JOIC logo

Exemptions - Arts.41-62 Data Protection (Jersey) Law 2018

  1. Data subjects (individuals) have certain rights under the Data Protection (Jersey) Law 2018. These rights are explained in our separate guidance note 'Data subject rights; what they are, how to exercise them and how to respond to them'.

  2. The rights and duties set out in the DPJL 2018 are designed to apply generally, but there are some exemptions from, and modifications to, various provisions of the DPJL 2018. These are contained at Part 7 (Arts.40-63) of the DPJL 2018.

  3. If an exemption applies, then (depending on the circumstances) you may not have to comply with the usual data subject rights such as:

  • The right to be informed.
  • The right of access.
  • Dealing with other individual rights.

  1. Some exemptions only apply to one of the rights listed above, but others can exempt you from more than one thing and your ability to rely on an exemption depends in part on your purpose for processing the personal data in question.

  2. This guidance note will explain how the exemptions are intended to work and when they apply.

What Are Exemptions and How Do They Work?

What is an exemption?

  1. An exemption is a special rule in the DPJL 2018 that allows an organisation (a data controller) not to follow some of the usual data protection rights in certain situations.

  2. Most of the time, you must.

  • Tell people how their data is used.
  • Give people access to their data when they ask.
  • Not share data unless you have a good reason.
  1. But sometimes, following these rules could cause harm, such as stopping the police from investigating a crime, or harming someone’s safety. In those cases, an exemption may apply.

When can an exemption be used?

  1. An organisation can only use an exemption when necessary and only for the smallest amount of information needed. You must think carefully about:
  • Why you need the exemption.
  • What harm would happen if you followed the normal rules.
  • Which parts of the DPJL 2018 you do not need to apply.
  • Whether you could still give some information safely.

Examples of when exemptions might apply

  • National Security (Art.41): Used when giving information would harm Jersey’s national security.
  • Criminal Record Certifications (Art.42): Covers situations where criminal record checks override normal DPJL 2018 rules.
  • Manual Data Held by Public Authorities (Art.43): Applies to paper/manual records not in a filing system, with limited rights still applying.
  • Academic, Journalistic, Literary or Artistic Purposes – “Special Purposes” (Art.44): Protects freedom of expression where data is used with a view to publication in the public interest.
  • Crime and Taxation (Art.45): Used when telling someone about their data would harm crime detection, prevention, prosecution, or tax collection work.
  • Corporate Finance (Art.46): Used by certain financial services firms where disclosure could affect market prices or Jersey’s financial stability.
  • Trusts (Art.47): Applies where trust information (Jersey or foreign) cannot be disclosed under trust law.
  • Financial Loss, Charities, Health and Safety, Maladministration, Fair Trading (Art.48): Used by regulators or public bodies where disclosure would harm their ability to protect the public, charities, safety, or fair competition.
  • Management Forecasts and Planning (Art.49): Protects confidential business planning where disclosure would harm the organisation’s operations.
  • Negotiations (Art.50): Covers information about a controller’s intentions during negotiations where disclosure would harm those negotiations.
  • Information Already Public by Law (Art.51): No need to provide information already required to be made public under legislation.
  • Disclosure Prohibited by Other Laws (Art.52): Used where other Jersey laws forbid releasing certain information (e.g., adoption, proceeds of crime, terrorism).
  • Confidential References Given by the Controller (Art.53): References written by an organisation are exempt from access requests.
  • Examination Scripts (Art.54): A candidate’s written exam script is exempt from access rights (but examiners’ notes are not).
  • Crown or Judicial Appointments and Honours (Art.55): Used when assessing suitability for Crown employment, judicial office, or honours.
  • Armed Forces (Art.56): Used where disclosure would harm the combat effectiveness of the armed forces.
  • Legal Professional Privilege (Art.57): Covers information that is legally privileged (legal advice or litigation material).
  • Self-Incrimination (Art.58): Prevents someone from having to disclose information that would expose them to prosecution.
  • States Assembly Privilege (Art.59): Used to protect the privileges of the States Assembly.
  • Examination Marks – Time Extension (Art.60): Not a true exemption but gives longer deadlines for responding to exam-mark requests.
  • Health, Education and Social Work Information (Art.61): Used where disclosure would cause serious harm, breach a court direction, or breach confidentiality in sensitive reports/records.
  • Credit Reference Agencies (Art.62): Allows people to ask only for financial standing information and requires the agency to explain the rights available.
  • Unstructured Personal Data Held by Public Authorities (Art.63):
  • Regulation-Made Exemptions (Arts.64 and 65): Additional exemptions may be created by Regulations (none currently).

