Data Protection (Jersey) Law


The Data Protection (Jersey) Law 2018 is an information privacy law in the Crown Dependency of the Bailiwick of Jersey, one of the Channel Islands. The latest version dates from 2018 and updates the previous law from 2005 to mirror the General Data Protection Regulation (GDPR). It was adopted on 25 May 2018. [1]


The law

Eight Principles

Data must be...

  1. fairly and lawfully processed
  2. processed for one or more specified and lawful purposes
  3. adequate, relevant and not excessive
  4. accurate and up to date
  5. not kept longer than necessary
  6. processed in accordance with the individual’s rights
  7. kept safe and secure
  8. not transferred to countries outside the European Economic Area unless the country has adequate protection for the individual.

2006 Annual Report of the Jersey Office of Data Protection Commissioner [2]

Rights of Individuals

  • Rights of access
  • Rights to prevent processing
  • Rights to prevent processing for direct marketing
  • Rights in relation to automated decision-taking
  • Right to seek compensation
  • Rights to have inaccurate information corrected
  • Right to complain to the Commissioner

2006 Annual Report of the Jersey Office of the Data Protection Commissioner [2]

The law implements the European Data Protection Directive of 24 October 1995, which concerns the "protection of individuals with regard to the processing of personal data and on the free movement of such data". Its provisions include restrictions on the gathering, collection, and use of personal data, and a requirement that data collectors let individuals know how their data has been used. [1] [3] Gatherers of data are called "data controllers" and must register with the Data Protection Commissioner and pay a yearly fee. [4] [2] The law also contains numerous exemptions for journalism, crime investigation, etc. [5] Other Crown dependencies like Guernsey and the Isle of Man have similar laws. [1] The 2005 law was modelled on the UK's Data Protection Act 1998. [4] [1] These laws can all trace their lineage back to the European Directive on Data Protection, 95/46/EC of 1995, and the Council of Europe's European Convention 108, passed in 1981. [6] [7]

The 2005 overhaul of the Data Protection laws was prompted by the aforementioned Data Protection Directive. It restricted the transmission of protected data to countries outside of the European Economic Area unless they had been certified as having 'adequacy' in their own data protection laws. [4] [8] Jersey is considered outside of the European Economic Area, and its 1987 Data Protection law was not adequate, so the restrictions could have harmed Jersey's financial services industry. [4] (Jersey is a major international offshore financial centre [9] and tax haven. [10]) In 2008, Jersey achieved 'adequacy status' under the EU rules. [11] [12]

Jersey's law is modified to suit this finance industry. [1] One such modification exempts trusts from the law so that they can use the personal information of beneficiaries of the trust without having to disclose certain details of the usage to the beneficiary. This modification was accomplished through a revision called the "Subject Access Exemptions" in 2005. [1] [13]

The main office under the law is that of the Data Protection Commissioner [5] [14] (before 2005, called the Data Protection Registrar). [5] The commissioner for the first several years of the law was Emma Martins. [4] [15] There is also a Data Protection Tribunal. [5] In 2011 an attempt was made to unify the Commission of Guernsey with that of Jersey so that one Commissioner office would serve both Channel Islands. [15]

Notable cases

In 2007 charity groups had to change the way they operated the Jersey Christmas Appeal because they kept a list of the families who were nominated to receive vouchers for food, toys, fuel, and other needs during the holidays. The beneficiaries had to send in signed forms agreeing to be on the list. [16]

The law has been used at least two times against Jersey politicians.

In 2009, Jersey Senator Stuart Syvret was arrested on charges of violating the law after he blogged an old 1999 police report on a nurse suspected of being a serial killer and rapist; the report included the suspect's name. The police investigation had been abandoned for lack of evidence, and Syvret had at first accepted this. However, over the years Syvret came to believe the government of Jersey was incompetent and corrupt, especially after his experiences as Health Minister during the Jersey child abuse investigation 2008. He came to believe that the "Nurse M" [17] (or "Nurse X" in court documents) investigation had been incomplete and that the suspect was still dangerous. This was his alleged motivation for blogging the suspect's name in 2009. [18] At trial he argued that his actions fell under the exemptions of the Law, but the Magistrate rejected this. In November 2010 he was convicted of violating Articles 17, 21, and 55 of the Data Protection Law and sentenced to 10 weeks' imprisonment and a fine. Assistant Magistrate Bridget Shaw gave the analysis and opinion: [18] [19]

"he must have caused distress to X and his family and risked provoking violence either by or against X. The defendant also risked causing great distress to relatives of the deceased. In my opinion this was done to create a totally unfounded scandal to undermine public confidence in the administration of justice." [18]

In 2011, Saint Brélade Deputy and Housing Minister Sean Power was forced to resign after he forwarded an email he pulled off a printer in the States Building. The email discussed Syvret. [20]

Related Research Articles

Information privacy is the relationship between the collection and dissemination of data, technology, the public expectation of privacy, contextual information norms, and the legal and political issues surrounding them. It is also known as data privacy or data protection.

