Definitions, the Data Protection Principles and Lawful Bases

6. This section explains the key ideas in the Data Protection (Jersey) Law 2018 in simple, everyday language. It is designed for individuals, small organisations, and anyone new to data protection.

7. Data protection is about keeping your personal information safe, using it properly, and treating people fairly.

Key words, phrases and concepts

8. Before we look at the rules and the reasons why organisations can use your information, it helps to understand some key words and phrases. These are simple terms that explain how your personal information should be used and protected.

The Data Protection Principles

9. The data protection principles at Art.8 of the DPJL 2018 are six golden rules that everyone must follow when handling someone’s personal information. They ensure that personal data is used properly, kept safe, and not retained longer than needed.

• Lawfulness, fairness and transparency – you must use personal information lawfully and fairly and tell people clearly how you will use it.
• Purpose limitation – you must only use personal information for the reason you collected it and not for anything else.
• Data minimisation – you must only collect the information you really need.
• Accuracy – you must make sure information is correct and kept up-to-date.
• Storage limitation – you must not keep information longer than necessary and you should delete or anonymise it when it’s no longer needed.
• Integrity and confidentiality – you must keep information safe and protected from loss or unauthorised access.

Example

A local sports club keeps members’ names and contact details to organise activities. It tells members what information it collects and why (Principle 1). It collects only names and contact details (Principle 3). It removes ex-members from its list (Principle 5) and stores data securely (Principle 6).

The Lawful Bases for Processing Personal Data

10. Before an organisation uses (or “processes”) any personal data, it must choose the correct lawful basis in advance. This decision must be made before any information is collected, used, shared, or stored. Different activities may need different lawful bases, so you must pick the one that properly fits what you are doing.

11. For ordinary personal data (such as names, addresses or contact details), an organisation must choose one of the six lawful bases listed in Schedule 2, Part 1 of the law.

12. Some information is more private and needs extra protection. This is called special category data. It includes things like health information, racial or ethnic origin, religious beliefs, biometric data or criminal record data.

13. To use special category data, an organisation must choose one of the specific lawful conditions listed in Schedule 2, Part 2 of the DPJL 2018. These conditions are stricter because this type of information is more sensitive.

14. In simple terms:

• Ordinary personal data → choose one lawful basis from Part 1 before processing.
• Special category data → choose one lawful basis from Part 2 before processing.

These rules help make sure that personal information is always used lawfully, fairly, and with the right level of protection.

Lawful Bases for Ordinary Personal Data (Schedule 2 Part 1)

15. Before you process ordinary personal data, you must choose one lawful basis. In simple terms, this means the data subject has:

• Given consent – they have clearly agreed to you using their information.
• A contract with you – you need their information to provide a service or do something they have asked for.
• A legal requirement – the law says you must use their information.
• A vital interest at risk – you need their information to protect someone’s life.
• A public task involving them – you are carrying out an official duty that affects them.
• A legitimate interest affecting them – you have a genuine, lawful reason to use their information, and this does not unfairly impact them.

Lawful Conditions for Special Category Data (Schedule 2 Part 2)

16. If you are processing special category data, you must identify one condition from Schedule 2 Part 2 before any processing begins. The conditions include where the data subject:

• Has given explicit consent: The individual has clearly and specifically agreed to the use of their sensitive information.
• Needs a legal obligation to be met: The processing is necessary for you to comply with a legal duty that applies to you and involves special category data.
• Has an employment, social security or social protection need: The processing is necessary for employment-related obligations, health and safety requirements, social protection or social-care purposes, carried out under an appropriate duty of confidentiality.
• Is unable to consent and has a vital interest at risk: Processing is necessary to protect someone’s life, and the individual cannot give consent.
• Is a member of a not-for-profit organisation: Processing is necessary for the legitimate activities of a not-for-profit body such as a charity, club, political party or religious organisation, and relates only to members or former members.
• Has made the information public themselves: The data has clearly been made public by the individual.
• Is involved in a legal claim or legal matter: Processing is necessary for establishing, exercising or defending legal rights, or for court or tribunal proceedings.
• Is connected to a public function: Processing is necessary for you to carry out statutory or government-related functions in the public interest.
• Is affected by a substantial public-interest purpose: Processing is necessary for a recognised substantial public-interest reason under Jersey law, with appropriate safeguards.
• Requires medical or social-care support: Processing is necessary for medical diagnosis, health or social-care provision, or the management of health or social-care systems, carried out under professional confidentiality.
• Is affected by a public-health requirement: Processing is necessary for public-health protection, such as preventing or controlling disease, under conditions set by Jersey law.
• Has data used for research, archiving or statistics: Processing is necessary for scientific or historical research, statistical purposes or archiving in the public interest, with strong safeguards such as pseudonymisation.
• Is protected through equality or anti-discrimination monitoring: Processing is necessary to analyse and monitor equality of opportunity or prevent unlawful discrimination.
• Is involved in the prevention or detection of unlawful acts: Processing is necessary to prevent or detect unlawful acts where seeking consent would prejudice the purpose.
• Is affected by malpractice or mismanagement concerns: Processing is necessary to protect the public against dishonesty, malpractice, serious misconduct or mismanagement.
• Is the subject of work published in the public interest: Processing is necessary for journalism, academic, artistic or literary expression where publication is reasonably believed to serve the public interest.
• Is receiving counselling, advice or support: Processing is necessary for the provision of confidential counselling, advice or support services.
• Has data required for insurance or occupational-pension purposes: Processing is necessary for certain insurance or pension-related activities permitted under Jersey law.
• Has data processed by police in non-law-enforcement duties: Processing is necessary for the police to carry out specific statutory functions that are not for law-enforcement purposes (for example safeguarding).

Key words, phrases and concepts

17. This paragraph covers the following key terms and concepts used in connection with the DPJL 2018: data protection; personal data; special categories of personal data; controller; processor; processing.

What is data protection?

18. Data protection is the fair and proper use of information about people and is key to building trust between people and organisations. It’s about treating people fairly and openly, recognising their right to have control over their own identity and their interactions with others, and striking a balance with the wider interests of society.

19. Good practice in data protection is important to ensure public trust in, engagement with, and support for, innovative uses of personal data in the public and private sectors. It also helps remove unnecessary barriers to trade and co-operation.

What is/is not personal data?

20. Personal data is any data relating to an identified natural person or identifiable natural person. This means data which relates to a living individual who:

• Can be identified or who is identifiable, directly from the information in question.
• Can be indirectly identified from that information in combination with other information.

21. If personal data can be truly anonymised then the anonymised data is not subject to the DPJL 2018.

22. Information about a deceased person does not constitute personal data and therefore is not subject to the DPJL 2018.

23. Information about companies or public authorities is not personal data, however, information about individuals acting as sole traders, employees, partners and company directors would be.

24. An individual is identified or identifiable if they can be distinguished from others. You do not need to know their name for a person to be identified/identifiable and examples of identifiers include names, photographs, ID numbers, location data, a combination of significant criteria (e.g. age, occupation, place of residence), online identifiers (e.g. IP addresses and cookie identifiers) but there are many others.

25. If you can distinguish an individual from others by looking just at information you have, this individual will be identified. This may mean the information you hold constitutes personal data.

Example - The individual who works on the front desk of Bank Y every second Saturday.

• You do not need to know an individual’s name in order to identify them. If you hold a piece of information that allows someone to be identified, or multiple pieces of information that in combination can identify someone, this can be sufficient to identify an individual for the purposes of the law.
• FirstName.LastName@BankY.com
• This corporate email address identified an individual who works at Bank Y.

26. Similarly, even if you need additional information to be able to identify someone, they may still be identifiable. That additional information could be information that you already hold, or that you need to obtain from somewhere else.

What is Special Category Data?