What must organisations do when using an exemption?

  1. Art.6(1)(a) of the DPAJL 2018 sets out that “a controller is responsible for, and must be able to demonstrate compliance with, the data protection principles”. This means that you are responsible for showing that everything you do is in compliance with the law. This includes responding to requests for information and being able to justify and explain why you have responded to a request in a particular way.

  2. Exemptions cannot be used automatically or for convenience and you must consider each exemption on a case-by-case basis. This is because the exemptions only permit you to depart from the DPJL 2018’s general requirements to the minimum extent necessary to protect the particular functions or activities the exemptions concern.

  3. You should not routinely rely on exemptions or apply them in a blanket fashion – it must be appropriate in the circumstances of the particular request that has been made. Even if the exemption legitimately applies, you may still decide to release that information to the data subject.

  4. Similarly, any exemption should only be applied in reference to the specific subject access right, the exercise of which would prejudice the interest in question (i.e. a controller’s interests in respect of (for example) management forecasting could be prejudiced by the release of information in response to a subject access request, but may not be prejudiced in respect of a request for rectification).

  5. You will need to explain why the exemption is required in each case, and how and by whom this was considered at the time. You should clearly document your decision-making process at the time as you should be able to explain to a data subject (where possible) why exemptions have been applied and may also need to explain your thought process to us.

  6. You must:

  • Show clear reasons why the exemption was needed.
  • Record your decision-making: who decided to apply the exemption, what was considered, why it was necessary.
  • Apply only the minimum needed, not a blanket refusal.
  • Still follow all other parts of the DPJL 2018 that are not part of the exemption.
  • Explain the exemption to the person (where possible) if they ask why some information was withheld.

Do exemptions remove all rights?

  1. No. Exemptions only take away some rights, and only for specific reasons. People still have:
  • The right to complain to the us.
  • The right to challenge incorrect decisions.
  • Protection from unlawful use of their data.

What are exemptions?

  1. In some circumstances, the DPJL 2018 provides an exemption from particular provisions of the law. If an exemption applies, you may not have to comply with all the usual rights and obligations.

  2. There are several different exemptions; these are detailed in Part 7 of the DPJL 2018 and they can relieve you of some of your obligations for things such as:

  • The right to be informed.
  • The right of access.
  • Dealing with other individual rights.
  1. Some exemptions apply to only one of the above, but others can exempt you from several things. Some things are not listed here as exemptions, although in practice they work a bit like an exemption. For example:
  1. Domestic purposes – personal data processed in the course of a purely personal or household activity, with no connection to a professional or commercial activity, is outside the DPJL 2018’s scope. This means that if you only use personal data for such things as writing to friends and family or taking pictures for your own enjoyment, you are not subject to the DPJL 2018.
  2. Law enforcement – the processing of personal data by competent authorities for law enforcement purposes is subject to the rules in Schedule 1 of the DPJL 2018. This processing activity is outside the scope of this guidance note.

How do exemptions work?

  1. Whether you can rely on an exemption generally depends on the purpose for which you are processing personal data. Some exemptions apply because of your specific purpose, while others apply only insofar as compliance with the DPJL 2018 would be likely to prejudice that purpose or would prevent or seriously impair you from processing personal data in a way that is required or necessary.

  2. Some exemptions only apply to one of the rights listed, but others can exempt you from more than one thing and your ability to rely on an exemption depends in part on your purpose for processing the personal data in question.

  3. Exemptions must not be used routinely or applied in a blanket fashion; they should always be considered on a case-by-case basis.

