THE Jersey Office of the Information Commissioner is the independent regulatory authority that promotes respect for the privacy and information rights of individuals. The JOIC oversees the Data Protection (Jersey) Law 2018, which requires organisations to manage the personal information they hold in a fair, lawful and transparent way. We put your questions to the Island’s Information Commissioner Paul Vane.
As Covid-19 restrictions ease and the recommendation to work from home ends, what privacy considerations should employers be thinking about?
There are a variety of areas of data protection employers need to consider when their employees are returning to the workplace. For example, have all copy files/paperwork been returned and logged back into the office? Have any members of the team processed personal information of staff or customers on their personal (non-work-provided) devices? What is the procedure for capturing the relevant information and ensuring the information is deleted from those personal devices?
Employers might also need to consider their staff handbook and procedures to reflect how they handle Covid-19 health data. Covid-19 health data should be treated with the same considerations as any other health data you collect about your employees. It must be stored securely and only shared with those who need to see it.
If data related to individuals infected by Covid-19 or who are at risk of infection is communicated to individuals who are not authorised/have no need to know that information, there are potential risks of discrimination and damage for the relevant individual. Information should be shared on a ‘need-to-know’ basis.
A procedure should outline the people to which the information on the infection (or the potential infection) should be communicated. For example, even a minor alteration of the record of the body temperature of an employee being visible to other employees could cause embarrassment and would amount to a disclosure of ‘special-category’ health data. The collection of data should occur in a manner able to protect employee confidentiality and in the least intrusive way possible.
What is a data protection impact assessment and how do I know if my organisation needs to complete one?
A data protection impact assessment, often referred to simply as a DPIA, is a process to help organisations identify and minimise the data protection risks of any given project. Under the Data Protection (Jersey) Law 2018, a DPIA is a mandatory preprocessing requirement where the envisaged project, initiative or service involves data processing which is ‘likely to result in a high risk to the rights and freedoms of natural persons’.
This is particularly relevant when a new process or data-processing technology is introduced in your organisation. In cases where it is not clear whether a DPIA is strictly mandatory, carrying out a DPIA is still best practice and an extremely useful tool to help data controllers demonstrate their compliance with the data-protection law. DPIAs are scalable and can take different forms, but the law sets out the basic requirement of an effective DPIA.
International transfers: What constitutes a transfer of personal data?
While the Data Protection (Jersey) Law 2018 (and GDPR) does not define what a ‘transfer’ is, previous legislation regards transfers as a ‘disclosure of personal data to a person in a country or territory, or otherwise makes the information contained in the personal data available to another person in a country or territory.’ This means that, even if the personal data does not leave Jersey, if someone in another jurisdiction can access it, then this would constitute a transfer of personal data.
There are strict rules around transfers of personal data to jurisdictions outside the European Economic Area. Organisations should be aware of the relevant data-transfer mechanism they are using to ensure that the rights and freedoms of individuals in the receiving jurisdiction respect of their personal data are protected. The JOIC has published guidance on our website which details what organisations will need to do if transferring personal data to, or allowing access to personal data from, a jurisdiction outside the EEA.
For a wealth of data-protection resources and guidance, visit the Jersey Office of the Information Commissioner’s website at jerseyoic.org.
Do you have a question to Ask The Commissioner?
Email it to firstname.lastname@example.org, or ring the JOIC communications team on 01534 716530.