Data Protection
(Jersey) Law 2005[1]
A LAW to make new provision for the
regulation of the processing of information relating to individuals, including
the obtaining, holding, use or disclosure of such information, and for purposes
incidental thereto and connected therewith.
Commencement
[see endnotes]
PART 1
INTERPRETATION, OBLIGATIONS
AND OFFICES
Interpretation
1 Interpretation
of Law
(1) In
this Law, unless the context otherwise requires –
“business” includes any trade or profession;
“Commissioner” means the holder of the
office of Data Protection Commissioner referred to in Article 6;
“Court” means the Royal Court;
“credit reference agency” means a person who
carries on the business of providing information about the financial standing
of persons;
“data” means information that –
(a) is being processed by means of equipment
operating automatically in response to instructions given for that purpose;
(b) is recorded with the intention that it
should be processed by means of such equipment;
(c) is recorded as part of a relevant filing
system or with the intention that it should form part of a relevant filing
system; or
(d) is recorded information held by a scheduled
public authority and does not fall within any of sub-paragraphs (a) to
(c);
“data controller” means, except as provided
in paragraph (4), a person who (either alone or jointly or in common with
other persons) determines the purposes for which and the manner in which any
personal data are, or are to be, processed;
“data processor”, in relation to personal
data, means any person who processes the data on behalf of a data controller,
but does not include an employee of the data controller;
“Data Protection Directive” means Directive
95/46/EC on the protection of individuals with regard to the processing of
personal data and on the free movement of such data;
“data protection principles” has the meaning
specified in Article 4;
“data subject” means an individual who is
the subject of personal data;
“EEA State” means a State which is a
contracting party to the Agreement on the European Economic Area signed at
Oporto on 2nd May 1992 as adjusted by the Protocol signed at Brussels
on 17th March 1993;
“enforcement notice” means a notice under
Article 40;
“first transitional period” means the period
that starts on the day on which Schedule 8 comes into force and ends on
the third anniversary of that day;
“function” includes power, authority and
duty;
“health professional” means a person
lawfully practising as a medical practitioner, dentist, optician, pharmacist,
nurse, midwife or health visitor, osteopath, chiropractor, clinical
psychologist, child psychotherapist or speech therapist, or a music therapist
employed by a body lawfully providing health services, or a scientist employed
by such a body as head of a department, or a person that may be prescribed by
Regulations;
“health record” means a record
that –
(a) consists of information relating to the
physical or mental health or condition of an individual; and
(b) has been made by or on behalf of a health
professional in connection with the care of that individual;
“inaccurate”, in relation to data, has the
meaning set out in paragraph (5);
“information notice” means a notice under
Article 43;
“Minister” means the Chief
Minister;
“non-disclosure provisions” means the following
provisions to the extent that they are inconsistent with the disclosure in
question –
(a) the first data protection principle, except
to the extent to which it requires compliance with the conditions in Schedules
2 and 3;
(b) the second, third, fourth and fifth data
protection principles; and
(c) Articles 10 and 14(1) to (3);
“personal data” means data that relate to a
living individual who can be identified –
(a) from those data; or
(b) from those data and other information that
is in the possession of, or is likely to come into the possession of, the
relevant data controller,
and includes any expression of
opinion about an individual who can be so identified and any indication of the
intentions of the data controller or any other person in respect of an
individual who can be so identified;
“processing”, in relation to information or
data, means obtaining, recording or holding the information or data, or
carrying out any operation or set of operations on the information or data,
including –
(a) organizing, adapting or altering the
information or data;
(b) retrieving, consulting or using the
information or data;
(c) disclosing the information or data by
transmission, dissemination or otherwise making it available; or
(d) aligning, combining, blocking, erasing or
destroying the information or data;
“public register” means any register that,
pursuant to a requirement imposed under an enactment or in pursuance of an
international agreement, is open to public inspection or open to inspection by
any person having a legitimate interest in the subject matter of the register;
“publish”, in relation to journalistic,
literary or artistic material, means make available to the public or any
section of the public;
“recipient”, in relation to any personal
data, means any person to whom the data are disclosed, including any person
(such as an employee or agent of the relevant data controller, a relevant data
processor or an employee or agent of a data processor) to whom they are
disclosed in the course of processing the data for the data controller, but
does not include any person to whom disclosure is or may be made as a result
of, or with a view to, a particular inquiry by or on behalf of that person made
in the exercise of any power conferred by law;
“register” means the register maintained
under Article 19;
“registered company” means a company within
the meaning of the
Companies (Jersey) Law 1991;[2]
“Regulations” means Regulations made by the
States under this Law;
“relevant filing system” means any set of
information relating to individuals to the extent that, although the
information is not processed by means of equipment operating automatically in
response to instructions given for that purpose, the set is structured, either
by reference to individuals or by reference to criteria relating to
individuals, in such a way that specific information relating to a particular
individual is readily accessible;
“second transitional period” means the
period that starts when the first transitional period ends and ends on the
sixth anniversary of the day when Schedule 8 comes into force;
“sensitive personal data” has the meaning
set out in Article 2;
“scheduled public
authority” has the same meaning as in the Freedom of Information (Jersey)
Law 2011[3];
“special information notice” means a notice
under Article 44;
“special purposes” has the meaning set out
in Article 3;
“staff” of the Commissioner includes any
person employed in the office of the Commissioner;
“subject information provisions”
means –
(a) the first data protection principle to the
extent to which it requires compliance with paragraph 2 of Schedule 1 Part
2; and
(b) Article 7;
“third party”, in relation to personal data,
means any person other than –
(a) the data subject;
(b) the data controller; or
(c) any data processor or other person
authorized to process data for the data controller or processor;
“Tribunal” means the Tribunal continued by
Article 6 and known as the Data Protection Tribunal.[4]
(1A) In
sub-paragraph (d) of the definition “data” in
sub-paragraph (1), the reference to information “held” by a
scheduled public authority shall be construed in accordance with Article 3
of the Freedom of Information (Jersey) Law 2011[5] (as if that Article referred to a scheduled public authority).[6]
(2) In
this Law, unless the context otherwise requires –
(a) obtaining, or recording, personal data
includes obtaining, or recording, the information to be contained in the data;
and
(b) using, or disclosing, personal data includes
using, or disclosing, the information contained in the data.
(3) In
determining for the purposes of this Law whether any information is recorded
with the intention –
(a) that it should be processed by means of
equipment operating automatically in response to instructions given for that
purpose; or
(b) that it should form part of a relevant
filing system,
it is immaterial that it is
intended to be so processed or to form part of such a system only after being
transferred to a country or territory outside Jersey.
(4) If
personal data are processed only for purposes for which they are required by or
under any enactment to be processed, the person on whom the obligation to
process the data is imposed by or under that enactment is, in relation to the
data, the data controller for the purposes of this Law.
(5) For
the purposes of this Law data are inaccurate if they are incorrect or
misleading as to any matter of fact.
(6) For
the purposes of this Law, a description or class may be framed by reference to
any circumstances whatsoever.
2 Sensitive
personal data
In this Law “sensitive personal data” means, in relation
to a data subject, personal data consisting of information as to –
(a) the
racial or ethnic origin of the data subject;
(b) the
political opinions of the data subject;
(c) the
data subject’s religious beliefs or other beliefs of a similar nature;
(d) whether
the data subject is a member of a trade union;
(e) the
data subject’s physical or mental health or condition;
(f) the
data subject’s sexual life;
(g) the
data subject’s commission, or alleged commission, of any offence; or
(h) any
proceedings for any offence committed, or alleged to have been committed, by
the data subject, the disposal of any such proceedings or any sentence of a
court in any such proceedings.
3 The
special purposes
In this Law “special
purposes” means any one or more of the following –
(a) the
purposes of journalism;
(b) artistic
purposes;
(c) literary
purposes.
Principles, application,
and obligations
4 The
data protection principles: their content, Regulations about them, and duty to
comply with them
(1) References
in this Law to the data protection principles are to the principles set out in
Schedule 1 Part 1.
(2) Those
principles are to be interpreted in accordance with Schedule 1
Part 2.
(3) Paragraph 7 of
Schedule 2, paragraph 11 of Schedule 3 and paragraph 10 of
Schedule 4 shall have effect.
(4) Subject to Article 27(1),
it shall be the duty of a person to comply with the data protection principles
in relation to all personal data with respect to which the person is a data
controller.
5 Application
of Law; duty of data controller outside Jersey to nominate Jersey representative
(1) Except
as otherwise provided by or under Article 54, this Law applies to a data
controller in respect of any data only if –
(a) the data controller is established in Jersey
and the data are processed in the context of that establishment; or
(b) the data controller is not established in
Jersey but uses equipment in Jersey for processing the data otherwise than for
the purposes of transit through Jersey.
(2) A
data controller referred to in paragraph (1)(b) shall nominate for the
purposes of this Law a representative established in Jersey.
(3) For
the purposes of paragraphs (1) and (2), each of the following is to be
treated as established in Jersey –
(a) an individual who is ordinarily resident in
Jersey;
(b) a body incorporated under the law of Jersey;
(c) a partnership or other unincorporated
association formed under the law of Jersey;
(d) any person who does not fall within
sub-paragraph (a), (b) or (c) but maintains in Jersey –
(i) an
office, branch or agency through which the person carries on any activity, or
(ii) a
regular practice.
Offices
6 Commissioner
and Tribunal
(1) The
office originally established by Article 2(1)(a) of the Data Protection (Jersey) Law 1987 as the
office of Data Protection Registrar shall become, and be regarded as one with,
the corporation known as the Data Protection Commissioner.
(2) The
States may from time to time appoint a person to the office of Data Protection
Commissioner, but until the first such appointment takes effect, the person
holding office as Data Protection Registrar immediately before this Article
comes into force shall hold office after then as the Commissioner on the terms
and conditions applying immediately before then.
(3) The
States shall take all reasonable steps to ensure that at all times the office
of Data Protection Commissioner is filled and shall in any case appoint one or
more members of the Commissioner’s staff as vice-Data Protection Commissioners
to act in any absence of the Commissioner.
(4) The
Tribunal originally established by Article 2(1)(b) of the Data Protection (Jersey) Law 1987[7] as the Data Protection Tribunal shall continue to exist for the
purposes of this Law under the same name.
(5) The
Tribunal shall consist of a president, and 4 other members, appointed by the
States on the recommendation of the Minister and on the basis that they evenly
represent the interests of data subjects and of data controllers. Of the 4
other members, one or more shall be appointed as vice-presidents by the States
on the recommendation of the Minister.
(6) Until
the States appoint members of the Tribunal under this Law, a person who is the
chairman or a deputy chairman or other member of the Tribunal immediately
before this Article comes into force shall continue after then as
(respectively) the president or a vice-president or other member of the
Tribunal, on the same terms and conditions as before then.
(7) Schedule
5 shall have effect.
PART 2
RIGHTS OF DATA SUBJECTS AND
OTHERS
7 Fundamental
rights of access to personal data
(1) An
individual is entitled to be informed by any data controller whether personal
data of which that individual is the data subject are being processed by or on
behalf of that data controller, and, if that is the case, to be given by the
data controller a description of –
(a) the personal data being so processed of
which that individual is the data subject;
(b) the purposes for which they are being or are
to be processed by or on behalf of that data controller; and
(c) the recipients or classes of recipients to
whom they are or may be disclosed by or on behalf of that data controller.
(2) An
individual is entitled to the communication in intelligible form, by the
relevant data controller, of –
(a) the information constituting any personal
data of which the individual is the data subject; and
(b) any information available to the relevant
data controller as to the source of those data.
(3) If
the processing by automatic means of personal data of which an individual is
the data subject for the purpose of evaluating matters relating to the
individual (for example, the individual’s performance at work,
creditworthiness, reliability or conduct) has constituted or is likely to
constitute the sole basis for any decision significantly affecting the
individual, the individual is entitled to be informed by the relevant data
controller of the logic involved in that decision-taking.
(4) A
data controller is not obliged under paragraph (1), (2) or (3) to supply
any information unless the data controller has received –
(a) a request in writing; and
(b) except in cases that may be prescribed by
Regulations, such fee (not exceeding any maximum that may be prescribed by
Regulations) as the data controller may require.
(5) The
request may, in such cases as may be prescribed by Regulations, specify that it
is limited to personal data of any description that may be prescribed by
Regulations.
(6) If
a data controller reasonably requires further information in order to be
satisfied as to the identity of the person making the request or to locate the
information that the person seeks, and has informed the person of the
requirement, the data controller is not obliged to comply with the request
unless supplied with that information.
