and tools. Equally, we want each and every citizen to benefit from the protections and rights the law gives them and feel empowered to demand that those rights be respected.

    The way in which we do that goes beyond looking at sections of law, it is also informed by the culture and values of our organisation. Our new strategic plan sets out the detail of what we want to achieve and how we think we can do that effectively. Strategy is only ever going to be effective when it actively, purposefully and deliberately shapes events, behaviours and outcomes in the real world.

    The impact of poor data protection practice is significant; for individuals because their data risks being misused; for businesses because their efficiency and reputation will be compromised; and the Bailiwick because jurisdictions that do not step up will fall behind in this fast moving and data-driven era.

    Data protection is an objective of a successful economy, not an obstacle to it. In setting out our strategic direction, we want to demonstrate that we are committed to doing all we can to build on and enhance the work already done. But the publication of our plan is just the beginning, because strategy is something that needs to be done, not just written.

    READ: ODPA Strategic Plan (2019-2022)

    Next steps

    Our Strategic Plan is a live document borne out of months of considered effort from the Commissioner and The Data Protection Authority Members and Chair.
    We have listened to feedback received from our regulated community during this process, and continue to invite feedback, which will be taken into consideration when we update this
    Strategic Plan in 2020. If you would like to give us feedback please send your comments to communications@odpa.gg.

    Read more >
  • Apple Maps’ Island Visit

    We have recently been informed of the proposed visit to the Island by Apple Maps. A submission has been made to this office by Apple setting out the manner in which data are to be collected, including the way in which they intend to remove personally identifiable data from publicly available images as well as data security and data retention matters. The document also sets out how Apple propose to ensure the public are informed of the collection of mapping imagery, how to access further information and where to direct specific queries. Ensuring all data collected is processed fairly and lawfully is a high priority for us. Apple have undertaken collections across Europe and we expect them to understand and work to the new data protection regulatory environment.

    Read more >
  • Emma Martins to speak at European data protection summit

    The Bailiwick’s Data Protection Commissioner, Emma Martins, has been invited to speak at an international data protection conference next month.

    The European Data Protection Summit and Dinner will take place in London on 3 June 2019 and brings together an international line-up of expert speakers, including representatives from the Bank of England, Google and Mastercard, to explore the latest insights and findings in data protection, governance and security.

    Mrs Martins considers her attendance shows how, despite being a small jurisdiction, the Bailiwick’s approach to data protection legislation is of interest internationally.

    ‘I am delighted to be able to represent the Bailiwick alongside some of Europe’s major organisations. Our presence illustrates just how far we have come as a jurisdiction in providing effective data protection regulation – independently from government – and ensuring high standards within our community.’

    Mrs Martins will speak on the important role played by the Office of Data Protection Authority (ODPA), highlighting how it is developing a forward-looking and thoughtful approach to compliance within the Island’s regulated community for the benefit of individuals, organisations and society as a whole.

    Mrs Martins added,

    ‘The approach regulators take in this data-driven world has the ability to influence outcomes in very real ways. At my office, we are working hard to develop an intelligent, inclusive and ethical regulatory environment that supports good outcomes for everybody. Small jurisdictions like ours are able to contribute meaningfully and positively in this area and I am very much looking forward to the opportunity to talk about our approach with such a wide community of data professionals.’

    The sold-out event takes place at ETC Venues in the City of London with 700 attendees from around Europe.

    Read more >
  • Data protection law turns one year old

    TWELVE months on from the introduction of new data protection legislation, the Office of the Data Protection Authority (ODPA) is focused on ensuring Islanders’ rights are protected.

    25 May 2019 marks the first anniversary of The Data Protection (Bailiwick of Guernsey) Law, 2017, and also the end of ‘transitional relief’, the grace period permitted for certain aspects of the law that did not come into force last year. The new law is now in full force and gives local citizens ten rights. Citizens gain the new right to data portability from 25 May 2019, which makes it much easier to move personal data from one organisation to another.

