The Data Protection (Jersey) Law 2018 is an information privacy law in the Crown Dependency of the Bailiwick of Jersey, one of the Channel Islands. The latest version is 2018, updating the previous law from 2005 to mirror the General Data Protection Regulation (GDPR). It was adopted on 25 May 2018.[1]
Eight Principles Data must be...
- fairly and lawfully processed
- processed for one or more specified and lawful purposes
- adequate, relevant and not excessive
- accurate and up to date
- not kept longer than necessary
- processed in accordance with the individual’s rights
- kept safe and secure
- not transferred to countries outside European Economic area unless country has adequate protection for the individual.
2006 Annual Report of the Jersey Office of Data Protection Commissioner[2]
Rights of Individuals
- Rights of access
- Rights to prevent processing
- Rights to prevent processing for direct marketing
- Rights in relation to automated decision-taking
- Right to seek compensation
- Rights to have inaccurate information corrected
- Right to complain to the Commissioner
2006 Annual Report of the Jersey Office of the Data Protection Commissioner[2]
The law implements the European Data Protection Directive of 24 October 1995, which concerns the "protection of individuals with regard to the processing of personal data and on the free movement of such data". These include restrictions on the gathering, collection, and use of personal data, as well as forcing data collectors to let individuals know how their data has been used.[1][3] Gatherers of data are called "data controllers" and must register with the Data Protection Commissioner and pay a yearly fee.[4][2] The law also contains numerous exemptions for journalism, crime investigation, &c.[5] Other Crown dependencies like Guernsey and the Isle of Man have similar laws.[1] The 2005 law was modelled from the UK's Data Protection Act 1998.[4][1] These laws can all trace lineage back to the European Directive on Data Protection, 95/EC/46 of 1995 and the Council of Europe's European Convention 108, passed in 1981.[6][7]
The 2005 overhaul of the Data Protection laws was prompted by the aforementioned Data Protection Directive. It restricted the transmission of protected data to countries outside of the European Economic Area unless they had been certified as having 'adequacy' in their own data protection laws.[4][8] Jersey is considered outside of the European Economic Area, and its 1987 Data Protection law was not adequate, so the restrictions could have harmed Jersey's financial services industry.[4] (Jersey is a major international offshore financial centre[9] and tax haven[10]) In 2008, Jersey achieved 'adequacy status' under the EU rules.[11][12]
Jersey's law is modified to suit this finance industry.[1] One such modification exempts trusts from the law so that they can use the personal information of beneficiaries of the trust without having to disclose certain details of the usage to the beneficiary. This modification was accomplished through a revision called the "Subject Access Exemptions" in 2005.[1][13]
The main office of the law is the Data Protection Commissioner[5][14] (before 2005, called the Data Protection Registrar).[5] The commissioner for the first several years of the law was Emma Martins[4][15] There is also a Data Protection Tribunal.[5] In 2011 an attempt was made to unify the Commission of Guernsey with that of Jersey so that one Commissioner office would serve both Channel Islands.[15]
In 2007 charity groups had to change the way they operated the Jersey Christmas Appeal because they kept a list of the families who were nominated to receive vouchers for food, toys, fuel, and other needs during the holidays. The beneficiaries had to send in signed forms agreeing to be on the list.[16]
The law has been used at least two times against Jersey politicians.
In 2009, Jersey Senator Stuart Syvret was arrested on charges of violating the law after he blogged an old 1999 police report on a suspected serial killer and rapist Nurse that included the suspect's name. The police investigation had been abandoned for lack of evidence and Syvret had at first accepted this. However over the years Syvret came to believe the government of Jersey was incompetent and corrupt, especially after his experiences as Health Minister during the Jersey child abuse investigation 2008. He came to believe that the "Nurse M"[17] (or "Nurse X" in court documents) investigation had been incomplete, that the suspect was still dangerous. This was his alleged motivation for blogging the suspects name in 2009.[18] At trial he argued that his actions fell under the exemptions of the Law, but the Magistrate rejected this. In November 2010 he was convicted of violating Articles 17, 21, and 55 of the Data Protection Law and sentenced to 10 weeks imprisonment and a fine. Assistant Magistrate Bridget Shaw gave the analysis and opinion:[18][19]
"he must have caused distress to X and his family and risked provoking violence either by or against X. The defendant also risked causing great distress to relatives of the deceased. In my opinion this was done to create a totally unfounded scandal to undermine public confidence in the administration of justice."[18]
In 2011, Saint Brélade Deputy and Housing Minister Sean Power was forced to resign after he forwarded an email he pulled off a printer in the States Building. The email discussed Syvret.[20]