(7) If
a data controller cannot comply with the request without disclosing information
relating to another individual who can be identified from that information, the
controller is not obliged to comply with the request unless –
(a) the other individual has consented to the
disclosure of the information to the person making the request; or
(b) it is reasonable in all the circumstances to
comply with the request without the consent of the other individual.
(8) In
paragraph (7), the reference to information relating to another individual
includes a reference to information identifying that individual as the source
of the information sought in the request.
(9) Paragraph
(7) is not to be construed as excusing a data controller from communicating so
much of the information sought in the request as can be communicated without
disclosing the identity of the other individual concerned, whether by the
omission of names or other identifying particulars or otherwise.
(10) In
determining for the purposes of paragraph (7)(b) whether it is reasonable
in all the circumstances to comply with the request without the consent of the
other individual concerned, regard shall be had, in particular, to –
(a) any duty of confidentiality owed to the
other individual;
(b) any steps taken by the data controller to
seek the consent of the other individual;
(c) whether the other individual is capable of
giving consent; and
(d) any express refusal of consent by the other
individual.
(11) Except
as provided in paragraph (7), a data controller shall comply with a
request under this Article promptly and in any event within such period as may
be prescribed by Regulations, or if no period is so prescribed for the time
being, within the period that –
(a) begins with the day on which the data
controller receives the request under paragraph (4) or, if later, the
first day on which the data controller has both the fee required under that
paragraph and the information referred to in paragraph (6); and
(b) ends on the 40th day after the day on which
the period begins.
(12) If
a court is satisfied on the application of any person who has made a request
under this Article that a data controller has contravened this Article in
failing to comply with the request, the court may order the data controller to
comply with the request.
8 Treatment
of requests under Article 7
(1) The
States may by Regulations provide that, in such cases as may be prescribed by
those Regulations, a request under Article 7 for information referred to
in any provision of Article 7 is to be treated as a request for
information referred to in any other provision of Article 7.
(2) The
obligation imposed by Article 7(2)(a) shall be complied with by supplying
the data subject with a copy of the relevant information in permanent form
unless –
(a) the supply of such a copy is not possible or
would involve disproportionate effort; or
(b) the data subject agrees otherwise.
(3) If
any of the information referred to in Article 7(2)(a) is expressed in
terms that are not intelligible without explanation the copy shall be
accompanied by an explanation of those terms.
(4) If
a data controller has previously complied with a request under Article 7
by an individual, the data controller is not obliged to comply with a
subsequent identical or similar request under that Article by the individual
unless the interval between compliance with the previous request and the making
of the current request is reasonable.
(5) In
determining whether the interval is reasonable, regard shall be had to the
nature of the data, the purpose for which the data are processed and the
frequency with which the data are altered.
(6) Article 7(3)
is not to be regarded as requiring the provision of information as to the logic
involved in any decision-taking to the extent that the information constitutes
a trade secret.
(7) Information
supplied under Article 7 shall be supplied by reference to the data in
question at the time when the request for the data is received, except that
account may be taken of any amendment or deletion made between that time and
the time when the information is supplied, being an amendment or deletion that
would have been made regardless of the receipt of the request.
(8) For
the purposes of Article 7(7) and (9), another individual can be identified
from the information being disclosed if the individual can be identified from
that information, or from that and any other information that, in the
reasonable belief of the data controller, is likely to be in, or to come into,
the possession of the data subject making the request.
9 Credit
reference agency as data controller
(1) If a data controller is a credit reference agency, Article 7
applies in relation to that data controller subject to this Article.
(2) An individual may limit a request to a data controller under
Article 7 to personal data relevant to the financial standing of the
individual, and shall be taken to have so limited the request unless the
request shows a contrary intention.
(3) If
personal data are being processed by or on behalf of a data controller who
receives a request under Article 7 from an individual who is the data
subject of those data, the obligation to supply information under that Article
includes an obligation to give the individual a statement of the individual’s
rights under this Law in such form, and to such extent, as may be prescribed by
Regulations.
9A Unstructured
personal data held by scheduled public authorities[8]
(1) In
this Article, “unstructured personal data” means any personal data
falling within sub-paragraph (d) of the definition of data in
Article 1(1).
(2) A
scheduled public authority is not obliged to comply with Article 7(1) in
relation to any unstructured personal data unless the request under that Article
contains a description of the data.
(3) Even
if a request contains a description of data as referred to in
paragraph (2), a scheduled public authority is not obliged to comply with
Article 7(1) in relation to unstructured personal data if the authority
estimates that the cost of complying with the request in so far as it relates
to those data would exceed a limit specified by the States in Regulations.
(4) Paragraph (3)
does not exempt the scheduled public authority from its obligation under
Article 7(1) to inform an individual whether unstructured personal data of
which that individual is the data subject are being processed by or on behalf
of the data controller unless the estimated costs of complying with that
obligation alone in relation to those data would exceed a limit specified by
the States in Regulations.
(5) Any
estimate for the purposes of this Article must be made in accordance with
Regulations under Article 16 of the Freedom of Information (Jersey)
Law 2011[9] (whether or not any limit specified in Regulations for the purposes
of this Article is the same as any amount determined in accordance with
Regulations under Article 16).
10 Right
to stop processing that causes distress or damage
(1) An
individual is entitled at any time by notice in writing to a data controller to
require the data controller at the end of such period as is reasonable in the
circumstances to cease, or not to begin, processing, or processing for a
specified purpose or in a specified manner, any personal data in respect of
which the individual is the data subject, on the ground that, for reasons
specified in the notice –
(a) the processing of those data or their
processing for that purpose or in that manner is causing or is likely to cause
substantial damage or substantial distress to the individual or to another
individual; and
(b) that damage or distress is or would be
unwarranted.
(2) Paragraph
(1) does not apply –
(a) if one or more of the conditions in
paragraphs 1 - 4 of Schedule 2 is met; or
(b) in such other cases as may be prescribed by
Regulations.
(3) The
data controller shall within 21 days of receiving a notice under
paragraph (1) give the individual who gave it a written
notice –
(a) stating that the data controller has
complied or intends to comply with the individual’s notice; or
(b) stating the data controller’s reasons
for regarding the individual’s notice as to any extent unjustified and
the extent (if any) to which the data controller has complied or intends to
comply with it.
(4) If
a court is satisfied, on the application of any person who has given notice
under paragraph (1) –
(a) that the notice is justified to any extent;
and
(b) that the data controller in question has
failed to comply with the notice to that extent,
the court may order the data
controller to take such steps as it thinks fit for complying with the notice to
that extent.
(5) The
failure by a data subject to exercise the right conferred by paragraph (1)
does not affect any other right conferred on the data subject by this Part.
11 Right
to stop processing for direct marketing
(1) An
individual is entitled at any time by notice in writing to a data controller to
require the data controller at the end of such period as is reasonable in the
circumstances to cease, or not to begin, processing for the purposes of direct
marketing personal data in respect of which the individual is the data subject.
(2) If
a court is satisfied, on the application of any person who has given a notice
under paragraph (1), that the data controller has failed to comply with
the notice, the court may order the data controller to take such steps for
complying with the notice as the court thinks fit.
(3) The
failure by a data subject to exercise the right conferred by paragraph (1)
does not affect any other right conferred on the data subject by this Part.
(4) In
this Article, “direct marketing” means the communication (by
whatever means) of any advertising material, or marketing material, that is
directed to particular individuals.
12 Rights
in relation to automated decision-making
(1) An
individual is entitled at any time, by notice in writing to a data controller,
to require the data controller to ensure that no decision taken by or on behalf
of the data controller that significantly affects the individual is based
solely on the processing by automatic means of personal data in respect of
which that individual is the data subject for the purpose of evaluating matters
relating to the individual (for example, the individual’s performance at
work, creditworthiness, reliability or conduct).
(2) If
no such notice has effect and a decision that significantly affects an
individual is based solely on such processing –
(a) the data controller shall as soon as
reasonably practicable notify the individual that the decision was taken on
that basis; and
(b) the individual is entitled, within 21 days
after receiving that notification from the data controller, by notice in
writing to require the data controller to reconsider the decision or to take a
new decision otherwise than on that basis.
(3) The
data controller shall, within 21 days after receiving a notice under
paragraph (2)(b), give the individual a written notice specifying the
steps that the data controller intends to take to comply with the data
subject’s notice.
(4) A
notice under paragraph (1) does not have effect in relation to, and
nothing in paragraph (2) applies to, an exempt decision, that is, a
decision –
(a) in respect of which the conditions in
paragraphs (5) and (6) are both satisfied; or
(b) that is made in such other circumstances as
may be prescribed by Regulations.
(5) The
first condition is that the decision –
(a) is taken in the course of steps
taken –
(i) for
the purpose of considering whether to enter into a contract with the data
subject,
(ii) with
a view to entering into such a contract, or
(iii) in
the course of performing such a contract; or
(b) is authorized or required by or under any
enactment.
(6) The
second condition is that –
(a) the effect of the decision is to grant a
request of the data subject; or
(b) steps have been taken to safeguard the
legitimate interests of the data subject (for example, by allowing the data
subject to make representations).
(7) If
a court is satisfied on the application of a data subject that a person taking
a decision in respect of the data subject has failed to comply with a notice
under paragraph (1) or (2)(b), the court may order the person to
reconsider the decision, or to take a new decision that is not based solely on
such processing as is mentioned in paragraph (1).
(8) An
order under paragraph (7) shall not affect the rights of anyone other than
the data subject and the person.
13 Compensation
for failure to comply with certain requirements
(1) An
individual who suffers damage by reason of any contravention by a data
controller of any requirement of this Law is entitled to compensation from the
data controller for that damage.
(2) An
individual who suffers distress by reason of any contravention by a data
controller of any requirement imposed by or under this Law is entitled to
compensation from the data controller for that distress.
(3) In
proceedings brought against a person by virtue of this Article it is a defence
for the person to prove that the person took such care as in all the
circumstances was reasonably required to comply with the requirement concerned.
14 Rectification,
blocking, erasure and destruction
(1) If
a court is satisfied on the application of a data subject that personal data of
which the applicant is the subject are inaccurate, the court may order a person
who is the data controller of the data to rectify, block, erase or
destroy –
(a) those data; and
(b) any other personal data in respect of which
the person is the data controller and that contain an expression of opinion
that appears to the court to be based on the inaccurate data.
(2) Paragraph
(1) applies whether or not the data accurately record information received or
obtained by the data controller from the data subject or a third party, but if
the data accurately record such information then –
(a) if the conditions referred to in paragraph
7(a) and (b) of Schedule 1 Part 2 have been satisfied in respect of the data -
the court may, instead of making an order under paragraph (1), make an
order requiring the data to be supplemented by such statement of the true facts
relating to the matters dealt with by the data as the court may approve; or
(b) if one or both of those conditions have not
been satisfied in respect of the data - the court may, instead of making an
order under paragraph (1), make such order as it thinks fit for securing
that those conditions are satisfied, with or without a further order requiring
the data to be supplemented by such statement of the true facts relating to the
matters dealt with by the data as the court may approve.
(3) If
a court –
(a) makes an order under paragraph (1); or
(b) is satisfied on the application of a person
that personal data of which the person was the data subject and that have been
rectified, blocked, erased or destroyed were inaccurate,
it may, if it considers it
reasonably practicable, order the data controller to notify third parties to
whom the data have been disclosed of the rectification, blocking, erasure or
destruction.
(4) If
a court is satisfied on the application of a person who is a data
subject –
(a) that the person has suffered damage by
reason of any contravention by a data controller of any of the requirements of,
or under, this Law in respect of any personal data, in circumstances entitling
the person to compensation under Article 13; and
(b) that there is a substantial risk of further
contravention in respect of those data in such circumstances,
the court may order the
rectification, blocking, erasure or destruction of any of those data.
(5) If
a court makes an order under paragraph (4) it may, if it considers it
reasonably practicable, order the data controller to notify third parties to
whom the data have been disclosed of the rectification, blocking, erasure or
destruction.
(6) In
determining whether it is reasonably practicable to require notification under
paragraph (3) or (5), a court shall have regard, in particular, to the
number of persons who would have to be notified.
15 Court
may inspect data
(1) For
the purpose of determining any question relating to whether an applicant under
Article 7(12) is entitled to the information that the applicant seeks
(including any question whether any relevant data are exempt from
Article 7 by virtue of Part 4) a court may require the information constituting
any data processed by or on behalf of the data controller and any information
as to the logic involved in any decision-taking as mentioned in
Article 7(3) to be made available for its own inspection.
(2) The
court shall not, during the course of the proceedings, require the information
sought by the applicant to be disclosed to the applicant or any other person.
