News

  • 6 December 2018: Official office opening event

    On Thursday 6 December, we welcomed invited guests to attend the official opening of our new offices at St Martin’s House. We would like to thank all our guests who braved the elements to attend; it was our pleasure to see you all.

    We reflected on the significance of our office environment, which now allows us to host our own board meetings (the third of which was held during the day yesterday), to meet privately with members of the public and, from 2019, to begin holding public events.

    Special thanks also to Ben Fiore and Louise Lawton – both immensely talented local artists whose work depicts our jurisdiction and islanders, in the public areas of our offices.

  • Marriott breach: advice published by National Cyber Security Centre

    For any Bailiwick residents who may have been affected by the large data breach at the hotel group Marriott International, we would like to point you to this NCSC advice.

    A spokesperson for the National Cyber Security Centre said:

    “We are working with partners to better understand the data breach affecting Marriott International and how it has affected customers.

    “The company has confirmed an unauthorised access to a database they say contains information on up to approximately 500 million guests worldwide who made a reservation at a Starwood property.

    “The NCSC website includes advice for people who think they have been affected by the data breach, including guidance on suspicious phone calls and targeted emails that can be sent after a data breach.

    “We also recommend that people are vigilant against any suspicious activity on their bank accounts and credit cards and contact their financial provider if they have concerns.”

    Read full advice from National Cyber Security Centre.

    If you have any concerns please call us on +44 1481 742074, or email enquiries@odpc.gg.

  • Data protection implications of Brexit for the Bailiwick

    We have received an increasing number of queries from organisations exploring the potential impact Brexit may have on Bailiwick organisations and data transfers to and from the UK.

    Following the publication of the draft agreement on Britain’s withdrawal from the European Union on 14 November 2018 we would like to give the following update:

    • Our understanding is that the UK will remain subject to the GDPR during transition (so until December 2020) for data related to EU citizens, unless adequacy is recognised before then. This would seem to indicate that transfers of personal data from the EU to the UK will continue as at present, although we note that the word ‘transfer’ is absent from that section’s text in the draft agreement.
    • The draft agreement also gives 21 months for the UK to navigate the adequacy process, something recognised in the accompanying Political Declaration document that sets out the relationship between the UK and the EU once the transition period ends.

    Following EU leaders’ approval of the draft agreement on 25 November, we continue to monitor this position as the agreement makes its way to the UK parliament on 11 December.

    For more in-depth information please refer to: ‘Leaving the EU: the data protection implications of a Hard Brexit for UK businesses with EU data flows and clients’ (May 2018 document).
  • Christmas: keeping children safe through data protection

    The festive season is upon us. If you’re worried that data protection is here to ruin Christmas – fear not. Below is some advice on how to ensure you and/or your organisation protect children’s rights when sharing photographs/videos of school nativity plays or other festive events*.

    Q: I’m a parent/carer/grandparent – does the Data Protection Law stop me taking photos of my children at school?
    A: In short, probably not. The Data Protection Law is unlikely to prevent you from photographing/filming your own children in their school. Remember, if photos are taken for your own personal use they are not covered by the Law. The school may have its own rules around the taking of photographs/video which may reflect safeguarding policies that have been adopted. Also, some schools make a decision to have an official photographer/videographer at events. If in doubt, check directly with the school.

    Q: What about sharing photos/videos of my children on social media?
    A: Again, the law does not prevent you from doing this, as long as you are sharing this content privately with family members/friends.

    Q: What if the photographs/video I’m sharing feature other people’s children too?
    A: When you share this kind of content in a public group or platform, the Law would apply, and you must respect the children’s rights under the Data Protection Law.

    Remember that ‘data protection’ is really ‘people protection’, and that there are children whose family situation is not known to you – if you publicly share content that identifies them as attending a particular school you may be inadvertently compromising their privacy or even putting them in danger. Avoiding scenarios like this goes to the heart of the reason why data protection laws were strengthened in 2018, both locally and in many other jurisdictions worldwide. Also, remember that this applies to other parents/carers that may be taking images of your child. Treat others as you would expect to be treated yourself. The law is not designed to prevent legitimate activity, it is designed to protect the rights of all of us.