    The Data Protection Authority (L-R): Simon Entwistle, Jennifer Strachan, Richard Thomas CBE, Emma Martins, Chris Docksey, John Curran. Authority member, Mark Lempriere, is not pictured.

    Emma Martins, the Bailiwick’s Data Protection Commissioner, commented on the cultural shift that has moved data protection into the mainstream.

    ‘A year on from the frenzied build-up to GDPR, it feels good to be well on the path towards a more thoughtful approach to compliance with our regulated community. We are encouraged to see more organisations moving towards a state of enlightened compliance, where they understand and believe in the object of our local data protection law. This approach leads to much better outcomes for everyone, transforming compliance from a box-ticking exercise, to an environment that puts the human beings whose rights are at the heart of the legislation centre stage.’

    The ODPA’s mission is to provide effective data protection regulation – independently from government – and ensure high standards of data protection in the community. This is achieved through education and information, preventing poor handling of personal data and taking appropriate enforcement action where necessary against non-compliance. This mission aims to benefit individuals, organisations, and society as a whole.

    ‘How we use our regulatory powers fundamentally affects the nature and quality of compliance, so we operate with appropriate governance mechanisms, and the highest standards of ethics embedded into everything we do. We know that our effectiveness as a regulator plays a major role in ensuring data protection standards are met in our regulated community. We are lucky to have a positive relationship with our regulated community, and we appreciate the trust they place in us,’ added Mrs Martins.

    The ODPA has been running a series of events, including fortnightly drop-in sessions, public and industry consultations on its future events programme, published guidance literature and also provided speakers at industry seminars.


    Notes: 

    Object of The Data Protection (Bailiwick of Guernsey) Law, 2017

    The Law exists to:

    1. protect the rights of individuals in relation to their personal data, and provide for the free movement of personal data, in a manner equivalent to the GDPR and the Law Enforcement Directive, and
    2. make other provisions considered appropriate in relation to the processing of personal data.

    Citizens’ rights

    Citizens have the following 10 rights under The Data Protection (Bailiwick of Guernsey) Law, 2017:

    1. Right to information for personal data collected from data subject
    2. Right of access
    3. Right to object to processing for direct marketing purposes
    4. Right to object to processing on grounds of public interest
    5. Right to object to processing for historical or scientific purposes
    6. Right to rectification
    7. Right to erasure
    8. Right to restriction of processing
    9. Right not to be subject to decisions based on automated processing
    10. Right to data portability (can be exercised from 25 May 2019)

    The ODPA’s five strategic objectives for 2019-2022 are:

    1. To develop the ODPA’s capabilities to deliver on their enhanced statutory duties.
    2. To be a relevant, responsive and effective regulator
    3. To support organisations in delivering their obligations and empower individuals to exercise their rights.
    4. To develop and maintain effective relationships.
    5. To elevate discussions around the protection of data to engage the community and individuals in a relevant and positive way, recognising the personal, social, and economic opportunities and threats that the data economy poses.
    Read more >
  • ODPA issues registration reminder

    We are reminding all local entities to check whether they should be registered with us, ahead of some changes to our registration process.

    If an entity is established in the Bailiwick of Guernsey, and is doing anything with personal data The Data Protection (Bailiwick of Guernsey) Law, 2017 (‘the Law’), requires them to register with the ODPA and pay a registration fee. This registration fee contributes to funding the ODPA’s activities.

    There are three groups of entities currently exempt from registration:

    1. entities who only process data for accounts and record-keeping for core business purposes, for staff administration and to market their own goods or services;
    2. entities who only process data under instructions given by another entity;
    3. and entities who have charity or not-for-profit status.

    These exemptions were due to end on 25 May 2019, but on 13 May 2019 The Committee for Home Affairs agreed to the extension of these exemptions until 31 December 2019. After that date all currently exempt entities will have to be registered with the ODPA.

    If you currently benefit from an exemption you don’t have to do anything yet. More information will be provided later in the year to tell you what you will need to do.

    The amount of information collected during the ODPA’s registration process will be scaled back considerably from 25 May 2019, meaning entities will no longer have to provide information about:

    • the purposes they process personal data for;
    • the types of personal data they process;
    • the people whose personal data is processed;
    • the organisations data is disclosed to;
    • and where data is transferred to.