PART 3
NOTIFICATIONs and
REGULATIONS
Notification by data controllers
16 Preliminary
(1) In
this Part, “registrable particulars”,
in relation to a data controller, means –
(a) the name and address of the data controller;
(b) in the case of a data controller to whom Article 5(1)(b)
applies - the name and address of a representative of the data controller,
being a representative established in Jersey within the meaning of that
Article;
(c) a description of the personal data being, or
to be, processed by or on behalf of the data controller and of the category or
categories of data subject to which they relate;
(d) a description of the purpose or purposes for
which the data are being or are to be processed;
(e) a description of the recipients (if any) to
whom the data controller intends or may wish to disclose the data;
(f) the names, or a description, of any
countries or territories outside Jersey to which (directly or indirectly) the
data controller transfers, or intends or may wish to transfer, the data; and
(g) if personal data are being, or are intended
to be, processed by a data controller in circumstances in which the prohibition
in Article 17(1) is excluded by Article 17(2) or (3) and a
notification in respect of the data controller under Article 18 does not
extend to those data – a statement of that fact.
(2) For
the purposes of this Part, so far as it relates to the addresses of data
controllers –
(a) the address of a registered company is that
of its registered office; and
(b) the address of a person (other than a
registered company) carrying on a business is that of the person’s
principal place of business in Jersey.
17 No
processing without registration
(1) Personal
data shall not be processed unless an entry in respect of the data controller
who determines the purposes for which and the manner in which the data are so
processed is included (or taken to be included) in the register.
(2) Except
if the processing is assessable processing for the purposes of Article 22,
paragraph (1) does not apply in relation to personal data that consist of
information that does not fall within paragraph (a) or (b) of the
definition of “data” in Article 1(1).
(3) Paragraph
(1) does not apply to processing of a description prescribed by Regulations
under paragraph (5).
(4) Paragraph
(1) does not apply to processing whose sole purpose is the maintenance of a
public register.
(5) If
it appears to the States that processing of a particular description is
unlikely to prejudice the rights and freedoms of data subjects, the States may
by Regulations prescribe processing (in all cases or in specified cases) of
that description as processing to which paragraph (1) shall not apply.
18 Notification
by data controllers
(1) A
data controller who wishes to be included in the register shall give
notification to the Commissioner in accordance with this Article.
(2) The
data controller’s notification shall specify –
(a) the registrable particulars in relation to
the data controller; and
(b) a general description of measures to be
taken for the purpose of complying with the seventh data protection principle,
and the notification shall
specify those matters in accordance with such requirements as may be prescribed
by Regulations.
(3) Those
Regulations may make provision for (or for the determination by the
Commissioner, in accordance with any requirements of the Regulations, of) the
form and detail in which the registrable particulars referred to in Article 16(1)(c)
- (f), and the description referred to in paragraph (2)(b), are to be
specified.
(4) Those
Regulations may make provision as to the giving of notification –
(a) by partnerships; or
(b) in other cases where 2 or more persons are
the data controllers in respect of any personal data.
(5) A
notification is not made in accordance with this Article if the Regulations
prescribe a fee for it and the fee has not been paid.
(6) The
States may by Regulations prescribe fees to accompany notifications under this
Article and may by Regulations provide for any such fee that has been paid to
be refunded in circumstances set out in Regulations.
19 Register
of notifications
(1) The
Commissioner shall –
(a) maintain a register of persons who have
given notifications under Article 18; and
(b) make an entry in the register in pursuance
of each notification received under Article 18 from a person in respect of
whom no entry as data controller was for the time being included in the
register.
(2) Each
entry in the register shall consist of –
(a) the registrable particulars notified under Article 18
or, as the case requires, those particulars as amended under Article 20(4);
and
(b) such other information as the Commissioner
may be authorized or required by Regulations to include in the register.
(3) The
States may make Regulations for the purposes of paragraph (2)(b) and may by
Regulations make provision as to the time when any entry in respect of a data
controller is to be treated for the purposes of Article 17 as having been
included in the register.
(4) No
entry shall be retained in the register for more than such period as may be
prescribed by Regulations (or if no period is prescribed, 12 months) except on
payment of such fee as may be prescribed by Regulations.
(5) The
Commissioner –
(a) shall make the information contained in the
register available for inspection (in visible and legible form) by members of
the public at reasonable hours and free of charge; and
(b) may provide such facilities for making that
information available to the public free of charge as the Commissioner
considers appropriate.
(6) The
Commissioner shall, on application, supply any person with a copy in writing of
the particulars contained in any entry made in the register, being a copy
certified by the Commissioner to be a true copy of those particulars.
(7) An
application is not made in accordance with this Article if the Regulations
prescribe a fee for it and the fee has not been paid.
(8) The
States may by Regulations prescribe such a fee and may by Regulations provide
for any fee paid under this Article to be refunded in circumstances set out in
Regulations.[10]
20 Duty
to notify changes
(1) For
the purpose specified in paragraph (2), the States may by Regulations require
every person in respect of whom an entry as a data controller is for the time
being included in the register to notify the Commissioner, in such
circumstances, at such times and in such form as the Regulations prescribe, of
such matters relating to the registrable particulars and measures taken as
referred to in Article 18(2)(b) as the Regulations prescribe.
(2) The
purpose referred to in paragraph (1) is that of ensuring, so far as
practicable, that at any time –
(a) the entries in the register contain current
names and addresses and describe the current practice or intentions of the data
controller with respect to the processing of personal data; and
(b) the Commissioner is provided with a general
description of measures currently being taken as referred to in Article 18(2)(b).
(3) Regulations
under this Article may make provision for (or for the determination by the
Commissioner, in accordance with any requirements of the Regulations, of) the
form and detail in which the matters and measures referred to in paragraph (1)
are to be notified.
(4) The
Commissioner shall amend the relevant entry in the register as soon as
practicable after being notified of those matters and measures.
21 Offences
and defence
(1) If
personal data are processed in contravention of Article 17(1), the data
controller who determines the purposes for which and the manner in which the
data are so processed shall be guilty of an offence.
(2) A
person who fails to comply with the duty imposed under Article 20(1) shall
be guilty of an offence.
(3) It
shall be a defence for a person charged with an offence under paragraph (2)
to show that the person exercised all due diligence to comply with that duty.
22 Preliminary
assessment by Commissioner
(1) In
this Article “assessable processing” means processing prescribed as
such by Regulations.
(2) The
States may by Regulations prescribe as assessable processing any processing
that they consider particularly likely –
(a) to cause substantial damage or substantial
distress to data subjects; or
(b) otherwise significantly to prejudice the
rights and freedoms of data subjects.
(3) On
receiving notification from any data controller under Article 18 or under
Regulations made under Article 20, the Commissioner shall consider –
(a) whether any of the processing to which the
notification relates is assessable processing; and
(b) whether the assessable processing (if any)
is likely to comply with this Law.
(4) The
Commissioner shall, within 28 days beginning with the day on which such
notification is received from a data controller, give notice to the data
controller stating the extent to which the Commissioner considers that the
processing is likely or unlikely to comply with this Law.
(5) Before
the end of that period of 28 days, the Commissioner may, by reason of
special circumstances, extend that period (on one occasion only) by notice to
the data controller by such further period not exceeding 14 days as the
Commissioner may specify in the notice.
(6) No
assessable processing in respect of which notification has been given to the
Commissioner as referred to in paragraph (3) shall be carried on unless –
(a) the period for the Commissioner’s
giving notice under paragraph (4), including any extension of that period,
has elapsed; or
(b) the data controller has received notice from
the Commissioner under paragraph (4) in respect of the processing.
(7) If
paragraph (6) is contravened, the relevant data controller is guilty of an
offence.
(8) The
States may by Regulations amend any expression of time in this Article.
23 Power
to make provision for appointment of data protection supervisors
(1) The
States may by Regulations –
(a) make provision under which a data controller
may appoint a person to act as a data protection supervisor responsible in
particular for monitoring in an independent manner the data controller’s
compliance with this Law; and
(b) provide that, in relation to any data
controller who has appointed a data protection supervisor in accordance with
the Regulations and who complies with such conditions as may be specified in
the Regulations, this Part is to have effect subject to such exemptions or
other modifications as may be specified in the Regulations.
(2) Regulations
under this Article may –
(a) impose duties on data protection supervisors
in relation to the Commissioner; and
(b) confer functions on the Commissioner in
relation to data protection supervisors.
24 Duty
of certain data controllers to make certain information available
(1) If
personal data are processed in a case where –
(a) because of Article 17(2) or (3), Article 17(1)
does not apply to the processing; and
(b) the relevant data controller has not, under Article 18,
notified the registrable particulars referred to in Article 16(1)(a) - (f)
in respect of that processing,
the data controller shall, within
21 days after receiving a written request from any person, make those
particulars available to that person in writing free of charge.
(2) The
States may, by Regulations, make provision for exemptions from the operation of
this Article, and this Article has effect subject to any such exemptions.
(3) A
data controller who fails to comply with the duty imposed by paragraph (1)
is guilty of an offence.
(4) It
shall be a defence for a person charged with such an offence to show that the
person exercised all due diligence to comply with the duty.
Regulations in general and
about fees
25 Preparation
of Regulations
(1) As
soon as practicable after this Law has been passed by the States, the
Commissioner shall submit to the Minister proposals as to the provisions to be
included in the first Regulations to be made under this Law.
(2) Once
the first Regulations, or any replacement of them, are in force, the
Commissioner shall keep their working under review and may from time to time
submit to the Minister proposals as to amendments to be made to the
Regulations.
(3) The
Minister may from time to time require the Commissioner to consider any matter
relating to the Regulations and to submit to the Minister proposals as to amendments
to be made to the Regulations in connection with that matter.
(4) Before
the Minister decides that any projet for the making of Regulations be lodged in
the States, the Minister shall –
(a) consider any proposals made to the Minister
by the Commissioner under this Article; and
(b) consult the Commissioner.
26 Fees
(1) The
States may by Regulations require fees to be paid and may provide for different
fees to be payable in different cases.
(2) In
the case of fees payable to (or in respect of the functions of) the
Commissioner or the Tribunal, the States may by Regulations prescribe fees that
may, but need not, be sufficient to offset –
(a) the expenses incurred by the Commissioner
and the Tribunal in discharging their functions and any expenses of the States
or the Minister that relate to the Commissioner or the Tribunal (including
expenses relating to salaries, other remuneration, pensions and office
accommodation); and
(b) any deficit incurred before the making of
the Regulations (whether before or after the passing of this Law) in respect of
the expenses referred to in sub-paragraph (a), and expenses incurred or to
be incurred in respect of any transfer of superannuation membership, or of
entitlements, of the staff of the Commissioner.
PART 4
EXEMPTIONS
27 Effect
of this Part
(1) References
in any of the data protection principles, or in any provision of Parts 2 and 3,
to personal data, or to the processing of personal data, do not include
references to data, or processing, that by virtue of this Part are exempt from
that principle or provision.
(2) Except
as provided by or under this Part, the subject information provisions shall
have effect notwithstanding any enactment or rule of law (whether an enactment
or rule of law of Jersey or of another jurisdiction) prohibiting or restricting
the disclosure, or authorizing the withholding, of information.[11]
28 Exemption
based on national security
(1) Personal
data are exempt from any of the provisions of –
(a) the data protection principles;
(b) Parts 2, 3 and 5; and
(c) Article 55,
if the exemption from that
provision is required for the purpose of safeguarding national security.
(2) A
certificate signed by the Minister for Home Affairs certifying that exemption
from all or any of those provisions is or at any time was required for the
purpose there mentioned in respect of any personal data shall be sufficient
evidence of that fact.
(3) The
certificate may identify the personal data to which it applies by means of a
general description and may, but need not, be expressed to have prospective
effect.
(4) A
person directly affected by the issue of the certificate may apply to the Court
for review of the decision to issue the certificate.
(5) If
on such an application, the Court finds that the Minister for Home Affairs did
not have reasonable grounds for the decision to issue the certificate, the Court
may quash the decision and avoid the certificate.
(6) If
in any proceedings before the Tribunal (or a court) under or by virtue of this
Law it is claimed by a data controller that a certificate under this Article
that identifies the personal data to which it applies by means of a general
description applies to any personal data, any other party to the proceedings
may appeal to the Tribunal (or court, as the case may be) on the ground that
the certificate does not apply to the personal data in question. However,
unless the Tribunal (or court) makes a determination under paragraph (7),
the certificate shall be conclusively presumed so to apply.
(7) On
any appeal under paragraph (6), the Tribunal (or court) may determine that
the certificate does not so apply.
(8) A
document purporting to be a certificate under this Article shall be received in
evidence and taken to be such a certificate unless the contrary is proved.
