The processing of your personal data, and the way in which it is used, engages several areas of the law:-
1. Your right to respect for your private and family life under Article 8 of Schedule 1 of the Human Rights (Jersey) Law 2000;
2. The Data Protection (Jersey) Law 2005;
3. If your personal data is disclosed to third parties it may also be a breach of confidence.
This briefing deals with the Data Protection (Jersey) Law 2005 (“the DPJL”).
One of the main ways that the DPJL protects your rights is that it imposes a duty on those who handle your personal data to do so in accordance with the Data Protection principles. There are eight of these principles and they are set out in Schedule 1 to the DPJL. These eight principles govern the way in which the other provisions of the DPJL are applied and interpreted.
The first principle is that personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless:-
a) at least one of the conditions in Schedule 2 to the DPJL is met; and
b) in the case of sensitive personal data, at least one of the conditions in Schedule 3 to the DPJL is met.
Processing means collecting, storing, retrieving or organising data.
Schedule 2 contains various conditions, but the first condition in Schedule 2 is that the data controller has obtained your consent. It is possible for your personal data to still be processed without your consent, provided that the data controller can show that one of the other conditions, set out in Schedule 2, is met. For example, processing will be fair and lawful if the processing is necessary to fulfil a contract or comply with other legal obligations.
Schedule 3 sets out the special conditions that apply to the handling of sensitive personal data. This type of data is defined in Article 2 as information relating to:-
Sensitive personal data cannot be processed in most circumstances, unless you have given your explicit consent to the processing, or the processing is necessary for strictly limited processes, such as the administration of justice, or the processing is necessary to protect the vital interests of the data subject or another person.
“Personal data shall be obtained only for one or more specified and lawful purposes and shall not be further processed in any manner incompatible with that purpose or those purposes.”
In other words the data controller must have a valid reason to collect your personal data and must inform you what that reason is. If data is collected for one reason, it cannot be used for another unrelated purpose without your express consent. If a company holds your name and address for a particular purpose, it cannot give that information to a mail order company without your permission.
“Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.”
What this means is that only the data that is truly necessary for the purpose stated should be collected. It is not acceptable for a data controller to hold information in case it might be useful in the future, without a view about how it will be used. If the data controller doesn’t keep the information that they hold up to date, it may become inadequate and if they keep it for longer than necessary, it may become irrelevant and excessive.
“Personal data shall be accurate and, where necessary, kept up to date.”
Information that has become obsolete must be removed, as must information that is incorrect. The principle will not be breached if the data controller has taken reasonable steps to ensure the accuracy of the data. In terms of considering whether it is necessary to keep it up-to-date, the purpose for which the data is held is relevant. For example, if the data is intended to be used simply as an historical record, updating it would be inappropriate. On the other hand, where the information is to be used to decide whether to grant credit or some other benefit, it is important that the information is current.
“Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.”
Data controllers therefore need to review their personal data regularly, and delete information that is no longer required for their purposes.
“Personal data shall be processed in accordance with the rights of data subjects under this Law.”
“Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.”
The data controller must take appropriate steps to ensure security, bearing in mind what is reasonable in the circumstances in relation to the nature of the information held, the harm that may be caused to individuals if the security of the information was breached, the cost of implementing security measures and the current state of technological development. The data controller must take reasonable steps to ensure the reliability of the employees of the data controller who have access to the personal data.
“Personal data shall not be transferred to a country or territory outside the European Economic Area, unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.”
Whether or not there is an adequate level of protection will depend on various factors, including the law in force in the country or territory in question, the international obligations of that country or territory and the nature of the data to be transferred.
The purpose of these eight principles is to ensure that the rights of the data subject are protected, and that the regime within which data processing operates is fair.
For advice, assistance or further information please do not hesitate to call 630530.
How Parslows Jersey can help
Our lawyers assist clients with building effective internal compliance programs to reduce risk and promote business, by providing candid and sound legal advice. We offer solutions that are practical and sensitive to your business objectives, while keeping in mind the subtleties of the regulatory requirements.
Parslows Jersey Business Legal Services team is small enough to care but big enough to trust.