    As a result it will be much more straightforward for entities to register, renew, or edit their information.

    The new transparency requirements of the Law mean that entities themselves need to be much more open about the nature of their processing. This reduces the value of a public register that requires the submission and administration of the same information. The register will be removed from the ODPA’s website on 24 May 2019, but will continue to be administered internally by ODPA staff.

    For entities who are already registered, when they renew their registration after 25 May it will be simpler and more straightforward. If an entity does not currently have a copy of their existing registration they can download or print their information from the ODPA’s register before 23 May. After 24 May the ‘search the register’ function of the ODPA website will be removed and entities will only be able to renew or amend their registrations. These changes mean that aspects of the ODPA’s systems will be down for one day on 24 May to allow the technical updates to be made.

    The Bailiwick’s Data Protection Commissioner, Emma Martins, welcomed the developments.

    ‘We recognise that businesses want regulatory administration processes to be as straightforward as possible. We are continuing to think carefully about how best to support our regulated community and make compliance as simple as we can. We want their time to be spent looking after data well, not completing forms that do little to assist in overall compliance standards.’

    From 2020 onwards, it is expected that a new reporting and funding model will be in place. Work is ongoing to devise a fair, simple, and innovative funding model, and more information on this will be available soon.

    Notes: 

    • When The Data Protection (Bailiwick of Guernsey) Law, 2017 came into force in May 2018 there were several complex areas that were given ‘transitional relief’. This means that organisations were given an additional year (the transition period) before they had to comply with those more complex aspects.
    • Under the old (2001) Law controllers were required to ‘notify’ the Data Protection Commissioner (i.e. formally let them know via the ODPA online notification form) that they were processing personal data, and to provide certain details about this processing. During transition and following the introduction of the new Law, entities meeting certain conditions were exempt from this need to notify.
    • Under the new 2017 Law, the ‘notification’ process is now known as ‘registration’.
    • The term ‘entities’ in the context of this press release refers to any organisation or person who acts as a ‘controller’ of personal data, this means they are responsible for the decisions made about how they use personal data about staff, customers, suppliers, or any other people.
    Read more >
  • The ‘right to data portability’ comes into force on 25 May

    Moving personal data between organisations will soon be much easier for local citizens. On the first anniversary of the Bailiwick’s new data protection legislation the ‘right to data portability’ comes into effect.

    From 25 May, this legal right allows Islanders to request an organisation that holds their data to transport it to another organisation. This must be provided in a format that is easy to download, transfer between systems and be machine readable.

    This could include moving medical records from one doctor’s surgery to another, transferring insurance policy information or retrieving a contact list from a web application. It is expected that the type of local organisations receiving data portability requests will include insurance companies, banks, travel agents, along with medical practices such as doctors’ surgeries and dentists.

    Under the legislation, citizens can make requests verbally or in writing. The organisation is required to respond within one month of receipt and supply the client’s personal data in a machine readable format such as CSV or XML so that it can be easily transported and entered into another organisation’s IT systems. For complex requests, this can be extended by a further two months, but an initial response must still be given within a month. In most cases there is no fee chargeable to the individual making the request.

    Emma Martins, Guernsey’s Data Protection Commissioner, confirmed that this aspect of The Data Protection (Bailiwick of Guernsey) Law, 2017 will make it easier for individuals to transfer their information and ensure companies recognise the importance of looking after their clients’ data.

     ‘Data portability means it will be simpler for Islanders to move their personal details from one organisation to another. Organisations themselves will be required to respond to such requests without undue delay and show they respect the legal rights of the people the data relates to.’

    ‘What we are seeing is when data protection is done well, it helps build and maintain trust between organisations and the individuals whose data they hold.’

    The difference between data portability and the more commonly recognised ‘subject access request’ is that data portability relates to the personal data supplied or generated by the individual and not details organisations have created themselves. It also only applies to data processed electronically. When responding to a data portability request, the data must be provided in a machine readable format and not necessarily provided in a format understandable by a person.