(9) A
document that purports to be certified by or on behalf of the Minister for Home
Affairs as a true copy of a certificate issued by the President under this
Article shall in any legal proceedings be evidence of that certificate.
(10) No
power conferred by any provision of Part 5 may be exercised in relation to
personal data that by virtue of this Article are exempt from that provision.
(11) Schedule
6 has effect in relation to any appeal to the Tribunal under paragraph (6).
(12) The
States may, by Regulations, modify any reference to the Minister for Home
Affairs in this Article by substituting a reference to another person.
29 Exemption:
crime and taxation
(1) Personal
data processed for any of the following purposes –
(a) the prevention, detection, or investigation,
anywhere of crime;
(b) the apprehension, or prosecution, anywhere
of persons who have committed an offence anywhere; or
(c) the assessment, or collection, anywhere of
any tax or duty, or of any imposition of a similar nature, wherever due,
are exempt from the first data
protection principle (except to the extent to which it requires compliance with
the conditions in Schedules 2 and 3) and Article 7 in any case to the
extent to which the application of those provisions to the data would be likely
to prejudice any of the matters referred to in sub-paragraphs (a)-(c).
(2) Personal
data that –
(a) are processed for the purpose of discharging
functions under any Law; and
(b) consist of information obtained for such a
purpose from a person who had it in the person’s possession for any of
the purposes referred to in paragraph (1)(a)-(c),
are exempt from the subject
information provisions to the same extent as personal data processed for any of
the purposes referred to in paragraph (1)(a)-(c).
(3) Personal
data are exempt from the non-disclosure provisions in any case in which –
(a) the disclosure is for any of the purposes
referred to in paragraph (1)(a)-(c); and
(b) the application of those provisions in
relation to the disclosure would be likely to prejudice any of the matters
referred to in paragraph (1)(a)-(c).
(4) Personal
data in respect of which the data controller is an authority (being an
administration of the States, or one of the 12 parishes of Jersey, or an
authority that may be prescribed by Regulations) and that –
(a) consist of a classification applied to the
data subject as part of a system of risk assessment operated by that authority
for the purpose of the assessment or collection of any tax or duty or any
imposition of a similar nature, or for the purpose of the prevention or
detection of crime, or the apprehension or prosecution of persons who commit an
offence, if the offence concerned involves any unlawful claim for any payment
out of, or any unlawful application of, public funds; and
(b) are processed for either of those purposes,
are exempt from Article 7 to
the extent to which the exemption is required in the interests of the operation
of the system.
30 Exemption
or modification for sake of health, education or social work
(1) The
States may by Regulations exempt from the subject information provisions (or
modify those provisions in relation to) personal data consisting of information
as to the physical or mental health or condition of the data subject.
(2) The
States may by Regulations exempt from the subject information provisions (or
modify those provisions in relation to) personal data in respect of which the
data controller is the proprietor, governor, governing body, director or
manager of, or a principal or teacher at, a school, and that consist of
information relating to persons who are or have been pupils at the school.
(3) The
States may by Regulations exempt from the subject information provisions (or
modify those provisions in relation to) personal data of such other
descriptions as may be specified in the Regulations, being information –
(a) processed by any administration of the
States, any of the 12 parishes of Jersey, any voluntary organization, or any
body prescribed by the Regulations; and
(b) appearing to the States to be processed in
the course of, or for the purposes of, carrying out social work in relation to
the data subject or other individuals,
to the extent that the States
consider that the application to the data of those provisions (or of those
provisions without modification) would be likely to prejudice the carrying out
of social work.
31 Exemption
for sake of regulatory activity: charities, health and safety, protection
against financial loss; maladministration or practices contrary to fair trading
(1) Personal
data processed for the purposes of discharging any of the following functions
are exempt from the subject information provisions in any case to the extent to
which the application of those provisions to the data would be likely to
prejudice the proper discharge of the function –
(a) a function designed for protecting members
of the public against –
(i) financial
loss due to dishonesty, malpractice or other seriously improper conduct by, or
the unfitness or incompetence of, persons concerned in the provision of
banking, insurance, investment or other financial services or in the management
of bodies corporate,
(ii) financial
loss due to the conduct of discharged or undischarged bankrupts, or
(iii) dishonesty,
malpractice or other seriously improper conduct by, or the unfitness or
incompetence of, persons authorized to carry on any profession or other
activity;
(b) a function designed for protecting charities
against misconduct or mismanagement (whether by trustees or other persons) in
their administration;
(c) a function designed for protecting the
property of charities from loss or misapplication;
(d) a function designed for the recovery of the
property of charities;
(e) a function designed for securing the health,
safety or welfare of persons at work;
(f) a function designed for protecting
persons other than persons at work against risk to health or safety arising out
of or in connection with the actions of persons at work.
(2) Paragraph
(1) applies to –
(a) a function conferred on any person by or
under any enactment;
(b) a function of the Crown, the States or a Minister,
or administration, of the States; or
(c) any other function of a public nature and
exercised in the public interest.
(3) Personal
data processed for the purpose of discharging any function to which this paragraph
applies are exempt from the subject information provisions to the extent to
which the application of those provisions to the data would be likely to
prejudice the proper discharge of that function.
(4) Paragraph
(3) applies to a function that is conferred by or under any enactment on a
person, or body, that may be prescribed by Regulations and is designed –
(a) for protecting members of the public against –
(i) maladministration
by public bodies,
(ii) failures
in services provided by public bodies, or
(iii) a
failure of a public body to provide a service which it was a function of the
body to provide;
(b) for protecting members of the public against
conduct that may adversely affect their interests by persons carrying on a
business;
(c) for regulating agreements, or conduct, that
have as their object or effect the prevention, restriction or distortion of
competition in connection with any commercial activity; or
(d) for regulating conduct on the part of one or
more undertakings that amounts to the abuse of a dominant position in a market.
(5) Paragraph
(3) also applies to the following functions –
(a) any function relating to an investigation under
Article 22 of the Collective
Investment Funds (Jersey) Law 1988,[12] Article 28 of the Banking
Business (Jersey) Law 1991,[13] Part 19 of the Companies
(Jersey) Law 1991,[14] Article 11 of the Insurance
Business (Jersey) Law 1996[15] or Article 33 of the Financial
Services (Jersey) Law 1998,[16] including the functions of appointment, investigation and reporting
under any of those Articles;
(aa) any function conferred on the Office of the
Financial Services Ombudsman or on an Ombudsman, under the Financial Services
Ombudsman (Jersey) Law 2014[17];
(b) any function (whether or not under any of
the Laws referred to in sub-paragraph (a)) that may be prescribed by
Regulations.[18]
32 Exemption
for sake of journalism, literature or art
(1) Personal
data which are processed only for the special purposes are exempt from any
provision to which this Article relates if –
(a) the processing is undertaken with a view to
the publication by any person of any journalistic, literary or artistic
material;
(b) the data controller reasonably believes
that, having regard in particular to the special importance of the public
interest in freedom of expression, publication would be in the public interest;
and
(c) the data controller reasonably believes
that, in all the circumstances, compliance with that provision is incompatible
with the special purposes.
(2) This
Article relates to the following provisions –
(a) the data protection principles except the
seventh data protection principle;
(b) Article 7;
(c) Article 10;
(d) Article 12;
(e) Article 14(1), (2) and (3).
(3) In
considering for the purposes of paragraph (1)(b) whether the belief of a
data controller that publication would be in the public interest was or is a
reasonable one, regard may be had to the data controller’s compliance
with any code of practice that is relevant to the publication in question and may
be prescribed by Regulations.
(4) If
at any time in any proceedings against a data controller under Article 7(12),
10(4), 12(7) or 14, or by virtue of Article 13, the data controller
claims, or it appears to a court, that any personal data to which the proceedings
relate are being processed –
(a) only for the special purposes; and
(b) with a view to the publication by any person
of any journalistic, literary or artistic material that, at the point 24 hours
immediately before that time, had not previously been published by the data
controller,
the court shall stay the
proceedings until (in any case) a determination of the Commissioner under Article 45
with respect to the data in question takes effect or (in a case where the
proceedings were stayed on the making of a claim) the claim is withdrawn,
whichever first occurs.
33 Exemption
for sake of research, history or statistics
(1) In
this Article –
“relevant conditions”, in relation to any
processing of personal data, means the conditions –
(a) that the data are not processed to support
measures or decisions with respect to particular individuals; and
(b) that the data are not processed in such a
way that substantial damage or substantial distress is, or is likely to be,
caused to any data subject;
“research purposes” includes statistical or
historical purposes.
(2) For
the purposes of the second data protection principle, the further processing of
personal data only for research purposes in compliance with the relevant
conditions is not to be regarded as incompatible with the purposes for which
they were obtained.
(3) Personal
data processed only for research purposes in compliance with the relevant
conditions may, notwithstanding the fifth data protection principle, be kept
indefinitely.
(4) Personal
data processed only for research purposes are exempt from Article 7 if –
(a) they are processed in compliance with the
relevant conditions; and
(b) the results of the research or any resulting
statistics are not made available in a form that identifies one or more of the
data subjects.
(5) For
the purposes of paragraphs (2)-(4), personal data are not to be treated as
processed otherwise than for research purposes merely because the data are
disclosed –
(a) to any person, for research purposes only;
(b) to the data subject or a person acting on
the data subject’s behalf;
(c) at the request, or with the consent, of the
data subject or a person acting on the data subject’s behalf; or
(d) in circumstances in which the person making
the disclosure has reasonable grounds for believing that the disclosure falls
within sub-paragraph (a), (b) or (c).
33A Manual
data held by scheduled public authorities[19]
(1) Personal
data falling within paragraph (d) of the definition “data” in
Article 1(d) are exempt from –
(a) the first, second, third, fourth, fifth,
seventh and eighth data protection principles;
(b) the sixth data protection principle except
so far as it relates to the rights conferred on data subjects by
Articles 7 and 14;
(c) Articles 10 to 13;
(d) Part 3; and
(e) Article 55.
34 Exemption
for information available to public by or under enactment
Personal data are exempt from –
(a) the
subject information provisions;
(b) the
fourth data protection principle and Article 14(1)-(3); and
(c) the
non-disclosure provisions,
if the data consist of information
that the data controller is obliged by or under any enactment to make available
to the public, whether by making it available for inspection, publishing it in
another sense or otherwise and whether gratuitously or on payment of a fee.
35 Disclosures
required by law or made in connection with legal proceedings
(1) Personal
data are exempt from the non-disclosure provisions if the disclosure is
required by or under any enactment, by any rule of law or by the order of a
court.
(2) Personal
data are exempt from the non-disclosure provisions if their disclosure is
necessary –
(a) for the purpose of, in connection with, or
in contemplation of, any legal proceedings;
(b) for the purpose of obtaining legal advice;
or
(c) otherwise for the purposes of establishing,
exercising or defending legal rights.
36 Exemption
for data processed for domestic purposes
Personal data processed by an
individual only for the purposes of that individual’s personal, family or
household affairs (including recreational purposes) are exempt from the data
protection principles and Parts 2 and 3.
37 Miscellaneous
exemptions
Schedule 7 has effect.
38 Exemptions
by Regulations
(1) The
States may by Regulations exempt from the subject information provisions personal
data consisting of information –
(a) the disclosure of which is prohibited or
restricted, or
(b) the withholding of which is authorized,
by or under any enactment or rule
of law (whether an enactment or rule of law of Jersey or of another
jurisdiction) to the extent that they consider it necessary, for safeguarding
the interests of the data subject or the rights and freedoms of any other
individual, that the prohibition, restriction, or authority to withhold,
prevail over the subject information provisions.[20]
(2) The
States may by Regulations exempt from the non-disclosure provisions any
disclosures of personal data made in circumstances specified in the Regulations,
if they consider the exemption is necessary for safeguarding the interests of
the data subject or the rights and freedoms of any other individual.
39 Transitional
relief
Schedule 8 has effect.
PART 5
ENFORCEMENT
40 Enforcement
notices
(1) If
the Commissioner is satisfied that a data controller has contravened or is
contravening any of the data protection principles, the Commissioner may by
notice served on the data controller require the data controller to do one or
both of the following, for complying with the principles contravened –
(a) to take specified steps within a specified
time, or to refrain from taking specified steps after a specified time; or
(b) to refrain from processing any personal
data, or any personal data of a specified description, or to refrain from
processing them for a specified purpose or in a specified manner, after a specified
time.
(2) In
deciding whether to serve an enforcement notice, the Commissioner shall
consider whether the contravention has caused or is likely to cause any person
damage or distress.
(3) An
enforcement notice in respect of a contravention of the fourth data protection
principle, being a notice that requires a data controller to rectify, block,
erase or destroy any inaccurate data may also require the data controller to
rectify, block, erase or destroy any other data held by the data controller that
contain an expression of opinion that appears to the Commissioner to be based
on the inaccurate data.