27. Certain types of personal data, known as special categories or personal data, receive additional protection under the DPJL 2018 because they are more sensitive. The DPJL 2018 defines the following as special categories of personal data:

• Personal data revealing racial or ethnic origin.
• Personal data revealing political opinions.
• Personal data revealing religious or philosophical beliefs.
• Genetic data.
• Biometric data (where used for identification purposes).
• Data concerning health.
• Data concerning a person’s sex life or sexual orientation.
• Personal data relating to criminal convictions and offences or related security measures.

28. You can only process special categories of personal data if one of the conditions set out in Schedule 2 Part 2 of the DPJL 2018 applies.

Data Controllers and Data Processors

29. The DPJL 2018 distinguishes between two different types of entity when it comes to processing personal data: data controllers and data processors. It is important to understand whether you are acting as a data controller or data processor because each entity has different obligations under the law. You can find more detailed information in our Guidance notes on the Duties and Responsibilities of Data Controllers and Duties and Responsibilitiesof Data Processors, including how to decide if your organisation is a Data Controller or Data Processor.

What are Data Controllers?

30. Art.1(1) of the DPJL 2018 defines a controller as “the natural or legal person, public authority, agency or other body, which alone or jointly with others, determines the purposes and means of processing of personal data.”

31. The key element of being a controller is the element of control. It is the controller that is the decision maker about how personal data is processed, and the purposes for which it is processed.

32. There are some situations where two or more organisations may jointly decide on the processing of personal data and in these situations they are known as “joint controllers”. If these organisations process the same personal data but for different purposes they will not be joint controllers but will be separate data controllers in their own right.

Example - An insurance broker collects information from its customers

An insurance broker collects information from its customers and potential customers which it uses to calculate premiums, and to assess and manage claims made under its policies. The insurance broker is a controller of its customers’ personal data because it decides what information to collect, what it is used for and makes decisions affecting the data subjects as a result of its processing activities. Company Y uses a local consultancy to provide it with advice about a merger, including about the impact of the merger on its employees. The consultancy firm is a controller of the personal data it uses in providing its services. This is because it decides how it used the data and determines the content of the advice it provides. It also has professional responsibilities in relation to the data e.g. obligations relating to confidentiality and record keeping which would mean that it could not simply follow Company Y’s instructions on these matters.

What are Joint Controllers?

33. Two or more controllers will be joint controllers where they jointly determine the purposes and means of processing. This means that they must decide the purposes and means of processing together and that they are processing the data for the same or shared purposes. Controllers will not be joint controllers if they are each processing the same pool of data for different purposes.

34. You can find more information about the duties and obligations of joint controllers in our separate guidance note.

What are Data Processors?

35. Art.1(1) of the DPJL 2018 defines a processor as “a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller”.

36. Processors act on behalf of, and only on the instructions of the controller. They do not decide how or why to process personal data and they do not use it for their own purposes. Employees of a controller are not processors.

37. You can find more information about duties and obligations of data processors in our separate guidance note.

What is Processing?

38. The term “processing” is defined in Art.1(1) of the DPJL 2018 as “any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction”.

39. This is a very wide definition and really encompasses anything which an organisation could do with personal data, including holding/storing it without actively using it for anything, or simply deleting it. If you are doing something with personal data, you will be processing it for the purposes of the law.

40. It should be noted that some laws may require you to process personal data for specific reasons, for example, registering information about company directors. Even though this may be a processing that is required by law, it still falls within the definition of “processing” and you should still consider whether the DPJL 2018 applies.

What activity falls within scope of the DPJL 2018

41. The DPJL 2018 applies to:

• The processing of personal data either wholly or partly by automated means (i.e. data held in an electronic form e.g. on a computer system).
• The processing of personal data, other than by automated means, which forms part of or is intended to form part of a filing system.

42. A filing system is defined in the DPJL 2018 as “any structured set of personal data which is accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis”. This means data held in manual form which is organised in a structured way, such that a person can find particular information by reference to a specific criterion. A good example of data which would fall within this definition is a set of paper-based records where the information is ordered alphabetically per customer.

43. Manual/paper records are only subject to the DPJL 2018 if they are held or intended to be held in a filing system as described above.

44. The DPJL 2018 does not apply to the processing of personal data by a natural person for a purely personal or household activity (e.g. keeping a list of names and addresses in an address book).

Territorial Scope

45. The DPJL 2018 applies to the processing of personal data.

• In the context of a controller or processor established in Jersey;
• By a controller or processor not established in Jersey but who uses equipment in Jersey for processing the data otherwise than for the purposes of transit through Jersey;
• By a controller or processor not established in Jersey where the processing

1. Relates to data subjects who are in Jersey, and
2. Is for the purpose of offering goods or services to persons in Jersey or monitoring the behaviour of such persons.

Example

A Trust company established in Jersey has a branch in South Africa. The South African branch assists with managing the client database and sending out marketing emails about the trust company’s offering. Although this processing by the South African branch does not take place in Jersey, it relates to data subjects in Jersey and for the purposes of offering them goods and services and is therefore subject to the DPJL 2018.

What is an “establishment”

46. An establishment is any authority, body corporate, branch, representative office, institution entity, or project, which is established, registered or licensed to operate or conduct any activity within Jersey.

What does 'in the context of a controller or processer established in Jersey' mean?

47. The processing must take place in the context of the establishment of the controller or processor for the DPJL 2018 to apply. This means Jersey entities established in Jersey will be caught (e.g. they are registered and/or have their base of operations here) but it may also include entities that are not based here if they fulfil certain other criteria in Art.4(4) because the following are also to be treated as “established in Jersey”:

1. A natural person who is ordinarily resident in Jersey;
2. A body incorporated under the law of Jersey;
3. A partnership or other unincorporated association formed under the law of Jersey;
4. Any person who does not fall within sub-paragraph (a), (b) or (c) but maintains in Jersey – An office, branch or agency through which the person carries on any processing of personal data, or A regular practice that carries on any processing of personal data; or
5. Any person engaging in effective and real processing activities through stable arrangements in Jersey.

48. It is not necessary for the processing itself to take place in Jersey for the DPJL 2018 to apply. A controller in Jersey could, for example, contract a processor in a location outside Jersey where the actual processing takes place, and such processing would still be subject to the DPJL 2018.

49. In practical terms, this means the controller would need to comply with all the requirements of the DPJL 2018 in respect of such processing, including requiring the processor to enter into a written contract with it which contains the terms set out in Art.19 of the DPJL 2018. You can find more details about controller-processor terms in our Guidance note.

What do we mean by real and stable arrangements?

50. The two main factors which need to be considered when determining if processing is taking place by means of real and stable arrangements in Jersey are:

• The relationship between the controller or processor outside Jersey and its local establishment in Jersey – if the processing activities of a non-Jersey controller or processor are inextricably linked to an establishment in Jersey, the DPJL 2018 may apply to such processing (even though the organisation doing the processing is outside Jersey itself).
• Revenue raising within Jersey – if revenue raising in Jersey by a Jersey established entity is inextricably linked to the processing of personal data taking place outside of Jersey this may trigger the application of the DPJL 2018 to the processing activities happening outside Jersey.

Example - An e-commerce website is operated by a South African based company.

• An e-commerce website is operated by a South African based company which exclusively carries out the company’s personal data processing activities. However, the company has an office in Jersey which carries out some administrative tasks including sending out marketing emails directed to Jersey-based customers.

Processors in Jersey

51. Processors in Jersey which are processing personal data for a controller which is outside of Jersey must comply with the DPJL 2018 to the extent possible, taking into account whether the controller is subject to similar obligations under the laws of its home jurisdiction.

