• Statement regarding data breach by the Parish of St Helier

    Jersey’s Information Commissioner Emma Martins said: ‘The Parish of St Helier informed my office of a data breach during the afternoon of Friday 14th July 2017. The breach related to an email sent to St Helier ratepayers in which the email addresses of all recipients was included, and therefore disclosed. It appears the recipients’ emails were erroneously entered into the ‘cc’ box rather than the ‘bcc’ box.

    ‘It is not mandatory for data controllers to report data breaches to my office under the current legal regime (Data Protection (Jersey) Law 2005). However, it will be mandatory from 2018 when new data protection legislation is due for implementation. As such, we welcome the proactive position taken in respect of this matter by the Parish of St Helier.’

    She added: ‘The Office of the Information Commissioner has received a number of complaints and enquiries relating to this incident. We will now seek further, detailed information from the Parish of St Helier to better understand how the incident happened and the steps they now propose to take. While this investigation remains ongoing, it would be inappropriate to comment further at this stage.’

    Read more >
  • GDPR: One year to go

    WITH one year to go until the General Data Protection Regulation (GDPR) comes into force across the European Union (EU) on 25th May 2018, the Office of the Information Commissioner and Data Protection Commissioner is today launching a website, which will contain advice and guidance to help island businesses get to grips with the new legislation.

    ‘With one year to go I’m delighted that industry is talking about GDPR. I’ve spoken at dozens and dozens of briefings, seminars and other events over the past few months and am pleased to say that GDPR is certainly on the radar of the businesses I have spoken with – awareness is far greater than it was even six months ago,’ said Emma Martins, Data Protection Commissioner / Information Commissioner.

    ‘With 365 days to go we have launched a microsite which will become a useful portal for businesses looking for guidance. I urge islanders to keep an eye on this as we will be uploading information as it becomes available. I also want to give reassurance to businesses that GDPR is not a revolution, it’s an evolution of current data legislation, so if you’re compliant currently, you have a great base from which to work.

    ‘Local legislation is currently being drafted and both Jersey and Guernsey’s governments have committed to a harmonised approach to this,’ added Mrs Martins. ‘When this legislation is finalised we can then start to develop more detailed guidance. To date every island business has been sent general guidance on GDPR but we know we’ve got work to do to make sure businesses have access to specific guidance. We are working very hard behind the scenes to make sure that our office is ready for the changes.’

    In order to be prepared, business can begin by ensuring they have a detailed understanding of the data they hold and how they process this. This underpins the accountability aspect of GDPR. Any effective data governance strategy has to begin with a comprehensive data audit, which can be obtained by answering the following key questions:

    • What personal data do you hold? Do you hold any special category data?
    • Where is it from and where is it sent?
    • Why is it processed? For what purpose?
    • How is the processing lawful and fair? Which of the conditions is met? Have you provided individuals with details about the processing of their data, including reference to the rights they have?

    When it comes into force, the General Data Protection Regulation (GDPR) aims to strengthen data protection rights for individuals and harmonise compliance requirements for businesses. GDPR is set to be the largest change to the protection of personal data across Europe since the implementation, in 1995, of the EU Data Protection Directive, which is currently in force. At that time, and in response to the transfer controls on data exported from the EU, the Channel Islands implemented the Data Protection (Bailiwick of Guernsey) Law, 2001 and the Data Protection (Jersey) Law 2005 which ensured the continued free flow of data to the islands.

    The Regulation will be overseen by the European Parliament, the European Council and the European Commission. The governments of Jersey and Guernsey, together with the Channel Islands Brussels Office, are working with the Commission, as well as key stakeholders, to ensure the islands are prepared for the changes and businesses are aware of their responsibilities and have time to prepare.

    For more information, business can go to

    Read more >
  • States systems unharmed by ransomware attack

    The States of Jersey have released an official statement following last weekend’s large-scale ransomware attack. The statement talks about what local government has done to protect its own systems, as well as providing advice to Jersey residents on what they can do to protect themselves.

    The full statement can be read by clicking here.

    Read more >
  • Channel Island’s represented at Spring conference of European Data Protection Authorities

    Representatives of European Data Protection Authorities are meeting in Cyprus this week for the annual European Spring Conference.

    The Channel Islands are attending the event which features valuable GDPR preparation discussions together with sessions dedicated to cloud computing, law enforcement and genetics.

    With only one year to go until GDPR implementation, opportunities such as these are vital for developing knowledge and for sharing thoughts, concerns and practice about the future of Data Protection regulation, all of which are of significant benefit not only to the attending regulatory authorities, but also to businesses across the Channel Islands.