(4) An
enforcement notice in respect of a contravention of the fourth data protection
principle, in the case of data that accurately record information received or
obtained by the data controller from the data subject or a third party, may
require the data controller –
(a) to rectify, block, erase or destroy any
inaccurate data and any other data held by the data controller that contain an
expression of opinion that appears to the Commissioner to be based on the
inaccurate data; or
(b) to take such steps as are specified in the
notice for securing compliance with the requirements specified in
paragraph 7 of Schedule 1 Part 2 and, if the Commissioner thinks
fit, for supplementing the data with such statement of the true facts relating
to the matters dealt with by the data as the Commissioner may approve.
(5) If –
(a) an enforcement notice requires a data
controller to rectify, block, erase or destroy any personal data; or
(b) the Commissioner is satisfied that personal
data that have been rectified, blocked, erased or destroyed had been processed
in contravention of any of the data protection principles,
an enforcement notice may, if
reasonably practicable, require the data controller to notify third parties to
whom the data have been disclosed of the rectification, blocking, erasure or
destruction.
(6) The
Commissioner shall, in determining whether it is reasonably practicable to
require such notification, have regard in particular to the number of persons
who would have to be notified.
(7) An
enforcement notice shall contain –
(a) a statement of the data protection
principles that the Commissioner is satisfied have been or are being
contravened and the reasons for reaching that conclusion; and
(b) particulars of the rights of appeal
conferred by Article 48.
(8) An
enforcement notice shall not require any of the provisions of the notice to be
complied with before the end of the period within which an appeal can be
brought against the notice and, if such an appeal is brought, the notice need
not be complied with until the determination or withdrawal of the appeal.
(9) However,
if by reason of special circumstances the Commissioner considers that an
enforcement notice should be complied with as a matter of urgency, the
Commissioner may include in the notice a statement to that effect and a
statement of the reasons for reaching that conclusion.
(10) In
that case, paragraph (8) shall not apply but the notice shall not require
compliance before the end of the period of 7 days beginning with the day
on which the notice is served.
(11) The
States may by Regulations make provision as to the effect of the service of an
enforcement notice on a register entry that relates to the data controller on
whom the notice is served.
41 Cancellation
or variation of enforcement notices
(1) If
the Commissioner considers that all or any of the provisions of an enforcement
notice need not be complied with in order to ensure compliance with the data
protection principle or principles to which it relates, the Commissioner may
cancel or vary the notice by further written notice served on the person on
whom the enforcement notice was served.
(2) The
cancellation or variation takes effect on service of the further notice or at
such later time as is specified in the further notice.
(3) A
person on whom an enforcement notice has been served may, at any time after the
expiry of the period during which an appeal can be brought against that notice,
apply in writing to the Commissioner for the cancellation or variation of that
notice on the ground that, by reason of a change of circumstances, all or any
of the provisions of that notice need not be complied with in order to ensure
compliance with the data protection principle or principles to which that
notice relates.
42 Request
for assessment
(1) A
request may be made to the Commissioner by or on behalf of any person who is,
or believes himself to be, directly affected by any processing of personal data
for an assessment as to whether it is likely or unlikely that the processing
has been or is being carried out in compliance with the provisions of this Law.
(2) On
receiving the request, the Commissioner shall make an assessment in such manner
as the Commissioner considers appropriate, unless the Commissioner has not been
supplied with such information as may reasonably be required in order to –
(a) be satisfied as to the identity of the
person making the request; and
(b) identify the processing in question.
(3) The
matters to which the Commissioner may have regard in determining in what manner
it is appropriate to make an assessment include –
(a) the extent to which the request appears to
the Commissioner to raise a matter of substance;
(b) any undue delay in making the request; and
(c) whether or not the person making the request
is entitled to make request under Article 7 in respect of the personal
data in question.
(4) The
Commissioner shall notify the person who made the request –
(a) whether the Commissioner has made an
assessment in response to the request; and
(b) to the extent that the Commissioner
considers appropriate, having regard in particular to any exemption from Article 7
applying in relation to the personal data concerned, of any view formed or
action taken as a result of the request.
43 Information
notices
(1) If
the Commissioner –
(a) has received a request under Article 42
in respect of any processing of personal data; or
(b) reasonably requires any information for the
purpose of determining whether a data controller has complied, or is complying,
with the data protection principles,
the Commissioner may by notice
served on the relevant data controller (or on a data processor who processes
data on behalf of the data controller, being data or processing relevant to the
request or the determination, as the case may be) require the person served
with the notice to furnish the Commissioner, in a specified form (if any) and
within a specified period, with specified information relating to the request
or to compliance with the principles.
(2) An
information notice shall contain –
(a) in the case referred to in paragraph (1)(a),
a statement that the Commissioner has received a request under Article 42
in relation to the processing; or
(b) in the case referred to in paragraph (1)(b),
a statement that the Commissioner regards the specified information as relevant
for the purpose of determining whether the data controller has complied, or is
complying, with the data protection principles and the Commissioner’s
reasons for regarding it as relevant for that purpose.
(3) An
information notice shall also contain particulars of the rights of appeal
conferred by Article 48.
(4) An
information notice shall not require any of the provisions of the notice to be
complied with before the end of the period within which an appeal can be
brought against the notice and, if such an appeal is brought, the notice need
not be complied with until the determination or withdrawal of the appeal.
(5) However,
if by reason of special circumstances the Commissioner considers that an information
notice should be complied with as a matter of urgency, the Commissioner may
include in the notice a statement to that effect and a statement of the reasons
for reaching that conclusion.
(6) In
that case, paragraph (4) shall not apply but the notice shall not require
compliance before the end of the period of 7 days beginning with the day
on which the notice is served.
(7) A
person shall not be required by virtue of this Article to furnish the
Commissioner with any information in respect of –
(a) any communication between a professional
legal adviser and a client in connection with the giving of legal advice to the
client with respect to the latter’s obligations, liabilities or rights
under this Law; or
(b) any communication between a professional
legal adviser and a client, or between such an adviser or client and any other
person, made in connection with or in contemplation of proceedings under or
arising out of this Law (including proceedings before the Tribunal) and
for the purposes of such proceedings.
(8) In
paragraph (7), references to a client of a professional legal adviser
include references to any person representing such a client.
(9) A
person shall not be required by virtue of this Article to furnish the
Commissioner with any information if the furnishing of that information would,
by revealing evidence of the commission of any offence other than an offence
under this Law, expose the person to proceedings for that offence.
(10) The
Commissioner may cancel an information notice by written notice served on the
person on whom the information notice was served.
(11) Nothing
in paragraph (1) prevents the Commissioner from serving notices under that
paragraph on both a data controller and a data processor.
(12) If
the Commissioner serves a notice on a data processor under this Article, the
Commissioner shall serve a copy of the notice on the data controller on whose
behalf the data processor processes data (being data or processing relevant to
the information notice).
44 Special
information notices
(1) If
the Commissioner –
(a) has received a request under Article 42
in respect of any processing of personal data; or
(b) has reasonable grounds for suspecting, in a
case in which proceedings have been stayed under Article 32, that the
personal data to which the proceedings relate –
(i) are
not being processed only for the special purposes, or
(ii) are
not being processed with a view to the publication by any person of any
journalistic, literary or artistic material that has not previously been
published by the data controller,
the Commissioner may by notice
served on the data processor concerned in the processing (or on the data
controller on behalf of whom the processing is carried out) require the person
served with the notice to furnish the Commissioner within a specified time and
in a specified form (if any) with specified information for the purpose
specified in paragraph (2).
(2) That
purpose is the purpose of ascertaining –
(a) whether the personal data are being
processed only for the special purposes; or
(b) whether they are being processed with a view
to the publication by any person of any journalistic, literary or artistic
material that has not previously been published by the data controller.
(3) A
special information notice shall contain –
(a) in a case falling within paragraph (1)(a) –
a statement that the Commissioner has received a request under Article 42
in relation to the specified processing; or
(b) in a case falling within paragraph (1)(b),
a statement of the Commissioner’s grounds for suspecting that the
personal data are not being processed as mentioned in that sub-paragraph.
(4) A
special information notice shall also contain particulars of the rights of
appeal conferred by Article 48.
(5) A
special information notice shall not require any of the provisions of the
notice to be complied with before the end of the period within which an appeal
can be brought against the notice and, if such an appeal is brought, the notice
need not be complied with until the determination or withdrawal of the appeal.
(6) However,
if by reason of special circumstances the Commissioner considers that a special
information notice should be complied with as a matter of urgency, the
Commissioner may include in the notice a statement to that effect and a
statement of the reasons for reaching that conclusion.
(7) In
that case, paragraph (5) shall not apply but the notice shall not require
compliance before the end of the period of 7 days beginning with the day
on which the notice is served.
(8) A
person shall not be required by virtue of this Article to furnish the
Commissioner with any information in respect of –
(a) any communication between a professional
legal adviser and a client in connection with the giving of legal advice to the
client with respect to the latter’s obligations, liabilities or rights
under this Law; or
(b) any communication between a professional
legal adviser and a client, or between such an adviser or client and any other
person, made in connection with or in contemplation of proceedings under or
arising out of this Law (including proceedings before the Tribunal) and
for the purposes of such proceedings.
(9) In
paragraph (8), references to a client of a professional legal adviser include
references to any person representing such a client.
(10) A
person shall not be required by virtue of this Article to furnish the
Commissioner with any information if the furnishing of that information would,
by revealing evidence of the commission of any offence other than an offence
under this Law, expose the person to proceedings for that offence.
(11) The
Commissioner may cancel a special information notice by written notice served
on the person on whom the special information notice was served.
(12) Nothing
in paragraph (1) prevents the Commissioner from serving notices under that
paragraph on both a data controller and a data processor.
(13) If
the Commissioner serves a notice on a data processor under this Article, the
Commissioner shall serve a copy of the notice on the data controller on whose
behalf the data processor processes data (being processing relevant to the
notice).
45 Determination
by Commissioner as to the special purposes
(1) If
it appears to the Commissioner (whether following the service of a special
information notice or otherwise) that any personal data –
(a) are not being processed only for the special
purposes; or
(b) are not being processed with a view to the
publication by any person of any journalistic, literary or artistic material
that has not previously been published by the data controller,
the Commissioner may make a
determination in writing to that effect.
(2) The
Commissioner shall give notice of the determination to the relevant data
controller.
(3) The
notice shall contain particulars of the right of appeal conferred by Article 48.
(4) The
determination shall not take effect until the end of the period within which an
appeal can be brought against the determination and, if such an appeal is
brought, the determination shall not take effect until the determination or
withdrawal of the appeal.
46 Special
purposes: no notices without prior determination etc.
(1) The
Commissioner shall not serve an enforcement notice on a data controller with
respect to the processing of personal data for the special purposes unless –
(a) a determination under Article 45(1)
with respect to those data has taken effect; and
(b) the Court has granted leave for the notice
to be served.
(2) The
Court shall not grant such leave unless it is satisfied –
(a) that the Commissioner has reason to suspect
a contravention of the data protection principles that is of substantial public
importance; and
(b) except where the case is one of urgency,
that the data controller has been given notice, in accordance with rules of
court, of the application for leave.
(3) The
Commissioner shall not serve an information notice with respect to the
processing of personal data for the special purposes unless a determination
under Article 45(1) with respect to those data has taken effect.
47 Failure
to comply with notice
(1) A
person who fails to comply with an enforcement notice, information notice or
special information notice is guilty of an offence.
(2) A
person is guilty of an offence if the person, in purported compliance with an
information notice or special information notice –
(a) makes a statement that the person knows to
be false in a material respect; or
(b) recklessly makes a statement that is false
in a material respect.
(3) It
is a defence for a person charged with an offence under paragraph (1) to
prove that the person exercised all due diligence to comply with the notice in
question.
48 Rights
of appeal
(1) A
person on whom an enforcement notice, information notice or special information
notice (or a copy of an information notice or of a special information notice)
has been served under this Law may appeal to the Tribunal against the notice.
(2) A
person on whom an enforcement notice has been served may appeal to the Tribunal
against the refusal of an application under Article 41(3) for cancellation
or variation of the notice.
(3) If
an enforcement notice, information notice or special information notice
contains a statement by the Commissioner in accordance with (respectively) Article 40(9),
43(5) or 44(6) then, whether or not a person entitled to appeal against the
notice does so, the person may appeal against –
(a) the Commissioner’s decision to include
the statement in the notice; or
(b) the effect of the inclusion of the statement
as respects any part of the notice.
