Jersey Office of The Information Commissioner - Data Protection Statement

What this Statement covers

This data protection Statement (the “Statement”) sets out the privacy practices relevant to the Jersey Data Protection Authority (including the Jersey Office of the Information Commissioner (“JOIC”)) who has day-to-day responsibility for carrying out the Authority’s functions (the “Authority”). It explains how information is collected, how it is used, your rights and what controls you have. In particular:
• What information the Authority may collect about you and when;
• How the Authority might use your information;
• How the Authority protects your information; and
• Your rights regarding the information you provide.

It applies to information the Authority collects about you when you use the Authority website (the “Website”). The Authority also has Twitter, LinkedIn, Instagram, Facebook and You Tube accounts.

(This Statement does not apply to Authority staff or those applying for jobs with the Authority and to which a separate policy applies.)

Identity of the data controller

The Authority was established by the Data Protection Authority (Jersey) Law 2018 (the “Authority Law”) and is the relevant data controller in respect of the personal information it holds about you. It is responsible for monitoring compliance with the Data Protection (Jersey) Law 2018 (the “DPJL 2018”), the Authority Law and the Freedom of Information (Jersey) Law 2011.

You can contact us by phone, email, in person, via social media and post.

Our postal address: Jersey Office of the Information Commissioner, 2nd Floor, 5 Castle Street, St Helier Jersey, JE2 3BT

The Data Protection Officer (DPO)

The JOIC’s DPO is Operations Director
Mrs Anne King (+44 1534 716530 / a.king@jerseyoic.org).

Activity and personal
information collection.

How we use your
personal information.

Directly from you

Complaints/enforcement action

Self-reported breach

We also receive personal information indirectly

Social Media

Attend an event, seminar, workshop or hiring our facilities

Responding to our consultation requests and surveys

Third Parties

Registrations & Fees

Children’s information

Visitors Wi-Fi

How long do we keep your information for?

Our lawful basis for processing your personal data

There are a number of lawful (legal) bases upon which we rely to process personal data about you. These are:

For the performance of our public functions including fulfilling our statutory obligations under the DPJL 2018, the Authority Law and the Freedom of Information (Jersey) Law 2011; where the data subject has given consent to the processing of his or her personal data for one or more specific purposes e.g. for inclusion in contact lists and at conferences or events;

where the processing is necessary for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract e.g. where we engage with third party service providers; and where such is necessary for our legitimate interests (other than where we are performing our regulatory functions and where those interests are not overridden by the interests/rights and freedoms of the data subjects).

Who we share your personal information with

We may need to share your personal information when required to by law, by order of the Court, or with other law enforcement agencies or regulatory bodies where there is a statutory basis to do so (including in relation to cross-border data protection issues where we may be required to liaise with other data protection authorities and also in the context of any formal legal proceedings we are involved in). If you make a complaint to us, we will usually share your identity with the organisation you have complained about and this is so that we can investigate the complaint made and also in order to ensure procedural fairness.

We may also share your information in the event of the non-payment of a fine. If the debt remains outstanding after the specified timeframe for payment, no payment plan is in place or an agreed payment plan is not being adhered to, we may initiate formal proceedings to recover the full amount of the unpaid penalty. As a result the Authority will share personal data with the litigation and recovery specialists it instructs in order for them to identify assets and undertake recovery action through the courts. Please also bear in mind that if you register with us as a data controller or processor, certain information regarding that registration is published on our Register, which is publicly available via the internet. (We do not publish contact details.)

We use certain third parties who provide or support our services and we have appropriate contracts in place with those providers to ensure the safety of your information. For information on these third party vendors and processors please see the 'Third Party Processors' section below. We do not share your information with any third parties for the purposes of direct marketing.

Third-Party Processors

Third Party Processors are other organisations/services carefully chosen by the Authority to allow us to function and operate. In the case of organisations outside of Jersey, the United Kingdom and the European Economic Area (EEA);

(a) we have prior written instructions for the transfer or (b) we have entered into specific contractual terms with them to ensure that they treat your personal data in way equivalent to that in which they would be required if they were established in Jersey.

We will make sure that those organisations are able to keep your information safe.

Social Media
If you interact with us on one of our social media profiles, we might follow you back or respond to any comments you make on our social media posts. We don’t keep any separate records or lists of our social media followers but it’s usually clear when you have connected with us in that way.

If you send a message via social media that needs a response from us, we may process it in our case management system as an enquiry or a complaint. When contacting the JOIC through a social media platform, we suggest you also familiarise yourself with the privacy information of that platform.

Publishing information

We publish statistical information relating to work we have carried out (for example in our annual report) but this information is anonymised and does not identify any one person.

We do publish Decision Notices relating to appeals that have been made to our office under the Freedom of Information (Jersey) Law 2011 and we may publish the results of any enforcement action we have taken under the Authority Law, including where we have made a public statement and / or issued an administrative fine.

Security

We use Transport Layer Security (TLS) to encrypt and protect email traffic in line with government guidance on email security. Most webmail such as Gmail and Hotmail use TLS by default. We’ll also monitor any emails sent to us, including file attachments, for viruses or malicious software.

You must ensure that any email you send is within the bounds of the law.

Website analytics

Our website does not use any internal or third-party data collecting or analytical services. To improve your experience on our website, we do use functional ‘cookies’. Cookies are an industry standard and most major web sites use them. A cookie is a small text file that our site may place on your computer as a tool to remember

your preferences. You may refuse the use of cookies by selecting the appropriate settings on your browser, however please note that if you do this you may not be able to use the full functionality of this website.

Your data protection rights

Data protection legislation provides data subjects with a number of rights. These include:

1. The right to know what type of personal data we hold about you, given details about how we use it and to be provided with a copy of the personal data held;
2. The right to have an errors or omissions corrected;
3. In certain circumstances, the right to request erasure of all your personal data that we hold;
4. The right to request we restrict the processing of your personal data;

5. The right to object to the further processing of your personal data, including the right to object to direct marketing;
6. The right to withdraw consent if you had previously given us consent to process your data;
7. The right to request that personal data that you have given to us be moved to a third party;
8. The right to lodge a complaint.

Please note that Schedule 1 of the DPJL 2018 sets out that certain of rights referred to above may be restricted in certain circumstances, including where it is necessary to avoid obstructing official or legal inquiries, investigation or procedures or to avoid prejudicing the prevention, detection, investigation or prosecution of a criminal offence.

If you wish to exercise any of these rights, please email our DPO a.king@jerseyoic.org. In your request, please make clear (a) what personal information is concerned, and (b) which of the above rights you would like to enforce. For your protection, we may only implement requests with respect to the personal information associated with the particular email address that you use to send us your request, and we may need to verify your identity before implementing your request. We will try to comply with your request as soon as reasonably practicable.

You can find template letters and additional guidance on our website.

When you make a request, we will consider any lawful exemptions that may apply and that may prevent us from responding to your request in the manner you may wish. It is possible that there is something that may prevent us from responding to your request in the way you would like. If that is the case, we will explain this to you in writing when we respond to your request.

Your right to complain

We aim to meet the highest standards when processing personal data.

If at any stage you became dissatisfied with the manner in which we collect, hold or process your personal data or if you have any questions, please contact us. Any complaints should be addressed to the Information Commissioner at the address below.

How to contact us

If you wish to contact the Office of the Information Commissioner, the DPO or Chair of the Data Protection Authority you may contact us using one of the following methods:

The Jersey Data Protection Authority
5 Castle Street
St Helier
Jersey
JE2 3BT
T. +44 (0)1534 716530
E. enquiries@jerseyoic.org

Version 1.0 July 2021