Authority Meeting 20 January 2020

Jersey Data Protection Authority Meeting

MINUTES

09:00 – 12:30  20 January 2020

Jersey Office of the Information Commissioner Offices [JOIC]

 

Chairman Present:

Jacob Kohnstamm

Voting Members Present:

Gailina Liew

David Smith

Paul Routier MBE

Helen Hatton

Apologies

Clarisse Girot

Non- Voting Members Present:

Dr Jay Fedorak – Information Commissioner

In Attendance:

Paul Vane -  Deputy Data Protection Commissioner

Anne King  - Communications and Operations Manager [& Note taker]

Guest Speaker:

Tony Moretta Digital Jersey  

Collaboration between Digital Jersey & JOIC - a digital sandbox to facilitate the development of new technologies for processing personal data safely and securely

 

 

 

Item

Action

1.0

Call to order and approval of the agenda

Agenda approved

 

Authority approved minutes;

·         2 December 2019 

Minutes approved.

2.0

Authority Governance, Operations and Procedures

 

2.1

Payment of Authority Members

Members confirmed that they had received payment.

 

 

2.2

Preparation of Accounts and Appointment of Auditors 2018/19

JOIC to meet with Jersey Treasury to further discuss the preparation of accounts for the auditors.

JOIC will implement a tender process for the appointment of the auditors and provide the successful proponent with the accounts at the end of February.

 

JOIC is ensuring that the Comptroller and Auditor General remains current on developments.

 

 

JOIC to commence tendering process during first quarter of 2020 to appoint a local accountancy service.

2.2

JOIC Independence

The Authority discussed the evolutions of JOIC’s independence from the Government of Jersey. JOIC is developing the necessary internal systems including setting up independent payroll.

 

3.0

Revenue Model Implementation Update

 

 

 

The Deputy Commissioner briefed the Authority as to the progress of implementing the new model.

The Authority discussed the projections for the numbers of registrations for 2020.

 

4.0

Public Statement

 

The Authority considered the appropriate criteria for determining whether to issue a public statement and how they applied in a particular case.

 

The threshold in the Data Protection Authority Law for warranting a public statement includes: the gravity of the contravention and whether publication would be in the public interest.

 

The Authority agreed that a key consideration in determining whether publication would be in the public interest should be whether disclosure of information is necessary to hold the JDPA to account for the findings of its investigation

The Authority reviewed the facts of the case, including mitigating circumstances, and decided that it was in the public interest to issue a statement that named the data controller involved. It also decided that the circumstances of the case did not warrant a fine to be issued.

 

The Authority decided that the statement and accompanying press release should describe the incident including the nature of the contraventions and the personal data involved.

 

 

 

 

 

 

 

 

 

 

 

Commissioner to formulate a statement and media release for Authority approval.  

Commissioner to be spokesperson

 

4.1

Business Plan

The Authority reviewed and approved the Business Plan with minor amends.

Business Plan approved.

5.0

JOIC Update – Commissioner

 

5.1

Performance Statistics /Case Data

The average time to close a case has decreased to 37 days.

The number of cases in Quarter 4 2019 decreased compared to the previous quarters.

 

 

5.2

Case Study Review

 

The Deputy Commissioner provided brief summaries of two anonymised cases for the information of the Board. There was a complaint about an unregistered taxi company installing CCTV in vehicles. The result was that the company registered and agreed to abide by JOIC guidance on CCTV usage.

 

A public authority received a subject access request from a temporary employee, who was unknowingly subject to a police investigation. When the employee complained about the response that they received, because they believed that they had not received all of the information, JOIC confirmed that the public authority had correctly applied the law.

 

 

 

5.3

Financial Performance

Authority requested a budget 2020 & 2019 comparison paper.   

 

5.4

Staffing Update

The Deputy Commissioner advised that a long serving member of the office is due to retire this first quarter. Recruitment in underway for a replacement role.

The Authority wished to record their thanks and best wishes to the long serving employee due to retire.

JOIC is also considering adding to the casework and communications teams in 2020.

The Deputy Commissioner highlighted the operational and financial benefit of the current approach to securing legal advisory services.  

Appoint an Operations Assistant   

5.5

Issues of the Day

The Deputy Commissioner updated the Authority as to the issues covering conferences, developments and accomplishments.

 

5.6

Enforcement Strategy

First draft is nearing completion.   

JOIC to circulate a completed draft of the strategy via email for approval.

6.0

Any other business

The Authority discussed the proper approach to managing the JDPA Risk Register.

 

The Authority established the following subcommittees:

1.    Remuneration Committee (to meet annually)

a.    Paul Routier

b.    Jacob Kohnstamm

c.    Finance Manager

2.    Governance Committee

a.    Jacob Kohnstamm

b.    Gailina Liew

c.    Information Commissioner

3.    Audit & Risk Committee

a.    Helen Hatton

b.    Gailina Liew

c.    Information Commissioner

d.    Deputy Information Commissioner

e.    Finance Manager

 

The Authority agreed to include updates from the Subcommittees in the agenda for future Authority meetings.‘

 

 

 

 

 

 

 

 

 

 

 

 

8.0

Authority ‘In Camera’ Session

The Authority held a discussion in the absence of the Information Commissioner and staff.

 

 

Guest Speaker

Tony Moretta Digital Jersey  

Collaboration between Digital Jersey & JOIC - a digital sandbox to facilitate the development of new technologies for processing personal data safely and securely