The Data Protection (Jersey) Law 2005 Jersey Occupational Safety & Health Association

www.dataprotection.gov.je

The Data Protection (Jersey)

Law 2005Jersey Occupational Safety & Health

Association

27th November 2007

www.dataprotection.gov.je

• Human Rights

• Employment

• Regulation of Investigatory Powers

• Data Protection

• Health & Safety

• Rehabilitation of Offenders

• Public Records

www.dataprotection.gov.je

The Data Protection (Jersey) Law 2005

A Law to make provision for the regulation of the processing of information relating to

individuals including the obtaining, holding and use or disclosure of such information.

www.dataprotection.gov.je

Key new Features of the new Jersey Law

• Definition of data includes structured manual personal information

• Must meet minimum criteria before processing commences

• Still 8 enforceable basic Principles

• Principles are strengthened

• Principles apply – notified (registered) or not

www.dataprotection.gov.je

Key new Features of the new Jersey Law (Cont’d)

• Individuals’ Rights enhanced

• Limited Exemptions

• Establishes an independent DP Commissioner with increased powers

• Enforcement – pre-assessments

• Transition period for currently exempt data when processing already underway

www.dataprotection.gov.je

The Data Protection (Jersey) Law 2005 KEY DEFINITIONS:

DATA Means information which is:

Automatically processedor

Recorded with the intention of being automatically processed

orRecorded as part of a relevant filing system

www.dataprotection.gov.je

The Data Protection (Jersey) Law 2005 KEY DEFINITIONS:

Means any set of information relating to individuals to the extent that the set is structured either by reference to individuals, or in such a way that

specific information relating to a particular individual is readily accessible.

RELEVANT FILING SYSTEM

www.dataprotection.gov.je

The Data Protection (Jersey) Law 2005 KEY DEFINITIONS:

PERSONAL DATA

Data which relates to a living individual who canbe identified:

From those dataor

From those data and any information which is in the possession

of, or is likely to come into the possession of the data controller

www.dataprotection.gov.je

The Data Protection (Jersey) Law 2005

• Racial or ethnic origin• Political opinions• Religious or other beliefs• Trade union membership• Physical or mental health• Sexual life• Offences

KEY DEFINITIONS:

SENSITIVE PERSONAL DATA

www.dataprotection.gov.je

The Data Protection (Jersey) Law 2005

includes obtaining, holding and carrying out any operation on the information or

data

KEY DEFINITIONS:

PROCESSING

www.dataprotection.gov.je

The Data Protection(Jersey)Law 2005

An individual who is the subject of personal dataAn individual who is the subject of personal data.

KEY DEFINITIONS:

DATA SUBJECT

www.dataprotection.gov.je

The Data Protection (Jersey) Law 2005

A A person who (either alone or in common with other persons) determines the purposes for which

and the manner in which personal data are, or are to be, processed.

KEY DEFINITIONS:

DATA CONTROLLER

www.dataprotection.gov.je

The Data Protection (Jersey) Law 2005

a person (other than an employee) who processes the data on behalf of the data controller

KEY DEFINITIONS:

DATA PROCESSOR

www.dataprotection.gov.je

The Data Protection (Jersey) Law 2005

There are 8 Data Protection Principles which set enforceable standards for the collection and use

of personal data.

The Principles

www.dataprotection.gov.je

The First Principle:

Data Protection (Jersey) Law 2005

Personal data shall be processed fairly and lawfully and in particular shall not be processed unless:

• Schedule 2 is satisfied for all personal data

• Schedule 3 is satisfied for all sensitive personal data

www.dataprotection.gov.je

The First Principle (Cont’d):

Fairness:

• The identity of the data controller

• The purpose(s) for which the data are intended to be processed

• Any other information which is necessary having regard to the specific circumstances in which the data are, or are to be processed

The individual must be informed of:

www.dataprotection.gov.je

The First Principle (Cont’d):Conditions for the processing of any Personal Data:Schedule 2:

• Consent• Performance of a contract to which

the data subject is a party or has requested

• Legal obligation• Vital interests• Public functions and administration of

justice• Legitimate interests

At least one of the following conditions must be satisfied before processing can commence:

www.dataprotection.gov.je

The First Principle (Cont’d):Conditions for the processing of any Sensitive Personal Data:

Schedule 3:At least one of the following conditions must be satisfied before processing can commence:

• Explicit consent• Employment purposes• Vital interests• Non Profit Organisations• Information already made public• Legal proceedings• Public functions• Medical purposes• Equal opportunity research

www.dataprotection.gov.je

The Second Principle:

Personal data shall be obtained for only one or more specified and lawful purpose and shall not be further processed in any manner incompatible with that purpose or purposes.

www.dataprotection.gov.je

The Third Principle:

Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.

www.dataprotection.gov.je

The Fourth Principle:

Personal data shall be accurate and, where necessary, kept up to date.

www.dataprotection.gov.je

The Fifth Principle:

Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.

www.dataprotection.gov.je

The Sixth Principle:

Personal data shall be processed in accordance with the rights of data subjects under this Law.

www.dataprotection.gov.je

Individuals Rights

• Access *

• Correction, erasure, destruction

• Stop processing

• Direct marketing

• Automated decision-making

• Compensation

www.dataprotection.gov.je

Individuals Rights cont.

Access

Article 31

Exemption for the sake of regulatory activity

If access request would prejudice the proper discharge of a function designed for securing health, safety and welfare of persons at work

www.dataprotection.gov.je

The Seventh Principle:

Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

www.dataprotection.gov.je

The Eighth Principle:

Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

www.dataprotection.gov.je

EnforcementThe Commissioner has legal powers to ensure that Data Controllers comply with the Law.

1. Failing to Notify or Notify Changes

3. Breaching an Information/Enforcement /Special Information Notice issued by the Commissioner

4. Making a false statement (intentional or reckless) in purported compliance with an Information Notice

2. Failing to make information available when requested by a data subject (when not notified)

5. Unlawful obtaining or selling of personal data

6. Providing false or misleading information to the Commissioner

www.dataprotection.gov.je

Contact details:

Emma Martins

Morier HouseHalkett Place

St HelierJersey JEI IDD

Telephone – 441064Website – www.dataprotection.gov.je