The Data Protection (Jersey) Law 2005
The Data Protection (Jersey) Law 2005 A Law to make provision for the regulation of the processing of information relating to individuals including the obtaining, holding and use or disclosure of such information.
The Data Protection (Jersey) Law 2005 KEY DEFINITIONS: DATA Means information which is: Automatically processed or Recorded with the intention of being automatically processed or Recorded as part of a relevant filing system
The Data Protection (Jersey) Law 2005 KEY DEFINITIONS: Means any set of information relating to individuals to the extent that the set is structured either by reference to individuals, or in such a way that specific information relating to a particular individual is readily accessible. RELEVANT FILING SYSTEM
The Data Protection (Jersey) Law 2005 KEY DEFINITIONS: PERSONAL DATA Data which relates to a living individual who can be identified: From those data or From those data and any information which is in the possession of, or is likely to come into the possession of the data controller
The Data Protection (Jersey) Law 2005 Racial or ethnic origin Political opinions Religious or other beliefs Trade union membership Physical or mental health Sexual life Offences KEY DEFINITIONS: SENSITIVE PERSONAL DATA
The Data Protection (Jersey) Law 2005 includes obtaining, holding and carrying out any operation on the information or data KEY DEFINITIONS: PROCESSING
The Data Protection(Jersey)Law 2005 An individual who is the subject of personal data An individual who is the subject of personal data. KEY DEFINITIONS: DATA SUBJECT
The Data Protection (Jersey) Law 2005 A A person who (either alone or in common with other persons) determines the purposes for which and the manner in which personal data are, or are to be, processed. KEY DEFINITIONS: DATA CONTROLLER
The Data Protection (Jersey) Law 2005 a person (other than an employee) who processes the data on behalf of the data controller KEY DEFINITIONS: DATA PROCESSOR
Notification Data controller’s name and address Name and address of representative (if relevant) Description of personal data being processed Description of the purpose of processing Description of intended recipients List of non-EEA countries data may be transferred to Security Statement…
Security Statement Questions Are the measures based on an assessment of the risks involved in the processing? Do such measures include: - adopting an information security policy? - taking steps to control physical security? - putting in place controls on access to information? - establishing a business continuity plan? - training staff on security systems & procedures? - detecting & investigating security breaches?
The Data Protection (Jersey) Law 2005 There are 8 Data Protection Principles which set enforceable standards for the collection and use of personal data. The Principles
The First Principle: Data Protection (Jersey) Law 2005 Personal data shall be processed fairly and lawfully and in particular shall not be processed unless: Schedule 2 is satisfied for all personal data Schedule 3 is satisfied for all sensitive personal data
The First Principle (Cont’d): Fairness: The identity of the data controller The purpose(s) for which the data are intended to be processed Any other information which is necessary having regard to the specific circumstances in which the data are, or are to be processed The individual must be informed of:
Privacy Policy Statements What information does the site receive and how is it used? Can I choose what information I disclose? Can I choose what information I receive? How can I review, access or change my information? How is my information kept secure? Who has access to my information? What about other companies? Who can I contact if I have a query?
The Second Principle: Personal data shall be obtained for only one or more specified and lawful purpose and shall not be further processed in any manner incompatible with that purpose or purposes.
The Third Principle: Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
The Fourth Principle: Personal data shall be accurate and, where necessary, kept up to date.
The Fifth Principle: Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
The Sixth Principle: Personal data shall be processed in accordance with the rights of data subjects under this Law.
Individuals Rights Access Correction, erasure, destruction Stop processing Direct marketing Automated decision-making Compensation
The Seventh Principle: Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
Seventh Principle - Interpretation Appropriateness of measures Reliability of employees Reliability of data processor Contract to cover processing
Practical Implementation of the Seventh Principle Clarify responsibilities Assess risks Formulate policy Impose contractual obligations Proactive policy implementation and oversight
The Eighth Principle: Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
Lessons to learn Get involved early Take the initiative Integrated approach Assess outsourcing options Take a proactive approach Reap the rewards of compliance!