  4. Where an exemption does apply, you may in some circumstances be obliged to rely on it (e.g. if complying with the Law would cause you to breach another legal requirement) while in other cases you may choose whether or not to rely on it. In keeping with the accountability principle, you should document and be able to justify any decision to rely on an exemption in order to demonstrate compliance.

  5. If no relevant exemption applies, you must comply with the DPJL 2018 in the usual way including that you have a lawful basis for processing under Art.9 of the DPJL 2018.

Division 1 - General and wider exemptions (Arts.40-62 of the DPJL 2018)
National security

(Art.41)

  1. Personal data are exempt from any of the provisions of:
  1. The data protection principles (Art.8) (except lawfulness requirements).
  2. The transparency(Art.12) and subject rights provisions (Part 6).
  3. The offence in Art.71 of the DPJL 2018 (which prohibits the unlawful obtaining etc. of personal data).
  4. Parts 3 and 4 of the Data Protection Authority (Jersey) Law 2018 (DPAJL 2018). If the exemption from that provision is required for the purpose of safeguarding national security.
  1. National security is not defined in the DPJL 2018, but it can cover processing for:
  • Protection against specific threats, such as from terrorists or hostile states.
  • Protection of potential targets even in the absence of specific threats.
  • International co-operation with other countries.

  1. You must be able to show that the exemption from specified data protection standards is required for the purposes of safeguarding national security. When deciding whether to use this exemption, we suggest you consider whether complying with the DPJL 2018 would raise a real possibility of an adverse effect on national security.

  2. A certificate signed by the Minister for Home Affairs is conclusive evidence of the fact that the exemption is required for safeguarding national security. Such a certificate may identify the personal data by describing it in general terms. A person directly affected by the issue of the certificate may apply to the Royal Court for a review of the decision to issue the certificate. If the Royal Court finds that the Minister did not have reasonable grounds to issue the certificate, the court may quash the decision and void the certificate.

Criminal record certifications

(Art.42)

  1. Art.42 overrides the Law in respect of criminal record certifications in certain circumstances. Even though the rest of the law places limits on when you can ask for criminal-record information, this article says that someone is allowed to ask another person to provide any criminal-record certificate that can legally be obtained for them under the relevant part of the UK Police Act 1997 (as it applies in Jersey).
Manual data held by public authorities

(Art.43)

  1. Manual, unstructured personal data (i.e. that not processed automatically, and that is not part of a filing system (or intended to be part of a filing system) held by public authorities are exempt from all aspects of the DPJL 2018 except in relation to the subject rights provisions set out in Arts.28-31of the DPJL 2018 and the other exemptions in Part 7 of the law. Individuals also retain the right to bring proceedings against controllers (Art.68) and offences in respect of the unlawful obtaining of personal data are preserved (Art.71).
Academic, journalistic, literary or artistic material

(Art.44)

  1. This exemption protects freedom of expression in academia, journalism, art and literature (which are known as the ‘special purposes’ as defined in Art.1(1) of the DPJL 2018).

  2. The scope of the exemption is very broad and it can exempt from most provisions of the DPJL 2018, including subject access – but not Arts.68 and 69 of the DPJL 2018 (proceedings against controllers and compensation).

  3. However it does not give an automatic blanket exemption. In order for the exemption to apply:

  • The data must be processed only for academia, journalism, art or literature,
  • It must be being processed with a view to publication,
  • With regard to the importance of freedom of expression, you must have a reasonable belief that the publication is in the public interest, and
  • The public interest outweighs the interests of the data subject and the application of those provisions.

  1. You will need to explain why the exemption is required in each case, and how and by whom this was considered at the time. You should document your decision making process and go through each of the four parts we’ve set out above showing how they took each of those aspects into consideration before making your decision, including the balancing test conducted in weighing up the interests of the data subject against the public interest.

  2. When deciding whether or not publication would be in the public interest, regard may be had to the controller’s compliance with any code of practice relevant to the publication in question and the extent to which the publication is regulated.