52. In some cases, the processor will have full control over its own compliance with the DPJL 2018 e.g. ensuring that it applies appropriate technical and organisational (security) measures to the personal data it processes and notifying the controller if it suffers a personal data breach. However, in other circumstances the cooperation of the controller may be needed. A good example of this is the requirement that a processor which is established in Jersey and subject to the DPJL 2018 should enter into terms with the controller to govern the processing being carried out. The general obligations on processors are set out in Art.22 of the DPJL 2018.

The Principles

53. Art.8 of the DPJL 2018 sets out six key principles that all processing of personal data must follow. Art.6(1)(a) adds the accountability requirement – you must be able to demonstrate compliance with these principles.

54. Art.8 requires that personal data shall be:

1. Processed lawfully, fairly and in a transparent manner in relation to the data (“lawfulness, fairness and transparency”);
2. Collected for specified, explicit and legitimate purposes and once collected, not further processed in a manner incompatible with those purposes (“purpose limitation”);
3. Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (“data minimization”);
4. Accurate and, where necessary, kept up to date, with reasonable steps being taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (“accuracy”);
5. Kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the data are processed (“storage limitation”); and
6. Processed in a manner that ensures appropriate security of the data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures (“integrity and confidentiality”).

55. Art.6(1)(a) says that:

• A controller - is responsible for, and must be able to demonstrate compliance with, the data protection principles in the manner provided for in this Law;*

Why are the Principles Important?

56. The principles lie at the heart of the DPJL 2018. They are set out right at the start of the Law and inform everything that follows. They do not set out hard and fast rules for every situation. Instead, they capture the spirit of Jersey’s data protection framework — fairness, lawfulness, transparency, and respect for individuals’ privacy. There are very few exceptions.

57. Complying with both the letter and the spirit of these principles is a fundamental part of good data protection practice. They are the foundation for every other obligation you have under the DPJL 2018 — from obtaining consent and keeping data secure, to responding to access requests and reporting breaches.

58. Following the principles is therefore essential to building trust with individuals and ensuring that personal data is handled responsibly.

59. Failure to comply with the principles is a serious matter and we may take enforcement action where the principles have been breached. This can include formal reprimands, making orders for improvement, and administrative fines. Infringements of the basic principles for processing personal data are subject to the highest level of administrative penalty. Depending on the circumstances, a controller or processor may face a fine of up to £10 million, or 2% of their total worldwide annual turnover, whichever is higher — and for the most serious contraventions, up to £20 million, or 4% of total worldwide annual turnover.

60. Compliance with the principles is therefore not just a legal requirement — it is the foundation of trustworthy, accountable data protection practice in Jersey.

Lawfulness, Fairness and Transparency

61. Art.8(1)(a) of the DPJL 2018 says that data must be: “processed lawfully, fairly and in a transparent manner in relation to the data (“lawfulness, fairness and transparency”)

What is lawfulness?

62. For processing of personal data to be lawful, you need to identify a clear and specific reason (known as a “lawful basis”) for each processing activity. You must decide which lawful basis applies before you begin processing, document your decision and include this information in any privacy notice (subject to any exemptions that may apply).

63. Art.9 of the DPJL 2018 provides that processing is only lawful if at least one of the conditions in Schedule 2 is met:

Lawful processing (1) The processing of personal data that would otherwise be lawful is lawful for the purposes of this Law only if it meets at least one of the conditions specified in Schedule 2. (2) However, in the case of any processing of data that includes special category data, it must meet at least one of the conditions mentioned in Part 2 of Schedule 2.

64. If no lawful basis applies then your processing will be unlawful and in breach of this principle. If you cannot identify a lawful basis you must not go ahead with the processing.

65. Lawfulness also means that you don’t do anything with the personal data which is unlawful in a more general sense. This includes statute and common law obligations, whether criminal or civil. If processing involves committing a criminal offence, it will obviously be unlawful. However, processing may also be unlawful if it results in:

• A breach of a duty of confidence.
• Your organisation exceeding its legal powers or exercising those powers improperly.
• An infringement of copyright.
• A breach of an enforceable contractual agreement.
• A breach of industry-specific legislation or regulations.
• A breach of the Human Rights (Jersey) Law 2000.

These are just examples, and this list is not exhaustive. You may need to take your own legal advice on other relevant legal requirements.

66. Although processing personal data in breach of copyright or industry regulations (for example) will involve unlawful processing in breach of this principle, this does not mean that we can pursue allegations which are primarily about breaches of copyright, financial regulations or other laws outside our remit and expertise as data protection regulator. In this situation there are likely to be other legal or regulatory routes of redress where the issues can be considered in a more appropriate forum.

67. If you have processed personal data unlawfully, the DPJL 2018 gives individuals the right to erase that data or restrict your processing of it.

What is fairness?

68. Processing data fairly means using it in a way that individuals would reasonably expect, and not in a way which produces unjustified negative effects on them. You need to stop and think not just about how you can use personal data, but also about whether you should.

69. Processing personal data fairly is closely linked to how you obtained the data in the first place and what you have told data subjects about how you will use their data. If for example you have obtained data by deceiving or misleading people about how it will be used, this is likely to be unfair. If any aspect of your processing is unfair you will be in breach of this principle – even if you can show that you have a lawful basis for the processing.

Example

A consultancy firm asks for a client’s email address so it can send them a copy of their standard terms of business. It does not tell the client that the email is also going to be added to their marketing list as well. This is unfair because the consultancy has misled the client about why they want certain information and what they will be using it for.

What is transparency?

70. Transparency means being open, clear and honest with people about who you are, what you do with their personal data, and why you use it.

71. Transparency is especially important at the start of your relationship with individuals. When people understand how and why you will use their personal data, they can make an informed choice about whether to share it with you. It is also important when you have no direct relationship with the individual and if you collect information about them from another source. In some cases, it can be even more important - as people may have no idea that you are collecting and using their personal information, and this affects their ability to assert their rights over their information.

72. You must tell individuals how you process their data in a way that is concise, accessible and easy to understand, using clear, plain language. This duty applies even when you process personal data about people you do not deal with directly.

73. Art.12 of the DPJL 2018 sets out the types of information you must provide to people about the information you process about them. For more detail about the privacy information you must provide, see our guidance on the right to be informed.

74. There are some limited exemptions to transparency – for example, where providing information would involve a disproportionate effort, prejudice an ongoing investigation, or compromise another person’s rights and freedoms. Any exemption must be applied carefully and only where it is clearly supported by the law.

75. It is your responsibility to ensure that people can easily find the information you provide and that it enables them to exercise their rights. Further guidance on your transparency obligations and the information you must provide to individuals can be found in our separate guidance note on data subject rights.

Purpose Limitation

76. Art.8(1)(b) says that: collected for specified, explicit and legitimate purposes and once collected, not further processed in a manner incompatible with those purposes (“purpose limitation”)

77. This means that you must collect personal data only for specified, explicit and legitimate purposes and not process it in a way that is incompatible with those purposes. This means that you must be clear from the beginning why you are collecting personal data and how you intend to use it. Your transparency obligations mean you must tell people how and why you are processing their data and you must specify your purposes in the privacy information you give to individuals, and also in your record of processing activities (unless your organisation is exempt).

78. You should regularly review your processing, documentation and privacy information to check that your purposes have not evolved over time beyond those you originally specified (‘function creep’).

Once we collect personal data for a specified purpose, can we use it for other purposes?

79. If you later want to use data in a way which is different or additional to the purposes you determined and communicated to people initially, you can only go ahead if:

• The new purpose is compatible with the original purpose.
• You get the individual’s consent to the new purpose.
• A provision of law requires or allows the new processing.

80. All processing must also be lawful, so you do need a lawful basis. The original basis you used to collect the data may not always be appropriate for your new use of that data.

