The document provides an overview of data protection legislation in Guernsey. It summarizes that the legislation was modeled after the UK's 1998 Data Protection Act and aims to provide uniform standards for data handling. It defines key terms like personal data, data controller, and sensitive personal data. It outlines requirements for data controllers including notification, data subject rights, and adhering to eight data protection principles around fair and lawful processing, data quality, security, and international transfers. Enforcement is through the Data Protection Commissioner who can issue notices but primarily encourages education and compliance.

1. DATA PROTECTION An Overview of Data
Protection Legislation in
Guernsey
Wednesday, 8 October 2008
Friday, 10 October 2008 Jon Barclay, Advocate
Monday, 13 October 2008
AO Hall Advocates

2. Background: The EC Directive
● Sets out uniform standards for good data handling
practice.
● Implemented in UK by Data Protection Act 1998.
● Not binding on Guernsey, but implemented here for
business reasons.
● The Data Protection (Bailiwick of Guernsey) Law, 2001
is modelled on the 1998 Act.
● European Commission Decision of 21 November
2003: Guernsey has “adequate” data protection.

3. Guernsey’s Data Protection
Law
Main Features -
● Notification Requirements for Data Controllers
● Data Subject Rights
● Good Data Handling Practices
● Supervision and Enforcement Procedures

4. Definitions
● “Data” – information stored or processed electronically,
or manually if stored on a “relevant filing system”.
● “Relevant Filing System” – a set of information which
is structured, either by reference to individuals or by
reference to criteria related to individuals, in such a way that
specific information relating to a particular individual is
readily accessible.

5. Definitions continued…
● “Personal Data” – must relate to a living individual
who can be identified from those data or from those
data and other information which is in possession of the
data controller.
● “Data Controller” – a person who determines the
manner in which personal data is processed.
● “Data Processor” – any person other than an
employee who holds data on behalf of the data controller.

6. Definitions continued…
● “Data Subject” – a living individual who is the subject
of personal data.
● “Processing” – obtaining, recording or holding the data
or information and carrying out any operation in relation to it.
● “Sensitive Personal Data” – personal data which
consists of information about the subject’s racial or ethnic
origin, political opinions, religious beliefs, trade union affiliation,
physical or mental health, sex life, criminal activities or
criminal record.

7. Scope
● All data controllers in the Bailiwick.
● All personal data.
● Foreign controllers who process data here.
● Focus on privacy.
● There is no Freedom of Information legislation in
Guernsey.

8. Personal Data
● Email and other addresses
● Telephone subscriber details
● Credit record
● Banking details
● Employment references
● Criminal convictions
● Biometric data
● Medical data
● CCTV footage
● Records of personal telephone calls
● Recorded expressions of personal opinion
● etc

9. Notification Requirement
● Annual notification unless exempt
● Public register
● Transparency and openness

10. Notification Details
● Contact details
● General purposes of processing
● Types of data subject
● Types of data
● Potential recipients
● Other jurisdictions
● Security measures

11. Useful addresses
• www.dpr.gov.gg
• www.gov.gg

12. Data Subject Rights
● Subject access
● Rectification, blocking, erasure and destruction
● To prevent processing likely to cause distress
● To prevent processing for direct marketing
purposes
● Compensation
● Automated decision-making
● Request for an assessment

13. Subject Access Requests
Individuals are entitled to request a data controller to provide
them with -
● a description of any data which is being processed by
reference to them
● a description of the purposes for which it is being
processed
● a description of any potential recipients of the data
● information as to the source of the data

14. Exemptions
● Public Security
● Investigation of Crime
● Regulatory Activity
● etc

15. Conflict of Subject Rights and Controller
Duties
• STRs
• Third party privacy
• etc

16. Automated Decision Making
• Significant?

17. Objections to Data Processing
• Damage or distress
• Direct Marketing – Preference Services

18. Other Rights
• Rectification, blocking, erasure and destruction
• Compensation
• Assessments

19. Data controllers: duty to follow good data
handling practices
• All data controllers must observe the
Data Protection Principles
• Even if exempt from notification

20. The Data Protection Principles
Personal data must be :
1. processed fairly and lawfully
2. obtained for specified and lawful purposes only
3. adequate, relevant and not excessive
4. accurate and kept up to date
5. kept for no longer than is necessary
6. processed in accordance with the rights of data
subjects
7. kept secure
8. transferred to third countries only if they ensure
an adequate level of data protection

21. First and Second Principles: “Lawful”?
● Breach of Privacy
● Hacking
● Breach of Confidentiality
● Rehabilitation of Offenders
● Theft
● Obtaining by Deception (“Blagging”)
● Unlawful Interception of Communications

22. First and Second Principles: “Fair”?
Consider:
● The method by which the data was obtained
● Statutory authority or requirement
● Informed consent
Also:
● Is a Schedule 2 condition met?
● Sensitive personal data: Is a Schedule 3
condition met?

23. Quality Standards
Third Principle: relevant, adequate and not
excessive.
Fourth Principle: accurate and kept up to date.
Fifth Principle: kept for no longer than is
necessary.

24. Sixth Principle: Data Subject Rights
● Subject access rights
● Privacy
● Security

25. Seventh Principle: Security
Security Measures –
● Passwords (which should be changed regularly)
● Careful location of computer screens
● Procedures to verify caller identity
● Clear, written data protection procedures
● Making breach of data protection procedures a disciplinary
offence
● Use of encryption
● Other technical and operational measures

26. Eighth Principle: Data export
• EEA
• “Adequate” Countries
• Elsewhere
•Data Transfer Agreements
•Model Clauses

27. Enforcement Authorities
•The Commissioner
•The Police
•The Courts

28. The Data Protection Commissioner
● Role
● Enforcement Powers
● Requests for Assessment

29. Offences
• Failure to notify
• Unauthorised disclosure, selling or obtaining
• Failure to comply with a notice
• Blagging
• Unsolicited communications
• Enforced SARs

30. The Commissioner’s Role
• Promote good information handling practices
• Encourage respect for privacy
• Enforce the legislation
• Inform and direct policy

31. The Commissioner’s Powers
• Limited
• Enforcement notices
• Encouragement and Education rather than
coersion

32. Requests for Assessment
• Unverified
• Verified
• Enforcement Notices
• Information Notices and Warrants

33. DATA PROTECTION An Overview of Data
Protection Legislation in
Guernsey
Wednesday, 8 October 2008
Friday, 10 October 2008 Jon Barclay, Advocate
Monday, 13 October 2008
AO Hall Advocates