    For more details about this year’s conference programme and discussions, please click on the link below:




    Read more >
  • Jersey can benefit economically by becoming a ‘centre of excellence’ but more resources will be needed

    JERSEY can reap major economic benefits by becoming a ‘centre of excellence’, says the island’s Information Commissioner.

    Emma Martins says new data protection laws offer positive opportunities, but that the private and public sectors need to ensure appropriate allocation of resources to ensure they are prepared for the legislation.

    The General Data Protection Regulation (GDPR) is due to come into force in May 2018 in Jersey and Guernsey. It will update data protection rights for the internet and digital age, controlling how governments and businesses process individuals’ information. It will also mean that businesses don’t face significantly different compliance rules if they are conducting business locally and across the European Union (EU).

    Mrs Martins, who recently spoke at a Jersey Chamber of Commerce event on GDPR, said: ‘Data is ever more valuable economically and socially. Businesses are using data in innovative ways, while individuals use it for communications as well as to buy goods and services.

    ‘How that data are handled and protected is more important than ever. Being seen as a well-regulated, safe jurisdiction for data is crucial – especially when you consider the important role of the financial services sector and the growing digital industry.

    ‘There is no reason why Jersey, and the Channel Islands, cannot become a centre of excellence for data and benefit from all the economic advantages that come from that. The GDPR is an opportunity to develop a high professional standard in data protection compliance.’

    Mrs Martins, who holds the role of Information Commissioner in Jersey (with responsibility for regulating Data Protection and Freedom of Information legislation) and Data Protection Commissioner in Guernsey, stressed the need for action from the private and public sector in relation to GDPR.

    ‘Businesses need to be ready for the new legislation and devote more resources to meet the requirements and the opportunities. The public sector also needs to be similarly prepared. The Office of the Information Commissioner is supporting both the private sector and the authorities, and a government review is underway looking at how this office can resource this work going forward,’ said Mrs Martins.

    Read more >
  • Data Protection qualifications for six States of Jersey staff members

    Five States of Jersey employees, along with a member of staff from Ports of Jersey, have recently passed the Practitioner Certificate in Data Protection qualification, which means they are now fully up-to-date with the requirements of the European Data Protection Directive and the Data Protection (Jersey) Law 2005.

    Julie Hinault (Taxes Office), Karen Wellman (Social Security), Andy Cousins (States of Jersey Police), Tracey Fullerton (Health and Social Services), Susie Gomes (Economic Development, Tourism, Sport and Culture) and Claire Brown (Ports of Jersey) had to complete five days of training and pass an exam to qualify.

    The Practitioner Certificate (PC.dp) is the practical qualification for those who work in the fields of data protection and privacy. Those holding the qualification will be instrumental in the practical implementation of the new General Data Protection Regulation (GDPR) which comes into force on 25 May 2018.

    Governance Officer for Social Security, Karen Wellman, said, “It has been a good experience to spend time with colleagues from different departments working in this area, so as well as now being formally qualified, I have also gained a good network of likeminded people with whom I can liaise. I would recommend the course, and with the introduction of GDPR, think that this is important to ensure confidence with compliance in this very important area for all businesses.

    The Commissioner extends her congratulations to all of them, who join Colin Renouf from States of Jersey Police and Mel Pardoe from Education, who already hold this qualification.

    Read more >
  • Personal data vulnerable to cyber attack

    The annual assessment of the biggest cyber threats to UK businesses has been published today, after being produced jointly for the first time by the National Crime Agency (NCA), National Cyber Security Centre (NCSC) and industry partners from multiple sectors.

    The report emphasises the need for increased collaboration between industry, government and law enforcement in the face of a growing and fast-changing threat, and discusses the trend of criminals imitating the way suspected nation state actors attack organisations such as financial institutions, and the risk posed by the ever-increasing number of connected devices, many of which are not always made secure by manufacturers or users.

    The report notes the cyber security challenges faced by businesses, and urges them to report all cyber crime to ensure the UK has an accurate intelligence picture and highlights the resources available to companies of all sizes, particularly the large firms which often present the most attractive targets for attackers.

    The report will be presented at the NCSC’s Cyber UK Conference in Liverpool, today (14 March). For further details and to see the full report, click here.

    Read more >
  • Channel Island delegation updates European Commission on its commitment to new data protection regime

    THE European Commission has pledged to further strengthen relations with Jersey and Guernsey on data privacy and protection.

