SlideShare a Scribd company logo

Guernsey Data Protection Legislation

Download as PPT, PDF
J
jonbarclay

The document provides an overview of data protection legislation in Guernsey. It summarizes that the legislation was modeled after the UK's 1998 Data Protection Act and aims to provide uniform standards for data handling. It defines key terms like personal data, data controller, and sensitive personal data. It outlines requirements for data controllers including notification, data subject rights, and adhering to eight data protection principles around fair and lawful processing, data quality, security, and international transfers. Enforcement is through the Data Protection Commissioner who can issue notices but primarily encourages education and compliance.

1 of 33
Download to read offline
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
DATA PROTECTION An Overview of Data Protection Legislation in Guernsey Wednesday, 8 October 2008 Friday, 10 October 2008 Jon Barclay, Advocate Monday, 13 October 2008 AO Hall Advocates
Background: The EC Directive ● Sets out uniform standards for good data handling practice. ● Implemented in UK by Data Protection Act 1998. ● Not binding on Guernsey, but implemented here for business reasons. ● The Data Protection (Bailiwick of Guernsey) Law, 2001 is modelled on the 1998 Act. ● European Commission Decision of 21 November 2003: Guernsey has “adequate” data protection.
Guernsey’s Data Protection Law Main Features - ● Notification Requirements for Data Controllers ● Data Subject Rights ● Good Data Handling Practices ● Supervision and Enforcement Procedures
Definitions ● “Data” – information stored or processed electronically, or manually if stored on a “relevant filing system”. ● “Relevant Filing System” – a set of information which is structured, either by reference to individuals or by reference to criteria related to individuals, in such a way that specific information relating to a particular individual is readily accessible.
Definitions continued… ● “Personal Data” – must relate to a living individual who can be identified from those data or from those data and other information which is in possession of the data controller. ● “Data Controller” – a person who determines the manner in which personal data is processed. ● “Data Processor” – any person other than an employee who holds data on behalf of the data controller.
Definitions continued… ● “Data Subject” – a living individual who is the subject of personal data. ● “Processing” – obtaining, recording or holding the data or information and carrying out any operation in relation to it. ● “Sensitive Personal Data” – personal data which consists of information about the subject’s racial or ethnic origin, political opinions, religious beliefs, trade union affiliation, physical or mental health, sex life, criminal activities or criminal record.
Scope ● All data controllers in the Bailiwick. ● All personal data. ● Foreign controllers who process data here. ● Focus on privacy. ● There is no Freedom of Information legislation in Guernsey.
Personal Data ● Email and other addresses ● Telephone subscriber details ● Credit record ● Banking details ● Employment references ● Criminal convictions ● Biometric data ● Medical data ● CCTV footage ● Records of personal telephone calls ● Recorded expressions of personal opinion ● etc
Notification Requirement ● Annual notification unless exempt ● Public register ● Transparency and openness
Notification Details ● Contact details ● General purposes of processing ● Types of data subject ● Types of data ● Potential recipients ● Other jurisdictions ● Security measures
Useful addresses • www.dpr.gov.gg • www.gov.gg
Data Subject Rights ● Subject access ● Rectification, blocking, erasure and destruction ● To prevent processing likely to cause distress ● To prevent processing for direct marketing purposes ● Compensation ● Automated decision-making ● Request for an assessment
Subject Access Requests Individuals are entitled to request a data controller to provide them with - ● a description of any data which is being processed by reference to them ● a description of the purposes for which it is being processed ● a description of any potential recipients of the data ● information as to the source of the data
Exemptions ● Public Security ● Investigation of Crime ● Regulatory Activity ● etc
Conflict of Subject Rights and Controller Duties • STRs • Third party privacy • etc
Automated Decision Making • Significant?
Objections to Data Processing • Damage or distress • Direct Marketing – Preference Services
Other Rights • Rectification, blocking, erasure and destruction • Compensation • Assessments
Data controllers: duty to follow good data handling practices • All data controllers must observe the Data Protection Principles • Even if exempt from notification
The Data Protection Principles Personal data must be : 1. processed fairly and lawfully 2. obtained for specified and lawful purposes only 3. adequate, relevant and not excessive 4. accurate and kept up to date 5. kept for no longer than is necessary 6. processed in accordance with the rights of data subjects 7. kept secure 8. transferred to third countries only if they ensure an adequate level of data protection
First and Second Principles: “Lawful”? ● Breach of Privacy ● Hacking ● Breach of Confidentiality ● Rehabilitation of Offenders ● Theft ● Obtaining by Deception (“Blagging”) ● Unlawful Interception of Communications
First and Second Principles: “Fair”? Consider: ● The method by which the data was obtained ● Statutory authority or requirement ● Informed consent Also: ● Is a Schedule 2 condition met? ● Sensitive personal data: Is a Schedule 3 condition met?
Quality Standards Third Principle: relevant, adequate and not excessive. Fourth Principle: accurate and kept up to date. Fifth Principle: kept for no longer than is necessary.
Sixth Principle: Data Subject Rights ● Subject access rights ● Privacy ● Security
Seventh Principle: Security Security Measures – ● Passwords (which should be changed regularly) ● Careful location of computer screens ● Procedures to verify caller identity ● Clear, written data protection procedures ● Making breach of data protection procedures a disciplinary offence ● Use of encryption ● Other technical and operational measures
Eighth Principle: Data export • EEA • “Adequate” Countries • Elsewhere •Data Transfer Agreements •Model Clauses
Enforcement Authorities •The Commissioner •The Police •The Courts
The Data Protection Commissioner ● Role ● Enforcement Powers ● Requests for Assessment
Offences • Failure to notify • Unauthorised disclosure, selling or obtaining • Failure to comply with a notice • Blagging • Unsolicited communications • Enforced SARs
The Commissioner’s Role • Promote good information handling practices • Encourage respect for privacy • Enforce the legislation • Inform and direct policy
The Commissioner’s Powers • Limited • Enforcement notices • Encouragement and Education rather than coersion
Requests for Assessment • Unverified • Verified • Enforcement Notices • Information Notices and Warrants
DATA PROTECTION An Overview of Data Protection Legislation in Guernsey Wednesday, 8 October 2008 Friday, 10 October 2008 Jon Barclay, Advocate Monday, 13 October 2008 AO Hall Advocates

