Jersey Office of the Information Commissioner – Data Protection Statement
What this Statement covers
This data protection statement explains the privacy practices of the Jersey Data Protection Authority (including the Jersey Office of the Information Commissioner, “JOIC”). It covers how information is collected, how it is used, your rights, and what controls you have. In particular:
- what information we may collect and when;
- how we might use your information;
- how we protect your information; and
- your rights regarding the information you provide.
It applies to information we collect when you use our website and social media channels, and when you contact or engage with us for our statutory functions. Staff/recruitment matters are covered by a separate policy.
Identity of the data controller
The Jersey Data Protection Authority was established by the Data Protection Authority (Jersey) Law 2018 and is the data controller for the personal information it holds in carrying out its functions under that Law, the Data Protection (Jersey) Law 2018 and the Freedom of Information (Jersey) Law 2011.
Jersey Office of the Information Commissioner, 2nd Floor, 5 Castle Street, St Helier, Jersey, JE2 3BT
T. (+44) 1534 716530
E. enquiries@jerseyoic.org
W. www.jerseyoic.org
The Data Protection Officer (DPO)
To contact the JOIC’s Data Protection Officer, email dpo@jerseyoic.org or call +44 1534 716530.
Activity and personal information collection.
How we use your personal information.
Directly from you
Make an enquiry/in person or online
If you reach out to us via our contact page and give us your name and contact email address, we will contact you separately (usually by email) using the details you have provided. If you visit our office to speak to us we keep a record of your enquiry and also our response.
We will email or telephone you in order to respond to the query you have raised and to engage with you and we need enough information to deal properly with the issue you have raised. We do not audio record or retain audio recordings of phone conversations. However, where an individual contacts the JOIC by phone, caller numbers are automatically stored on the recipient phone for a limited period of time in a list of inbound and outbound calls, but no further processing of this data (caller numbers) is carried out by us and the information is automatically deleted after 1 month.
We will keep a record of the contents of relevant phone calls in the form of notes made on the relevant case file.
Depending on the purpose of your visit, we may ask you for identification, for example on an ad hoc visit to test our fire alarms or water quality. If we ask you to show some form of identification, this will not be recorded anywhere and is purely for identification verification.
Complaints/enforcement action
If you raise a complaint with the JOIC, we will use the information you give us to investigate your complaint. If you have made a complaint against an organisation, we will usually need to disclose your identity to them. This is so we can advise them of the nature of the complaint you have made and so that they can respond to that complaint. (This may also mean that we receive information from the organisation about you.)
We need this information in order to investigate the complaint and/or carry out any conciliation.
Under the Authority Law, we may investigate and sanction individuals and organisations for alleged breaches of the legislation we regulate (including DPJL 2018 and the Freedom of Information (Jersey) Law 2011).
This includes the prevention, investigation, and/or detection of criminal offences where we may carry out investigations jointly with the States of Jersey Police. (Please note that the Information Commissioner does not have the power to bring any criminal prosecution; that power lies solely with HM Attorney General for Jersey. Whilst we can assist in any investigation any decision to prosecute lies with the Attorney General alone. Similarly, there is no power to bring private prosecutions in Jersey.)
Self-reported breach
If you make a report to us about a data breach, please complete our online breach reporting form.
We will use the information you give us to investigate your breach.
We also receive personal information indirectly
We also receive personal information indirectly if:
- We have contacted an organisation about a complaint you have made and it gives us your personal information as part of its response.
- Your personal information is contained in reports from organisations about breaches of data protection law.
- A complainant refers to you as part of their complaint.
- ‘Whistleblowers’ include your information in their report to us.
- We have seized information as part of an investigation and it includes your personal information.
- Other regulators or law enforcement bodies have given information to us.
If it is not disproportionate or prejudicial, we will contact you to let you know we are processing your personal information.
Social Media
If you interact with us on one of our social media profiles, we might follow you back or respond to any comments you make on our social media posts. We don’t keep any separate records or lists of our social media followers but it’s usually clear when you have connected with us in that way.
In that context, we consider that we have a legitimate reason to use your information here because of how you have interacted with us and if you contact us on social media, we consider that you are happy for us to either engage with you via that platform or take the conversation offline, using the information you have provided in order to contact you via email, for example.
Social media platforms allow users to block, report and/or unfollow other users so those methods are available to you if you decide that you no longer want to engage with us in that way.
Attend an event, seminar, workshop or hiring our facilities
If you sign up for one of our events you will give us your name, contact details, the name of the organisation you represent and, depending on the nature of the event, any dietary requirements you have.
Our purpose for collecting this information is so we can facilitate the event and provide you with an acceptable service. We don’t publish delegate lists for events.