81. When deciding whether a new purpose is compatible with your original purpose you should take into account:

• Whether or not there is a link between your original purpose and the new purpose;
• The circumstances in which you originally collected the personal data. You should consider
• In particular what the data subjects would reasonably expect;
• The sensitivity of the personal data;
• How using the data for the new purpose will affect individuals; and
• Whether you can carry out the new processing with appropriate safeguards in place e.g. encryption or pseudonymisation.

82. If the new purpose is very different from the original purpose, would be unexpected, or would have an unjustified impact on the individual, it is likely to be incompatible with your original purpose.

Example

You collect emails for event registration. Using them later for unrelated fundraising is not compatible without additional consent.

83. Further processing for the purposes of archiving and research is not considered as incompatible with the initial purposes for which the data was collected (see Art.8(2)(a) and (b)).

Data Minimisation

84. Art.8(1)(c) says:

Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (“data minimization”)

85. Personal data must be adequate, relevant and limited to what is necessary for the purposes for which they are processed.

Adequate

86. If the processing you carry out is not helping you to achieve your purpose then the personal data you have is probably inadequate. You should not process personal data if it is insufficient for its intended purpose.

87. In some circumstances you may need to collect more personal data than you had originally anticipated using, so that you have enough information for the purpose in question.

88. Data may also be inadequate if you are making decisions about someone based on an incomplete understanding of the facts. In particular, if an individual asks you to supplement incomplete data under their right to rectification, this could indicate that the data might be inadequate for your purpose.

89. A record of an opinion is not necessarily inadequate or irrelevant personal data just because the individual disagrees with it or thinks it has not taken account of information they think is important.

90. However, in order to be adequate, your records should make clear that it is opinion rather than fact. The record of the opinion (or of the context it is held in) should also contain enough information to enable a reader to interpret it correctly. For example, it should state the date and the author’s name and position.

91. If an opinion is likely to be controversial or very sensitive, or if it will have a significant impact when used or disclosed, it is even more important to state the circumstances or the evidence it is based on. If a record contains an opinion that summarises more detailed records held elsewhere, you should make this clear.

Example -Recording opinions in an employee grievance

An employee raises a grievance about the behaviour of their line manager. During the investigation, the HR officer interviews the manager and other colleagues and records their views in a summary report. The manager provides an account that the HR officer considers to be an opinion, not an established fact. The HR officer therefore records it as follows:

In the opinion of the line manager (Jane Smith, Department Manager, 12 May 2025), the employee has been underperforming since the start of the year. This is based on informal observations rather than documented performance reviews.

This approach ensures the record: Clearly identifies that it is an opinion rather than a verified fact; Attributes the comment to its author, including name, role and date; Provides context so a reader understands the basis for the opinion; and Makes clear that the view is not necessarily shared by the organisation or supported by evidence.

If the opinion were likely to be sensitive or disputed, it would be particularly important to explain the circumstances and evidence that informed it.

For example, the HR officer might note that the view is based on a single informal conversation rather than a formal appraisal.

By recording opinions in this way, you help ensure that personal data is accurate, adequate and fair, even if the individual disagrees with the content.

Limited to what is necessary

92. You must not collect personal data on the off-chance it might be useful in the future.

93. You should identify the minimum amount of personal data you need to properly fulfil your purpose. You should hold that much information but no more than that and you should not keep information simply on the basis that it might be useful in the future but where you have no actual need for it. If you are holding more data than is actually necessary for your purpose, this is likely to be unlawful (as most of the lawful bases have a necessity element) as well as a breach of the data minimisation principle. Individuals will also have the right to erasure.

94. In order to assess whether you are holding the right amount of personal data, you will have to be clear about why you are holding and using it.

95. You must avoid collecting unnecessary data, regularly review stored data and remove redundant records.

Accuracy

96. Art.8(1)(d) says data must be:

accurate and, where necessary, kept up to date, with reasonable steps being taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (“accuracy”)

97. This principle requires that you take reasonable steps to ensure the continued accuracy pf the personal data you hold. This might be through routine interactions with customers, certain trigger events or an annual review of customer databases. If the information is used for a purpose that relies on it remaining current, it should be kept up to date i.e. employee payroll records should be updated when the employee receives a payrise.

98. You do not always need to verify every piece of data constantly if the purpose of the processing does not rely on the data being current, frequent updates may not be required, but when you receive information indicating that personal data may be out of date or incorrect (for example a change of address notification, or a returned mailing), you must act without undue delay to correct, update or erase the data as appropriate. If you cannot verify which version is correct, restrict or flag the data until accuracy is confirmed.

99. You should review and update personal data particularly where:

• You use it to make decisions about individuals.
• Inaccurate or outdated information could cause harm or disadvantage.
• You rely on the data to contact individuals or fulfil a contractual or legal duty.
• You hold health, safety, or safeguarding information.

100. Some data may not require regular updates if it is not actively used or if inaccuracies would not affect the individual (for example, archived records held only for historical or legal purposes).

101. You should have systems or routines in place to keep personal data current. This could include:

• Scheduled reviews of core datasets (e.g. HR or client records).
• Prompts to individuals to check and update their details.
• Automated alerts or exception reports to flag anomalies.
• Verification of third-party information, recording the source and date.
• Staff training to ensure understanding of accuracy and consistency.

102. It may be helpful for you to also record the date of last verification for significant items of personal data, such as address or employment status.

What about records of mistakes?

103. There is often confusion about whether it is appropriate to keep records of things that happened which should not have happened. Individuals understandably do not want their records to be tarnished by, for example, a penalty or other charge that was later cancelled or refunded.

104. However, you may legitimately need your records to accurately reflect the order of events – in this example, that a charge was imposed, but later cancelled or refunded. Keeping a record of the mistake and its correction might also be in the individual’s best interests.

Example

A misdiagnosis of a medical condition continues to be held as part of a patient’s medical records even after the diagnosis is corrected, because it is relevant for the purpose of explaining treatment given to the patient, or for other health problems.

Example

An individual is dismissed for alleged misconduct. An Employment Tribunal finds that the dismissal was unfair and the individual is reinstated. The individual demands that the employer deletes all references to misconduct. However, the record of the dismissal is accurate. The Tribunal’s decision was that the employee should not have been dismissed on those grounds. The employer should ensure its records reflect this.

Accuracy of opinions

105. You may hold personal data in the form of a record of opinion about a person. A record of an opinion is not necessarily inaccurate personal data just because the individual disagrees with it, or it is later proved to be wrong. Opinions are, by their very nature, subjective and not intended to record matters of fact.

106. It is important to ensure that you record that something is an opinion, and if appropriate, whose opinion it is. If you later become aware that the opinion is inaccurate, this should also be made clear in the records you hold. If a person challenges the accuracy of an opinion about them, you should record this challenge as well.

107. Individuals have the right to have inaccurate personal data rectified. You can find out more about the right to rectification in our guidance note on data subjects’ rights.

Storage Limitation

108. Art.8(1)(e) of the DPJL 2018 says that data must be:

kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the data are processed (“storage limitation”)

109. In essence, this means that you must not keep personal data for longer than necessary for the purposes for which it is processed.

110. You must think about how long you need to keep personal data to achieve the specific purpose for which it is processed. Once you have achieved this purpose, the data should be anonymised or securely deleted. It is recognised that it can be difficult to delete or erase all traces of data. The key point to bear in mind when seeking to delete data is to put it beyond use. If you delete personal data from live systems, you should also delete it from any back-ups of such system. Alternatively, you might choose to anonymise the data. Data is anonymised if it is in a form which does not permit identification of data subjects.

111. The DPJL 2018 does not set any maximum or minimum retention periods for personal data, although there may be other laws or guidelines applicable to you which do specify particular timeframes. It is up to you to determine the appropriate periods, taking into account your processing and any applicable legal requirements and professional guidelines. It is good practice to have a retention policy or schedule which lists the types of records and in formation you hold and allocates a retention period to each category. This can help you comply with the storage limitation principle. We have a template retention schedule available here.