    Q: As a school are we allowed to share content featuring our pupils in school newsletters, or online?
    A: As a school processing personal information about children, their family and your employees, the Data Protection Law applies. You should have comprehensive, readily-available, and up-to-date data protection policies that detail how you protect your pupils’ personal data (including imagery of them). If you are relying on children (or their legal guardian) consenting to your use of their personal data then you must have a record of how that consent was freely given and what use it applied to. But, remember that consent is not your only option – there are a number of other conditions that you can legally base your handling of personal data on. It is important that parents/guardians of children are fully informed of the way in which you handle all personal data and are given an opportunity to ask you for further information about the processing.

    In summary:

    • Check the rules for recording visual content (photos/videos) at your own school.
    • Treat other people’s children in the same way that you would expect them to treat yours – with respect.
    • Do not record or share visual content of children publicly without making sure that is what all parties are happy with.
    • Enjoy the event!

    If you need any further advice on this, or any other matter related to protecting personal data please call us on 742074 or email enquiries@odpc.gg.

    * This advice applies all year round, to all school events such as sports day, prize givings, open days, fundraisers etc.

  • Data protection law change, 6 months on

    The Office of the Data Protection Commissioner staff (L-R: Tim Loveridge, Leanne Archer, Mike Appelqvist, Emma Martins, Rachel Masterton, Lesley Le Bailly, Lawrence West)

    The Office of the Data Protection Commissioner (ODPC) is marking the six-month anniversary of the introduction of Europe’s General Data Protection Regulation (GDPR) and the equivalent local legislation by providing an update on its activities since 25 May, as well as an indication of the road ahead.

    The unprecedented interest in data protection in the lead up to 25 May 2018, combined with a stream of data scandals has ensured the issue of data has remained high on the agenda of business, government and individuals in the six months since implementation of wide-ranging legal reform across Europe and in the Bailiwick.

    The ODPC has, along with other regulatory offices, been focused on ensuring the new legislation is workable and effective. Like any significant legal framework, there remains some ambiguity and uncertainty as society grapples with fast evolving global technological and social change which may take time to work through. That should not deflect from the significance of the reform and a true understanding of why it is needed and what it seeks to deliver.

    The data protection commissioner, Emma Martins, commented on the ODPC’s role and regulatory approach:

    ‘The ‘datification’ of all our lives has brought with it changes to the way we live and how others shape our experiences, relationships and power balances. Regulatory effectiveness plays a major role in ensuring delivery of obligations in respect of data protection standards. How we, as the regulator, use our powers will fundamentally affect the nature and quality of compliance and we want to ensure we do so with integrity and with appropriate accountability and governance mechanisms embedded into everything we do. Part of delivering on that means that we ensure relevant and timely information is published about the law and our activities recognising that we are funded by the community and industries we are here to support.’

    Increase in local organisations registered with ODPC
    Since 25 May, 454 local organisations have fulfilled the legal obligation to register with the ODPC. This is on top of the 2,000 who registered prior to that date. It is a criminal offence for local organisations to handle any information relating to a living person without registering, unless a legal exemption applies.

    Enquiries and outreach
    The ODPC has answered approximately 400 emails sent to enquiries@odpc.gg since 25 May. Organisations and citizens are welcome to submit any queries they have to the ODPC via email, phone, letter, or in person. Since 25 May the data protection commissioner and her deputy have undertaken 14 speaking engagements at events held by local industry bodies, associations, charities, schools etc. The ODPC events programme will commence in early 2019 – this is a key aspect of the ODPC’s statutory obligation to raise public awareness of citizens’ rights and to promote awareness of local organisations’ legal duties when handling personal information.

    Funding secured to end of 2019
    On 15 May 2018 the Policy & Resources Committee approved the investment case and funding for the establishment of the ODPC and its operational costs through to the end of 2019. Thereafter, there is an intention to move towards a model that is predominantly funded through the collection of fees from local organisations. Our operating budget for 2018 stood at approximately £667,000, with a predicted operating budget for 2019 of ~£1.1 million.

    Online breach reporting introduced
    A secure, online system was developed to allow organisations to perform their new legal duty of reporting data breaches to the ODPC. This was in place for 25 May 2018, and in the six months to date we have received 71 breach notifications via this system.

