• The Office of the Information Commissioner (OIC) welcomes Jersey’s new Cyber Security Strategy

    With data at the heart of so much economic and social activity in the Island, the security of that data is vitally important in both a professional and personal capacity.

    The major reform of data protection legislation due in early 2018 is, to a significant degree, prompted by the new risks posed to individuals in this digital era.  If Jersey is to respond to those risks, an effective and responsive cyber security strategy is an essential element of data protection and must form part of the broader Island data strategy.

    ‘Whilst it is important for all of us to be aware of the risks, government has a major role to play in ensuring there is a robust policy and a legal and technical framework underpinning digital activity,’ said information commissioner Emma Martins.

    ‘We have seen high profile security breaches in recent years and it is a problem that is only going to increase. Not only do breaches pose very real risks to individuals whose data have been compromised, it also affects the reputation of the organisation and the jurisdiction where the organisation is based. This is why it is so important for government and business to work together and the OIC welcomes the Cyber Security strategy report and consultation.

    ‘For a jurisdiction to benefit from the huge opportunities the digital era presents for government, business and individuals, we need to ensure we have the tools to respond. This is no longer the sole domain of just IT staff.  Digital security is the responsibility of us all, and needs engagement at every level of society so I would urge Islanders to respond, both in a personal and professional capacity. Data security must now be on every board agenda, risk register and education programme,’ added Mrs Martins.

    The States of Jersey’s consultation paper can be found at

    Read more >
  • Data Protection Reform highlighted as key priority for States of Jersey in new Digital Policy Framework

    The States of Jersey have published their Digital Policy Framework; a document that outlines the six core long-term objectives that will determine the approach to digital policy for the next decade.

    Data Protection is one of those core objectives and the document outlines their aims underpinned by principles covering how policy will be developed to achieve these aims.

    More detail can be found at the the Digital Police Framework webpage.

    Read more >
  • Data Protection Day: Businesses urged to prepare for major overhaul of data protection law due in 2018

    As part of International Data Protection Day on 28th January, the Office of the Information Commissioner and Data Protection Commissioner is calling on all businesses in the Channel Islands to ensure they make themselves aware of impending legislative changes that will have significant ramifications for the way that they handle all personal data.

    When it comes into force across the European Union (EU) from May 2018, the General Data Protection Regulation (GDPR) aims to strengthen data protection rights for individuals and harmonise compliance requirements for businesses.

    GDPR is set to be the largest change to the protection of personal data across Europe since implementation in 1995 of the EU Data Protection Directive which is currently in force. At that time, and in response to the transfer controls on data exported from the EU, the Channel Islands implemented the Data Protection (Bailiwick of Guernsey) Law, 2001 and the Data Protection (Jersey) Law 2005 which ensured the continued free flow of data to the Islands.

    The Regulation will be overseen by the European Parliament, the European Council and the European Commission. The governments of Jersey and Guernsey, together with the Channel Islands Brussels Office, are working with the Commission as well as key stakeholders, to ensure the Islands are prepared for the changes and businesses are aware of their responsibilities and have time to prepare.

    The Commissioner is using Data Protection Day, an international day designed to raise awareness and promote privacy and data protection best practices, to start the public conversation about GDPR and its implications.

    Emma Martins, head of the Channel Island Data Protection regulator, said, ‘The introduction of GDPR will be transformative for how businesses handle personal data; we are on the verge of huge change in data regulation. To support businesses of all sizes, we will be preparing information and guidance as the law drafting progresses throughout 2017 and are committed to continuing this conversation with businesses.

    ‘I cannot over emphasise the importance of being prepared for this legislation. I particularly want to stress this to the Islands’ small to medium sized business communities who may not have access to the legal or compliance expertise and resources available to larger organisations. The new regulations are certainly going to up the game in terms of compliance obligations and there is much greater accountability for data controllers and processors. Wherever personal data is involved, whether that is staff, client or any other information relating to individuals, data protection compliance will have to be considered and built in at the beginning of the process and to a more significant and demonstrable degree.’

    Mrs Martins is also clear that GDPR is extremely important for individuals: ‘Whilst this is important for the Channel Islands in that it will ensure we remain a trusted jurisdiction with no restriction on data flows, its importance for all of us in a personal context should not be underestimated. We live in an era where a vast amount of our personal information is being collected and used in ways unimaginable only a few years ago. What happens to that data is a deeply serious question and effective regulation plays a significant part in ensuring we all have the rights we are entitled to and have come to expect living in a democracy.’

    Both governments have committed to GDPR being incorporated into local law with the intention of being ready for implementation for May 2018.

    ‘I have had extremely positive meetings with senior representatives from the States of Jersey and States of Guernsey, both of which are committed to ensuring the Islands are fully compliant with GDPR. In anticipation, we have begun a comprehensive review of the Commission’s structure and resources to ensure we are in in a strong position to support businesses at this time,’ added Mrs Martins.

    Data Protection Day is aimed at individuals, families, consumers and business and encourages people to consider the important of protecting their personal information online.

    For further information about GDPR, please visit the bespoke GDPR section of our website:


    Read more >
  • UK Children’s Commissioner publishes report on children’s interaction with social media providers

    The UK Children’s commissioner has called for greater representation after a recent study found half of eight- to 11-year-olds have agreed opaque T&Cs with social media firms.