Division 2 - Exemptions from transparency and subject rights provisions
Crime and taxation

(Art.45)

  1. The DPJL 2018 recognises that it is sometimes appropriate to disclose personal data for certain purposes to do with criminal justice or the taxation system. In these cases, individuals’ rights may occasionally need to be restricted. In particular, the DPJL 2018 deals with several situations in which personal data is processed for the following 'crime and taxation purposes':
  • The prevention, detection or investigation anywhere of crime.
  • The apprehension or prosecution, anywhere of offenders who have committed or are alleged to have committed, an offence anywhere.
  • The assessment or collection, anywhere of any tax or duty, or imposition of a similar nature, wherever due.
  • The disclosure made to a police officer under Art.32/32A or any Order made under Art.37 of the Proceeds of Crime (Jersey) Law 1999.
  • The reporting of suspicious activities under any Tax Information Exchange Agreement).
  1. Personal data processed for any of these purposes is exempt from the DPJL 2018’s provisions on:
  • The right to be informed.
  • The rights afforded to individuals under Part 6 of the DPJL 2018
    but only in circumstances where the application of those provisions would be likely to prejudice any of those purposes listed at Art.45(1)(a)-(e). If the purposes would not prejudice those purposes, you must comply with the provisions of the DPJL 2018 in the usual way.

Example

A Jersey bank identifies unusual activity on several customer accounts and begins an internal investigation into suspected money laundering and fraud. As part of this investigation, the bank intends to disclose its internal findings — which include the personal data of several individuals — to the Jersey Financial Crimes Unit (JFCU) for further assessment. The bank’s investigation and the proposed disclosure are for the purposes of the prevention and detection of crime, which is one of the purposes covered by Art.45.

The bank considers whether it should inform the individuals concerned about this processing. However, it concludes that doing so would be likely to prejudice the investigation because the individuals might move funds, close accounts, or destroy relevant evidence.

The bank therefore relies on the Art.45 exemption and, in this situation, does not provide privacy information or otherwise comply with the right to be informed, to the extent necessary to avoid prejudicing the investigation.

  1. The DPJL 2018 does not explain 'likely to prejudice'. However, our view is that for these exemptions to apply, there would have to be a substantial chance (rather than a mere risk) that complying with the provision would noticeably damage one or more of the crime and taxation purposes.

  2. If challenged, you must be prepared to defend your decision to apply an exemption, to us or the court. So we advise you to ensure that any such decisions are taken at an appropriately senior level in your organisation and that you document the reasons for the decision.

  3. There is another exemption that is designed to prevent the DPJL 2018 being used to force organisations to disclose information about the operation of crime detection and anti-fraud systems, where such disclosure might undermine the operation of those systems.

  4. Personal data processed by a public authority are also exempt from the transparency and subject rights provisions to the extent which:

  • They consist of a classification applied to the data subject as part of a system of risk assessment operated by that authority for any of the purposes set out in Art.45(4); and
  • The exemption is required in the interests of the operation of the system.
  1. The purposes are:
  • The assessment or collection of any tax or duty or any imposition of a similar nature.
  • The prevention or detection of a crime.
  • The apprehension or prosecution of persons who commit an offence, if the offence concerned involves any unlawful claim for any payment out of, or any unlawful application of, public funds.
  1. Essentially, a public authority can refuse to give transparency information or honour data-subject rights if doing so would undermine a risk-assessment system used for tax, crime prevention/detection, or investigating unlawful claims on public funds, and the withheld data is a classification (like a risk rating) assigned to the person for those purposes.
Corporate finance

(Art.46)