    Independent status
    The ODPC’s board is The Data Protection Authority which officially became a fully independent regulator on 25 May 2018. This Board provides independent governance and oversight of the Office of the Data Protection Commissioner which performs the day-to-day regulatory function. The Board has met twice in the 6 months since 25 May to formalise the governance arrangements for delivery of its statutory functions.

    The Board retains the power to fine organisations up to a maximum of £10 million, for any data protection breaches that are deemed deliberate, wilful, repeated, seriously negligent or having caused significant harm.

    New recruits
    To assist in delivering on their statutory duties, between June and August 2018 three members of staff were recruited: an interim Chief Operating Officer, an Office Manager, and a Communications Manager, bringing the total headcount to 7.

    Office move
    In July 2018 the ODPC moved into new premises that allow sufficient office space for current staff and future growth. An event space was created within the office which will allow the ODPC to deliver on their statutory requirement to raise public awareness of citizens’ data protection rights and to promote awareness of data controllers/processors’ legal duties.

    Systems and data migration
    A key part of the ODPC’s independence from the States has been establishing stand-alone systems, financial controls and infrastructure. This took place during May – August 2018.

    Project work
    Work has commenced on the following projects: what the ODPC funding model from 2020 will look like; re-development of web-based services to bring them in line with upcoming statutory requirements; best practice in investigation and compliance; best practice in data forensics; public/industry engagement via an events programme; and establishing Memoranda of Understanding with key entities.

    The next 6 months
    The key change ahead for local organisations and citizens to be aware of is the end of what the Law calls ‘transitional relief’. Transitional relief relates to the period of time from when the Law was introduced (25 May 2018), to when every aspect of it comes into force (25 May 2019). The year delay was built into our local Law specifically to give local organisations sufficient time to fully prepare for the more complicated areas which are subject to this transitional relief.

    — Notes —

    Key statistics: in the 6 months since the 25 May law change

    • 454 – number of additional local organisations who have fulfilled their legal obligation to register with the ODPC
    • 400 – number of email enquiries the ODPC has answered
    • 14 – number of speaking engagements by the commissioner and deputy commissioner
    • £667,000 – the ODPC’s operating budget for 2018
    • 2 – number of board meetings held by The Data Protection Authority
    • 3 – number of additional staff recruited to the ODPC


    Infographic of key milestones (May 2018 – May 2019)


    Transitional relief

    As its name suggests ‘transitional relief’ refers to the year-long grace period following the introduction of the new Law in May 2018. When the Data Protection (Bailiwick of Guernsey) Law, 2017 was introduced the following nine areas did not fully come into force because they are subject to ‘transitional relief’:

    1. Duty to notify pre-collected data (sections 12 & 13)
    2. Duties of joint controllers (section 33)
    3. Duty to carry out impact assessment (sections 44 & 45)
    4. Processor-use duty (section 34)
    5. Processor duty to establish measures (sections 35 & 36)
    6. Duty of processor to obtain controller authorisation (section 36)
    7. Delay of right to data portability (section 14)
    8. Validity of consents obtained before 25 May 2018
    9. New registration requirements (sections 39 & 40)

    What does the end of transitional relief mean for organisations?
    Local organisations should use the remaining 6 months of transitional relief to review how the nine areas impact them and fully prepare themselves to be compliant. A good place to start is to read the ODPC guidance note published in June 2018 at www.odpc.gg/transition.

    What does the end of transitional relief mean for citizens?
    When the transition period ends in May 2019, all islanders will gain a new right of ‘data portability’. This means that they will be legally entitled to request that an organisation holding their personal data transfer it to another organisation. The data must be provided in a machine-readable format that is easy to download, organise and tag.

    Over the next 6 months the ODPC will be publishing and disseminating further guidance to support local organisations. To ensure you receive this guidance you are encouraged to sign up to the ODPC’s monthly newsletter at: www.odpc.gg/newsletter.

  • The philosophy of privacy

    Thursday 15th November is World Philosophy Day. Below, our commissioner Emma Martins outlines why it is imperative that we apply a philosophical approach to matters of privacy.

    Philosophy is, I would argue, something of interest in every area of our lives and privacy is no exception.

