Authority Meeting 2 December 2019

Jersey Data Protection Authority Meeting

MINUTES

09:00 – 12:30  2 December 2019

Jersey Office of the Information Commissioner Offices [JOIC]

 

Chairman Present:

Jacob Kohnstamm

Voting Members Present:

Gailina Liew

David Smith

Paul Routier MBE

Helen Hatton

Apologies

Clarisse Girot

Non- Voting Members Present:

Dr Jay Fedorak – Information Commissioner

In Attendance:

Paul Vane -  Deputy Data Protection Commissioner

Adrian Hayes – Compliance and Enforcement Manager [& Internal guest speaker]

Anne King  - Communications and Operations Manager [& Note taker]

Guest Speaker:

None

 

 

 

 

 

Item

Action

1.0

Chair call to order, gave apologies and approved the agenda.

 

 

 

Chair requested confirmation of the 2020 Board Meeting Dates (all meetings 09:00 – 13:00);

20 January

24 April

17 August

23 October

 

 

Board approved minutes;

·         19 August 2019 

Board approved minutes.

2.0

Board Governance, Operations and Procedures

 

2.1

Payment of Board Members

Appointment letters are being drawn up by the Minister. A brief discussion followed regarding payments and deductions.

The Board discussed establishing the following sub-committees;

·         Audit & Risk Committee to oversee risk and financial matters (Helen Hatton & Gailina Liew)

·         Remuneration Committee to oversee all Board and senior executive pay and pay structures. (Paul Routier plus one other member)

·         Governance Committee to oversee succession planning and Authority skills (Jacob Kohnstamm plus one other member)

The Board approved the Committees to ensure greater transparency and organisational independence.

 

Board approved establishing three Committees.

2.2

Preparation of Accounts and Appointment of Auditors 2018/19

Chair confirmed full cooperation of the Government of Jersey Treasury to align JDPA account preparation to the requirements of the Comptroller and Auditor General. The accounts are to be presented to comply with the Government of Jersey expectations.

 

 

 

Tenders to be sent out to appoint a local accountancy service.

2.3

Issuing Public Statements.

Commissioner briefed Board regarding a serious breach in a previous meeting. The investigation is closed and the company is being afforded the opportunity to respond to the findings, as per our investigation policy.

In concluding, it is believed that the breach was because of a weakness in policies and procedure plus poor IT advice. Although initially resistant to JOIC the company is now cooperative and is implementing recommendations.

The financial penalty thresholds have not been met, however the benefit of a public statement was discussed to highlight lessons learned.

 

The Board agreed that a Public Statement is part of the enforcement ‘tool kit’ and strategy. Three reasons;

1.    Name the company as a deterrent – not considered as a reasonable or legal sanction.

2.    Educate the public of Jersey. Educational reason is the priority. 

3.    Educate industry. Educational reason is the priority. 

Discussion followed as to our primary purpose of issuing a public statement.

·         Or is it about JDPA demonstrating actions?

 

The issuing of statements is part of the enforcement strategy currently being developed.

The Deputy Commissioner referred to the Articles 20 & 26 of the Data Protection Authority (Jersey) Law 2018. The articles provide ability for the Authority to publish a statement highlighting the details of the breach, if any data subjects involved and the outcome.

The Authority must however, consult any data subjects in advance of the written statement.

The Deputy Commissioner highlighted that it is important where applicable to be able to escalate an order and sanction made.

 

 

Current public reputation and perception of JDPA;

·         To be independent, objective and forthright.

·         Although a regulator, we are striving to educate and help with the practical application of the law.

 

Enforcement Strategy to be updated.

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Board to consider Public Statement – agree the trigger criteria and thresholds.

 

January 2020 meeting two papers;  Enforcement Strategy and sanction criteria

3.0

JOIC Update – Commissioner

 

3.1

Performance Statistics /Case Data

New performance and case data measures were presented to the Board.

Commissioner to present ‘Issues of the Day’ at each meeting. To be sent to the Board in the form of an activity report in advance of the meeting.

 

3.2

Compliance and Enforcement Manager updated the Board on an active case relating to a small business being sold to a larger business in the island. The new owners were reluctant to following the requirements of the DP law in relation to the customer database. Advice was given but met with resistance initially. Following greater input from JOIC the situation has now been resolved.

 

 

3.3

Financial Performance

The Commissioner advised the Board;

·         Projected spending on target

·         Contingency draw down ongoing.

 

The 2020 Budget was presented and discussed.  

 

3.4

Staffing Update

Staff remuneration was discussed.

 

 

3.5

Business Plan

The Commissioner requested Board members to identify specific Business Plan ‘directions and requests’. During the meeting Enforcement was noted.

The Business plan should be reflective of our Strategic Plan. Board members also noted that JDPA Business plan should tie in with the Government of Jersey’s - Common Strategic plan’s 10 outcomes. 

 

Draft Business Plan to be presented at January meeting.

3.6

Partnership Agreement

The Commissioner thanked members for their input on the draft partnership agreement. The Government are amending the agreement based on comments from JDPA. The Board highlighted that they need sufficient time to consider that issues of independence are adequately reflected in the agreement.

 

 

4.0

Revenue Model

Deputy Commissioner updated the Board – the Regulation on the Fee Structure is to be debated on the 10 December 2019.

 

The Deputy Commissioner briefed the Board as to the preparation for implementation of the new revenue model including system changes , communications and interpretation.  

 

 

 

 

5.0

Cost of Living Increase for staff – Chair

 

The Chair spoke of his concerns re the proposed 4.7% increase. The Deputy Commissioner provided the Board with a brief staff remuneration process history.

The Board have been made aware of the new pay scales and the cost of living increase is subject fresh discussion.

Recommended that JOIC draft a cost of living policy to consider parallels with market pay levels, Government alignment and benchmarks.  

 

 

 

 

 

 

 

 

 

Commissioner to look at salary comparisons.

6.0

Enforcement Strategy

Work is continuing on the strategy to be discussed the January meeting.  

 

To be discussed at January 2020 meeting.

7.0

Any other business

1.    The Chair highlighted the topics for discussion when meeting with Richard Thomas CBE, Chairman & Emma Martins, Data Protection Commissioner from the Guernsey Office of the Data Protection Authority.

·         Revenue Model

·         Succession Planning

·         Board Structure

2.    Board members discussed how they can more active to support our strategic objectives;

·         GL/CG ‘Ethical use of AI and DP’

o    Including IP, local laws, guidelines, long-term strategy etc.

·         Automated decision making process implications

 

 

 

 

 

3.    Succession planning for 2021 to be considered.

 

 

 

 

 

 

 

 

 

 

 

January Meeting GL Staff Briefing re AI & Ethics.

 

GL & Commissioner propose that AI is in our business plan.

8.0

Board ‘In Camera’ Session