  1. The DPJL 2018 provides for an exemption from the transparency and subject rights provisions if certain personal data are processed for the purposes of, or in connection with, a corporate finance service provided by a relevant person. It exempts a controller from the DPJL 2018’s provisions on:
  • Transparency.
  • Subject rights provisions (see Part 6 of the DPJL 2018, Arts. 27-39)
  1. But only to the extent that complying with those provisions:
  • Could affect the price of any instrument already in existence or that is to be or may be created, or the controller reasonably believes that the application of those provisions to the data could affect the price of any such instrument; or
  • Is required for the purpose of safeguarding an important economic or financial interest of Jersey.
  1. As noted under Art.46(1), the corporate finance exemption to transparency and subject right provisions applies only “for the purposes of, or in connection with, a corporate finance service provided by a relevant person”. A “corporate finance service” means a service consisting of
  1. Underwriting in respect of issues of, or the placing of issues of, any instrument.
  2. Advice to businesses on capital structure, industrial strategy and related matters and advice and service relating to mergers and the purchase of businesses.
  3. Services relating to such underwriting.
  1. As noted under Art.46(1), the corporate finance exemption to transparency and subject right provisions applies only 'for the purposes of, or in connection with, a corporate finance service provided by a relevant person'. A 'corporate finance service' means a service consisting of
  1. Underwriting in respect of issues of, or the placing of issues of, any instrument.
  2. Advice to businesses on capital structure, industrial strategy and related matters and advice and service relating to mergers and the purchase of businesses.
  3. Services relating to such underwriting.
  1. A 'corporate finance service' means a service consisting in –
  1. Underwriting in respect of issues of, or the placing of issues of, any instrument.
  2. Advice to businesses on capital structure, industrial strategy and related matters and advice and service relating to mergers and the purchase of businesses.
  3. Services relating to such underwriting as is mentioned in paragraph (a).
  1. 'A relevant person' means:
  1. A registered person within the meaning of the Financial Services (Jersey) Law 1998;
  2. A person authorised under the Financial Services and Markets Act 2000 or is an exempt person in respect of investment business;
  3. A person prescribed by Regulations;
  4. A person who in the course of their employment provides their employer with a services of paragraphs (b) or (c) of the definition of corporate finance service; or
  5. A partner who provides to other partners in the partnership a service falling within either of those paragraphs.

  1. 'Instrument' means an instrument listed in section B of the Annex to the European Council Directive on investment services in the securities field (93/22/EEC) or an investment within the meaning of the Financial Services (Jersey) Law 1998.

  2. There are no Regulations in force at the present time and so Art.46 can only be relied on by controllers/processors involved in financial services business i.e. only those which fall within the definition of “corporate finance service” as set out under Article 46(4) of the DPJL 2018 and that are registered/authorised persons under the applicable financial services legislation.

  3. The exemption is only available to the limited pool of controllers that carry out the type of business described above and only to the extent to which the application of the transparency and subject rights provisions could affect the price of particular instruments already in existence (or that is to be or may be created or the controller reasonably believes that the price could be affected). In order to rely on this exemption, the controller must be able to show that on the balance of probabilities, if it made the relevant personal information available, this could affect the price of instruments already in existence. It also would only apply to the information that could affect the price of the instrument – not to all information held by the controller about the data subject.

  4. The exemption is also available if required for the purpose of safeguarding an important or economic financial interest of Jersey. This means that where data are not exempt from the transparency and subject rights provisions in connection with the price of an instrument, the only way that it could become exempt under this provision is if releasing the information could impact on an important economic or financial interest of Jersey.

  5. For the purposes of paragraph (1)(b) a matter may adversely affect an important economic or financial interest of Jersey if it has an inevitable prejudicial effect on –

  • The orderly functioning of financial markets within Jersey or elsewhere; or
  • The efficient allocation of capital within an economy whether in Jersey or elsewhere,

that would result from the application (whether on an occasional or on a regular basis) of the transparency and subject rights provisions to data to which paragraph (3) applies.

  1. The threshold for this exemption to be used is very high because:
  • The controller would need to show that release of the information would have an “inevitable prejudicial effect” on Jersey’s economic and financial interests; and
  • Only in relation to the orderly functioning of the financial markets or the efficient allocation of capital.

All the above criteria would need to be met and it would only apply to that particular piece of information, not the data subject’s information more widely.

Trusts

(Art.47)

  1. Personal data in respect of a Jersey trust are exempt from the transparency and subject rights provisions to the extent that the controller is permitted to withhold the information pursuant to Art.29 of the Trusts (Jersey) Law 1984 or its disclosure, erasure or rectification would be contrary to a prohibition or restriction under Jersey law.

  2. Where personal data relates to a trust other than a Jersey trust, the information is exempt from the transparency and subject rights provisions if that information could be withheld by the controller in the relevant jurisdiction, or if the disclosure, erasure or rectification would be contrary to a prohibition or restriction under the law of that jurisdiction.

