Learnings from a JOIC Virtual Data Protection Compliance Audit

“Our relationship with the data controllers developed positively throughout the audit process. The findings are insightful and applicable to all data controllers.”
Jersey Office of the Information Commissioner

The Jersey Office of the Information Commissioner (JOIC) completed a Virtual Compliance Audit focusing on a health service sector which processes significant volumes of special category personal data.

The Data Protection Authority (Jersey) Law 2018 gives JOIC the power to conduct data protection audits of any part of the operations of the data controller or data processor itself.

The aims of the JOIC’s audit process are to:

  • Assess a data controller/processor’s policies and processes.
  • Assess the level of compliance with the Data Protection (Jersey) Law 2018.
  • Highlight any areas of potential risk.
  • Set a timeframe for any necessary remedial work.

The lessons learned are instructive to all organisations in Jersey that are handling the personal data of individuals. The lessons learned and key findings are summarised on the JOIC’s website.

JOIC Operations Director Anne King said: “Personal information, if mishandled, can lead to significant consequences for data subjects, including prejudice in relation to special category data; for example, incorrect sharing of incorrect information can influence life-changing decisions. With proper controls and policies in place, however, organisations can manage access to data, prevent unauthorised use, and respond effectively to security breaches.

Our audit programme is an integral part of our compliance and enforcement activity. Organisations must have in place robust controls, policies, procedures and technology and provide appropriate training to ensure the safety of individuals' data and mitigate potential risks.

We want every organisation in Jersey to feel confident in their understanding of their data protection obligations. We consider it important to highlight areas of good practice in industry, as well as areas for improvement and to explain what remedial action was required, and why, so lessons can be learned. We see auditing as a constructive process with real benefits for data controllers/processors and we aim to establish a participative approach whether the audit is conducted on a compulsory or consensual basis.”

For more information about this specific audit, what the JOIC found and lessons learned, please visit the JOIC's website.