WHY do businesses, clubs and associations in Jersey need to register with the JOIC?
Individuals must be able to trust industry to treat them fairly and in accordance with a law which is all about people protection, the Data Protection (Jersey) Law 2018. It is that law that my office, the Jersey Office of the Information Commissioner, oversees.
Trust becomes even more essential in an era of rapidly advancing technology that poses increasingly higher risks to the rights and freedoms of individuals. New technologies are improving the quality of life in many ways, including facilitating advances in medical treatments. Large volumes of personal data of varying levels of sensitivity being stored electronically, however, are increasing the risk of financial loss or personal humiliation through the loss or theft of that data.
All businesses, charities, public bodies, clubs and associations must ensure that they respect the personal information they use within their activities and allow individuals to exercise greater control over their personal data as a basic human right. The first step in achieving that is registration with our office. Registration is part of a suite of data protection obligations which any organisation, regardless of size, needs to embrace. The Law provides that proportionality is key.
What do I get in return for the registration fee?
The JOIC office and website – jerseyoic.org – offers unlimited resources of guidance and checklists to help organisations meet compliance needs and we are at the end of a telephone to help with any query. Data protection is about keeping personal information safe – not only your personal information but also that of friends and family.
Our work is funded by the fees organisations pay when registering their data-processing activities with our office. That work involves ensuring that every organisation in Jersey complies with the data protection laws. It also includes an extensive education programme raising awareness of information rights, public awareness campaigns and enforcing non-compliance where appropriate and necessary.
Compliance in safeguarding personal information is critical for the industry and the Island’s reputation as a safe place to live and do business. Without a data protection regulator, Jersey would be unable to ensure data flows in and out of the Island are protected, and we would not be able to flourish on the international finance stage.
Our office is independent of the Government of Jersey and is the regulatory authority that promotes respect for the privacy and information rights of Islanders and is responsible for overseeing the Data Protection (Jersey) Law 2018 and the Data Protection Authority (Jersey) Law 2018. The registration fee is a legal requirement in law passed by the States Assembly. Personal information covers many types of information from which an individual can be identified, for example images, voice, blood type, DNA, health, political beliefs.
All organisations using one or more types of personal information must comply with the principles of the Data Protection Law.
Once registered, what are the other obligations businesses, charities, public bodies, clubs and associations need to adhere to?
The Data Protection (Jersey) Law 2018 is based around six principles of ‘good information handling’. These principles identify the obligations imposed on all organisations using personal information and are as follows:
- Fair and transparent processing: This means personal information must be processed lawfully, fairly and transparently.
- Purpose limitation: This refers to the fact personal information must be collected for specified and legitimate purposes.
- Excessive data collection: Personal information collected must be relevant and limited to what is necessary for the purposes for which it was collected.
- Accuracy of data: Personal information must be accurate and, where necessary, kept up to date.
- Storage limitation – Personal information must be kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which it was being processed.
- Data security, integrity and confidentiality – Personal information must be processed in a way that ensures it is secure and protected against unlawful processing, accidental loss, destruction or damage.
I’m a delivery driver and keep my delivery details in a book, not on a computer. Do I need to register with JOIC?
Yes. You are required to be registered with our office, as you are established in Jersey and are using personal information about individuals. You are keeping the information on paper and in an organised manner to be able to operate your rounds, collect payment, and make notes of any specific instructions.
You have an obligation to keep your customer information safe and secure, as does a larger retailer or finance business. That said, the levels of security, systems and sophistication you adopt will be proportionate to the volume and type of personal information held.
Do you have any tips for anyone who may be new to the world of data protection?
Yes. I would recommend knowing exactly what personal information you use in your operational activities. Know how you receive it, what happens to it, what you need the information for and when you no longer need it. We recognise this sounds rather daunting; however, we all want our personal information to be respected and used fairly. As an example:
1. Sit and note down all the different pieces of personal information you rely upon to fulfil your activities. This will include customer, staff, volunteer and supplier information.
2. Note down how you get the information. Where do you get it from?
3. Then add in if you share it with anyone outside of your business and why.
4. Next, consider how long you are keeping the personal information and why it is being kept for this period.
5. Consider how you are keeping it safe. Do you need to invest in measures to protect the information?
- Do you have a question to ask the commissioner? Email it to communications@jerseyoic.org or ring the JOIC communications team on 01534 716530.
What does the JOIC do?
The Jersey Office of the Information Commissioner is the independent regulatory authority that promotes respect for the privacy and information rights of individuals. The JOIC oversees the Data Protection (Jersey) Law 2018, which requires organisations to manage the personal information they hold in a fair, lawful and transparent way (and also has regulatory oversight for the Freedom of Information (Jersey) Law 2011). Our mission is to provide the people of Jersey with the highest level of data protection.