Financial loss, charities, health and safety, maladministration and practices contrary to fair trading

(Art.48)

  1. The DPJL 2018 provides an exemption from the transparency and subject rights provisions for the processing of personal data by reference to numerous different categories of function that are conferred on any person by any enactment, conferred on the Crown or a public authority; or of a public nature and exercised in the public interest. The functions are variously concerned with:
  • Protecting members of the public against financial loss due to dishonesty, malpractice, or other seriously improper conduct.
  • Protecting charities against misconduct or mismanagement and protecting their property from loss or misapplication.
  • Recovering charity property.
  • Securing the health, safety or welfare of persons at work.
  • Protecting persons other than those at work against risk to health or safety arising out of or in connection with the actions of a person at work.
  1. In addition, the DPJL 2018 provides exemptions to a prescribed person or body, which are all variously concerned with:
  • Protecting members of the public against maladministration by public bodies, failures in services provided by public bodies; or a failure by a public body to provide a service which it was a function of the body to provide.
  • Protecting members of the public against conduct that may adversely affect their interests by persons carrying on a business.
  • Regulating agreements or conduct, that have as their object or effect the prevention, restriction or distortion of competition in connection with any commercial activity.
  • Regulating conduct on the part of one or more businesses that amounts to the abuse of a dominant position in a market and to other functions provided for under other enactments.
  1. This is not a blanket exemption from the transparency and subject rights provisions. It is only available to the extent that the application of any or all of such provisions would be likely to prejudice the proper discharge of the functions set out above. If you can comply with these provisions and discharge your functions as normal, you cannot rely on the exemption.
Management forecasts etc.

(Art.49)

  1. The exemption is available to businesses to protect confidentiality of personal data processed for the purposes of management forecasting or management planning. In any case to the extent to which the application of any of the transparency and subject rights provisions to personal data processed for such purposes would be likely to prejudice the conduct of that business or other activity, such personal data are exempt from the transparency and subject rights provisions.

  2. This exemption can only apply to controllers that would likely suffer a harmful effect in the conduct of their operations as a result of having to comply with the transparency and/or subject rights provisions.

Example

The senior management of an organisation is planning a re-organisation. This is likely to involve making certain employees redundant, and this possibility is included in management plans.

Before the plans are revealed to the workforce, an employee makes a subject access request.

In responding to that request, the organisation does not have to reveal its plans to make him redundant if doing so would be likely to prejudice the conduct of the business (perhaps by causing staff unrest before the management’s plans are announced).

  1. The harm must also be 'likely' to prejudice that is to say, it must be more than a theoretical risk and the controller must be able to evidence why this is likely the case. It cannot rely on the exemption simply by saying that harm 'might' happen – it must be likely that prejudice will be suffered by releasing the information and there must be a causal link between the disclosure and the prejudice claimed. There must be more than a mere assertion or belief that disclosure would lead to prejudice. There must be a logical connection between the disclosure and the prejudice in order to engage the exemption.

  2. This interpretation is based on the judgment of Mr Justice Munby in the UK case of R (on the application of Lord) v. Secretary of State for the Home Office [2003] EWHC 2073 (Admin) (a UK Data Protection Act case) who said:

    'Likely connotes a degree of probability that there is a very significant and weighty chance of prejudice to the identified public interests. The degree of risk must be such that there ‘may very well’ be prejudice to those interests, even if the risk falls short of being more probable than not.' (Paragraph 100)

  3. This interpretation was relied on by the UK Information Tribunal in John Connor Press Associates v. Information Commissioner (EA/2005/0005, 25 January 2006), who said at paragraph 15:

    'We interpret the expression 'likely to prejudice' as meaning that the chance of prejudice being suffered should be more than a hypothetical or remote possibility; there must have been a real and significant risk.'

    (Whilst it should be noted that judgments from the Courts of England and Wales are not binding in Jersey, they may be viewed by the Royal Court as being persuasive particularly in circumstances where there are similarities between the wording of the Jersey and UK legislation.)

