Data Protection Principles

The Data Protection (Jersey) Law applies to both the public and private sectors;

• It helps redress imbalance between the indidividual and companies/government that collect, process and communicate their data to third parties.
• It preserves democracy, but also protects the individual in the face of massive technological change and generate trust in the digital economy

The Data Protection (Jersey) Law 2018 (DPJL) is based around six principles of ‘good information handling’ (the Principles). These principles give people (the data subjects) specific rights in relation to their personal information and place certain obligations on those organisations that are responsible for processing it.

The Principles are at the core of the responsibilities placed upon controllers and processors. Whilst compliance with each Principle must be met, they are inextricably linked and therefore should not be read in isolation. A controller must ensure that the processing of personal information/data complies with the data protection principles (Article 8 DPJL);

• FAIR, LAWFUL and TRANSPARENT PROCESSING: Personal data are to be processed lawfully, fairly and in a transparent manner in relation to the data.

• PURPOSE LIMITATION: Personal data must be collected for specified, explicit and legitimate purposes and once collected, not further processed in a manner incompatible with those purposes.

• EXCESSIVE DATA COLLECTION: Personal data collected must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.

• ACCURACY OF DATA: Personal data must be accurate and, where necessary, kept up to date, with reasonable steps being taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.

• STORAGE LIMITATION: Personal data must be kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the data are processed.

• DATA SECURITY, INTEGRITY AND CONFIDENTIALITY: Personal data must be processed in a manner that ensures appropriate security of the data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

This is part of a series of guidance to help individuals and organisations to understand the principles of the Data Protection (Jersey) Law, as well as to promote good practice.