    Mrs Martins explained why organisations were given an extra 12 months commencing 25 May 2018 in which to comply with this aspect of the law.

    ‘As there is not one universal way that personal data is recorded and stored across all organisations it was recognised that more time was needed to prepare, so the one year transition period, which expires 25 May 2019, was granted.’

    READ: guidance note on data portability

    Read more >
  • Message for all currently registered entities: changes to ODPA registration process

    The ODPA sent this email to all its registered entities (text reproduced below) on 17 May 2019 to inform them of some important changes to the registration process and some action they may need to take before 23 May 2019.

    Background

    • On 25 May 2019 the transition period of our local data protection law comes to an end; find out what this means for you here.
    • There is a specific aspect of transition that we need to draw your attention to as you are currently on our list of registered entities: the changes to our registration process.
    • The good news is, it’s going to be much simpler after 24 May 2019.
    • The Committee for Home Affairs approved these changes to the registration process on 13 May 2019.

    What’s changing?
    The three changes are:

    1. We will be collecting less information from you as part of your registration.
    2. We will be removing the public search function of our register.
    3. We will be using the term ‘registration’ instead of ‘notification’.

    Why is this happening?
    Looking at each of the changes in turn:

    1. After 24 May 2019 we no longer need to collect the following information from you, as you should be keeping your own record of it:

    • The purposes you process personal data for
    • Types of personal data you process
    • People whose personal data you process
    • Organisations you disclose this data to
    • Where you transfer data to

    Since its introduction in May 2018 The Data Protection (Bailiwick of Guernsey) Law, 2017 (sections 12 and 13) states that you must provide the above information in your own publicly available privacy statement. Read guidance on information to be given in privacy statements here. It also forms the basis of the record keeping required under section 37 of the Law, and Regulation 8 of The Data Protection General Provisions (Bailiwick of Guernsey) Regulations, 2018. This template of a controller’s duty to keep records may be useful for you.

    This is good news, because it means that now you only need to maintain this information yourselves in one place, in your preferred format, rather than having to amend the information we hold too. As a result the act of renewing, and editing your registration with us will be much simpler after 24 May 2019.

    2. We are removing the public search function of entities registered with us because the responsibility for the public record of this information has switched to the registered entity themselves, and hence there is no statutory need for us to maintain a public register. The onus is now on the registered entity themselves to make this information publicly-available in their own way.

    3. The last change is simply a terminology change to reflect the legislation wording: what we used to call ‘notification’, we will now refer to as ‘registration’. This simply means that what was your ‘notification number’, will now be called your ‘registration number’.

    What do you need to do?
    Again, taking each change in turn:

    1. ACTION REQUIRED: You need to maintain your own publicly-available record of all the information previously detailed in your registration. It is your responsibility to ensure your privacy statement is kept up-to-date and that it includes all the required information. If you do not currently have one, please take a copy of your existing registration by going to ‘Search the Register’ before 23 May 2019. After 24 May 2019 the ‘search the register’ function of our website will be removed and you will only be able to renew or amend your registration.
    2. AWARENESS ONLY: You need to be aware that you will not be able to search our register after 24 May 2019.
    3. AWARENESS ONLY: You just need to be aware of the change in terminology to replace the word ‘notification’ with the word ‘registration’.

    What’s next?
    From 2020 onwards, it is expected that a new model will be in place to fund the ODPA’s work. Work is ongoing to devise a fair, simple, and innovative funding model, more information on this will be available soon.

    Questions?
    If you need any assistance, or more information please contact us.

    Read more >
  • Human error remains biggest risk in data protection locally

    Forty personal data breaches were reported to The Office of the Data Protection Authority (ODPA) in the two months up to 22 April 2019, with almost all (35) occurring due to human error.

    The reports received indicate that human error poses the greatest risk to organisations’ safe handling of personal data. Whilst the majority of breaches were of a low-level with no further action required, the ODPA has an ongoing caseload and a number will be subject to further investigation.

