Guernsey Data Protection Legislation

  1. DATA PROTECTION
     An Overview of Data Protection Legislation in Guernsey
     Wednesday, 8 October 2008; Friday, 10 October 2008; Monday, 13 October 2008
     Jon Barclay, Advocate, AO Hall Advocates
  2. Background: The EC Directive
     ● Sets out uniform standards for good data handling practice.
     ● Implemented in UK by Data Protection Act 1998.
     ● Not binding on Guernsey, but implemented here for business reasons.
     ● The Data Protection (Bailiwick of Guernsey) Law, 2001 is modelled on the 1998 Act.
     ● European Commission Decision of 21 November 2003: Guernsey has “adequate” data protection.
  3. Guernsey’s Data Protection Law
     Main Features:
     ● Notification Requirements for Data Controllers
     ● Data Subject Rights
     ● Good Data Handling Practices
     ● Supervision and Enforcement Procedures
  4. Definitions
     ● “Data” – information stored or processed electronically, or manually if stored on a “relevant filing system”.
     ● “Relevant Filing System” – a set of information which is structured, either by reference to individuals or by reference to criteria related to individuals, in such a way that specific information relating to a particular individual is readily accessible.
  5. Definitions continued…
     ● “Personal Data” – must relate to a living individual who can be identified from those data, or from those data and other information which is in the possession of the data controller.
     ● “Data Controller” – a person who determines the manner in which personal data is processed.
     ● “Data Processor” – any person other than an employee who holds data on behalf of the data controller.
  6. Definitions continued…
     ● “Data Subject” – a living individual who is the subject of personal data.
     ● “Processing” – obtaining, recording or holding the data or information and carrying out any operation in relation to it.
     ● “Sensitive Personal Data” – personal data which consists of information about the subject’s racial or ethnic origin, political opinions, religious beliefs, trade union affiliation, physical or mental health, sex life, criminal activities or criminal record.
  7. Scope
     ● All data controllers in the Bailiwick.
     ● All personal data.
     ● Foreign controllers who process data here.
     ● Focus on privacy.
     ● There is no Freedom of Information legislation in Guernsey.
  8. Personal Data
     ● Email and other addresses
     ● Telephone subscriber details
     ● Credit record
     ● Banking details
     ● Employment references
     ● Criminal convictions
     ● Biometric data
     ● Medical data
     ● CCTV footage
     ● Records of personal telephone calls
     ● Recorded expressions of personal opinion
     ● etc
  9. Notification Requirement
     ● Annual notification unless exempt
     ● Public register
     ● Transparency and openness
  10. Notification Details
     ● Contact details
     ● General purposes of processing
     ● Types of data subject
     ● Types of data
     ● Potential recipients
     ● Other jurisdictions
     ● Security measures
  11. Useful addresses
     • www.dpr.gov.gg
     • www.gov.gg
  12. Data Subject Rights
     ● Subject access
     ● Rectification, blocking, erasure and destruction
     ● To prevent processing likely to cause distress
     ● To prevent processing for direct marketing purposes
     ● Compensation
     ● Automated decision-making
     ● Request for an assessment
  13. Subject Access Requests
     Individuals are entitled to request a data controller to provide them with:
     ● a description of any data which is being processed by reference to them
     ● a description of the purposes for which it is being processed
     ● a description of any potential recipients of the data
     ● information as to the source of the data
  14. Exemptions
     ● Public Security
     ● Investigation of Crime
     ● Regulatory Activity
     ● etc
  15. Conflict of Subject Rights and Controller Duties
     • STRs
     • Third party privacy
     • etc
  16. Automated Decision Making
     • Significant?
  17. Objections to Data Processing
     • Damage or distress
     • Direct Marketing – Preference Services
  18. Other Rights
     • Rectification, blocking, erasure and destruction
     • Compensation
     • Assessments
  19. Data controllers: duty to follow good data handling practices
     • All data controllers must observe the Data Protection Principles
     • Even if exempt from notification
  20. The Data Protection Principles
     Personal data must be:
     1. processed fairly and lawfully
     2. obtained for specified and lawful purposes only
     3. adequate, relevant and not excessive
     4. accurate and kept up to date
     5. kept for no longer than is necessary
     6. processed in accordance with the rights of data subjects
     7. kept secure
     8. transferred to third countries only if they ensure an adequate level of data protection
  21. First and Second Principles: “Lawful”?
     ● Breach of Privacy
     ● Hacking
     ● Breach of Confidentiality
     ● Rehabilitation of Offenders
     ● Theft
     ● Obtaining by Deception (“Blagging”)
     ● Unlawful Interception of Communications
  22. First and Second Principles: “Fair”?
     Consider:
     ● The method by which the data was obtained
     ● Statutory authority or requirement
     ● Informed consent
     Also:
     ● Is a Schedule 2 condition met?
     ● Sensitive personal data: Is a Schedule 3 condition met?
  23. Quality Standards
     Third Principle: relevant, adequate and not excessive.
     Fourth Principle: accurate and kept up to date.
     Fifth Principle: kept for no longer than is necessary.
  24. Sixth Principle: Data Subject Rights
     ● Subject access rights
     ● Privacy
     ● Security
  25. Seventh Principle: Security
     Security Measures:
     ● Passwords (which should be changed regularly)
     ● Careful location of computer screens
     ● Procedures to verify caller identity
     ● Clear, written data protection procedures
     ● Making breach of data protection procedures a disciplinary offence
     ● Use of encryption
     ● Other technical and operational measures
  26. Eighth Principle: Data export
     • EEA
     • “Adequate” Countries
     • Elsewhere
       • Data Transfer Agreements
       • Model Clauses
  27. Enforcement Authorities
     • The Commissioner
     • The Police
     • The Courts
  28. The Data Protection Commissioner
     ● Role
     ● Enforcement Powers
     ● Requests for Assessment
  29. Offences
     • Failure to notify
     • Unauthorised disclosure, selling or obtaining
     • Failure to comply with a notice
     • Blagging
     • Unsolicited communications
     • Enforced SARs
  30. The Commissioner’s Role
     • Promote good information handling practices
     • Encourage respect for privacy
     • Enforce the legislation
     • Inform and direct policy
  31. The Commissioner’s Powers
     • Limited
     • Enforcement notices
     • Encouragement and Education rather than coercion
  32. Requests for Assessment
     • Unverified
     • Verified
     • Enforcement Notices
     • Information Notices and Warrants
  33. DATA PROTECTION
     An Overview of Data Protection Legislation in Guernsey
     Wednesday, 8 October 2008; Friday, 10 October 2008; Monday, 13 October 2008
     Jon Barclay, Advocate, AO Hall Advocates