112. Personal data which is processed for Archiving and Research Purposes may be stored for longer periods than stated in the storage limitation period provided that appropriate technical and organisational measures are used to safeguard the rights of data subjects. Appropriate safeguards could include for example, security measures to limit access to the data, or encrypting or pseudonymising the data.

Integrity and Confidentiality (Security)

113. Art.8(1)(f) says that data must be:

processed in a manner that ensures appropriate security of the data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures (“integrity and confidentiality”)

114. This means that you must process personal data securely, using appropriate technical and organisational measures. This includes access controls, encryption, secure storage, and staff training.

Accountability

115. Under Art.6 of the DPJL 2018, controllers are responsible for complying with all the principles and must be able to demonstrate this. This is known as the accountability principle. It means that you must take a proactive approach towards data protection and be able to evidence the steps you have taken to comply.

116. The accountability principle is linked to the requirements in Arts.3, 8, 14, 15, 19, 20, 21, 22, 23, 26, 32 of the DPJL 2018 which requires controllers to implement technical and organisational measures to ensure that their processing complies with the law’s requirements, and to review and update those measures where necessary. Compliance with the DPJL 2018 is not a one-off exercise but rather an ongoing process.

117. Where appropriate, taking into account the processing activities taking place, you will need to implement data protection policies as part of ensuring that your processing meets the requirements of the DPJL 2018.

118. What will be appropriate in terms of accountably measures will depend on the size of your organisation, the sensitivity and amount of personal data you process and the purposes for which you use personal data.

119. Larger organisations which carry out significant processing may need to put in place a privacy management framework. This might include:

• Robust program controls informed by the requirements of the DPJL 2018.
• Appropriate reporting structures.
• Assessment and evaluation procedures.

120. Smaller organisations may decide to approach accountability on a smaller scale and focus on things such as:

• Ensuring that staff are aware of and understand their responsibilities in relation to data protection.
• Developing proportionate policies and procedures for handling personal data.
• Keeping records of what they are doing and why.

Lawful bases for processing personal data and special category data

121. To process any personal data you need to be able identify a relevant lawful basis for your processing. There are six lawful bases for processing non special category data, which are set out in Schedule 2 Part 1 of the DPJL 2018. (If you are processing special category personal data you need to identify a lawful basis from Schedule 2 Part 2 of the DPJL 2018).

122. You must determine your lawful basis before processing and document this. You will also need to tell people what lawful basis you are using in your transparency information (e.g. your privacy notice). You should not swap between lawful bases once you have started processing unless you have a good reason for this.

123. Most lawful bases require that processing is ‘necessary’ for a specific purpose. This doesn’t mean that the processing must be essential or the only way to achieve your purpose but if you can reasonably achieve the same purpose without the processing, you won’t have a lawful basis.

Lawful bases for processing personal data (Schedule 1 Part 1 of the DPJL 2018)

124. This legal basis applies where the data subject has given consent to the processing of their personal data for one or more specific purposes. Art.11 of the DPJL 2018 sets out specific conditions for consent and if you do not meet these conditions, any consent you have obtained will be invalid.

125. Specifically, consent must be:

• Freely given – this means that the data subject must have a genuine, free choice about whether they want to consent to the processing. This may not be the case if:

1. refusing consent leads the individual to suffer a detriment.
2. the performance of a contract is conditional on the data subject consenting, in circumstances where the processing is not necessary for the performance of that contract.
3. there is an imbalance of power in the relationship between the controller and data subject such that the data subject may not feel they can refuse (e.g. as may be the case in the relationship between an employer and employee or a public authority and citizen).

• Specific – specific consent means consent which relates to a particular processing activity/activities. The data subject needs to understand the purposes for which you intend to process their data before they are asked for or give consent. If you are asking for consent to more than one processing activity, it may be appropriate to offer a granular choice, meaning that the individual can choose whether or not to consent on a per-activity basis.
• Informed – this means telling data subjects about the processing before you ask for their consent. As a minimum you should tell individuals the identity of the controller(s) that will rely on the consent, the purposes for which the personal data will be processed and that they can withdraw their consent at any time.

126. Consent is appropriate if you can offer people real choice and control over how you use their data, and want to build their trust and engagement. But if you cannot offer a genuine choice, consent is not appropriate. If you would still process the personal data without consent, asking for consent is misleading and inherently unfair and you should use another lawful basis to rely on. Similarly if you make consent a precondition of a service, it is unlikely to be the most appropriate lawful basis.

127. An unambiguous indication of the data subject’s wishes given by way of a statement or clear, affirmative (i.e. positive) action – consent can be given in writing, electronically (e.g. by submitting a form, ticking a box etc.) or orally. What is important is that there is some action required by the data subject and the data subject understands that by doing the action, they are indicating consent. Silence, inaction and pre-ticked boxes do not constitute consent.

128. If consent is given as part of a written declaration which also covers other things, the consent request to the processing of personal data must be separate and clearly distinguishable from the other matters. You must also use clear and plain language when requesting consent.

129. Data subjects have the right to withdraw their consent at any time, and it must be as easy to withdraw consent as it was to give it in the first place. You must ensure you tell people how they can withdraw their consent. You need to keep records of consent and withdrawals of consent so that you can demonstrate that data subjects have consented to your processing.

Performance of a contract

(Schedule 1 Part 1 Para.2)

130. This legal basis applies where processing is necessary:

• For the performance of a contract to which the data subject is a party; or
• The taking of steps at the request of the data subject with a view to entering into a contract.

131. This legal basis is likely to apply where you process personal data so that you can comply with your obligations under a contract with the data subject, or you process personal data to enable a data subject to comply with their obligations under a contract with you (e.g. you process payment details so that the individual can pay you). It also applies where you do not yet have a contract with the individual but the individual has asked you to do something because they are considering entering into a contract with you (e.g. asking for a quote), even if they don’t enter the contract in the end.

132. Processing must be necessary and whilst this doesn’t mean processing must be absolutely essential, or the only way to perform a contract or to take the relevant pre-contractual steps, it must be more than simply useful and needs to be a targeted and proportionate step which is integral to delivering the contractual service.

133. The performance of a contract legal basis only applies where you are processing the personal data of the person with whom you have or may in future have a contract. It does not apply if you need to process one person’s data but your contract is with another person. Nor can it be relied upon where you take steps at your own initiative, rather than at an individual’s request, prior to entering into a contract with that individual.

134. In Jersey, a contract does not have to be set out in a formal signed document or even be written but it does require four essential elements:

• Consent: Both parties must agree to the terms of the contract. This agreement can be assessed through an objective or subjective approach, though the objective approach is more commonly applied.
• Capacity: The parties involved must have the legal ability to enter into a contract. This includes being of legal age and having the mental capacity to understand the contract's implications.
• Cause: This refers to the reason or purpose behind entering into the contract. It must be lawful and not against public policy.
• Object: The object of the contract must be sufficiently certain and lawful. It represents what the parties are agreeing to undertake.

Vital interests

(Schedule 1 Part 1 Para.3)

135. This legal basis applies where the processing is necessary to protect the vital interests of the data subject or of another natural person. Although not defined in the DPJL 2018, vital interests are intended to cover interests which are essential to someone’s life, i.e. a matter of life or death. Recital 46 of the EU GDPR says that;

The processing of personal data should also be regarded as lawful where it is necessary to protect an interest which is essential for the life of the data subject or that of another natural person. Processing of personal data based on the vital interest of another natural person should in principle take place only where the processing cannot be manifestly based on another legal basis…

136. It is likely to be particularly relevant in the context of the provision of emergency medical care.

Example

An employee working in a warehouse suffers a serious head injury after an accident and becomes unresponsive. The site supervisor immediately calls emergency services and provides the paramedics with the employee’s name, known medical conditions recorded for health and safety purposes, and details of how the injury occurred. The disclosure is necessary to protect the employee’s vital interests.