    The Bailiwick’s Data Protection Commissioner, Emma Martins, commented on the trends observed in the nature of the breaches reported.

    ‘This period continues to demonstrate a trend of human error being one of the biggest hurdles to good data protection and there is much work to be done to better understand this and how best to mitigate it. We are focused on what we can learn from the breaches reported to us by the regulated community and how we can use this information to predict and prevent future breaches and in turn how best to prevent harm.’

    Acknowledging the human error factor in data breaches, the ODPA has reiterated advice it first issued in October 2018 which include taking all reasonable precautions to avoid complacency in the workplace by reminding staff to slow down, and double check recipients of emails and documentation.

    Mrs Martins also confirmed that nearly half of recent breaches were reported by the Bailiwick’s financial sector.

    ‘It is no surprise that 18 of the 40 breaches reported have come from the finance sector as this part of the local economy employs ~22% of the island’s workforce and is well-accustomed to adhering to tight regulatory standards. It is reassuring to us that this sector is taking its statutory obligation to report personal data breaches to us seriously.’

    All organisations are encouraged to take a proactive approach to their breach reporting obligations in the knowledge that this will assist them in understanding and managing their own risk, as well as providing the ODPA with valuable information to support its work.

    Notes
    This release is part of the bi-monthly breach report statistics the ODPA has been issuing since June 2018. Statutory breach reporting was one of the key changes to the local data protection law introduced in May 2018. The Data Protection (Bailiwick of Guernsey) Law, 2017 (section 42) states that organisations are legally required to notify the ODPA of any personal data breach within 72 hours of becoming aware of it.

     Number of personal data breaches* by sector:

    Finance 18
    Healthcare 15
    Other 4
    Public authorities 3
    TOTAL 40

    *Period: 23 February 2019 – 22 April 2019

    Breach criteria
    A personal data breach is defined in section 111(1) of the Law as any incident that meets the following criteria: “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”.  There will likely be a breach whenever any personal data is accidentally lost, corrupted or disclosed, or if someone accesses it or passes it on without proper authorisation to do so.

    However, organisations do not have to report any incidents that meet the above criteria if the incident is ‘unlikely’ to result in a risk to the ‘significant interests’ of any person whose data has been affected by the incident. It can be difficult, and sometimes inappropriate, for organisations themselves to judge whether there is a risk to a person’s significant interests, so the ODPA encourages all incidents to be reported.

    ‘Significant interests’ explained
    A person’s ‘significant interests’ are defined in the local Law as any aspect of their life that could be put at risk due to their personal data being breached. This could include their physical safety, their reputation, and could extend to placing them at risk of identity theft, fraud, financial loss, psychological distress or humiliation.

    Read more >
  • Bailiwick’s adequacy re-assessment by the European Commission is underway

    The European Commission (EC) have begun the process of reassessing the Bailiwick’s ‘adequacy’ as a non-EU country in relation to how well we meet the standards of data protection laid out in the EU’s General Data Protection Regulation (GDPR).

    Why is this important?
    Data plays a vital role for all business sectors. An adequacy decision from the EC is essential to the continued success of the Bailiwick’s economy as it allows EU organisations to easily transfer data to the islands of the Bailiwick.

    How did the Bailiwick achieve its current ‘adequate’ status?
    By implementing its own data protection legislation that protects local citizens’ rights and ensuring local organisations offer goods or services to people within the EU in a way that is compliant with the standards of data protection laid out in the GDPR.

    The Bailiwick is one of thirteen jurisdictions that the EC currently recognises as offering an adequate standard of data protection. This recognition was given to our 2001 Law and whilst ‘grandfathered’ across to the GDPR regime, it was acknowledged that a review of our adequacy would be needed, at a time chosen by the EC.

    What happens now?
    The EC has recently requested that that we embark on the adequacy review process.

    In April 2019 The Office of the Data Protection Authority submitted a report to the States of Guernsey which will form part of the detailed adequacy report being compiled for submission to the EC in early May 2019.

    It is expected that all adequate jurisdictions will be subject to regular ongoing review by the EC.

    Read more >