(4) A
data controller in respect of whom a determination has been made under Article 45
may appeal to the Tribunal against the determination.
(5) Schedule
6 has effect in relation to appeals under this Article and the proceedings of
the Tribunal in respect of any such appeal.
49 Determination
of appeal
(1) The
Tribunal shall allow an appeal under Article 48(1) if it decides –
(a) that the notice against which the appeal is
brought is not in accordance with the law; or
(b) to the extent that the notice involved an
exercise of discretion by the Commissioner, that the Commissioner ought to have
exercised the discretion differently.
(2) If
it does not come to such a decision on an appeal under Article 48(1), the
Tribunal shall dismiss the appeal.
(3) In
allowing such an appeal, the Tribunal may, but need not, substitute such other
notice or decision as could have been served or made by the Commissioner.
(4) On
an appeal under Article 48(1), the Tribunal may review any determination
of fact on which the notice in question was based.
(5) If
on an appeal under Article 48(2) the Tribunal considers that the
enforcement notice ought to be cancelled or varied by reason of a change in
circumstances, the Tribunal shall cancel or vary the notice.
(6) On
an appeal under Article 48(3) the Tribunal may direct –
(a) that the notice in question shall have
effect as if it did not contain any such statement as is mentioned in that
paragraph; or
(b) that the inclusion of the statement shall
not have effect in relation to any part of the notice,
and may make such modifications
to the notice as may be required for giving effect to the direction.
(7) On
an appeal under Article 48(4), the Tribunal may cancel the determination
of the Commissioner.
(8) A
party to an appeal to the Tribunal under Article 48 may appeal from the
decision of the Tribunal on a question of law to the Court.
50 Entry
and search of premises, obtaining of information
Schedule 9 has effect.
PART 6
GENERAL
Functions of Commissioner
51 General
duties of Commissioner
(1) It
shall be the duty of the Commissioner to promote the following of good practice
by data controllers and, in particular, so to perform the Commissioner’s
functions under this Law as to promote the observance of the requirements of
this Law by data controllers.
(2) The
Commissioner shall arrange for the dissemination in such form and manner as the
Commissioner considers appropriate of such information as it may appear to the
Commissioner expedient to give to the public about the operation of this Law,
about good practice, and about other matters within the scope of the
Commissioner’s functions under this Law, and may give advice to any
person as to any of those matters.
(3) If
the Minister so directs, or the Commissioner considers it appropriate to do so,
the Commissioner shall, after such consultation with trade associations, data
subjects or persons representing data subjects as appears to the Commissioner
appropriate, prepare and disseminate to such persons as the Commissioner
considers appropriate codes of practice for guidance as to good practice.
(4) A
direction under paragraph (3) shall describe the personal data or
processing to which the code of practice is to relate, and may also describe
the persons or classes of persons to whom it is to relate.
(5) The
Commissioner shall also –
(a) if the Commissioner considers it appropriate
to do so - encourage trade associations to prepare, and to disseminate to their
members, codes of practice for guidance as to good practice; and
(b) if a trade association submits a code of
practice for the Commissioner’s consideration - consider the code and,
after such consultation with data subjects or persons representing data
subjects as appears to the Commissioner to be appropriate, notify the trade
association whether in the Commissioner’s opinion the code promotes good
practice.
(6) The
Commissioner shall arrange for the dissemination in such form and manner as the
Commissioner considers appropriate of –
(a) any EU finding as defined by paragraph 15(2)
of Schedule 1 Part 2;
(b) any decision of the European Commission,
under the procedure provided for in Article 31(2) of the Data Protection
Directive, made for the purposes of Article 26(3) or (4) of the Directive;
and
(c) such other information as it may appear to
the Commissioner to be expedient to give to data controllers (in relation to
any personal data) about the protection of the rights and freedoms of data
subjects in relation to the processing of personal data in countries and
territories outside the European Economic Area.[21]
(7) The
Commissioner may, with the consent of the relevant data controller, assess any
processing of personal data for the following of good practice and shall inform
the data controller of the results of the assessment.
(8) The
Commissioner may charge such fees as the Commissioner thinks fit for any
services provided by the Commissioner under this Law.
(9) In
this Article –
“good practice” means such practice in the
processing of personal data as appears to the Commissioner to be desirable
having regard to the interests of data subjects and others, and includes (but
is not limited to) compliance with the requirements of this Law;
“trade association” includes any body
representing data controllers.
52 Reports
and codes of practice to be laid before Minister and States
(1) The
Commissioner shall prepare a report on the activities of the Commissioner in
each financial year.
(2) The
Commissioner shall provide the Minister with the report as soon as practicable
after the end of the financial year to which the report relates, but in no case
later than 6 months after the end of that year.
(3) The
Commissioner may also provide the Minister with other reports relating to the
Commissioner’s functions or activities.
(4) The
Commissioner shall also provide the Minister with a copy of any code of
practice prepared under Article 51(3), unless the code is included in any
report provided to the Minister.
(5) The
Minister shall lay a copy of a report, or of a code, so provided before the
States as soon as practicable after the Minister receives the report or a copy
of the code.
53 Assistance
by Commissioner in cases involving processing for the special purposes
(1) An
individual who is an actual or prospective party to proceedings (whether actual
or prospective) under Article 7(12), 10(4), 12(7) or 14, or by virtue of Article 13,
that relate to personal data processed for the special purposes may apply to
the Commissioner for assistance in relation to those proceedings.
(2) The
Commissioner shall, as soon as reasonably practicable after receiving an
application under paragraph (1), consider it and decide to what extent to
grant it, but shall not grant the application unless, in the opinion of the
Commissioner, the case involves a matter of substantial public importance.
(3) If
the Commissioner decides to provide assistance, the Commissioner shall, as soon
as reasonably practicable after making the decision, notify the applicant,
stating the extent of the assistance to be provided.
(4) If
the Commissioner decides not to provide assistance, the Commissioner shall, as
soon as reasonably practicable after making the decision, notify the applicant
of the decision and give reasons for it.
(5) In
this Article –
“prospective party”, in relation to actual
or prospective proceedings, means an individual who, in the opinion of the
Commissioner, has a reasonable prospect of success in those proceedings or a
reasonable interest in those proceedings;
“prospective proceedings” means proceedings
that, if they took place, would, in the opinion of the Commissioner, have a
reasonable basis.
(6) Schedule
10 has effect.
54 International
co-operation
(1) The
Commissioner shall continue to be the designated authority in Jersey for the
purposes of Article 13 of the Convention for the Protection of Individuals
with regard to Automatic Processing of Personal Data, which was opened for
signature on 28th January 1981.
(2) The
States may by Regulations make provision as to the functions to be performed by
the Commissioner as the designated authority in Jersey for the purposes of Article 13
of the Convention.
(3) The
States may by Regulations make provision enabling, or as to, co-operation by
the Commissioner with the European Commission and with supervisory authorities
in EEA States in connection with the performance of their respective duties
and, in particular, enabling or as to –
(a) the exchange of information with supervisory
authorities in EEA States or with the European Commission; and
(b) the exercise within Jersey at the request of
a supervisory authority in an EEA State, in cases excluded by Article 5
from the application of the other provisions of this Law, of functions of the
Commissioner specified in the Regulations.
(4) The
Commissioner shall also carry out any data protection functions (that is,
functions relating to the protection of individuals with respect to the
processing of personal information) that the States may by Regulations direct
for the purpose of enabling Jersey to give effect to any of its international
obligations.
Unlawful obtaining etc. of
personal data
55 Unlawful
obtaining etc. of personal data
(1) A
person shall not knowingly or recklessly, without the consent of the relevant
data controller –
(a) obtain or disclose personal data or the
information contained in personal data; or
(b) procure the disclosure to another person of
the information contained in personal data.
(2) A
person who contravenes paragraph (1) is guilty of an offence.
(3) A
person does not contravene paragraph (1) if the person shows that –
(a) the obtaining, disclosing or procuring was
necessary for the purpose of preventing or detecting crime, or was required or
authorized by or under any enactment, by any rule of law or by the order of a
court;
(b) the person acted in the reasonable belief
that the person had in law the right to obtain or disclose the data or information
or, as the case may be, to procure the disclosure of the information to the
other person;
(c) the person acted in the reasonable belief
that the person would have had the consent of the data controller if the data
controller had known of the obtaining, disclosing or procuring and the
circumstances of it; or
(d) in the circumstances of the case, the
obtaining, disclosing or procuring was justified as being in the public
interest.
(4) A
person who sells personal data is guilty of an offence if the person has
obtained the data in contravention of paragraph (1).
(5) A
person who offers to sell personal data is guilty of an offence if –
(a) the person has obtained the data in
contravention of paragraph (1); or
(b) the person subsequently obtains the data in
contravention of that paragraph.
(6) For
the purposes of paragraph (5), an advertisement indicating that personal
data are or may be for sale is an offer to sell the data.
(7) For
the purposes of this Article, Article 1(2) does not apply.
(8) For
the purposes of paragraphs (4) to (6), “personal data”
includes information extracted from personal data.
Records obtained under data
subject’s right of access
56 Requirement
to produce certain records illegal
(1)
(2)
(3)
(4) [22]
(5) For
the purposes of this Article, a record that states that a data controller is
not processing any personal data relating to a particular matter shall be taken
to be a record containing information relating to that matter.
(6) In
this Article (including the Table to this Article) –
“caution” means a caution given to any
person in Jersey in respect of an offence that, at the time when the caution is
given, is admitted;
“conviction” has the same meaning as in the Rehabilitation of Offenders (Jersey) Law 2001;[23]
“employee” means an individual who works
under a contract of employment, or holds any office, whether or not entitled to
remuneration and “employment”
shall be construed accordingly;
“relevant record” means any record that –
(a) has been or is to be obtained by a data
subject from a data controller specified in the first column of the Table to
this Article in the exercise of the right conferred by Article 7; and
(b) contains information relating to a matter
specified in relation to the data controller in the second column of that
Table,
and includes a copy of such a
record or a part of such a record.
(6A) A
record is not a relevant record to the extent that it relates, or is to relate,
only to personal data falling within paragraph (d) of the definition “data”
in Article 1(1).[24]
(7) The
States may by Regulations amend the Table to this Article and the definitions
of “caution” and “conviction” in paragraph (6).
TABLE
|
Data controller
|
Subject-matter
|
1. Chief
Officer of the States of Jersey Police Force
|
Convictions,
cautions
|
2. A member of
the honorary police of any of the 12 Parishes of Jersey
|
Cautions
|
3. Minister for
Home Affairs
|
Convictions, cautions, functions of
that Minister under the Prison (Jersey)
Law 1957[25]
|
4. Minister for
Social Security
|
Convictions, cautions, functions of
that Minister under any enactment of Jersey
|
57 Certain
contractual terms relating to health records void
(1) A
term, or condition, of a contract is void in so far as it purports to require
an individual to supply, or produce, to any other person a record to which this
Article applies, or with a copy of such a record or a part of such a record.
(2) This
Article applies to any record that may be obtained by a data subject in the
exercise of the right conferred by Article 7 and consists of the
information contained in any health record.
Information provided to
Commissioner or Tribunal
58 Disclosure
of information
An enactment or rule of law
prohibiting or restricting the disclosure of information shall not prevent a
person from furnishing the Commissioner or the Tribunal with any information
necessary for the discharge of their functions under this Law.
59 Confidentiality
of information
(1) A
person who is or has been the Commissioner, a member of the
Commissioner’s staff or an agent of the Commissioner shall not, except
with lawful authority, disclose information that –
(a) has been obtained by, or furnished to, the
Commissioner under or for the purposes of this Law;
(b) relates to an identified or identifiable
individual or business; and
(c) is not at the time of the disclosure, and
has not previously been, available to the public from other sources.
(2) For
the purposes of paragraph (1), a disclosure of information is made with
lawful authority if –
(a) the disclosure is made with the consent of
the individual or of the person for the time being carrying on the business;
(b) the information was provided for the purpose
of its being made available to the public (in whatever manner) under this Law;
(c) the disclosure is made for the purposes of,
and is necessary for, the discharge of a function under this Law, or of an
obligation under an agreement, or other instrument, of the EU;
(d) the disclosure is made for the purposes of
any proceedings, whether criminal or civil and whether arising under, or by
virtue of, this Law or otherwise; or
(e) having regard to the rights and freedoms or
legitimate interests of any person, the disclosure is necessary in the public
interest.[26]
(3) A person who knowingly or recklessly discloses information in
contravention of paragraph (1) is guilty of an offence.