    The word ‘philosophy’ comes from the Greek ‘philo’ – meaning love, and ‘sophos’ – meaning wisdom, so, philosophy is literally ‘love of wisdom’.

    Philosophy is important because it allows us to develop critical and logical thinking skills which help us to decide what is and what isn’t true. Although it can be used to improve critical thinking and most people want to reason properly, it is often not given the priority it deserves because people who know the least about logic think they know quite a lot thanks to a cognitive bias known as the Dunning-Kruger effect. Most people think they reason properly and understand logic but very few feel a need to improve their understanding of these things.

    But we surely need wisdom in all aspects of our lives? Especially when we are talking about subjects which get to the very heart of what it is to be human, to understand our world, our values, and ourselves?

    Privacy has historical origins in philosophical discourse, most notably Aristotle’s distinction between the public sphere of political activity and the private sphere relating to family and domestic life.

    Although the modern world would be unrecognisable to early philosophers, the principles and importance of philosophy; of wisdom and thought, have never been more relevant and the tools of philosophy can help us to think better, more clearly, and with greater perspective about almost everything.

    Technology is giving rise to new and fundamental questions about human relationships, autonomy and liberty. A philosophical analysis of the social dimension of these advances will ensure that we have technology serving humankind, rather than humankind serving technology.

    Privacy is increasingly a matter of real daily concern with revelations around surveillance, manipulation and security breaches. We live in a big data society where our ‘digital exhaust’ leaves behind a trail of data which gives a comprehensive picture of our lives in its wake – who we know, how we are feeling, our shopping habits, our travel plans…everything! The way in which that information can be scrutinised, profited from, and manipulated has the potential to affect individuals and societies. So how, as individuals and societies, should we frame discussions around rights and responsibilities in our data driven world? The answer must begin with a love of wisdom. Because at its heart, privacy is fundamentally a philosophical question as it relates to treating people fairly (or not) and what the right thing to do is.

    Privacy itself is undeniably difficult to define and measure. If we are talking about the importance of privacy rights, where do those rights come from, what are they designed to do, can they be trumped and if so, by whom and in what circumstances? Philosophy in many cases is about deciding which goals and values are worthy to pursue – what ends are important. We can be scientific or pragmatic about pursuing goals in the most efficient manner, but it is important to have the right or most reasonable goals in the first place. Philosophy is a way of scrutinising ideas about which goals are the most important ones.

    There are many challenging questions that surround the notion of privacy, but that is exactly why philosophical input is vital. If we reduce questions of privacy rights to binary matters of law, we risk hindering important discussions around the human condition.

    Unlike other disciplines, philosophy does not seek to examine empirical facts. The tools of philosophy are important to individuals and to society because as long as we are not omniscient, facts by themselves are not a substitute for philosophy, just as philosophy is not a substitute for facts. Rather, it is about the intelligent and rational uses of those facts, and it is about the objective scrutiny of beliefs to see how clear and how reasonable they are in the light of the facts we have.

    So philosophy encompasses not only logic but notions of a moral and ethical means of understanding. This goes a long way to explain the recent heightened interest around the role of ethics in matters of data privacy by data protection regulators, representing a long overdue acknowledgement that these are as much human, sociological challenges as they are legal and technical. Such interest is to be welcomed and nurtured.

    So, whatever your profession or interest, let’s celebrate World Philosophy Day. For privacy professionals, do not underestimate the importance of wisdom. We must apply philosophical as well as legal analysis to the fast-evolving social, political and technological landscape if we are to engage with them as intelligent human beings.

    Facts, knowledge and science help us live longer, philosophy helps us live better.

    “Excellence is never an accident. It is always the result of high intention, sincere effort, and intelligent execution. It represents the wise choice of many alternatives – choice, not chance determines your destiny.” – Aristotle
  • ODPC offers advice after increase in local data breaches

    Twenty-six personal data breaches have been reported to The Office of the Data Protection Commissioner (ODPC) in the last two months up to 18 October 2018.

    The number of breaches has increased slightly when compared with the previous reporting period of 32 reported breaches over the three months up to 18 August. The increase is likely due to organisations being more aware of their legal obligation to report breaches to the ODPC.