Data Protection Directive: EU directive on the processing of personal data

The Data Protection Directive, officially Directive 95/46/EC, enacted in October 1995, was a European Union directive which regulated the processing of personal data within the European Union (EU) and the free movement of such data. The Data Protection Directive was an important component of EU privacy and human rights law.

Data Protection Act 1998: United Kingdom legislation

The Data Protection Act 1998 (DPA) was an Act of Parliament of the United Kingdom designed to protect personal data stored on computers or in an organised paper filing system. It enacted provisions from the European Union (EU) Data Protection Directive 1995 on the protection, processing, and movement of data.

Information Commissioner's Office: Non-departmental public body

The Information Commissioner's Office (ICO) is a non-departmental public body which reports directly to the Parliament of the United Kingdom and is sponsored by the Department for Science, Innovation and Technology. It is the independent regulatory office dealing with the Data Protection Act 2018 and the General Data Protection Regulation, the Privacy and Electronic Communications Regulations 2003 across the UK; and the Freedom of Information Act 2000 and the Environmental Information Regulations 2004 in England, Wales and Northern Ireland and, to a limited extent, in Scotland. When they audit an organisation they use Symbiant's audit software.

Personal Information Protection and Electronic Documents Act: 2000 Canadian law

The Personal Information Protection and Electronic Documents Act is a Canadian law relating to data privacy. It governs how private sector organizations collect, use and disclose personal information in the course of commercial business. In addition, the Act contains various provisions to facilitate the use of electronic documents. PIPEDA became law on 13 April 2000 to promote consumer trust in electronic commerce. The act was also intended to reassure the European Union that the Canadian privacy law was adequate to protect the personal information of European citizens. In accordance with section 29 of PIPEDA, Part I of the Act must be reviewed by Parliament every five years. The first Parliamentary review occurred in 2007.

Personal data, also known as personal information or personally identifiable information (PII), is any information related to an identifiable person.

Information privacy, data privacy or data protection laws provide a legal framework on how to obtain, use and store data of natural persons. The various laws around the world describe the rights of natural persons to control who is using their data. This usually includes the right to get details on which data is stored and for what purpose, and to request deletion when the purpose no longer applies.

Data retention defines the policies of persistent data and records management for meeting legal and business data archival requirements. Although sometimes interchangeable, it is not to be confused with the Data Protection Act 1998.

Privacy law is the body of law that deals with the regulating, storing, and using of personally identifiable information, personal healthcare information, and financial information of individuals, which can be collected by governments, public or private organisations, or other individuals. It also applies in the commercial sector to things like trade secrets and the liability that directors, officers, and employees have when handling sensitive information.

Stuart Syvret: Jersey politician

Stuart Syvret is a former Jersey politician. He held elected office as a member of the States of Jersey assembly from 1990 to 2010. From 1999 to 2007, Syvret had executive responsibilities first as President of the Health and Social Services Committee and, after the 2005 constitutional reforms, as Minister for Health and Social Services in the Council of Ministers. He was dismissed from ministerial office in September 2007 and returned to the backbenches until he was disqualified from membership of the States in April 2010 due to his absence from the island. He has been involved in a series of legal proceedings, as a defendant in a criminal prosecution in Jersey and as a claimant in judicial review and civil claims in Jersey and London.

Law of Jersey

The law of Jersey has been influenced by several different legal traditions, in particular Norman customary law, English common law and modern French civil law. The Bailiwick of Jersey is a separate jurisdiction from that of the United Kingdom, and is also distinct from that of the other Channel Islands such as Guernsey, although they do share some historical developments. Jersey's legal system is 'mixed' or 'pluralistic', and sources of law are in French and English languages, although since the 1950s the main working language of the legal system is English.

The United States Commission's fair information practice principles (FIPPs) are guidelines that represent widely accepted concepts concerning fair information practice in an electronic marketplace.

Council of Ministers (Jersey): Collective institution of executive government in Jersey

The Council of Ministers is the collective decision-making body of the Government of Jersey, formed by the Ministers of the States of Jersey and the Chief Minister. The council co-ordinates policies and administration, especially policy affecting two or more ministers, prioritises executive and legislative proposals, and presents a "Strategic Plan for Jersey" for approval by the States Assembly.

The German Bundesdatenschutzgesetz (BDSG) is a federal data protection act that, together with the data protection acts of the German federated states and other area-specific regulations, governs the exposure of personal data which are manually processed or stored in IT systems.