  4. A controller must be able to show how the disclosure of the specific information identified as falling within the scope of the exemption would be likely to lead to the prejudice. If the consequences of disclosure would be trivial or insignificant there is no prejudice and the information must be released (unless some other exemption applies). Accordingly, a controller should:

  • Identify the specific information that falls within the scope of the exemption.
  • Identify the nature of the prejudice (what would happen if the information was released).
  • Explain why the prejudice is likely to occur if that information was released (i.e. why is it more likely than not that this will be the case?).
Negotiations

(Art.50)

  1. Where personal data consist of records of your intentions in relation to any negotiations with the data subject, such personal data are exempt from the transparency and subject rights provisions to the extent to which the application of those provisions would be likely to prejudice those negotiations.

Example

An employee brings a formal grievance against his employer, alleging unfair treatment and seeking financial compensation as part of the resolution.

The employer disputes parts of the claim and prepares an internal document setting out its assessment of the issues, its negotiating position, and the maximum amount it would be prepared to offer in order to settle the matter without it escalating to the Jersey Employment and Discrimination Tribunal.

If the employee makes a subject access request, the employer would not be required to disclose this internal document, as releasing it would be likely to prejudice the employer’s position in the ongoing settlement negotiations.
Information available to public by or under enactment

(Art.51)

  1. Art.51 of the DPJL 2018 provides that when data consist of information which the data controller is obliged by, or under, any enactment to make available to the public (making it available for inspection or publishing it in another manner), such data are exempt from the transparency and subject access provisions.

  2. This exemption only applies to the information that the data controller is required to publish. If the data controller holds additional data about the individual concerned, the additional data would not be exempt even if the organisation does publish that information.

Disclosure contrary to certain enactments

(Art.52)

  1. If disclosing certain information is prohibited or restricted under the following laws, it is exempt from the transparency and subject rights provisions:
  • Arts.24(5), 27(1) and 30(4)(b) of the Adoption (Jersey) Law 1961.
  • Art.19B of the Misuse of Drugs (Jersey) Law 1978.
  • Art.35 of the Proceeds of Crim (Jersey) Law 1999.
  • Art.35 of the Terrorism (Jersey) Law 2002.
Confidential references given by the controller

(Art.53)

  1. Personal data in the form of a reference given in confidence to the data controller for the purposes of:
  • The education, training or employment (or prospective education, training or employment) of the data subject;
  • The appointment or prospective appointment of the data subject to any office; or
  • The provision or prospective provision by the data subject of any service; are exempt from the transparency and subject rights provisions
  • are exempt from the transparency and subject rights provisions.
  1. This exemption is not available to the entity receiving the reference. If an employee makes a subject access request to the company giving the reference, the reference will be exempted from disclosure. If, however, the employee makes a subject access request to their new company then the reference is not automatically exempt from disclosure and the usual right of access rules apply.
Examination scripts etc.

(Art.54)

  1. Where personal data consist of information recorded by candidates during an academic, professional or other examination they are exempt from the transparency and subject rights requirements.

  2. Any comments recorded by an examiner in the margins of the script would not fall within the ambit of the exemption however, and as such would need to be provided (even if they may not appear to the data controller to be of much value without the script itself.)

Crown or judicial appointments and honours

(Art.55)

  1. Personal data processed for three specific purposes:
  1. Assessing suitability for employment by or under the Crown or any office to which appointments are made by Her Majesty.
  2. Assessing suitability for any judicial officer or the office of Queen’s Counsel.
  3. The conferring of any honour or dignity. Are exempt from the transparency and subject rights provisions.
Armed forces

(Art.56)

  1. Where the application of the transparency and subject rights provisions to personal data would be likely to prejudice the combat effectiveness of any of the armed forces of the Crown, then such data are exempt from the transparency and subject rights provisions.

(Art.57)

  1. If personal data consist of information in respect of which a claim to legal professional privilege could be maintained in legal proceedings, the personal data are exempt from the transparency and subject rights provisions.
Self-incrimination

(Art.58)

  1. If by complying with any of the transparency and subject rights provisions a person would reveal evidence of the commission of any offence, other than an offence under the DPJL 2018 or DPAJL 2018, exposing you to proceedings for that offence, you need not comply with the transparency or subject rights provisions.

