With the evolution of the digital age and its knock-on effect in terms of the ease with which information is collected (including in ever-increasing amounts), it’s now more important than ever for individuals to have clarity and certainty about how their personal data is used, and for organisations to be clear about exactly why they need an individuals’ data and what they’re going to do with it.
A key obligation when it comes to data protection is transparency.
Transparency is defined as a process which involves decisions and processes being completely visible and open to scrutiny, so that it's clear that nothing is being hidden.
Article 12 of the Data Protection (Jersey) Law 2018 (DPJL 2018) states that, as a data controller for an organisation, it is necessary to be clear about exactly what information is being collected and for what purpose, and that the data is being used in a lawful and transparent way. Not only that, but this intent must be communicated in a concise, intelligible and easy to understand way, using clear and plain language that is appropriate for the individual whose information is to be processed. This generally needs to be done at the time the data is obtained from the individual.
The easiest and most direct way to communicate to your data subjects that you are abiding with Article 12 of the Law before collecting their data, is through writing a clear statement (usually called a ‘privacy policy’ or ‘data protection statement’ or similar) which is made easily accessible to those individuals. Many organisations choose to make this information available on their website so that individuals can access this information easily and freely.
Constructing a Privacy Policy
When constructing a privacy policy, remember to make sure that it includes all of the information set out in Article 12(4) of the law. As a guide, think about what it is you are trying to tell the individual: this can be broken down simply as follows;
Don’t forget to also explain that individuals have certain rights under the law and give them a contact point, letting them know who they need to contact to exercise those rights.
Achieving Transparency
However, even with a privacy policy in place there are still some common issues we see which can obstruct achieving transparency:
Tip: Having information represented in an unambiguous way is important to be transparent. Words such as “may”, “might”, “often” and “most commonly” should be avoided. If you are doing something – you should say it. If you’re not, then you don’t need to mention it.
Tip: For retention periods, phrases “as long as necessary to fulfil the purposes…” are unlikely to be sufficient to fulfil the transparency obligations. Be specific. It is key that data subjects can clearly understand how their data is being used in each specific case, including the specific retention period or criteria.
Tip: Create a mechanism to review your privacy policy regularly to make sure that information is up to date. This might be a time-based review schedule or a mechanism to review after a change in processing operations. Although achieving transparency is the primary aim when communicating your intentions with data collection, it must be done in accordance with Article 12. There are a few common issues when it comes to achieving Article 12.
Article 12
Tip: We have in the past suggested controllers consider using a table structure to present this information to subjects. This way, data subjects can easily search for the relevant purpose and check the relevant information. This table can also contain retention information for each purpose.
Tip: Any use of legitimate interests must be accompanied by an explanation of the legitimate interests.
Tip: Controllers need to provide the recipients or categories of recipients of personal data to subjects. This should include processors like software providers and other recipients like group companies and government departments. If the recipients are not named, the controller should provide as much information as possible and be able to demonstrate why this is fair.
Tip: Have a look at our Tools and International Transfers guidance. Remember that there must be adequate protection for any transfer to a third country to be lawful.
Tip: Use the Privacy Policy Checklist on our website and check Article 12 of the law to ensure that you are providing all the required information.
We want you to be data protection confident. If you are looking for further guidance to assist with constructing a robust privacy policy or are concerned that your organisation is not currently abiding by Article 12, you can contact our team via email to enquiries@jerseyoic.org or you can view our Privacy Policy Checklist.