More Related Content

PPTX
Niall Rooney FD Event 05.09.19
Niall Rooney
 
PDF
GDPR Overview
Trish McGinity, CCSK
 
PPTX
Simple GDPR Overview
Gydeline Ltd
 
PPTX
GDPR: The Catalyst for Customer 360
DataStax
 
PPTX
Privacy 101
Trish McGinity, CCSK
 
PPTX
GDPR clinic - CloudWATCH at Cloud Security Expo 2017
CloudWATCH Consortium
 
PDF
Browne Jacobson - Administrative and public law - October 2017
Browne Jacobson LLP
 
PPTX
Data Protection GDPR Basics
Elizabeth Dunne B.L. PC.dp
 
Niall Rooney FD Event 05.09.19
Niall Rooney
 
GDPR Overview
Trish McGinity, CCSK
 
Simple GDPR Overview
Gydeline Ltd
 
GDPR: The Catalyst for Customer 360
DataStax
 
Privacy 101
Trish McGinity, CCSK
 
GDPR clinic - CloudWATCH at Cloud Security Expo 2017
CloudWATCH Consortium
 
Browne Jacobson - Administrative and public law - October 2017
Browne Jacobson LLP
 
Data Protection GDPR Basics
Elizabeth Dunne B.L. PC.dp
 

What's hot (19)

PDF
DPOs in the public sector, May 2018, Birmingham
Browne Jacobson LLP
 
PDF
GDPR for public sector DPO's, April 2018, Nottingham
Browne Jacobson LLP
 
PDF
DPOs in the public sector, May 2018, London
Browne Jacobson LLP
 
PDF
GDPR for public sector DPO's seminar, April 2018, Manchester
Browne Jacobson LLP
 