    The islands are among the small group of non-EU countries that are the subject of an ‘adequacy decision’ by the Commission, which is an official certification that the islands meet essentially equivalent data protection standards to those applying in the EU.

    At a recent meeting in Brussels, a pan-Channel Island delegation updated the Commission on legislative, regulatory and policy developments since our original adequacy decisions were adopted and explained the efforts being made in both Bailiwicks to implement the GDPR and the new directive.

    ‘Much work has been done in recent months across the Channel Islands to ensure we are strongly positioned to respond to the impending reform of data protection regulation. The visit by representatives of the islands and this office was a significant step for us all,’ said Emma Martins, Jersey’s Information Commissioner.

    ‘Maintaining the islands’ reputation as a well-regulated jurisdiction, in respect of data protection, is more important than ever. Ensuring the Channel Islands provide a robust framework of protection for personal data is vital not only for established businesses, as when done well it is also fundamental for economic growth and innovation in this digital era.

    ‘I am delighted that both the States of Jersey and the States of Guernsey have committed to high quality legislative reform for the islands and my team and I are equally committed to delivering a meaningful and effective regulatory regime.’

    In May 2018 a new data protection regime will come into force in the EU – the General Data Protection Regulation (GDPR) together with the Law Enforcement Directive, which applies a similar regime to exchanges of personal data between law enforcement authorities. Jersey and Guernsey have committed to implementing into domestic law, by May 2018, essentially equivalent provisions to the GDPR and the new Law Enforcement Directive.

    Senator Paul Routier, assistant minister, Chief Ministers Department, Jersey, added: ‘Ensuring that we are ready for the EU’s new data protection regime next year is important for Jersey’s continued access to European markets. I was therefore pleased that officials were able to update the Commission on the good progress that is being made in Jersey and Guernsey to implement this new regime, and I was particularly encouraged to learn that the Commission is committed to ensuring the continuity of the Islands’ adequacy findings in respect of data protection.

    ‘This project is an excellent example of pan-Island cooperation and I will be supporting efforts to further strengthen our relations in the area of data privacy and data protection.’

    Read more >
  • Sir Tim Berners-Lee: “We’ve lost control of our personal data”.

    As the world wide web celebrates it’s 28th birthday, founder and web inventor Sir Tim Berners-Lee explains how the internet has developed, and voices his concerns about recent trends that he believes need to be tackled immediately for the internet to fulfil its true potential.

    One of those concerns is the loss of control of our personal data, and how many consumers seem happy to give away their personal information in exchange for services without realising that their information will be shared with other companies. In his open letter on his Web Foundation website, Mr Berners-Lee makes some suggestions as to how we can regain some of that control.

    Click here to see the full letter.


    Read more >
  • Governments urged to be more proactive about making information public

    TRANSPARENCY and open government is more important than ever in what has been called a ‘post truth’ age of information rights.

    At a recent meeting for national and regional Freedom of Information Commissioners and Ombudsmen held in Berlin, delegates – including Emma Martins, head of the Channel Island Data Protection regulator – were told about the importance of government being more proactive about making information public.

    Much of the discussion during the meeting centred on government taking the initiative and being more proactive about making information public. Graham Smith from the EU Ombudsman talked about the work of his office in encouraging wider access and the easier exercising of rights together with the promotion of good administrative practices, where decisions are taken as openly and as close to the citizen as possible.

    Attending in her capacity as Jersey’s Information Commissioner charged with regulation of the Freedom of Information (Jersey) Law 2011, Mrs Martins said: ‘Openness contributes to the strengthening of principles of democracy and respect for fundamental rights, and the right of access to documents is only one small part of accountability and showing transparency.

    ‘Many jurisdictions across Europe have adopted Freedom of Information legislation, with Jersey implementing its own Law in 2015. The Bailiwick of Guernsey does not have legislation in place, however, does have a code of practice for access to government information, underpinned by the core principles of a presumption of disclosure; a corporate approach; a culture of openness; proactive publication; and effective records management.

    ‘The overarching message arising from the meeting was that a strong information access regime can only be fully effective if supported by mediators acting between the state and its citizens, and in a resolution agreed by the participants, governments have been called upon to enforce freedom of information and strengthen those charged with oversight of those laws.’

    The Berlin meeting was the first of this group with the main purpose being to provide a forum for international cooperation between regulatory authorities and Ombudsmen across Europe and the Crown Dependencies.

    The full resolution can be found by clicking on the link below. For further information, please contact the Office of the Information Commissioner at

    2017 Resolution

    Read more >