    Children are being left to fend for themselves in the digital world, regularly signing over rights to their private messages and pictures unknowingly and with scant advice from parents or schools, according to commissioner.

    Almost half of eight- to 11-year-olds have agreed impenetrable terms and conditions to give social media giants such as Facebook and Instagram control over their data, without any accountability, according to the commissioner’s Growing Up Digital taskforce.

    The year-long study found children regularly signed up to terms including waiving privacy rights and allowing the content they posted to be sold around the world, without reading or understanding their implications.

    The full report can be found by clicking here.

    Read more >
  • CJEU issues important ruling on data retention

    An important ruling was issued yesterday by the Court of Justice of the European Union (CJEU) on two joined cases, one from Sweden and one from the UK. In a 2014 ruling, the CJEU declared the 2006 EU Data Retention Directive invalid on the grounds that the general obligation to retain communications and location data imposed by that directive went beyond what was strictly necessary for its purposes and was in breach of citizens’ rights with respect to privacy and the protection of personal data. Following that judgment, two references were made to the CJEU in relation to the general obligation imposed in Sweden and in the UK on providers of electronic communications services to retain similar data to that which had been required to be retained in the EU Directive. The case in the UK concerned the UK Data Retention and Investigative Powers Act (DRIPA). The case was referred to the CJEU by the UK Court of Appeal for clarification on whether an EU ruling which prohibits indiscriminate data retention has to be respected in domestic law. Yesterday’s ruling says that indeed it should be. The matter will now revert back to the UK Court of Appeal.

    The ruling and CJEU’s press release can be accessed by clicking on the below link.

    Read more >
  • Freedom of Information Law Appeal – Decision Notice issued

    The Information Commissioner (‘the Commissioner’) has ruled that the Chief Minister’s Department will have to make further disclosure connected to a request under the Freedom of Information (Jersey) Law 2011 (‘the Law’) made by the applicant for all emails between members of the then Council of Ministers in the month of October, 2014.

    In its initial response to the applicant’s request, the Chief Minister’s Department, as the ‘scheduled public authority’ under the Law (‘the SPA’), provided the applicant with a number of emails, some of which were fully or partly redacted (the SPA relying on a number of exemptions under the Law). The applicant subsequently appealed to the Information Commissioner under Article 46 of the Law, seeking a review of the SPA’s decision to rely on certain of those exemptions, details of which are contained within the Commissioner’s Decision Notice.

    Following enquiry it is the Commissioner’s decision that ‘whilst the SPA is entitled to rely on some of these exemptions to withhold certain of the emails (or parts thereof), some of the exemptions are not engaged and thus the SPA must disclose such information in order to comply with the legislation.’ The Commissioner therefore finds that ‘The complaint is therefore partly upheld.

    The Decision Notice requires the SPA to make certain further disclosures within 35 calendar days of the date of the notice.

    In making this finding the Commissioner also records, within the appendix to the Decision Notice, that a significant number of emails which were subject of the request were appropriately fully or partly redacted and in accordance with exemptions under the Law.

    Anyone can apply for information held by a “scheduled public authority” (States departments, parishes, police and judicial bodies) under the law, which states that information held by a scheduled public authority must be disclosed on request unless it meets specific exemption criteria set out in the Law.
    The legislation provides a two-stage appeal process, firstly to the authority that holds the information, and secondly to the independent Commissioner.

    (To view the full Decision Notice – Select the ‘Freedom of Information’ tab on the above menu and then select ‘Decision Notices’ on the following page.)

    In light of Article 47 of the Law, which allows for appeal to the Royal Court against a decision of the Information Commissioner, no further comment will be made at this time.

    The Information Commissioner has responsibility for promoting and enforcing the Data Protection (Jersey) Law 2005 (DPL) and the Freedom of Information (Jersey) Law 2011 (FOIL). She is Jersey’s independent authority tasked with upholding information rights in the public interest, promoting openness by public bodies and data privacy for individuals. The Information Commissioner does this by providing guidance to individuals and organisations, solving problems where she can and taking appropriate action where the law is broken.

    Read more >
  • UK halts Facebook’s WhatsApp data dip

    Facebook has been told it must not use data gathered from UK members of its WhatsApp messaging app to target ads on its core social network.

    The UK’s Information Commissioner said she did not believe the firm had obtained valid consent for the move and added that people must be given “ongoing control” over their data.

    Elizabeth Denham said that Facebook had agreed to “pause” its rollout but had not met all her demands.

    Facebook has yet to publicly comment.

    For the full report, please click on the link below:

    Read more >
  • How the UK ICO will be supporting the implementation of the GDPR

    The UK government has now confirmed that the UK will be implementing the General Data Protection Regulation (GDPR). The Secretary of State Karen Bradley MP used her appearance before the Culture, Media and Sports Select Committee to say:

    “We will be members of the EU in 2018 and therefore it would be expected and quite normal for us to opt into the GDPR and then look later at how best we might be able to help British business with data protection while maintaining high levels of protection for members of the public.”

    For more information, please click on the link below:

    Read more >