We need this information to get in touch with you about the event and, on the day of the event, for safety reasons (e.g. in the event of a fire drill). If we operate a waiting list for oversubscribed events we will hold your details just in case a place becomes available.
Responding to our consultation requests and surveys
If you respond to a consultation/survey we launch then we will give you the option to submit it anonymously. If you provide us with your contact details, we may need to get in touch with you about your submission in order to clarify part of your submission or ask you for further information.
We will publish a summary of the consultation responses/survey outcomes and, in some cases, the responses themselves but these will not contain any personal data. The consultation documentation/survey information will make it clear what we plan to publish.
The lawful basis we are relying on to process your personal data is when this is necessary to perform our public tasks as a regulator.
Third Parties
Breach investigations
If an organisation has suffered a data breach, we may receive information regarding the individuals whose data has been compromised.
Investigations and Inquiries – data protection
The Authority may carry out an investigation and/or an inquiry regarding the practices and procedures of data controllers and processors and we may get personal data about you which is contained in records or submissions received by us from data controllers and processors. This personal data could be wide ranging and may include special category data.
We need this information in order to investigate the complaint.
Investigations and appeals – Freedom of Information (FOI)
The Commissioner may carry out an investigation into the practices and procedures of FOI bodies. It may also carry out an appeal when an individual makes a complaint to us that a public authority has not complied with a request made for information. In conducting an investigation and/or an appeal, we could get personal data about you which is contained in records or submissions received by us from FOI bodies. This personal data could be wide ranging and may include special category personal data depending on the investigation.
Occasionally, in carrying out research during an investigation we get personal data from publicly available sources (such as public registers or information available online).
Investigations – law enforcement
We may investigate alleged criminal offences under the legislation we regulate. This will usually be jointly with the States of Jersey Police and sometimes with the Jersey Financial Services Commission. In order to establish whether offences have been committed and decide upon an appropriate course of action we need to gather appropriate information to assist with that investigation. This might include witness statements from affected individuals (suspects and victims).
Registrations & Fees
Our purpose for collecting personal data during the registration and/or fee payment process is so that we can contact you about your registration or about any other queries relating to your compliance with the legislation we oversee. We may also contact the nominated DPO/DP lead to advise them of upcoming JOIC initiatives and to invite them to take part in relevant workshops, consultations etc. which we feel would be of interest to them and which form part of the Authority’s obligations to promote compliance with and knowledge of the relevant legislation.
If you are required to pay a fee, we need to take certain personal information from you during the course of the process. This includes the name and contact details of the person who is responsible for paying the fee and your Data Protection Officer (DPO) if you have one. We will also take payment information including account details if you are paying via direct debit.
This applies to all organisations required to register with the Authority.
Children’s information
We do not provide services directly to children or proactively collect their personal information. Young people have rights under the DPJL 2018 and in the exercising of their rights, we need their information in order to investigate the complaint or enquiry. However, we are sometimes given information about children while handling a complaint or conducting an investigation.
As part of our education and awareness programmes, we regularly visit children in supervised lessons in schools. We do not obtain or use any of their personal information (we do not take names of attendees, for example).
Visitors Wi-Fi
We have Wi-Fi on site for the use of visitors. We’ll provide you with the address and password. We do not record the sites visited, duration etc. when someone is connected to our Wi-Fi.
We don’t ask you to agree to terms, just to acknowledge the fact that we have no responsibility or control over your use of the internet while you are on site, and we don’t ask you to provide any of your information to access this service.
How long do we keep your information for?
All data is retained securely and only used for the purposes set out in the Law. Data is retained to comply with our statutory obligations and in accordance with our retention schedule.
Sign up for one of our newsletters
We process your personal data (email address and optional organisation type) in relation to our newsletter sign-up process under Schedule 2, Part I, paragraph 1 of the DPJL 2018 i.e. we rely on your consent and when you sign-up, you can tell us which of our newsletters you want to sign up to.
We will only use your email address for the sole purpose of sending you the newsletter(s) you have signed up to. During the sign-up process you will receive an email to verify your details.
We use the legal basis of ‘consent’ to process your data in this way, and you are free to withdraw your consent at any time. A manage subscriptions link is included in each newsletter email to enable you to manage your subscriptions. Or you can email communications@jerseyoic.org from the email address you subscribed to our newsletter(s) with and ask us to unsubscribe you from the relevant newsletter(s).
