The processing of your personal data and the way in which it is used engages numerous areas of the law;
This briefing deals with the Data Protection (Jersey) Law 2005 (“the DPJL”)
Overview of data protection principles
One of the main ways that the DPJL protects your rights is that it imposes a duty on those who handle your personal data to do so in accordance with the Data Protection principles. There are eight of these principles and they are set out in Schedule 1 to the DPJL. These eight principles govern the way in which the other provisions of the DPJL are applied and interpreted.
The first principle is that personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless:
a at least one of the conditions in Schedule 2 to the DPJL is met; and
Processing means collecting storing, retrieving or organising data.
Schedule 2 contains various conditions, but the first condition in Schedule 2 is that the data controller has obtained your consent. It is possible for your personal data to still be processed without your consent provided that the data controller can show that one of the other conditions, set out in Schedule 2, is met. For example processing will be fair and lawful if the processing is necessary to fulfil a contract or comply with other legal obligations.
Schedule sets out the special conditions, which apply to the handling of sensitive personal data. This type of data is defined in Article 2 as information relating to:
Sensitive personal data cannot be processed in most circumstances unless you have given your explicit consent to the processing, or the processing is necessary for strictly limited processes such as the administration of justice, or the processing is necessary to protect the vital interests of the data subject or another person.
“Personal data shall be obtained only for one or more specified and lawful purpose and shall not be further processed in any manner incompatible with that purpose of those purposes.”
In other words the data controller must have a valid reason to collect your personal data and must inform you what that reason is. If data is collected for one reason, it cannot be used for another unrelated purpose without your express consent. If a company holds your name and address for a particular purpose, it cannot give that information to a mail order company without your permission.
“Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.”
What this means is that only the data, which is truly necessary for the purpose stated, should be collected. It is not acceptable for a data controller to hold information in case it might be useful in the future, without a view about how it will be used. If the data controller doesn’t keep the information that they hold up to date, it may become inadequate and if they keep it for longer than necessary, it may become irrelevant and excessive.
“Personal data shall be accurate and, where necessary, kept up to date.”
Information that has become obsolete must be removed, as must information that is incorrect. The principle will not be breached if the data controller has taken reasonable steps to ensure the accuracy of the data. In terms of considering whether it is necessary to keep it up to date, the purpose for which the data is held is relevant. For example, if the data is intended to be used simply as an historical record, updating it would be inappropriate. On the other hand, where the information is to be used to decide whether to grant credit of some other benefit it is important that the information is current.
“Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.”
Data controllers therefore need to review their personal data regularly and delete information, which is no longer required for their purposes.
“Personal data shall be processed in accordance with the rights of data subjects under this Law”
“Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.”
The data controller must take appropriate steps to ensure security, bearing in mind what is reasonable in the circumstances in relation to the nature of the information held; the harm that may be caused to individuals if the security of the information was breached; the cost of implementing security measures and the current state of technological development. The data controller must take reasonable steps to ensure the reliability of the employees of the data controller who have access to the personal data.
“Personal data shall not be transferred to a country or territory outside the European Economic Area, unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.”
Whether or not there is an adequate level of protection will depend on various factors including the law in force in the country or territory in question, the international obligations of that country or territory and the nature of the data to be transferred.
The purpose of these eight principles is to ensure that the rights of the data subject are protected and that the regime within which data processing operates, is fair.
How Parslows can help
Our lawyers assist clients with building effective internal compliance programs to reduce risk and promote business by providing candid and sound legal advice. We offer solutions that are practical and sensitive to your business objectives while keeping in mind the subtleties of these regulatory requirements
Our clients are pleased with our service and fees, we are confident you will too.
For further information please do not hesitate to email us at email@example.com or call 630530;
The information and opinion expressed in this briefing does not purport to be definitive or comprehensive and are not intended to provide professional advice. For specific advice, please contact Parslows, We are not responsible for, and do not accept any responsibility or liability in connection with, the content of this document or any reliance upon it