    Statutory breach reporting was one of the key changes to the local data protection law introduced in May 2018. The Data Protection (Bailiwick of Guernsey) Law, 2017 (section 42) states that organisations are legally required to notify the ODPC of any personal data breach within 72 hours of becoming aware of it.

    Most breaches received were low-level with no further action required. However, the ODPC has a heavy caseload of ongoing investigations into breaches and complaints that do require further action.

    There has also been a specific increase in hacking-related incidents and in particular, hackers gaining control of email accounts.

    Guernsey’s Data Protection Commissioner, Emma Martins commented on the role of breach reporting and its value in achieving regulatory compliance.

    ‘The continued high levels of compliance by local organisations when reporting these incidents is to be welcomed. We recognise that it may not come naturally for organisations to inform regulators when things don’t go to plan and we understand that having confidence in my Office and the way in which such matters are handled is vital. Taking a proactive approach in this area will help to enhance confidence in the organisations handling our personal data. It also provides my Office with extremely useful insight about the types and nature of breaches, which in turn enables us to target our education and compliance programme in a meaningful and effective way.’

    The breach reports received suggest that organisations are exposed to the greatest risk of breach when personal data leaves their direct control, either by post or email.

    The ODPC offers the following advice to local organisations.

    When using postal or email systems for sending personal information:

    • Regularly check your email security: update patches, and if you are making any significant changes think about whether penetration testing is necessary.
    • Pause – think and check before you send: remind all staff members who are posting or emailing letters/documents that contain personal data to slow down, to always double check the recipients are correct and appropriate.
    • Avoid complacency: consider the potential implications of the information you are handling falling into the wrong hands and take all reasonable precautions to prevent this from happening.

    Download infographic version of this advice here.

    When letting ODPC know that your organisation has experienced a breach:

    • Beware of the secondary breach: if you experience a breach and report it to the ODPC, take care not to commit a secondary breach in the process. For instance, as part of an initial self-reported breach you don’t need to send the ODPC the specific evidence of the breach; you just need to disclose how it happened, what personal data has been put at risk, how many people’s data are affected, the category of person affected (e.g. staff members, customers, suppliers), and the category of personal information affected.

    For example:

    If you sent a breach report similar to the one below, it would constitute a secondary breach, as it exposes the data and individuals concerned.

    “I’ve sent details related to Mrs A. Bloggs’ positive pregnancy test results to Mrs C. Bloggs.”

    Instead, you should submit a breach report in the format below, which protects the data and identities concerned.

    “At 13:10 on 19 October 2018, I sent special category medical data related to a patient’s pregnancy to an individual with a similar name in error.”

    Download infographic version of this example here.

    The Office of the Data Protection Commissioner is working to improve its online breach reporting mechanism and has asked for any comments to be submitted via enquiries@odpc.gg.


    What is a breach?
    A personal data breach is defined in section 111(1) of the Law as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”. There will likely be a breach whenever any personal data (including any special category data) is accidentally lost, corrupted or disclosed, or if someone accesses it or passes it on without proper authorisation to do so.

    Action points for organisations after a personal data breach

    • Read: our breach reporting guidance document (includes checklists and templates)
    • Let us know the breach has occurred – via our secure online breach reporting mechanism
    • Take steps to limit the damage. Where appropriate, advise the person who received the data in error that they should delete the data and must not make use of or disclose the data to anyone else
    • Consider whether it may be necessary or appropriate to report the breach to any other regulatory or law enforcement agency
    • In some cases you will need to notify the person whose data was disclosed in the breach
    • Ensure your organisation reviews and learns from what has happened

    Action we take following a reported breach

    • We record the breach, securely and confidentially, and assess its severity.
    • We contact the organisation to confirm receipt of their breach report and discuss what happens next (each report is assessed on a case by case basis).
    • Where necessary we may need to communicate with other data protection authorities, if the breach is likely to affect people outside of our jurisdiction.
  • Set-up and operating cost for 2018 and 2019 published

    The States of Guernsey have approved additional funding for the ODPC for 2018 and 2019 to enable implementation of the new data protection legislation which came into force for the Bailiwick in May 2018.