There are a number of lawful (legal) bases upon which we rely to process personal data about you. These are:
- for the performance of our public functions including fulfilling our statutory obligations under the DPJL 2018, the Authority Law and the Freedom of Information (Jersey) Law 2011;
- where the data subject has given consent to the processing of his or her personal data for one or more specific purposes e.g. for inclusion in contact lists and at conferences or events;
- where the processing is necessary for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract e.g. where we engage with third party service providers; and
- where such is necessary for our legitimate interests (other than where we are performing our regulatory functions and where those interests are not overridden by the interests/rights and freedoms of the data subjects).
Third Party Processors are other organisations/services carefully chosen by the Authority to allow us to function and operate. In the case of organisations outside of Jersey, the United Kingdom and the European Economic Area (EEA), (a) we have prior written instructions for the transfer or (b) we have entered into specific contractual terms with them to ensure that they treat your personal data in a way equivalent to that in which they would be required if they were established in Jersey.
We will make sure that those organisations are able to keep your information safe.
Social Media
If you send a message via social media that needs a response from us, we may process it in our case management system as an enquiry or a complaint. When contacting the JOIC through a social media platform, we suggest you also familiarise yourself with the privacy information of that platform.
We publish statistical information relating to work we have carried out (for example in our annual report) but this information is anonymised and does not identify any one person.
We do publish Decision Notices relating to appeals that have been made to our office under the Freedom of Information (Jersey) Law 2011 and we may publish the results of any enforcement action we have taken under the Authority Law, including where we have made a public statement and / or issued an administrative fine.
We use Transport Layer Security (TLS) to encrypt and protect email traffic in line with government guidance on email security. Most webmail such as Gmail and Hotmail use TLS by default. We’ll also monitor any emails sent to us, including file attachments, for viruses or malicious software.
You must ensure that any email you send is within the bounds of the law.
We use a small number of essential cookies that are necessary for the secure operation of our website and online services. These cookies do not track you or store any personal data. They are required for core functionality such as logging in, maintaining a secure session, and protecting our forms from misuse.
The essential cookies we use include:
- Authentication cookies (joic.portal.auth, joic.portal.authC1, joic.portal.authC2)
  These cookies are set when you log in and are used to maintain your authenticated session while you navigate the site. They ensure that we can verify your identity securely and keep your session active. Some authentication cookies may be split into multiple parts (“chunked cookies”) for technical reasons.
- Antiforgery cookie (joic.portal.antiforgery)
  This cookie helps protect the website from cross-site request forgery (CSRF) attacks. It ensures that form submissions originate from your device and prevents malicious third parties from acting on your behalf. These cookies are only used on the areas of our website where you can submit information to us, i.e. via a form, and do not collect any personal data. They rely on unique tokens generated within the user’s browser which are matched to confirm that the submission is legitimate and not a malicious third party.
These cookies are strictly necessary for the website to function and cannot be disabled. They do not store personally identifiable information.
Data protection legislation provides data subjects with a number of rights. These include:
- The right to know what type of personal data we hold about you, to be given details about how we use it and to be provided with a copy of the personal data held;
- The right to have any errors or omissions corrected;
- In certain circumstances, the right to request erasure of all your personal data that we hold;
- The right to request we restrict the processing of your personal data;
- The right to object to the further processing of your personal data, including the right to object to direct marketing;
- The right to withdraw consent if you had previously given us consent to process your data;
- The right to request that personal data that you have given to us be moved to a third party;
- The right to lodge a complaint.
Please note that Schedule 1 of the DPJL 2018 sets out that certain of the rights referred to above may be restricted in certain circumstances, including where it is necessary to avoid obstructing official or legal inquiries, investigation or procedures or to avoid prejudicing the prevention, detection, investigation or prosecution of a criminal offence.
If you wish to exercise any of these rights, please email our DPO at dpo@jerseyoic.org. In your request, please make clear (a) what personal information is concerned, and (b) which of the above rights you would like to enforce. For your protection, we may only implement requests with respect to the personal information associated with the particular email address that you use to send us your request, and we may need to verify your identity before implementing your request. We will try to comply with your request as soon as reasonably practicable.
You can find template letters and additional guidance on our website.
When you make a request, we will consider any lawful exemptions that may apply and that may prevent us from responding to your request in the manner you may wish. It is possible that there is something that may prevent us from responding to your request in the way you would like. If that is the case, we will explain this to you in writing when we respond to your request.
We aim to meet the highest standards when processing personal data.
If at any stage you become dissatisfied with the manner in which we collect, hold or process your personal data or if you have any questions, please contact us. Any complaints should be addressed to the Information Commissioner at the address below.
If you wish to contact the Office of the Information Commissioner, the DPO or Chair of the Data Protection Authority you may contact us using one of the following methods:
The Jersey Data Protection Authority
5 Castle Street
St Helier
Jersey
JE2 3BT
T. +44 (0)1534 716530
E. enquiries@jerseyoic.org