Guernsey Data Protection Legislation
Upcoming SlideShare
Loading in...5

Guernsey Data Protection Legislation






Total Views
Views on SlideShare
Embed Views



1 Embed 1 1



Upload Details

Uploaded via as Microsoft PowerPoint

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
Post Comment
Edit your comment

Guernsey Data Protection Legislation Guernsey Data Protection Legislation Presentation Transcript

  • DATA PROTECTION An Overview of Data Protection Legislation in Guernsey Wednesday, 8 October 2008 Friday, 10 October 2008 Jon Barclay, Advocate Monday, 13 October 2008 AO Hall Advocates
  • Background: The EC Directive ● Sets out uniform standards for good data handling practice. ● Implemented in UK by Data Protection Act 1998. ● Not binding on Guernsey, but implemented here for business reasons. ● The Data Protection (Bailiwick of Guernsey) Law, 2001 is modelled on the 1998 Act. ● European Commission Decision of 21 November 2003: Guernsey has “adequate” data protection.
  • Guernsey’s Data Protection Law Main Features - ● Notification Requirements for Data Controllers ● Data Subject Rights ● Good Data Handling Practices ● Supervision and Enforcement Procedures
  • Definitions ● “Data” – information stored or processed electronically, or manually if stored on a “relevant filing system”. ● “Relevant Filing System” – a set of information which is structured, either by reference to individuals or by reference to criteria related to individuals, in such a way that specific information relating to a particular individual is readily accessible.
  • Definitions continued… ● “Personal Data” – must relate to a living individual who can be identified from those data or from those data and other information which is in possession of the data controller. ● “Data Controller” – a person who determines the manner in which personal data is processed. ● “Data Processor” – any person other than an employee who holds data on behalf of the data controller.
  • Definitions continued… ● “Data Subject” – a living individual who is the subject of personal data. ● “Processing” – obtaining, recording or holding the data or information and carrying out any operation in relation to it. ● “Sensitive Personal Data” – personal data which consists of information about the subject’s racial or ethnic origin, political opinions, religious beliefs, trade union affiliation, physical or mental health, sex life, criminal activities or criminal record.
  • Scope ● All data controllers in the Bailiwick. ● All personal data. ● Foreign controllers who process data here. ● Focus on privacy. ● There is no Freedom of Information legislation in Guernsey.
  • Personal Data ● Email and other addresses ● Telephone subscriber details ● Credit record ● Banking details ● Employment references ● Criminal convictions ● Biometric data ● Medical data ● CCTV footage ● Records of personal telephone calls ● Recorded expressions of personal opinion ● etc
  • Notification Requirement ● Annual notification unless exempt ● Public register ● Transparency and openness
  • Notification Details ● Contact details ● General purposes of processing ● Types of data subject ● Types of data ● Potential recipients ● Other jurisdictions ● Security measures
  • Useful addresses • •
  • Data Subject Rights ● Subject access ● Rectification, blocking, erasure and destruction ● To prevent processing likely to cause distress ● To prevent processing for direct marketing purposes ● Compensation ● Automated decision-making ● Request for an assessment
  • Subject Access Requests Individuals are entitled to request a data controller to provide them with - ● a description of any data which is being processed by reference to them ● a description of the purposes for which it is being processed ● a description of any potential recipients of the data ● information as to the source of the data
  • Exemptions ● Public Security ● Investigation of Crime ● Regulatory Activity ● etc
  • Conflict of Subject Rights and Controller Duties • STRs • Third party privacy • etc
  • Automated Decision Making • Significant?
  • Objections to Data Processing • Damage or distress • Direct Marketing – Preference Services
  • Other Rights • Rectification, blocking, erasure and destruction • Compensation • Assessments
  • Data controllers: duty to follow good data handling practices • All data controllers must observe the Data Protection Principles • Even if exempt from notification
  • The Data Protection Principles Personal data must be : 1. processed fairly and lawfully 2. obtained for specified and lawful purposes only 3. adequate, relevant and not excessive 4. accurate and kept up to date 5. kept for no longer than is necessary 6. processed in accordance with the rights of data subjects 7. kept secure 8. transferred to third countries only if they ensure an adequate level of data protection
  • First and Second Principles: “Lawful”? ● Breach of Privacy ● Hacking ● Breach of Confidentiality ● Rehabilitation of Offenders ● Theft ● Obtaining by Deception (“Blagging”) ● Unlawful Interception of Communications
  • First and Second Principles: “Fair”? Consider: ● The method by which the data was obtained ● Statutory authority or requirement ● Informed consent Also: ● Is a Schedule 2 condition met? ● Sensitive personal data: Is a Schedule 3 condition met?
  • Quality Standards Third Principle: relevant, adequate and not excessive. Fourth Principle: accurate and kept up to date. Fifth Principle: kept for no longer than is necessary.
  • Sixth Principle: Data Subject Rights ● Subject access rights ● Privacy ● Security
  • Seventh Principle: Security Security Measures – ● Passwords (which should be changed regularly) ● Careful location of computer screens ● Procedures to verify caller identity ● Clear, written data protection procedures ● Making breach of data protection procedures a disciplinary offence ● Use of encryption ● Other technical and operational measures
  • Eighth Principle: Data export • EEA • “Adequate” Countries • Elsewhere •Data Transfer Agreements •Model Clauses
  • Enforcement Authorities •The Commissioner •The Police •The Courts
  • The Data Protection Commissioner ● Role ● Enforcement Powers ● Requests for Assessment
  • Offences • Failure to notify • Unauthorised disclosure, selling or obtaining • Failure to comply with a notice • Blagging • Unsolicited communications • Enforced SARs
  • The Commissioner’s Role • Promote good information handling practices • Encourage respect for privacy • Enforce the legislation • Inform and direct policy
  • The Commissioner’s Powers • Limited • Enforcement notices • Encouragement and Education rather than coersion
  • Requests for Assessment • Unverified • Verified • Enforcement Notices • Information Notices and Warrants
  • DATA PROTECTION An Overview of Data Protection Legislation in Guernsey Wednesday, 8 October 2008 Friday, 10 October 2008 Jon Barclay, Advocate Monday, 13 October 2008 AO Hall Advocates