General Data Protection Regulation: EU regulation on the processing of personal data

The General Data Protection Regulation is a European Union regulation on information privacy in the European Union (EU) and the European Economic Area (EEA). The GDPR is an important component of EU privacy law and human rights law, in particular Article 8(1) of the Charter of Fundamental Rights of the European Union. It also governs the transfer of personal data outside the EU and EEA. The GDPR's goals are to enhance individuals' control and rights over their personal information and to simplify the regulations for international business. It supersedes the Data Protection Directive 95/46/EC and, among other things, simplifies the terminology.

There are several national data protection authorities across the world, tasked with protecting information privacy. In the European Union and the EFTA member countries, their status was formalized by the Data Protection Directive and they were involved in the Madrid Resolution.

Max Schrems: Austrian author and privacy activist

Maximilian Schrems is an Austrian activist, lawyer, and author who became known for campaigns against Facebook for its privacy violations, including violations of European privacy laws and the alleged transfer of personal data to the US National Security Agency (NSA) as part of the NSA's PRISM program. Schrems is the founder of NOYB – European Center for Digital Rights.

Data Protection Act 2018: United Kingdom legislation

The Data Protection Act 2018 is a United Kingdom Act of Parliament which updates data protection laws in the UK. It is a national law which complements the European Union's General Data Protection Regulation (GDPR) and replaces the Data Protection Act 1998.

The right of access, also referred to as right to access and (data) subject access, is one of the most fundamental rights in data protection laws around the world. For instance, the United States, Singapore, Brazil, and countries in Europe have all developed laws that regulate access to personal data as privacy protection. The European Union states that: "The right of access occupies a central role in EU data protection law's arsenal of data subject empowerment measures." This right is often implemented as a Subject Access Request (SAR) or Data Subject Access Request (DSAR).

References

  1. Jersey: Data Protection In Jersey And Other Offshore Jurisdictions, 23 July 2008, article by Wendy Benjamin, mondaq.com, retrieved 2012-09-14
  2. Annual Reports, archived 16 July 2006 at the Wayback Machine, 2006, Office of the Data Protection Commissioner, Jersey, retrieved 2012-09-15
  3. See the UK Act data protection article for a complete breakdown of the Eight Principles
  4. Annual Reports, archived 16 July 2006 at the Wayback Machine, 2005, Office of the Data Protection Commissioner, Jersey, retrieved 2012-09-15
  5. "DATA PROTECTION (JERSEY) LAW 2005". Jersey Legal Information Board. Retrieved 30 March 2022.
  6. A Brief History of Data Protection in Jersey, archived 28 August 2006 at the Wayback Machine, Jersey Office of the Data Protection Commissioner, retrieved 2012-09-14
  7. Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, Council of Europe, Strasbourg, 28.I.1981, coe.int, retrieved 2012-09-14
  8. Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data. Eur-Lex.europa.eu, retrieved 2012-09-15
  9. "The Global Financial Centres Index 8" (PDF). Z/Yen. 2010. Archived from the original (PDF) on 11 October 2010. Retrieved 15 September 2012.
  10. Jersey: Tax haven or international finance centre? 2009 2 3, BBC.co.uk, retrieved 2012-09-14
  11. Annual Reports, archived 16 July 2006 at the Wayback Machine, 2008, Office of the Data Protection Commissioner, Jersey, retrieved 2012-09-15
  12. Commission Decision of 8 May 2008 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequate protection of personal data in Jersey, Eur-Lex, europa.eu, retrieved 2012-09-15
  13. Subject Access Exemptions, 2005/2006, from jerseylaw.je
  14. Office of the Data Protection Commissioner, archived 24 July 2008 at the Wayback Machine, Jersey government, gov.je, retrieved 2012-09-14
  15. Islands to join forces on data protection, Monday 19 September 2011, thisisjersey.com, retrieved 2012-09-15
  16. Now Data Protection threatens Christmas, Saturday 24 November 2007, thisisjersey.com, retrieved 2012-09-14
  17. Syvret replaced the name of the Nurse with the term "Nurse M" on his blog. See for example Thursday, 19 March 2009, A MASS-MURDERER, blogspot.com, retrieved 2012-09-14
  18. Before: Assistant Magistrate Mrs B. Shaw, Between Stuart Syvret and the Attorney General and the Connetable of Grouville, retrieved 2012-09-14
  19. Jersey politician Stuart Syvret bailed pending appeal, 18 November 2010, bbc.co.uk, retrieved 2012-09-14
  20. Minister resigns after breaching data protection code, 2 February 2011, bbc.co.uk, retrieved 2012-09-14