PDF
Aleksandra kuczerawy privacy issues in future internet - seserv se workshop...
ictseserv
 
PDF
Data Decoded: Understanding India's Draft Data Protection Bill
Antaraa Vasudev
 
PPTX
GDPR Breakfast Briefing for Business Owners, IT Directors, HR Directors & Ops...
Harrison Clark Rickerbys
 
PPTX
Overview Data Privacy Bill India
ITS Technology Solution Private Limited
 
PPTX
GDPR Breakfast Briefing - For Business Owners, HR Directors, Marketing Direct...
Harrison Clark Rickerbys
 
PPTX
GDPR, Data Privacy.
Liviu Claudiu Cismaru
 
PPT
Privacy and Data Security: Risk Management and Avoidance
Amy Purcell
 
PPTX
What is the General Data Protection Regulation (GDPR)?
TAG Alliances
 
PPTX
Privacy in simple
Aurora Computer Studies
 
PPT
Data protection-training
James Wright
 
PPT
Safety And Security Of Data 4
Wynthorpe
 
PDF
IT Perspectives in Implementing Privacy Framework
Shankar Subramaniyan
 
PDF
POPI_Overview_E
Samm V. Cooper - Dunstan
 
PDF
POPI_Overview_E
Bruce Hudson
 
PPTX
GDPR Summary
Martyn Ripley
 
DPOs in the public sector, May 2018, Birmingham
Browne Jacobson LLP
 
GDPR for public sector DPO's, April 2018, Nottingham
Browne Jacobson LLP
 
DPOs in the public sector, May 2018, London
Browne Jacobson LLP
 
GDPR for public sector DPO's seminar, April 2018, Manchester
Browne Jacobson LLP
 
Aleksandra kuczerawy privacy issues in future internet - seserv se workshop...
ictseserv
 
Data Decoded: Understanding India's Draft Data Protection Bill
Antaraa Vasudev
 
GDPR Breakfast Briefing for Business Owners, IT Directors, HR Directors & Ops...
Harrison Clark Rickerbys
 
Overview Data Privacy Bill India
ITS Technology Solution Private Limited
 
GDPR Breakfast Briefing - For Business Owners, HR Directors, Marketing Direct...
Harrison Clark Rickerbys
 
GDPR, Data Privacy.
Liviu Claudiu Cismaru
 
Privacy and Data Security: Risk Management and Avoidance
Amy Purcell
 
What is the General Data Protection Regulation (GDPR)?
TAG Alliances
 
Privacy in simple
Aurora Computer Studies
 
Data protection-training
James Wright
 
Safety And Security Of Data 4
Wynthorpe
 
IT Perspectives in Implementing Privacy Framework
Shankar Subramaniyan
 
POPI_Overview_E
Samm V. Cooper - Dunstan
 
POPI_Overview_E
Bruce Hudson
 
GDPR Summary
Martyn Ripley
 
Ad

Similar to Guernsey Data Protection Legislation (20)

PPT
3e - Data Protection
MISY
 
PPTX
General Data Protection Regulation or GDPR
Nupur Samaddar
 
PDF
Administrative and public law seminar
Browne Jacobson LLP
 
PPT
Data protection act new 13 12-11
mrmwood
 
PPTX
Chapter 08 – Data Protection, Privacy and Freedom of Information - BIT IT5104
Upekha Vandebona
 
PPT
Gary Davis
dri_ireland
 
PPT
Auditing your EU entities for data protection compliance 5661651 1
rtjbond
 
PDF
Introduction to EU General Data Protection Regulation: Planning, Implementati...
Financial Poise
 
PDF
Data Protection Guide – What are your rights as a citizen?
Edouard Nguyen
 
PPT
Dataprotectionactnew13 12-11-111213033116-phpapp02
tinkusing
 
PPTX
Media_644046_smxx (1).pptx
MichelleSaver
 
PPT
Data Protection (Download for slideshow)
Andrew Sharpe
 
PPTX
GDPR Introduction and overview
Jane Lambert
 
PDF
Introduction to EU General Data Protection Regulation: Planning, Implementat...
Financial Poise
 