    Our commissioner, Emma Martins, gave context to the funding increase:

    “The increased funding reflects the States’ commitment to ensuring the Bailiwick continues to operate as a high quality regulatory environment and to be recognised as an ‘adequate’ jurisdiction by the EU underpinning its role on the international stage. This in turn protects vital data flows to the Islands as well as ensuring local citizens are provided with the highest levels of protection for their own personal data in this increasingly data-driven era.”

    Breakdown of funding:

                                                              Set up (£k)   2018 (£k)   2019 (£k) *
    Staff and Board                                               61           390         595
    Premises                                                      90            20          82
    Insurances                                                   n/a           3.5           8
    IT                                                            73            25          40
    Other (e.g. travel, legal, staff training, office supplies)  n/a           112         295

    * The 2019 figures above are projected costs, and as such they are under review.

    We are performing a comprehensive review of our funding model for 2020 onwards and commit to consulting with industry and government as part of this.

    The recently constituted Board (the Guernsey Data Protection Authority) provides leadership and governance to the ODPC and demonstrates accountability for our newly independent status.

    Please contact us if you have any questions.

  • New appointments

    We have recruited three staff in key roles as we continue to oversee and develop the Bailiwick’s new data protection laws, and ensure islanders’ rights are respected and their personal data are handled appropriately:

    1. Leanne Archer has started as Communications Manager with responsibility for internal and external communications.
    2. Mikael (Mike) Appelqvist joins as Office Manager to ensure the smooth running of our office, along with managing the Guernsey Data Protection Register.
    3. Tim Loveridge has taken up our Interim Chief Operating Officer role. Tim brings valuable experience, especially from his prior roles as Chief Transformation Officer and Chief Risk Officer at the Guernsey Financial Services Commission. In his new role, Tim will be responsible for putting in place the necessary infrastructure to enable us to be an effective regulator.

    Emma Martins, Guernsey’s Data Protection Commissioner, says the appointments are very important for the Island as the world of data protection evolves:

    ‘I’m delighted to welcome Leanne, Tim and Mike to the Office at this challenging but exciting time. Businesses in the Bailiwick expect and deserve high quality, proportionate and effective regulatory oversight. Equally, our residents deserve to have their personal data handled in fair and appropriate ways. All three individuals bring valuable experience and energy for the considerable work ahead. To find people who have both an interest in the work we do, together with the high level of skill we demand, demonstrates again how, even though we are a small jurisdiction, we can punch above our weight in this area.’

    Leanne brings considerable experience in technical writing, including knowledge transfer work with UK government laboratories. She has a particular interest in plain English and is working to ensure all our communications are clear, concise and useful.

    Mikael, originally from Sweden, has diverse skills and experience, and has held senior positions within the civil service, including working in the prison service and setting up the mental health law, including its code of practice and tribunals.

    Tim has been working with us up until recently as project manager. He is a highly experienced change manager and technologist with experience of working in a regulatory environment in senior positions.

  • ODPC to publish monthly newsletter

    As part of our communications strategy, we will start publishing a monthly newsletter at the end of October 2018 which you can sign up to here.

    The first newsletter will include updates on:

    • operational progress we’ve made since the change of data protection law that came into force on 25 May 2018
    • what we know (and don’t know) about how data transfers between UK and Guernsey will be affected by Brexit
    • details of developing plans for our events programme commencing in 2019

    Future newsletters will include: commentary on data protection issues; overview of specific issues; profiles of staff; profiles of data protection officers at local organisations; details of upcoming events; official guidance; success stories etc.

    The newsletter forms part of our communications strategy and will be a key channel for us to fulfil our commitment to transparency around publishing regular information and statistics related to our activities and governance.

    More broadly, our communications activity seeks to:

    1. Promote public awareness of risks, rules, safeguards and rights in relation to processing of personal information, especially in relation to children.
    2. Promote Guernsey’s position as a jurisdiction with excellent and innovative data protection standards which retains its ‘adequacy’ recognition from the EU.
    3. Promote awareness of the legal duties placed on organisations who are controlling or processing personal information.
    4. Protect the ODPC / Data Protection Authority’s reputation by communicating in-line with our mission, vision and values.


    Sign up to our monthly newsletter

    Read our Communications Strategy

    Follow ODPC on LinkedIn