In contrast, for pre-planned medical care, consent is likely to be the appropriate legal basis.

137. You should be aware that where you are processing personal data relating to health, you also need to find an additional condition for the processing of special category personal data from Schedule 2 Part 2 of the DPJL 2018.

Public functions

(Schedule 1 Part 1 para.4)

138. This legal basis applies where processing is necessary for:

• The administration of justice.
• The exercise of any functions conferred on any person by or under any enactment.
• The exercise of any functions of the Crown, the States or any public authority.
• The exercise of any other functions of a public nature with a legal basis in Jersey law to which the controller is subject and exercised in the public interest by any person.

139. Essentially, this basis will apply when processing is necessary for official legal, government, or public-interest responsibilities - not for private or commercial reasons. This legal basis will mainly apply to public authorities, and the bodies in Jersey but in some cases it may also apply to private sector organisations but only where they are acting under official authority. For accountability purposes, you should be able to specify the relevant task, function or power, and identify its basis in common law or statute. You should also ensure that you can demonstrate there is no other reasonable and less intrusive means to achieve your purpose.

Legitimate interest

(Schedule 1 Part 1 para.5)

140. This legal basis applies where the processing is necessary for the purposes of legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or rights of the data subject which require protection of personal data, in particular where the data subject is a child or where the controller is a public authority.

141. In this context “child” means a person under 18 and “third parties” means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.

142. The legitimate interest legal basis is the most flexible but this does not mean it will always be available for any processing you want to carry out. A wide range of interests may be legitimate interests. They can be your own interests or the interests of third parties, and commercial interests as well ones which benefit society more widely.

143. If you want to rely on the legitimate interest basis you need to identify your legitimate interest and balance these against the interests of the data subjects. This can be done by carrying out the three-part test explained below:

Purpose test: identify the relevant legitimate interest that you are pursuing:

• Why do you want to process the data – what are you trying to achieve?
• Who benefits from the processing? In what way?
• Are there any wider public benefits to the processing?
• What would the impact be on you and the data subject if you couldn’t go ahead?
• Would your use of the data be unethical or unlawful in any way?

Necessity test: consider whether your processing is necessary to achieve the purpose/interest:

• Does your processing actually help you achieve the interest?
• Is it a reasonable way to go about it?
• Is there another less intrusive way to achieve the same result?

Balancing test: consider whether the data subject’s interests override your legitimate interest:

• What is the nature of your relationship with the individual?
• Is any of the data particularly sensitive or private?
• Would people expect you to use their data in this way?
• Are you happy to explain it to them?
• Are some people likely to object or find it intrusive?
• What is the possible impact on the individual and how big is the impact?
• Are any of the individuals children or vulnerable in any other way?
• Can you adopt any safeguards to minimise the impact?
• Can you offer an opt-out?

144. You can only rely on the legitimate interest basis where you have satisfied the above three-part test. It is recommended that you document this consideration in writing. This is referred to as a legitimate interest assessment or LIA. You should keep your LIA under review and update it if there is a significant change in the nature or context of the processing. If the processing is high risk, you may need to carry out a formal DPIA.

145. If you process personal data on this basis you also need to tell individuals that you are doing so, and explain the nature of your legitimate interest. You can do this in the privacy information you give to people to meet your transparency obligations. We have a checklist you can use when undertaking the LIA and a template that will help you record your decision-making process.

Lawful bases for processing special category data

(Schedule 2 Part 2 of the DPJL 2018)

146. As set out above, special category data is that kind of data that is more sensitive and therefore requires greater protection. Art.1(1) of the DPJL 2018 defines special category data as:

• Personal data revealing racial or ethnic origin.
• Personal data revealing political opinions.
• Personal data revealing religious or philosophical beliefs.
• Personal data revealing trade union membership.
• Genetic or biometric data (where used for identification purposes).
• Data concerning health.
• Data concerning a person’s sex life or sexual orientation.
• Personal data relating to criminal record or alleged criminal activity.

147. If you want to process special category data you cannot use any of the bases listed in Schedule 2 Part 1 of the DPJL 2018; you must identify a lawful bases under Schedule 2 Part 2 of the DPJL 2018 instead.

148. Remember that you must carry out a DPIA for any type of processing that is likely to be high risk. You are more likely to need a DPIA for processing of special category data. You can find more information in our Guidance Note and we have a template DPIA available for you to use here.

Consent

(Schedule 2 Part 2 para.6)

149. You can process special category personal data if the data subject has given explicit consent to the processing for one or more specified purposes. All the points made in para.125 above in relation to consent will apply equally to explicit consent (e.g. it must be freely given, specific, affirmative (opt-in) and unambiguous, and able to be withdrawn at any time).

150. The DPJL 2018 does not define what is meant by “explicit consent” although explicit consent must be confirmed in a clear statement rather than inferred from an action. The consent statement must specify the element of the processing which requires consent e.g. the nature of the special category personal data. If you obtain explicit consent orally you must keep a record of the wording used and the response provided by the data subject.

Example - Explicit Consent: Good vs Bad

GOOD EXPLICIT CONSENT (Valid)

An employee chooses to participate in an optional workplace health assessment. They are given full information about what health data will be collected, how it will be used, who will see it, and how long it will be kept. The employee signs a statement saying: ‘I explicitly consent to my health data being collected and used for the purposes of this health assessment.’

The employee has a genuine choice, receives clear information, and provides a written, explicit confirmation. This is valid explicit consent for processing special category data.

Example - Explicit Consent: Good vs Bad

BAD CONSENT (Invalid – Forced Consent)

An employer launches a wellbeing programme and tells employees they must consent to sharing their medical history and mental-health information or they will lose access to workplace benefits. There is no option to refuse, and participation is effectively mandatory.

Because the employee cannot freely choose and is pressured into agreeing, this is not valid explicit consent. It is an example of false or coerced consent, especially concerning special category health data.

Other legal obligations

(Schedule 2 Part 2 para.7)

151. You can process someone’s personal data if you need to use it to follow a law that applies to your organisation (not employment related). This must be a genuine legal requirement set out in legislation or regulation — not something you invented internally or something that only appears in a contract. If the law says you must collect, keep, or share certain information, then you are allowed to process the data for that purpose without needing consent.

Example

A business that sells age-restricted products is legally required to check and record proof-of-age information before completing certain transactions. To comply with this legal requirement, the business may need to view and record details from a customer’s ID document. This processing is allowed because it is necessary to meet a legal obligation, not because the customer agreed to it in a contract.

Employment and Social Fields (Schedule 2 Part 2 para.8)

152. This condition applies where the processing of special category data is necessary for the controller to exercise or perform a right, obligation, or public function that is conferred or imposed by Jersey law in connection with employment, social security, social services, or social care. It recognises that organisations may need to handle sensitive information (such as health data or information about an individual’s circumstances) in order to meet statutory duties, protect individuals, or ensure compliance with regulatory obligations. The processing must be genuinely required for that legal purpose and must be proportionate and properly safeguarded.

153. Examples of when this condition may apply

• Employment-related legal duties: Where an organisation must process medical or health-related information to comply with health and safety obligations, risk assessments, or statutory reporting requirements under Jersey employment or safety legislation.
• Workplace adjustments: When an employer processes information about an employee’s medical condition to determine or implement reasonable workplace adjustments required by law to protect health, safety, or welfare.
• Statutory reporting or compliance: Where a body must handle special category information in order to meet a mandatory requirement created by Jersey law (for example, reporting certain incidents or risks to a regulator, or maintaining legally required records relevant to employment or protection duties).
• Social care and welfare functions: Where an organisation or public body processes special category data to provide or manage social services, support, or care, or to carry out statutory safeguarding responsibilities.
• Social protection measures: When processing is needed to administer or support lawful benefits, protections, or support schemes (for example, assessing needs, eligibility, or risk in relation to social support functions authorised by Jersey law).

