• New UK Data Protection Bill introduced into the House of Lords

    The UK Government has yesterday introduced the new UK Data Protection Bill to the House of Lords which, if passed, will overhaul the current UK data protection regime.

    In most respects the bill, which will come into force next May, will transfer the European Union’s General Data Protection Regulation into UK law. The legislation will also be maintained after Brexit.

    Whilst the proposals impose much heavier fines on those who do not protect personal data, the government said it had negotiated “vital” exemptions to create a more “proportionate” regime for Britain.

    The government had already unveiled other key provisions of the Data Protection Bill in August, including:

    • Making it simpler for people to withdraw consent for their personal data to be used
    • Letting people ask for data to be deleted
    • And making re-identifying people from anonymised or pseudonymised data a criminal offence

    In addition, UK firms that suffer a serious data breach could be fined up to £17m or 4% of global turnover.

    The current maximum fine firms can suffer for breaking data protection laws is £500,000.

    To read the proposed UK Data Protection Bill in full, please click here.

    Read more >
  • Grand Chamber judgment Barbulescu v. Romania – monitoring of an employee’s electronic communications

    The Grand Chamber of the European Court of Human Rights this week released its judgment that the monitoring of an employee’s electronic communications had amounted to a breach of his right to a private life.

    The judgment (attached in full here) found that the individual had not been made aware that there would be monitoring of his electronic communications, prior to its commencement or the nature and extent of the monitoring which included the possibility of the employer seeing the full contents of such communication.

    Read more >
  • Government to strengthen UK data protection law

    People to have more control over their personal data and be better protected in the digital age under new measures announced by Digital Minister Matt Hancock.

    In a statement of intent the Government has committed to updating and strengthening data protection laws through a new Data Protection Bill. It will provide everyone with the confidence that their data will be managed securely and safely. Research shows that more than 80 per cent of people feel that they do not have complete control over their data online.

    The full article from the UK Government website can viewed here.

    Read more >
  • Shadow Chair for Data Protection Authority

    The States of Jersey and Guernsey are recruiting a Shadow Chair for the Data Protection Supervisory Authorities of the Channel Islands. The Shadow Chair will help shape the way data protection is regulated in the Channel Islands, and will provide independent advice to the respective States, as well as to the Supervisory Authorities, on exercising their responsibilities under new data protection legislation. The Shadow Chair will be recruited from outside Jersey and Guernsey.

    The full article can be found by following the link below:

    Read more >
  • Statement regarding data breach by the Parish of St Helier

    Jersey’s Information Commissioner Emma Martins said: ‘The Parish of St Helier informed my office of a data breach during the afternoon of Friday 14th July 2017. The breach related to an email sent to St Helier ratepayers in which the email addresses of all recipients was included, and therefore disclosed. It appears the recipients’ emails were erroneously entered into the ‘cc’ box rather than the ‘bcc’ box.

    ‘It is not mandatory for data controllers to report data breaches to my office under the current legal regime (Data Protection (Jersey) Law 2005). However, it will be mandatory from 2018 when new data protection legislation is due for implementation. As such, we welcome the proactive position taken in respect of this matter by the Parish of St Helier.’

    She added: ‘The Office of the Information Commissioner has received a number of complaints and enquiries relating to this incident. We will now seek further, detailed information from the Parish of St Helier to better understand how the incident happened and the steps they now propose to take. While this investigation remains ongoing, it would be inappropriate to comment further at this stage.’

    Read more >
  • GDPR: One year to go

    WITH one year to go until the General Data Protection Regulation (GDPR) comes into force across the European Union (EU) on 25th May 2018, the Office of the Information Commissioner and Data Protection Commissioner is today launching a website, which will contain advice and guidance to help island businesses get to grips with the new legislation.

    ‘With one year to go I’m delighted that industry is talking about GDPR. I’ve spoken at dozens and dozens of briefings, seminars and other events over the past few months and am pleased to say that GDPR is certainly on the radar of the businesses I have spoken with – awareness is far greater than it was even six months ago,’ said Emma Martins, Data Protection Commissioner / Information Commissioner.

    ‘With 365 days to go we have launched a microsite which will become a useful portal for businesses looking for guidance. I urge islanders to keep an eye on this as we will be uploading information as it becomes available. I also want to give reassurance to businesses that GDPR is not a revolution, it’s an evolution of current data legislation, so if you’re compliant currently, you have a great base from which to work.

    ‘Local legislation is currently being drafted and both Jersey and Guernsey’s governments have committed to a harmonised approach to this,’ added Mrs Martins. ‘When this legislation is finalised we can then start to develop more detailed guidance. To date every island business has been sent general guidance on GDPR but we know we’ve got work to do to make sure businesses have access to specific guidance. We are working very hard behind the scenes to make sure that our office is ready for the changes.’

    In order to be prepared, business can begin by ensuring they have a detailed understanding of the data they hold and how they process this. This underpins the accountability aspect of GDPR. Any effective data governance strategy has to begin with a comprehensive data audit, which can be obtained by answering the following key questions:

    • What personal data do you hold? Do you hold any special category data?
    • Where is it from and where is it sent?
    • Why is it processed? For what purpose?
    • How is the processing lawful and fair? Which of the conditions is met? Have you provided individuals with details about the processing of their data, including reference to the rights they have?

