Financial Services – Guidance for industry, including advisers, customers and other parties
The Data Protection (Jersey) Law 2018 (the DPJL 2018) applies to all controllers and processors of data in Jersey, including those in the financial services industry. Here, we set out guidance for each sector of the financial services industry and the obligations placed on firms and those who operate within or interact with them.
Please note that the guidance does not constitute legal advice and must not be relied upon by anyone as being legal advice. Where a financial services business, those operating within one, its customers or other parties have specific questions regarding the application of the Law, they must obtain their own legal advice.
Financial Services sectors covered
This section does not cover the data protection requirements for Banks (and similar financial businesses), Accountancy practices, Legal practices, Estate Agents and other High Value Dealer businesses.
Application of the DPJL 2018
A data controller and / or a data processor established in Jersey must not process personal data without being registered with the Jersey Data Protection Authority. This includes financial service businesses.
Example:
A trust company business is engaged by customers to provide a service or services. The trust company will be a data controller in respect of data collected in order to identify its customers and so must be registered.
A trust company establishes relevant structures for a customer. The structure is the data controller of the data held in respect of data subjects and the trust company is the data processor. Both must be registered.
For a Fund, the General Partner or Trustee will be the data controller. The regulated Fund Services provider will be a data controller and potentially also a processor.
What other additional obligations are there in respect of data?
The DPJL 2018 sets out all the specific standards, from a data protection perspective, that controllers and processors are expected to meet. However, those within this sector also have other regulatory obligations concerning the handling of data.
Regulated activity
Financial Services businesses that fall within the scope of the Financial Services (Jersey) Law 1998 are also subject to regulation by the Jersey Financial Services Commission. Accordingly, all regulated businesses are subject to the requirements of specific Codes of Practice as issued by the Jersey Financial Services Commission.
The JFSC Codes of Practice include specific record keeping requirements for these firms, both in respect of the firms themselves (as businesses), their customers and funds. Specifically, firms are required to comply with the DPJL 2018. The relevant section is 3.7 and the requirements include:
These reflect the data protection principles with which all controllers and processors comply as set out at Article 8 of the DPJL 2018.
Anti-money laundering obligations
Regulated financial services businesses are also subject to the requirements of the Money Laundering (Jersey) Order 2008 (the Order) and the Handbook for the prevention and detection of money laundering and the countering of the financing of terrorism (the Handbook) (together, the Handbook).
The Handbook requires that firms identify their customers, whether as part of an ongoing relationship or a one-off transaction. This affords firms a lawful basis upon which to process such data, because the Handbook places a legal obligation on firms that they must meet.
Importantly, the requirements of the Handbook include the requirement to maintain a ‘client profile’. Such a profile will include information other than personal data; however, it is required in order to meet the legal obligations to prevent money laundering and the financing of terrorism.
Types of data held
The DPJL 2018 refers to “personal data”. This means any data relating to a data subject (individual) who can be identified directly or indirectly from that information.
Types of personal data may include:
Special category data
There is also a further class of personal data that requires greater protection because of its sensitive nature. Such data includes health, sex and religious information and criminal records data. This may be collected as part of the information gathered for the client profile. For example, a trustee may collect such data in seeking to understand the settlor, their family and any appointed or discretionary beneficiaries.
Data Protection Officer
The DPJL 2018 stipulates that certain organisations must have a formally designated DPO. Whether a financial services business must formally appoint a data protection officer will depend upon whether the organisation meets the requirements set out in the Law.
What is important is that all regulated financial services businesses have appropriate board oversight of data matters and appoint a senior member of the management team or Board to take responsibility for data compliance. This person may or may not be the appointed DPO or the person responsible for data within the organisation; however, they will report directly to the Board on such matters.
Responsibilities of the Board
How long should data be kept for?
The DPJL 2018 stipulates that data is held only for as long as it is required. Financial Services Businesses also have legal and regulatory requirements that cover retention periods and need to adopt these. The maximum period for retention will likely be 10 years from the date that services cease. A longer period could apply if, during that period, a matter is identified that requires the data to be retained for longer; for example, a matter that would be investigated as money laundering, terrorist financing or tax compliance and / or evasion.