60 False
information
(1) Any
person who knowingly or recklessly provides the Commissioner, or any other
person entitled to information under this Law, or under Regulations made under
this Law, with information that is false or misleading in a material particular
shall be guilty of an offence if the information is provided –
(a) in purported compliance with a requirement
imposed under this Law or under Regulations made under this Law; or
(b) otherwise than as mentioned in sub-paragraph (a)
but in circumstances in which the person providing the information intends, or
could reasonably be expected to know, that the information would be used by the
Commissioner for the purpose of carrying out the Commissioner’s functions
under this Law.
(2) Any
person who knowingly or recklessly provides the Commissioner, or any other
person entitled to information under this Law, with information that is false
or misleading in a material particular shall be guilty of an offence if the
information is provided in connection with an application under this Law.
(3) A
person who is guilty of an offence against this Article shall be liable to a
term of imprisonment of 5 years and to a fine.
61 General
provisions relating to offences
(1) Proceedings
for an offence under this Law shall be not be instituted except by or with the
consent of the Attorney General.
(2) A
person guilty of an offence under this Law shall be liable to a fine, except
where this Law otherwise provides.[27]
(3) A
court by or before which a person is convicted of –
(a) an offence under Article 21(1), 22(7),
55 or 56;
(b) an offence under Article 21(2) relating
to processing that is assessable processing for the purposes of Article 22;
or
(c) an offence under Article 47(1) relating
to an enforcement notice,
may order any document or other
material used in connection with the processing of personal data and appearing
to the court to be connected with the commission of the offence to be forfeited,
destroyed or erased.
(4) A
court shall not make an order under paragraph (3) in relation to any
material if a person (other than the offender) claiming to be the owner of, or
otherwise interested in, the material applies to be heard by the court, unless an
opportunity is given to the person to show cause why the order should not be
made.
62 Liability
for offences
(1) Where
an offence under this Law, or under Regulations made under this Law, committed
by a limited liability partnership or body corporate is proved to have been
committed with the consent or connivance of, or to be attributable to any
neglect on the part of –
(a) a person who is a partner of the
partnership, or director, manager, secretary or other similar officer of the
body corporate; or
(b) any person purporting to act in any such
capacity,
the person shall also be guilty
of the offence and liable in the same manner as the partnership or body
corporate to the penalty provided for that offence.
(2) If
the affairs of a body corporate are managed by its members, paragraph (1)
shall apply in relation to acts and defaults of a member in connection with the
member’s functions of management as if the member were a director of the
body corporate.
(3) A
person who aids, abets, counsels or procures the commission of an offence under
this Law shall also be guilty of the offence and liable in the same manner as a
principal offender to the penalty provided for that offence.
General
63 Application
to public sector
(1) This
Law binds the Crown.
(2) The
application of this Law extends to the States and any Minister, department, or
administration, of the States.[28]
(3) For
the purposes of this Law, each department, or administration, of the States
shall be taken to be a separate person.
(4) For
the purposes of this Law, if an order, requirement, direction, notice or other
instrument is imposed or served on the head of a department of the States or
the head of an administration of the States, it is taken to have been imposed
or served on the department or administration, and the head shall ensure that
if it requires compliance, it is complied with.
64 Transmission
of notices etc. by electronic or other means
(1) This
Article applies to –
(a) a notice or request under Part 2;
(b) a written request under Article 24(1)
and particulars made available under that paragraph; and
(c) an application under Article 41(3),
but does not apply to anything
required to be served in accordance with rules of court.
(2) The
requirement that any notice, request, particulars or application to which this
Article applies should be in writing is satisfied if the text of the notice,
request, particulars or application –
(a) is transmitted by electronic means;
(b) is received in legible form; and
(c) is capable of being used for subsequent reference.
(3) The
States may by Regulations provide that any requirement that any notice,
request, particulars or application to which this Article applies should be in
writing is not to apply in such circumstances as may be prescribed by the
Regulations.
65 Service
of notices etc.
(1) A
notice required by this Law to be given to the Commissioner shall not be
regarded as given until it is in fact received by the Commissioner.
(2) A
notice or other document required or authorized under this Law or under Regulations
made under this Law to be given to the Commissioner may be given by facsimile,
other electronic transmission, or by any other means by which the Commissioner
may obtain or recreate the notice or document in a form legible to the naked
eye.
(3) Any
notice, direction or other document required or authorized by or under this Law
to be given to or served on any person other than the Commissioner may be given
or served –
(a) by delivering it to the person;
(b) by leaving it at the person’s proper
address;
(c) by sending it by post to the person at that
address; or
(d) by sending it to the person at that address
by facsimile, other electronic transmission, or by any other means by which the
notice, direction or document may be obtained or recreated in a form legible to
the naked eye.
(4) Without
limiting the generality of paragraph (3), any such notice, direction or
other document may be given to or served on a partnership, company incorporated
outside Jersey or unincorporated association by being given to or served –
(a) in any case – on a person who is,
or purports (under whatever description) to act as, its secretary, clerk or
other similar officer;
(b) in the case of a partnership – on
the person having the control or management of the partnership business;
(c) in the case of a partnership or company
incorporated outside Jersey – on a person who is a principal person
in relation to it (within the meaning of the Financial Services (Jersey) Law 1998[29]); or
(d) by being delivered to the registered or administrative
office of a person referred to in sub-paragraph (a), (b) or (c) if the
person is a body corporate.
(5) For
the purposes of this Article and of Article 17 of the Interpretation (Jersey) Law 1954,[30] the proper address of any person to or on whom a notice, direction
or other document is to be given or served by post shall be the person’s
last known address, except that –
(a) in the case of a company (or person referred
to in paragraph (4) in relation to a company incorporated outside Jersey) –
it shall be the address of the registered or principal office of the company in
Jersey; and
(b) in the case of a partnership (or person
referred to in paragraph (4) in relation to a partnership) – it
shall be the address of the principal office of the partnership in Jersey.
(6) If
the person to or on whom any notice, direction or other document referred to in
paragraph (3) is to be given or served has notified the Commissioner of an
address within Jersey, other than the person’s proper address within the
meaning of paragraph (5), as the one at which the person or someone on the
person’s behalf will accept documents of the same description as that
notice, direction or other document, that address shall also be treated for the
purposes of this Article and Article 7 of the Interpretation (Jersey) Law 1954[31] as the person’s proper address.
(7) If
the name or the address of any owner, lessee or occupier of premises on whom
any notice, direction or other document referred to in paragraph (3) is to
be served cannot after reasonable enquiry be ascertained it may be served by –
(a) addressing it to the person on whom it is to
be served by the description of “owner”, “lessee” or
“occupier” of the premises;
(b) specifying the premises on it; and
(c) delivering it to some responsible person
resident or appearing to be resident on the premises or, if there is no person
to whom it can be delivered, by affixing it, or a copy of it, to some
conspicuous part of the premises.
66 Limitation
of civil liability for administration of Law
(1) A
person or body to whom this paragraph applies shall not be liable in damages
for anything done or omitted in the discharge or purported discharge of any
functions under this Law or under Regulations made under this Law unless it is
shown that the act or omission was in bad faith.
(2) Paragraph
(1) applies to –
(a) the Commissioner; and
(b) any member of the staff of the Commissioner.
67 Regulations
(1) The
States may by Regulations make provision for the purpose of carrying this Law
into effect and, in particular, but without prejudice to the generality of the
foregoing, for or with respect to any matter that may be prescribed under this
Law by Regulations.
(2) Regulations
made under this Law may –
(a) make different provision in relation to different
cases or circumstances;
(b) apply in respect of particular persons or
particular cases or particular classes of persons or particular classes of
cases, and define a class by reference to any circumstances whatsoever; or
(c) contain such transitional, consequential,
incidental or supplementary provisions as appear to the States to be necessary
or expedient for the purposes of the Regulations.
(3) Regulations
made under this Law may create an offence punishable by a fine of up to level 3
on the standard scale.[32]
68 Interim
modifications of Law
Before the end of the second
transitional period, this Law shall have effect subject to the modifications
set out in Schedule 11.
69 Transitional
provisions and savings
Schedule 12 has effect.
70 Consequential
amendments
The enactments specified in
Schedule 13 shall be amended as set out in that Schedule.
71 Citation
and commencement
(1) This
Law may be cited as the Data Protection
(Jersey) Law 2005.
(2) Articles 1-3,
25(1) and (4), 26 and 69, this Article and paragraph 13 of Schedule 5, as
well as so much of any other provision of this Law as confers any power to make
Regulations, shall come into force on the day on which this Law is passed.
(3) Except
as provided by paragraph (2), this Law shall come into force on such day
as the States may by Act appoint, and different days may be appointed for
different purposes.
SCHEDULE
1[33]
(Article 4(1))
PART
1
THE
DATA PROTECTION PRINCIPLES
1 First
principle
Personal data shall be processed
fairly and lawfully and, in particular, shall not be processed unless –
(a) in
every case – at least one of the conditions set out in paragraphs
1-6 of Schedule 2 is met; and
(b) in
the case of sensitive personal data – at least one of the conditions
in paragraphs 1-10 of Schedule 3 is also met.
2 Second
principle
Personal data shall be obtained
only for one or more specified and lawful purposes, and shall not be further
processed in any manner incompatible with that purpose or those purposes.
3 Third
principle
Personal data shall be adequate,
relevant and not excessive in relation to the purpose or purposes for which
they are processed.
4 Fourth
principle
Personal data shall be accurate
and, where necessary, kept up to date.
5 Fifth
principle
Personal data processed for any
purpose or purposes shall not be kept for longer than is necessary for that
purpose or those purposes.
6 Sixth
principle
Personal data shall be processed in
accordance with the rights of data subjects under this Law.
7 Seventh
principle
Appropriate technical and
organisational measures shall be taken against unauthorized or unlawful
processing of personal data and against accidental loss or destruction of, or damage
to, personal data.
8 Eighth
principle
Personal data shall not be
transferred to a country or territory outside the European Economic Area unless
that country or territory ensures an adequate level of protection for the
rights and freedoms of data subjects in relation to the processing of personal
data.
PART
2
(Article 4(2))
INTERPRETATION
OF DATA PROTECTION PRINCIPLES
1 First
principle: source
(1) In
determining for the purposes of the first principle whether personal data are
processed fairly, regard is to be had to the method by which they are obtained,
including in particular whether any person from whom they are obtained is
deceived or misled as to the purpose or purposes for which they are to be
processed.
(2) Subject
to paragraph 2, for the purposes of the first principle data are to be
treated as obtained fairly if they consist of information obtained from a
person who –
(a) is authorized by or under any enactment to
supply it; or
(b) is required to supply it by or under any
enactment or by any convention or other instrument imposing an international
obligation on Jersey.
2 First
principle: specified information at relevant time
(1) Subject
to paragraph 3, for the purposes of the first principle personal data are
not to be treated as processed fairly unless –
(a) in the case of data obtained from the data
subject – the data controller ensures so far as practicable that the data
subject has, is provided with, or has made readily available to him or her, the
specified information; or
(b) in any other case – the data
controller ensures so far as practicable that, before the relevant time or as
soon as practicable after that time, the data subject has, is provided with, or
has made readily available to him or her, the specified information.
(2) For
the purposes of this paragraph, the relevant time is –
(a) in any case – the time when the data
controller first processes the data; or
(b) in a case where, at the time when the data
controller first processes the data, disclosure of the data to a third party
within a reasonable period is envisaged –
(i) if
the data are in fact disclosed to a third party within a reasonable
period – the time when the data are first disclosed,
(ii) if
within that period the data controller becomes, or ought to become, aware that
the data are unlikely to be disclosed to such a person within that period –
the time when the data controller does become, or ought to become, so aware, or
(iii) in
any other case - the end of that period.
(3) For
the purposes of this paragraph, the specified information is all of the
following –
(a) the identity of the data controller;
(b) the identity of the representative (if any)
nominated by the data controller under Article 5;
(c) the purpose or purposes for which the data
are intended to be processed; and
(d) any further information that is necessary,
having regard to the specific circumstances in which the data are or are to be
processed, to enable processing in respect of the data subject to be fair.
3 First
principle: primary and other conditions
(1) Paragraph 2(1)(b)
does not apply if either of the primary conditions, together with such further
conditions as may be prescribed by Regulations, are met.
(2) For
the purposes of this paragraph, the primary conditions are –
(a) that the provision of the specified
information would involve a disproportionate effort on the part of the data
controller; and
(b) that the recording of the information to be
contained in the data by, or the disclosure of the data by, the data controller
is necessary for compliance with any legal obligation to which the data
controller is subject, other than an obligation imposed by contract.
4 First
principle: general identifier
(1) For
the purposes of the first principle, personal data that contain a general
identifier falling within such description as may be prescribed by Regulations
are not to be treated as processed fairly and lawfully unless they are
processed in compliance with any conditions so prescribed in relation to
general identifiers of that description.
