Jersey Office of The Information Commissioner - Data Protection Statement
What this Statement covers
This data protection Statement (the “Statement”) sets out the privacy practices relevant to the Jersey Data Protection Authority (including the Jersey Office of the Information Commissioner (“JOIC”)) which has day-to-day responsibility for carrying out the Authority’s functions (the “Authority”). It explains how information is collected, how it is used, your rights and what controls you have. In particular:
• What information the Authority may collect about you and when;
• How the Authority might use your information;
• How the Authority protects your information; and
• Your rights regarding the information you provide.
It applies to information the Authority collects about you when you use the Authority website (the “Website”). The Authority also has Twitter, LinkedIn, Instagram, Facebook and YouTube accounts.
(This Statement does not apply to Authority staff or those applying for jobs with the Authority, to whom a separate policy applies.)
Identity of the data controller
The Authority was established by the Data Protection Authority (Jersey) Law 2018 (the “Authority Law”) and is the relevant data controller in respect of the personal information it holds about you. It is responsible for monitoring compliance with the Data Protection (Jersey) Law 2018 (the “DPJL 2018”), the Authority Law and the Freedom of Information (Jersey) Law 2011.
You can contact us by phone, email, in person, via social media and post.
Our postal address: Jersey Office of the Information Commissioner, 2nd Floor, 5 Castle Street, St Helier Jersey, JE2 3BT
Activity and personal
How we use your
Directly from you
We also receive personal information indirectly
Attend an event, seminar, workshop or hiring our facilities
Responding to our consultation requests and surveys
Registrations & Fees
How long do we keep your information for?
Our lawful basis for processing your personal data
There are a number of lawful (legal) bases upon which we rely to process personal data about you. These are:
• For the performance of our public functions including fulfilling our statutory obligations under the DPJL 2018, the Authority Law and the Freedom of Information (Jersey) Law 2011;
• where the data subject has given consent to the processing of his or her personal data for one or more specific purposes e.g. for inclusion in contact lists and at conferences or events;
• where the processing is necessary for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract e.g. where we engage with third party service providers; and
• where such is necessary for our legitimate interests (other than where we are performing our regulatory functions and where those interests are not overridden by the interests/rights and freedoms of the data subjects).
Third Party Processors are other organisations/services carefully chosen by the Authority to allow us to function and operate. In the case of organisations outside of Jersey, the United Kingdom and the European Economic Area (EEA), (a) we have prior written instructions for the transfer or (b) we have entered into specific contractual terms with them to ensure that they treat your personal data in a way equivalent to that in which they would be required if they were established in Jersey.
We will make sure that those organisations are able to keep your information safe.
If you interact with us on one of our social media profiles, we might follow you back or respond to any comments you make on our social media posts. We don’t keep any separate records or lists of our social media followers but it’s usually clear when you have connected with us in that way.
If you send a message via social media that needs a response from us, we may process it in our case management system as an enquiry or a complaint. When contacting the JOIC through a social media platform, we suggest you also familiarise yourself with the privacy information of that platform.
We publish statistical information relating to work we have carried out (for example in our annual report) but this information is anonymised and does not identify any one person.
We do publish Decision Notices relating to appeals that have been made to our office under the Freedom of Information (Jersey) Law 2011 and we may publish the results of any enforcement action we have taken under the Authority Law, including where we have made a public statement and / or issued an administrative fine.
We use Transport Layer Security (TLS) to encrypt and protect email traffic in line with government guidance on email security. Most webmail such as Gmail and Hotmail use TLS by default. We’ll also monitor any emails sent to us, including file attachments, for viruses or malicious software.
You must ensure that any email you send is within the bounds of the law.
Our website does not use any internal or third-party data collecting or analytical services. To improve your experience on our website, we do use functional ‘cookies’. Cookies are an industry standard and most major web sites use them. A cookie is a small text file that our site may place on your computer as a tool to remember
Your data protection rights
Data protection legislation provides data subjects with a number of rights. These include:
1. The right to know what type of personal data we hold about you, to be given details about how we use it and to be provided with a copy of the personal data held;
2. The right to have any errors or omissions corrected;
3. In certain circumstances, the right to request erasure of all your personal data that we hold;
4. The right to request we restrict the processing of your personal data;
5. The right to object to the further processing of your personal data, including the right to object to direct marketing;
6. The right to withdraw consent if you had previously given us consent to process your data;
7. The right to request that personal data that you have given to us be moved to a third party;
8. The right to lodge a complaint.
Please note that Schedule 1 of the DPJL 2018 sets out that certain of the rights referred to above may be restricted in certain circumstances, including where it is necessary to avoid obstructing official or legal inquiries, investigation or procedures or to avoid prejudicing the prevention, detection, investigation or prosecution of a criminal offence.
If you wish to exercise any of these rights, please email our DPO at firstname.lastname@example.org. In your request, please make clear (a) what personal information is concerned, and (b) which of the above rights you would like to enforce. For your protection, we may only implement requests with respect to the personal information associated with the particular email address that you use to send us your request, and we may need to verify your identity before implementing your request. We will try to comply with your request as soon as reasonably practicable.
You can find template letters and additional guidance on our website.
When you make a request, we will consider any lawful exemptions that may apply and that may prevent us from responding to your request in the manner you may wish. It is possible that there is something that may prevent us from responding to your request in the way you would like. If that is the case, we will explain this to you in writing when we respond to your request.
Your right to complain
We aim to meet the highest standards when processing personal data.
If at any stage you become dissatisfied with the manner in which we collect, hold or process your personal data or if you have any questions, please contact us. Any complaints should be addressed to the Information Commissioner at the address below.
How to contact us
If you wish to contact the Office of the Information Commissioner, the DPO or Chair of the Data Protection Authority you may contact us using one of the following methods:
The Jersey Data Protection Authority
5 Castle Street
T. +44 (0)1534 716530
Version 1.0 July 2021