    When it comes into force, the General Data Protection Regulation (GDPR) aims to strengthen data protection rights for individuals and harmonise compliance requirements for businesses. GDPR is set to be the largest change to the protection of personal data across Europe since the implementation, in 1995, of the EU Data Protection Directive, which is currently in force. At that time, and in response to the transfer controls on data exported from the EU, the Channel Islands implemented the Data Protection (Bailiwick of Guernsey) Law, 2001 and the Data Protection (Jersey) Law 2005 which ensured the continued free flow of data to the islands.

    The Regulation will be overseen by the European Parliament, the European Council and the European Commission. The governments of Jersey and Guernsey, together with the Channel Islands Brussels Office, are working with the Commission, as well as key stakeholders, to ensure the islands are prepared for the changes and businesses are aware of their responsibilities and have time to prepare.

    For more information, business can go to

    Read more >
  • States systems unharmed by ransomware attack

    The States of Jersey have released an official statement following last weekend’s large-scale ransomware attack. The statement talks about what local government has done to protect its own systems, as well as providing advice to Jersey residents on what they can do to protect themselves.

    The full statement can be read by clicking here.

    Read more >
  • Channel Island’s represented at Spring conference of European Data Protection Authorities

    Representatives of European Data Protection Authorities are meeting in Cyprus this week for the annual European Spring Conference.

    The Channel Islands are attending the event which features valuable GDPR preparation discussions together with sessions dedicated to cloud computing, law enforcement and genetics.

    With only one year to go until GDPR implementation, opportunities such as these are vital for developing knowledge and for sharing thoughts, concerns and practice about the future of Data Protection regulation, all of which are of significant benefit not only to the attending regulatory authorities, but also to businesses across the Channel Islands.

    For more details about this year’s conference programme and discussions, please click on the link below:




    Read more >
  • Jersey can benefit economically by becoming a ‘centre of excellence’ but more resources will be needed

    JERSEY can reap major economic benefits by becoming a ‘centre of excellence’, says the island’s Information Commissioner.

    Emma Martins says new data protection laws offer positive opportunities, but that the private and public sectors need to ensure appropriate allocation of resources to ensure they are prepared for the legislation.

    The General Data Protection Regulation (GDPR) is due to come into force in May 2018 in Jersey and Guernsey. It will update data protection rights for the internet and digital age, controlling how governments and businesses process individuals’ information. It will also mean that businesses don’t face significantly different compliance rules if they are conducting business locally and across the European Union (EU).

    Mrs Martins, who recently spoke at a Jersey Chamber of Commerce event on GDPR, said: ‘Data is ever more valuable economically and socially. Businesses are using data in innovative ways, while individuals use it for communications as well as to buy goods and services.

    ‘How that data are handled and protected is more important than ever. Being seen as a well-regulated, safe jurisdiction for data is crucial – especially when you consider the important role of the financial services sector and the growing digital industry.

    ‘There is no reason why Jersey, and the Channel Islands, cannot become a centre of excellence for data and benefit from all the economic advantages that come from that. The GDPR is an opportunity to develop a high professional standard in data protection compliance.’

    Mrs Martins, who holds the role of Information Commissioner in Jersey (with responsibility for regulating Data Protection and Freedom of Information legislation) and Data Protection Commissioner in Guernsey, stressed the need for action from the private and public sector in relation to GDPR.

    ‘Businesses need to be ready for the new legislation and devote more resources to meet the requirements and the opportunities. The public sector also needs to be similarly prepared. The Office of the Information Commissioner is supporting both the private sector and the authorities, and a government review is underway looking at how this office can resource this work going forward,’ said Mrs Martins.

    Read more >
  • Data Protection qualifications for six States of Jersey staff members

    Five States of Jersey employees, along with a member of staff from Ports of Jersey, have recently passed the Practitioner Certificate in Data Protection qualification, which means they are now fully up-to-date with the requirements of the European Data Protection Directive and the Data Protection (Jersey) Law 2005.

    Julie Hinault (Taxes Office), Karen Wellman (Social Security), Andy Cousins (States of Jersey Police), Tracey Fullerton (Health and Social Services), Susie Gomes (Economic Development, Tourism, Sport and Culture) and Claire Brown (Ports of Jersey) had to complete five days of training and pass an exam to qualify.

    The Practitioner Certificate (PC.dp) is the practical qualification for those who work in the fields of data protection and privacy. Those holding the qualification will be instrumental in the practical implementation of the new General Data Protection Regulation (GDPR) which comes into force on 25 May 2018.

    Governance Officer for Social Security, Karen Wellman, said, “It has been a good experience to spend time with colleagues from different departments working in this area, so as well as now being formally qualified, I have also gained a good network of likeminded people with whom I can liaise. I would recommend the course, and with the introduction of GDPR, think that this is important to ensure confidence with compliance in this very important area for all businesses.

    The Commissioner extends her congratulations to all of them, who join Colin Renouf from States of Jersey Police and Mel Pardoe from Education, who already hold this qualification.

    Read more >