PDF
A Brave New World Of Data Protection. Ready? Counting down to GDPR.
dan hyde
 
PPTX
Data protection
RaviPrashant5
 
PPT
Data Protection Act
Yizi
 
PDF
GDPR 11/1/2017
isc2-hellenic
 
PPTX
3A – DATA PROTECTION: ADVICE
CFG
 
PDF
Protection des données et de la vie privée : nouvelles obligations pour les e...
Forums financiers de Wallonie
 
3e - Data Protection
MISY
 
General Data Protection Regulation or GDPR
Nupur Samaddar
 
Administrative and public law seminar
Browne Jacobson LLP
 
Data protection act new 13 12-11
mrmwood
 
Chapter 08 – Data Protection, Privacy and Freedom of Information - BIT IT5104
Upekha Vandebona
 
Gary Davis
dri_ireland
 
Auditing your EU entities for data protection compliance 5661651 1
rtjbond
 
Introduction to EU General Data Protection Regulation: Planning, Implementati...
Financial Poise
 
Data Protection Guide – What are your rights as a citizen?
Edouard Nguyen
 
Dataprotectionactnew13 12-11-111213033116-phpapp02
tinkusing
 
Media_644046_smxx (1).pptx
MichelleSaver
 
Data Protection (Download for slideshow)
Andrew Sharpe
 
GDPR Introduction and overview
Jane Lambert
 
Introduction to EU General Data Protection Regulation: Planning, Implementat...
Financial Poise
 
A Brave New World Of Data Protection. Ready? Counting down to GDPR.
dan hyde
 
Data protection
RaviPrashant5
 
Data Protection Act
Yizi
 
GDPR 11/1/2017
isc2-hellenic
 
3A – DATA PROTECTION: ADVICE
CFG
 
Protection des données et de la vie privée : nouvelles obligations pour les e...
Forums financiers de Wallonie
 
