8 Hill Street St Helier Jersey JE2 4UA

Print This Post Print This Post

Data Protection Jersey – A Brief Overview

Risk & Regulatory | Jersey Business Legal Services

The processing of your personal data, and the way in which it is used, engages several areas of the law:-

1. Your right to respect for your private and family life under Article 8 of Schedule 1 of the Human Rights (Jersey) Law 2000;

2. The Data Protection (Jersey) Law 2005;

3. If your personal data is disclosed to third parties it may also be a breach of confidence.

This briefing deals with the Data Protection (Jersey) Law 2005 (“the DPJL”).  The DPJL has now been superseded by Data Protection (Jersey) Law 2018.

Overview of data protection principles

One of the main ways that the DPJL protects your rights, is that it imposes a duty on those who handle your personal data to do so in accordance with the Data Protection principles. There are eight of these principles and they are set out in Schedule 1 to the DPJL. These eight principles govern the way in which the other provisions of the DPJL are applied and interpreted.

First principle

The first principle is that personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless:-

a) at least one of the conditions in Schedule 2 to the DPJL is met; and

b) in the case of sensitive personal data, at least one of the conditions in Schedule 3 to the DJPL is met.

Processing means collecting, storing, retrieving or organising data.

Schedule 2 contains various conditions, but the first condition in Schedule 2 is that the data controller has obtained your consent. It is possible for your personal data to still be processed without your consent, provided that the data controller can show that one of the other conditions, set out in Schedule 2, is met. For example, processing will be fair and lawful if the processing is necessary to fulfil a contract or comply with other legal obligations.

Schedule sets out the special conditions, which apply to the handling of sensitive personal data. This type of data is defined in Article 2 as information relating to:-

  1. the racial or ethnic origin of the data subject;
  2. the political opinions of the data subject;
  3. the data subject’s religious beliefs or other beliefs of a similar nature;
  4. whether the data subject is a member of a trade union;
  5. the data subject’s physical or mental health or condition;
  6. the data subject’s sexual life;
  7. the data subject’s commission, or alleged commission, of any offence; or
  8. any proceedings for any offence committed, or alleged to have been committed, by the data subject, the disposal of any such proceedings or any sentence of a court in any such proceedings.

Sensitive personal data cannot be processed in most circumstances, unless you have given your explicit consent to the processing, or the processing is necessary for strictly limited processes, such as the administration of justice, or the processing is necessary to protect the vital interests of the data subject or another person.

Second principle

“Personal data shall be obtained only for one or more specified and lawful purpose and shall not be further processed in any manner incompatible with that purpose of those purposes.”

In other words the data controller must have a valid reason to collect your personal data and must inform you what that reason is. If data is collected for one reason, it cannot be used for another unrelated purpose without your express consent. If a company holds your name and address for a particular purpose, it cannot give that information to a mail order company without your permission.

Third principle

“Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.”

What this means is that only the data, which is truly necessary for the purpose stated, should be collected. It is not acceptable for a data controller to hold information in case it might be useful in the future, without a view about how it will be used. If the data controller doesn’t keep the information that they hold up to date, it may become inadequate and if they keep it for longer than necessary, it may become irrelevant and excessive.

Fourth principle

“Personal data shall be accurate and, where necessary, kept up to date.”

Information that has become obsolete must be removed, as must information that is incorrect. The principle will not be breached if the data controller has taken reasonable steps to ensure the accuracy of the data. In terms of considering whether it is necessary to keep it up-to-date, the purpose for which the data is held is relevant. For example, if the data is intended to be used simply as an historical record, updating it would be inappropriate. On the other hand, where the information is to be used to decide whether to grant credit or some other benefit, it is important that the information is current.

Fifth principle

“Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.”

Data controllers therefore need to review their personal data regularly, and delete information that is no longer required for their purposes.

Sixth principle

“Personal data shall be processed in accordance with the rights of data subjects under this Law.”

Seventh principle

“Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.”

The data controller must take appropriate steps to ensure security, bearing in mind what is reasonable in the circumstances in relation to the nature of the information held, the harm that may be caused to individuals if the security of the information was breached, the cost of implementing security measures and the current state of technological development. The data controller must take reasonable steps to ensure the reliability of the employees of the data controller who have access to the personal data.

Eighth principle

“Personal data shall not be transferred to a country or territory outside the European Economic Area, unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.”

Whether or not there is an adequate level of protection will depend on various factors, including the law in force in the country or territory in question, the international obligations of that country or territory and the nature of the data to be transferred.


The purpose of these eight principles is to ensure that the rights of the data subject are protected, and that the regime within which data processing operates, is fair.


For advice, assistance or further information please do not hesitate to call 630530.

How Parslows Jersey can help

Our lawyers assist clients with building effective internal compliance programs to reduce risk and promote business, by providing candid and sound legal advice. We offer solutions that are practical and sensitive to your business objectives, while keeping in mind the subtleties of the regulatory requirements.

Please note that the information provided on this website is for general information purposes only and is designed to provide you with an outline of the legal services we offer.  Whilst we endeavour to ensure our information is correct and useful, we make no representations or warranties regarding the accuracy or completeness of the information offered.  Information on our website does not constitute legal advice and Parslows Jersey accepts no liability for any loss or damage arising out of, or in connection with, the information found in this website.  Please consult a lawyer at Parslows Jersey in the event that you require professional assurance that our information, and your interpretation of the same, is correct.

Parslows Jersey are here to help with all your legal queries call us today on +44 (0) 1534 630530

Or email us on enquiries@parslowsjersey.com