  2. If in complying with the transparency or subject rights provisions a person provides information in response to a request (or any order enforcing them) then such information shall not be admissible in evidence against them in respect of proceedings under the DPJL 2018 or DPAJL 2018.

States Assembly privilege

(Art.59)

  1. Personal data are exempt from the transparency and subject rights provisions to the extent required to avoid an infringement of the privileges of the States Assembly.

  2. A certificate signed by the Greffier of the States certifying that the application of the exemption is necessary in order to avoid an infringement of the privileges of the States of Assembly stands as conclusive evidence of that fact.

  3. Any person aggrieved by the decision of the Greffier to issue a certificate may appeal to the Royal Court on the grounds that the Greffier did not have reasonable grounds for issuing the certificate. The decision of the Royal Court is final.

Division 3 - Exemptions to Art.27 or 28 of the DPJL 2018
Examination marks

(Art.60)

  1. This is not an exemption as such but is rather an adaptation of the requirements in Art.28 to comply with a request for access within a specified period of time (four weeks from receipt of the requestor, or if later, receipt of the information required to comply with the request). In the case of a subject access request made in relation to examination marks (“marking data”), the timescale is extended to either:
  1. 20 weeks of the receipt of the request; or
  2. Within 4 weeks of the publication day, Whichever ends first.
Health, education and social work

(Art.61)

  1. Personal data are exempt from the right of access provisions if the data are processed by a court and consist of health, education or social work information that:
  1. Is supplied in a report or other evidence given to the Court in the course of proceedings relating to families or children; and
  2. the Court directs that such should be withheld from the data subject on the grounds that it is either impracticable to disclose the information in light of the individual’s age and understanding or it is undesirable to disclose the information on the basis that serious harm might be suffered by the individual.

  1. Personal data consisting of health, education or social work information are exempt from the right of access provisions if disclosure would be likely to cause serious harm to the physical or mental health of the data subject (or any other person). This exemption applies to someone who is able to make an application on the data subject’s behalf for the information (a “defined person” i.e. someone with parental responsibility or who has been appointed by the court to manage that person’s affairs).

  2. The exemptions extends to information contained in a health record or social work information if disclosure would result in:

  • Disclosure of information that had been provided by the data subject in the expectation that it would not be disclosed to the person making the request;
  • Disclosing information obtained as a result of any examination or investigation to which the data subject consented on the expectation that it would not be disclosed;
  • Disclosing information the data subject has expressly said should not be disclose.
  1. In the case of an educational record, the exemption extends to information about whether the data subject (when a child) is or has been the subject of or may be at risk of abuse (physical, emotional and sexual).
Credit reference agency as controller

(Art.62)

  1. An individual may limit a request to a controller that is a credit reference agency to personal data relating to the financial standing of the individual and will be taken to have made such a limited request unless the request shows a contrary intention.

  2. A data controller receiving such a request must also give the individual a statement of any other rights the individual has in respect of a credit reference agency.

Unstructured personal data held by scheduled public authorities

(Art.63)

  1. A scheduled public authority (SPA) is not obliged to comply with Art.28(1) in relation to any unstructured personal data unless the request contains a description of the data. In essence, this provision limits how SPAs must deal with subject access requests when the request relates to unstructured personal data - that is, loose or unindexed records that are not held electronically or as part of any filing system. A SPA does not have to search this kind of material unless the requester gives a clear description of what they are looking for, and even then it may refuse to provide the information if the cost of locating it would exceed a prescribed limit set in line with FOI cost-calculation rules. However, the SPA must still tell the individual whether it holds any such unstructured personal data about them, unless even confirming that point alone would exceed the cost threshold.

  2. For information about cost limits under the Freedom of Information (Jersey) Law 2011, see our guidance here.

Division 4 – Permissions and Exemptions by Regulations
  1. These provisions are outside the scope of this Guidance Note.
Related Downloads

No related downloads available.

Related Downloads

No related downloads available.