Ad

Guernsey Data Protection Legislation

  • 1. DATA PROTECTION An Overview of Data Protection Legislation in Guernsey Wednesday, 8 October 2008 Friday, 10 October 2008 Jon Barclay, Advocate Monday, 13 October 2008 AO Hall Advocates
  • 2. Background: The EC Directive ● Sets out uniform standards for good data handling practice. ● Implemented in UK by Data Protection Act 1998. ● Not binding on Guernsey, but implemented here for business reasons. ● The Data Protection (Bailiwick of Guernsey) Law, 2001 is modelled on the 1998 Act. ● European Commission Decision of 21 November 2003: Guernsey has “adequate” data protection.
  • 3. Guernsey’s Data Protection Law Main Features - ● Notification Requirements for Data Controllers ● Data Subject Rights ● Good Data Handling Practices ● Supervision and Enforcement Procedures
  • 4. Definitions ● “Data” – information stored or processed electronically, or manually if stored on a “relevant filing system”. ● “Relevant Filing System” – a set of information which is structured, either by reference to individuals or by reference to criteria related to individuals, in such a way that specific information relating to a particular individual is readily accessible.
  • 5. Definitions continued… ● “Personal Data” – must relate to a living individual who can be identified from those data or from those data and other information which is in possession of the data controller. ● “Data Controller” – a person who determines the manner in which personal data is processed. ● “Data Processor” – any person other than an employee who holds data on behalf of the data controller.
  • 6. Definitions continued… ● “Data Subject” – a living individual who is the subject of personal data. ● “Processing” – obtaining, recording or holding the data or information and carrying out any operation in relation to it. ● “Sensitive Personal Data” – personal data which consists of information about the subject’s racial or ethnic origin, political opinions, religious beliefs, trade union affiliation, physical or mental health, sex life, criminal activities or criminal record.
  • 7. Scope ● All data controllers in the Bailiwick. ● All personal data. ● Foreign controllers who process data here. ● Focus on privacy. ● There is no Freedom of Information legislation in Guernsey.
  • 8. Personal Data ● Email and other addresses ● Telephone subscriber details ● Credit record ● Banking details ● Employment references ● Criminal convictions ● Biometric data ● Medical data ● CCTV footage ● Records of personal telephone calls ● Recorded expressions of personal opinion ● etc
  • 9. Notification Requirement ● Annual notification unless exempt ● Public register ● Transparency and openness
  • 10. Notification Details ● Contact details ● General purposes of processing ● Types of data subject ● Types of data ● Potential recipients ● Other jurisdictions ● Security measures
  • 12. Data Subject Rights ● Subject access ● Rectification, blocking, erasure and destruction ● To prevent processing likely to cause distress ● To prevent processing for direct marketing purposes ● Compensation ● Automated decision-making ● Request for an assessment
  • 13. Subject Access Requests Individuals are entitled to request a data controller to provide them with - ● a description of any data which is being processed by reference to them ● a description of the purposes for which it is being processed ● a description of any potential recipients of the data ● information as to the source of the data
  • 14. Exemptions ● Public Security ● Investigation of Crime ● Regulatory Activity ● etc
  • 15. Conflict of Subject Rights and Controller Duties • STRs • Third party privacy • etc
  • 17. Objections to Data Processing • Damage or distress • Direct Marketing – Preference Services
  • 18. Other Rights • Rectification, blocking, erasure and destruction • Compensation • Assessments
  • 19. Data controllers: duty to follow good data handling practices • All data controllers must observe the Data Protection Principles • Even if exempt from notification
  • 20. The Data Protection Principles Personal data must be : 1. processed fairly and lawfully 2. obtained for specified and lawful purposes only 3. adequate, relevant and not excessive 4. accurate and kept up to date 5. kept for no longer than is necessary 6. processed in accordance with the rights of data subjects 7. kept secure 8. transferred to third countries only if they ensure an adequate level of data protection
  • 21. First and Second Principles: “Lawful”? ● Breach of Privacy ● Hacking ● Breach of Confidentiality ● Rehabilitation of Offenders ● Theft ● Obtaining by Deception (“Blagging”) ● Unlawful Interception of Communications
  • 22. First and Second Principles: “Fair”? Consider: ● The method by which the data was obtained ● Statutory authority or requirement ● Informed consent Also: ● Is a Schedule 2 condition met? ● Sensitive personal data: Is a Schedule 3 condition met?
  • 23. Quality Standards Third Principle: relevant, adequate and not excessive. Fourth Principle: accurate and kept up to date. Fifth Principle: kept for no longer than is necessary.
  • 24. Sixth Principle: Data Subject Rights ● Subject access rights ● Privacy ● Security
  • 25. Seventh Principle: Security Security Measures – ● Passwords (which should be changed regularly) ● Careful location of computer screens ● Procedures to verify caller identity ● Clear, written data protection procedures ● Making breach of data protection procedures a disciplinary offence ● Use of encryption ● Other technical and operational measures
  • 26. Eighth Principle: Data export • EEA • “Adequate” Countries • Elsewhere •Data Transfer Agreements •Model Clauses
  • 28. The Data Protection Commissioner ● Role ● Enforcement Powers ● Requests for Assessment
  • 29. Offences • Failure to notify • Unauthorised disclosure, selling or obtaining • Failure to comply with a notice • Blagging • Unsolicited communications • Enforced SARs
  • 30. The Commissioner’s Role • Promote good information handling practices • Encourage respect for privacy • Enforce the legislation • Inform and direct policy
  • 31. The Commissioner’s Powers • Limited • Enforcement notices • Encouragement and Education rather than coersion
  • 32. Requests for Assessment • Unverified • Verified • Enforcement Notices • Information Notices and Warrants
  • 33. DATA PROTECTION An Overview of Data Protection Legislation in Guernsey Wednesday, 8 October 2008 Friday, 10 October 2008 Jon Barclay, Advocate Monday, 13 October 2008 AO Hall Advocates