Example

A home-care provider is legally required, to assess whether its staff are medically fit to carry out certain duties — such as lifting clients or administering medication. To meet this obligation, the provider collects and reviews relevant health information from the staff member’s GP or occupational health professional.

Vital Interests

(Schedule 2 Part 2 para.9)

154. You can process special category personal data where necessary to protect vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent. Although vital interests are not defined in the DPJL 2018, these are intended to cover interests that are essential for someone’s life, i.e. matters of life or death. This condition can only be relied upon where the data subject is physically or legally unable to give consent. This means you should ask for explicit consent if possible. If a data subject refuses consent, you cannot rely on vital interests as a fallback condition, unless they are not legally competent to make that decision.

155. This condition is likely to be most relevant where there is an urgent need to use a person’ personal data for medical care, but they are unconscious or otherwise incapable of giving consent.

Non-profit associations (Schedule 2 Part 2 para.10)

156. You can rely on this condition where the processing is carried out by any body, or association, that is not established or conducted for profit, and exists for political, philosophical, religious or trade union purposes and on condition that:

• The processing is carried out with appropriate safeguards for the rights and freedoms of data subjects.
• Relates solely to the members of the body or association or to persons who have regular contact with it in connection with its purposes.
• The personal data is not disclosed outside that body without the consent of the data subjects.

157. This condition is not purpose based like most of the others. Rather it applies to certain processing carried out by not-for-profit organisations. Because it is not purpose based, there is no necessity test.

158. The phrase “legitimate activities” is not defined in the DPJL 2018, however, the processing must be within the confines of the purposes and powers of the organisation as set out in its constitution or other similar document, and must not be unlawful or unethical in any way.

159. Nor does the DPJL 2018 define what is meant by appropriate safeguards in this context, however, these are likely to be measures such as limiting access to the data, applying short retention periods, and providing individuals with the opportunity to opt out of processing

Example

A Jersey-based amateur sports club, run entirely on a non-profit basis, keeps a membership list containing players’ contact details, dates of birth, and emergency-contact information. The club uses this information to organise training sessions, notify members about fixtures, arrange transport, and manage player welfare under its safeguarding policy. The data is only used for the club’s legitimate activities, and access is restricted to the volunteer committee members who need it. The club stores the information securely and does not share it with third parties (such as sponsors or other clubs) unless a member gives clear consent – for example, to be included in a league registration list. The processing relates only to current members and regular participants, and is carried out with safeguards such as password-protected systems, limited access, and clear retention rules.

Information made public (Schedule 2 Part 2 para.11)

160. You can rely on this condition where you are processing personal data which is intentionally made public by the data subject. Please note that this condition does not allow you to process all special category personal data about an individual that is in the public domain but only that which the data subject him/herself has made public. Note that the individual must also have made the data public intentionally for you to be able to rely on this condition. If you rely on this condition, you should keep a record of where and how you obtained the publicly available information.

161. If you rely on this condition you should think about:

• Can a member of the public realistically access it in practice?
• Who made the data public – was it the individual themselves or was it someone else? In what context was it made public – for example was it due to them giving an interview, standing for public office, or writing a book, blog or social media post?
• Did the individual deliberately take the steps which made this special category data public, or was it accidental or unintentional? Did they make a clear decision? Is the individual likely to have understood that their action means that their special category data is in the public domain?

Legal proceedings, etc. (Schedule 2 Part 2 para.12)

162. You can rely on this condition where the processing is necessary for any legal proceedings, the obtaining of legal advice or for the establishment, exercise or defence of legal claims.

Example

• Legal proceedings A Jersey landlord receives notice of a tribunal claim made by a former tenant. To prepare for the hearing, the landlord’s advocate requests copies of the tenant’s rent-payment history and correspondence relating to the tenancy. The landlord processes this personal data because it is necessary for the legal proceedings and directly linked to the case.

• Obtaining legal advice A local charity becomes aware of a dispute involving one of its volunteers. The charity shares relevant personal information (emails, incident reports, and witness statements) with its Jersey law firm so the advocate can advise on the charity’s obligations and potential liabilities. The processing is permitted because it is necessary to obtain legal advice.

• Establishing, exercising or defending legal rights A small Jersey business receives a formal complaint alleging discrimination. The business reviews and collates internal records, including staff schedules and meeting notes containing personal data, to demonstrate that its actions were lawful. This processing is allowed because it is necessary to establish, exercise or defend the organisation’s legal rights.

Public functions

(Schedule 2 Para 2 para.13)

163. This condition applies where personal data must be processed because it is genuinely necessary for a public function established under Jersey law. This includes situations where the data is needed for the administration of justice (such as court processes), where an organisation or individual is carrying out functions given to them under a Jersey enactment, or where the processing is required for the proper exercise of the functions of the Crown, the States, Government of Jersey departments, or any public authority. In these cases, the organisation is performing duties that exist in the public interest and are grounded in law, so the processing does not depend on consent and must take place to allow those official or statutory responsibilities to be fulfilled.

Public interest

(Schedule 2 Part 2 para.14)

164. This condition applies where the processing of personal data is necessary for a substantial public interest that is recognised in Jersey law, and where appropriate safeguards are in place to protect individuals. It covers situations where the law allows or requires certain types of processing because doing so benefits the wider public e.g. safeguarding vulnerable people, ensuring public safety, or supporting important regulatory or oversight functions. The processing must genuinely be needed for that public interest purpose, must be proportionate, and must include strong protections such as limited access, clear retention controls, confidentiality measures, and transparency. These safeguards help ensure that individuals’ rights and interests remain protected even where the public interest justifies more sensitive or intrusive processing.

Medical purposes

(Schedule 2 Part 2 para.15)

165. This condition applies where the processing of personal data is necessary for medical purposes and is carried out either by a health professional or by someone who is bound by an equivalent duty of confidentiality, such as a regulated healthcare provider, approved researcher, or contracted clinical service.

166. 'Medical purposes' is interpreted broadly under Jersey law and includes activities such as preventative medicine, medical diagnosis, medical research, the provision of care or treatment, the management of health or social-care services, occupational health, and assessing an employee’s fitness for work. This condition ensures that doctors, nurses, allied health professionals, care providers, and others working under strict confidentiality obligations can process the information they need to deliver safe, lawful and effective healthcare or related services, without requiring explicit consent in situations where doing so would be impractical or inconsistent with clinical or operational needs.

167. To rely on this condition, the processing must be carried out by or under the responsibility of a health professional subject to the obligation of professional secrecy or duty of confidentiality.

168. The term health professional is not defined in the DPJL 2018 but will likely include: doctors, nurses, midwives, dentists, opticians and optometrists, osteopaths, chiropractors, arts therapists, chiropodists, clinical scientists, dieticians, medical laboratory technicians, occupational therapists, orthoptists, paramedics, physiotherapists, prosthetists and orthotists, radiographers, speech and language therapists, pharmacists and pharmacy technicians and psychotherapists.

Public Health

(Schedule 2 Part 2 para.16)

169. This condition applies where personal data must be processed for reasons of public interest in the field of public health, as recognised or required by Jersey law. This may include activities such as monitoring and responding to public health risks, managing cross-border threats to health, supporting infection-control measures, or ensuring the quality, safety and effectiveness of health or social-care services.

170. If you rely on this condition, you must be able to demonstrate that there is a genuine public interest in the area of public health in the processing you are carrying out. Although the term “public interest” is not formally defined, you need to show that the processing provides a benefit to wider society or the public as a whole, not just to your organisation. Any processing under this condition must also be carried out with appropriate safeguards to protect individuals’ rights and freedoms, such as confidentiality controls, limited access, and robust security and retention measures.

Archiving and Research

(Schedule 2 Part 2 para.17)

171. This condition applies where personal data is processed for archiving or for statistical, scientific, or historical research purposes, and where that activity is genuinely carried out in the public interest. To rely on this condition, you must be able to show that the research or archiving work delivers a broader benefit to society, not just an internal or commercial advantage. Importantly, not all research qualifies: you need to demonstrate that what you are doing is truly scientific or historical in nature and meets a clear public-interest purpose.

172. This requirement applies to research by both public bodies and private organisations, and it can include a broad range of legitimate activities such as technology development, testing or demonstrating new methods, or fundamental and applied scientific studies, whether publicly or privately funded. Commercial scientific work may fall within this condition if it follows recognised, rigorous methods and contributes meaningfully to the public good. In contrast, typical commercial market research (for example, activities undertaken solely to support sales or marketing decisions) is unlikely to meet the necessary threshold unless a genuine public-interest benefit can be clearly shown.

173. The processing must also be necessary for the research or archiving purpose, must not be used to make decisions about identifiable individuals without their explicit consent, and must be carried out with robust safeguards such as anonymisation or pseudonymisation, restricted access, secure storage, and proportionate retention periods.

Avoidance of discrimination

(Schedule 2 Part 2 para.18)

174. This condition applies where it is necessary to avoid discrimination, meaning the processing helps ensure individuals are not treated unfairly or unequally on the basis of protected characteristics recognised under Jersey law. It applies when an organisation needs to use personal data specifically to prevent, identify, or address discriminatory practices or outcomes (for example, monitoring diversity, ensuring fair access to services, or reviewing decisions to check for bias).

175. To rely on this condition, the controller must show that the processing is genuinely required for this purpose and is supported by appropriate safeguards to protect individuals’ rights. Although the activity may involve sensitive data, the aim must be to prevent discrimination, not contribute to it, and the processing must remain proportionate and necessary.

Example

A Jersey housing association reviews applications for supported accommodation. To ensure its allocation process is fair and compliant with discrimination laws, it analyses certain personal data (such as age, disability status, and ethnicity) to check whether any groups are being unintentionally disadvantaged by eligibility criteria or assessment scoring. The processing is limited to what is necessary for this fairness review, and the results are used only to identify and correct potential bias in the system. This is a valid use of the avoidance of discrimination condition because the processing is required to ensure applicants are not treated less favourably due to protected characteristics and supports fair access to housing services.

Prevention of unlawful acts

(Schedule 2 Part 2 para.19)

176. This condition allows personal data to be processed where it is genuinely in the substantial public interest and necessary for the prevention or detection of an unlawful act or unlawful omission under Jersey law. It recognises that, in some situations, organisations cannot seek an individual’s explicit consent without undermining the purpose of the activity - for example, where doing so might alert someone to an investigation or frustrate efforts to prevent wrongdoing.

177. To rely on this condition, the controller must be able to show that the processing is proportionate, targeted, and clearly linked to preventing or detecting unlawful behaviour, and that bypassing explicit consent is essential to avoid prejudicing those aims. Appropriate safeguards must still be in place to ensure that the processing is carried out responsibly and that individuals’ rights are protected as far as possible.

Protection against malpractice and mismanagement

(Schedule 2 Part 2 para.20)

178. This condition permits the processing of personal data where it is in the substantial public interest and is necessary for carrying out functions designed to protect the public from risks such as dishonesty, malpractice, serious misconduct, professional incompetence, or mismanagement in the administration of services provided by an organisation. It applies, for example, where regulators, oversight bodies, or organisations with statutory or public-interest responsibilities need to investigate concerns about improper behaviour or systemic failures.

179. The condition recognises that seeking explicit consent from the individual could undermine or prejudice the investigation, and therefore allows the processing to take place without consent where this is essential to ensuring the integrity of the function.

180. Any use of this condition must still be proportionate and supported by appropriate safeguards to protect individuals’ rights while enabling proper scrutiny and public protection.

Publication about malpractice and mismanagement

(Schedule 2 Part 2 para.21)

181. This condition allows personal data to be disclosed for the purpose of publication where doing so is in the substantial public interest and relates to matters such as unlawful acts, malpractice, seriously improper conduct, professional unfitness or incompetence, or mismanagement or failures in the provision of services by an organisation.

182. The disclosure must be for the special purposes (that is, journalism, academic, artistic or literary purposes) and made with the intention that the information will be published. The controller must also hold a reasonable belief that the publication itself would be in the public interest.

183. This condition recognises that, in some situations, transparency and public reporting play an important role in exposing wrongdoing, protecting the public, and holding individuals or bodies to account. Any disclosure under this condition must still be proportionate and carried out with appropriate regard for the rights and freedoms of those concerned.

Counselling

(Schedule 2 Part 2 para.22)

184. This condition permits the processing of personal data where it is in the substantial public interest and is necessary for delivering a confidential counselling, advice, support, or similar service.

185. It recognises that such services often rely on handling sensitive information and that seeking explicit consent may not always be possible or appropriate. The condition may be used where the individual cannot give consent, where obtaining consent would be unreasonable or impractical, or where seeking consent would undermine or prejudice the provision of the confidential service itself (for example, where privacy, immediacy, or trust is essential to the support being offered). Any use of this condition must still be proportionate, carried out with strong confidentiality safeguards, and clearly linked to the proper delivery of the counselling or support function.

Insurance and pensions (general determinations)

(Schedule 2 Part 2 para.23)

186. This condition applies where a data controller is carrying on insurance business falling within Class I, III or IV of Part 1 of Schedule 1 to the Insurance Business (Jersey) Law 1996, or Class 1 or 2 of Part 2 of that Schedule, and the processing is necessary for the proper functioning of that insurance activity. It also applies where a controller is making determinations connected with an occupational pension scheme, such as assessing eligibility or benefits. In these limited situations, the controller may process health information about certain close relatives of the insured person or pension scheme member—specifically their parent, grandparent, great-grandparent or sibling—where this is required for actuarial or benefit-related assessments and where explicit consent from the relative cannot reasonably be obtained. The processing must not be used to make decisions about the relative themselves and is strictly limited to these specified family relationships.

Insurance and pensions: current processing

(Schedule 2 Part 2, para.24)

187. This condition operated as a transitional provision to allow certain insurance and occupational-pension processing that was already taking place immediately before the DPJL 2018 came into force to continue without interruption. It applied where the same controller was already processing personal data about the same data subject, and where that processing remained necessary for carrying on insurance business within the specified classes of the Insurance Business (Jersey) Law 1996 or for establishing or administering an occupational pension scheme. The condition recognised that controllers might not reasonably be able to obtain explicit consent from individuals for ongoing work that had begun under the previous legal framework, or that seeking consent could prejudice the continuity or integrity of the insurance or pension function. It therefore permitted the continuation of that processing provided the individual had not refused consent and the processing remained essential for the relevant insurance or pension purpose.

Functions of a police officer

(Schedule 2 Part 2, para.25)

188. This condition permits the processing of special category data where it is necessary for a police officer to carry out a function given to them by Jersey law. It sits within the general processing framework of the DPJL 2018 and applies to policing functions that are not being carried out for “law enforcement purposes” as defined in Art.1(1) of the DPJL 2018 namely: Law enforcement purpose” means any of the following purposes, namely the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against, and the prevention of, threats to public security.

189. Where police process personal data for the prevention, investigation, detection or prosecution of criminal offences, the law enforcement regime (including the modified processing conditions set out in Schedule 1) applies instead. This provision is therefore used for other statutory policing activities - such as safeguarding duties, welfare checks, community protection functions or operational tasks that do not involve criminal law enforcement - where officers still need to handle sensitive data to perform their legal responsibilities.