(2) In
this paragraph, “general identifier” means any identifier (for
example, a number or code used for identification purposes) that relates to an
individual and forms part of a set of similar identifiers that is of general
application.
5 Second
principle: how purpose specified
For the purposes of the second
principle, the purpose or purposes for which personal data are obtained may in
particular be specified –
(a) in
a notice (if any) given for the purposes of paragraph 2 by the data
controller to the data subject; or
(b) in
a notification given to the Commissioner under Part 3 of this Law.
6 Second
principle: purpose of processing after disclosure
For the purposes of the second
principle, in determining whether any disclosure of personal data is compatible
with the purpose or purposes for which the data were obtained, regard is to be
had to the purpose or purposes for which the personal data are intended to be
processed by any person to whom they are disclosed.
7 Fourth
principle
The fourth principle is not to be
regarded as being contravened by reason of any inaccuracy in personal data that
accurately record information obtained by the data controller from the data
subject or a third party in a case where –
(a) having
regard to the purpose or purposes for which the data were obtained and further
processed, the data controller has taken reasonable steps to ensure the
accuracy of the data; and
(b) if
the data subject has notified the data controller of the data subject’s
view that the data are inaccurate – the data indicate that fact.
8 Sixth
principle
A person is to be regarded as
contravening the sixth principle if the person fails –
(a) to
supply information in accordance with Article 7;
(b) to
comply with a notice given under Article 10(1) to the extent that the
notice is justified;
(c) to
give a notice under Article 10(3);
(d) to
comply with a notice given under Article 11(1);
(e) to
comply with a notice given under Article 12(1) or (2)(b); or
(f) to
give a notification under Article 12(2)(a) or a notice under Article 12(3).
9 Seventh
principle: appropriateness of measures
For the purposes of the seventh
principle, the measures shall ensure, having regard to the state of
technological development and the cost of implementing any measures, a level of
security appropriate to –
(a) the
harm that might result from unauthorized or unlawful processing of, or
accidental loss, destruction or damage to, the personal data; and
(b) the
nature of the personal data to be protected.
10 Seventh
principle: reliability of employees
For the purposes of the seventh
principle, the data controller shall take reasonable steps to ensure the
reliability of any employees of the data controller who have access to the
personal data.
11 Seventh
principle: reliability of data processor
If processing of personal data is
carried out by a data processor on behalf of a data controller, the data
controller shall in order to comply with the seventh principle –
(a) choose
a data processor providing sufficient guarantees in respect of the technical
and organisational security measures governing the processing to be carried
out; and
(b) take
reasonable steps to ensure compliance with those measures.
12 Seventh
principle: processing contract to ensure reliability
If processing of personal data is
carried out by a data processor on behalf of a data controller, the data
controller is not to be regarded as complying with the seventh principle unless
the processing is carried out under a contract –
(a) that
is made or evidenced in writing;
(b) under
which the data processor is to act only on instructions from the data
controller; and
(c) that
requires the data processor to comply with obligations equivalent to those
imposed on a data controller by the seventh principle.
13 Eighth principle:
what is adequate protection in foreign country
For the purposes of the eighth
principle, an adequate level of protection is one that is adequate in all the
circumstances of the case, having regard in particular to –
(a) the
nature of the personal data;
(b) the
country or territory of origin of the information contained in the data;
(c) the
country or territory of final destination of that information;
(d) the
purposes for which and period during which the data are intended to be
processed;
(e) the
law in force in the country or territory in question;
(f) the
international obligations of that country or territory;
(g) any
relevant codes of conduct or other rules that are enforceable in that country
or territory (whether generally or by arrangement in particular cases); and
(h) any
security measures taken in respect of the data in that country or territory.
14 Exceptions to eighth
principle
The eighth principle does not apply
to a transfer falling within any of paragraphs 1-9 of Schedule 4, except
in such circumstances and to such extent as may be prescribed by Regulations.
15 Eighth principle:
EU finding decisive
(1) If
in any proceedings under this Law any question arises as to whether the
requirement of the eighth principle as to an adequate level of protection is
met in relation to the transfer of any personal data to a country or territory
outside the European Economic Area, and a EU finding has been made in relation
to transfers of the kind in question, that question is to be determined in
accordance with that finding.
(2) In
this paragraph “EU finding” means a finding of the European
Commission, under the procedure provided for in Article 31(2) of the Data
Protection Directive, that a country or territory outside the European Economic
Area does, or does not, ensure an adequate level of protection within the
meaning of Article 25(2) of the Directive.
SCHEDULE
2
(Article 4(3) and Schedule
1 Part 1, paragraph 1(a))
FIRST
PRINCIPLE: CONDITIONS FOR PROCESSING OF ANY PERSONAL DATA
1 Consent
The data subject has consented to
the processing.
2 Processing
necessary for contract
The processing is necessary for –
(a) the
performance of a contract to which the data subject is a party; or
(b) the
taking of steps at the request of the data subject with a view to entering into
a contract.
3 Processing
under legal obligation
The processing is necessary for
compliance with any legal obligation to which the data controller is subject,
other than an obligation imposed by contract.
4 Processing
to protect vital interests
The processing is necessary in
order to protect the vital interests of the data subject.
5 Processing
necessary for exercise of public functions
The processing is necessary for –
(a) the
administration of justice;
(b) the
exercise of any functions conferred on any person by or under any enactment;
(c) the
exercise of any functions of the Crown, the States or any public authority; or
(d) the
exercise of any other functions of a public nature exercised in the public
interest by any person.
6 Processing
for legitimate interests
The processing is necessary for the
purposes of legitimate interests pursued by the data controller or by the third
party or parties to whom the data are disclosed, except if the processing is
unwarranted in any particular case by reason of prejudice to the rights and
freedoms or legitimate interests of the data subject.
7 Regulations
about legitimate interests
The States may by Regulations
specify particular circumstances in which the condition set out in paragraph 6
is, or is not, to be taken to be satisfied.
SCHEDULE
3
(Article 4(3) and Schedule
1 Part 1, paragraph 1(b))
FIRST
PRINCIPLE: CONDITIONS FOR PROCESSING OF SENSITIVE PERSONAL DATA
1 Consent
The data subject has given explicit
consent to the processing of the personal data.
2 Employment
The processing is necessary for the
purposes of exercising or performing any right, or obligation, conferred or
imposed by law on the data controller in connection with employment.
3 Vital
interests
The processing is necessary –
(a) in
order to protect the vital interests of the data subject or another person, in
a case where consent cannot be given by or on behalf of the data subject, or
the data controller cannot reasonably be expected to obtain the consent of the
data subject; or
(b) in
order to protect the vital interests of another person, in a case where consent
by or on behalf of the data subject has been unreasonably withheld.
4 Non-profit
associations
The processing –
(a) is
carried out in the course of its legitimate activities by any body, or association,
that is not established or conducted for profit, and exists for political,
philosophical, religious or trade-union purposes;
(b) is
carried out with appropriate safeguards for the rights and freedoms of data
subjects;
(c) relates
only to individuals who are members of the body or association or have regular
contact with it in connection with its purposes; and
(d) does
not involve disclosure of the personal data to a third party without the
consent of the data subject.
5 Data
subject has made information public
The information contained in the
personal data has been made public as a result of steps deliberately taken by
the data subject.
6 Legal
proceedings etc.
The processing –
(a) is
necessary for the purpose of, or in connection with, any legal proceedings;
(b) is
necessary for the purpose of obtaining legal advice; or
(c) is
otherwise necessary for the purposes of establishing, exercising or defending
legal rights.
7 Public
functions
The processing is necessary for –
(a) the
administration of justice;
(b) the
exercise of any functions conferred on any person by or under an enactment; or
(c) the
exercise of any functions of the Crown, the States, any administration of the
States or any public authority.
8 Medical
purposes
(1) The
processing is necessary for medical purposes and is undertaken by –
(a) a health professional; or
(b) a person who in the circumstances owes a
duty of confidentiality equivalent to that which would arise if that person
were a health professional.
(2) In
this paragraph “medical purposes” includes the purposes of
preventative medicine, medical diagnosis, medical research, the provision of
care and treatment, and the management of healthcare services.
9 Equal
opportunity research
The processing –
(a) is
of sensitive personal data consisting of information as to racial or ethnic
origin;
(b) is
necessary for the purpose of identifying or keeping under review the existence
or absence of equality of opportunity or treatment between persons of different
racial or ethnic origins, with a view to enabling such equality to be promoted
or maintained; and
(c) is
carried out with appropriate safeguards for the rights and freedoms of data
subjects.
10 Circumstances
prescribed by Regulations
The personal data are processed in such
circumstances as may be prescribed by Regulations.
11 Regulations about
paragraph 2, 7 or 9
(1) The
States may by Regulations –
(a) exclude the application of paragraph 2 or 7
in such cases as may be specified; or
(b) provide that, in such cases as may be
specified, the condition in paragraph 2 or 7 is not to be regarded as satisfied
unless such further conditions as may be specified in the Regulations are also
satisfied.
(2) The
States may by Regulations specify circumstances in which processing falling
within paragraph 9(a) and (b) is, or is not, to be taken for the purposes of
paragraph 9(c) to be carried out with appropriate safeguards for the rights and
freedoms of data subjects.
SCHEDULE
4
(Article 4(3) and Schedule
1 Part 2, paragraph 14)
TRANSFERS
TO WHICH EIGHTH PRINCIPLE DOES NOT APPLY
1 Consent
The data subject has consented to
the transfer.
2 Contract
between data subject and data controller
The transfer is necessary for –
(a) the
performance of a contract between the data subject and the data controller; or
(b) the
taking of steps at the request of the data subject with a view to the data
subject’s entering into a contract with the data controller.
3 Third-party
contract in interest of data subject
The transfer is necessary for –
(a) the
conclusion of a contract between the data controller and a person other than
the data subject, being a contract that is entered into at the request of the
data subject, or is in the interests of the data subject; or
(b) the
performance of such a contract.
4 Public
interest
The transfer is necessary for
reasons of substantial public interest.
5 Legal
proceedings etc.
The transfer –
(a) is
necessary for the purpose of, or in connection with, any legal proceedings;
(b) is
necessary for the purpose of obtaining legal advice; or
(c) is
otherwise necessary for the purposes of establishing, exercising or defending
legal rights.
6 Vital
interests
The transfer is necessary in order
to protect the vital interests of the data subject.
7 Public
register
The transfer is of part of the personal
data on a public register and any conditions subject to which the register is
open to inspection are complied with by any person to whom the data are or may
be disclosed after the transfer.
8 Transfer
made on terms generally approved by Commissioner
The transfer is made on terms of a
kind approved by the Commissioner as ensuring adequate safeguards for the
rights and freedoms of data subjects.
9 Commissioner
has authorized transfer
The transfer has been authorized by
the Commissioner as being made in such a manner as to ensure adequate
safeguards for the rights and freedoms of data subjects.
10 Regulations
specify what is or is not public interest
The States may by Regulations
specify –
(a) circumstances
in which a transfer is to be taken for the purposes paragraph 4 to be necessary
for reasons of substantial public interest; and
(b) circumstances
in which a transfer not required by or under an enactment is not to be taken
for the purposes of paragraph 4 to be necessary for reasons of substantial
public interest.
SCHEDULE
5[34]
(Article 6(7))
DATA
PROTECTION COMMISSIONER AND DATA PROTECTION TRIBUNAL
PART
1
COMMISSIONER
1 Status
and capacity
(1) The
Commissioner shall be a corporation sole by the name of the “Data
Protection Commissioner”.
(2) The
terms and conditions of appointment to the office of Commissioner shall be consistent
with this Law and determined by the States at the time of the appointment.
2 Nature
and tenure of office
(1) A
person may hold the office of Commissioner for such term not exceeding 5 years
as the States determine at the time of the person’s appointment.
(2) The
person may resign from that office by notice in writing to the Minister.
(3) Only
the States may remove the person from that office before the expiry of the person’s
term of office as Commissioner.
(4) A
person who ceases to hold that office shall be eligible for re-appointment.
(5) The
terms and conditions of the appointment shall not be construed so as to create
a contract of employment or agency between the States (or the Minister) and the
person appointed.
3 Salary
etc.
(1) The
person appointed to the office of Commissioner shall be paid out of the annual
income of the States a salary and other remuneration in accordance with the
terms of the person’s appointment.
(2) The
person shall be entitled to superannuation in accordance with the terms of the
person’s appointment.
4 Staff
(1) The
Minister shall make available to the Commissioner such number and descriptions
of staff as the Commissioner may reasonably require for the proper and
effective discharge of the Commissioner’s functions under this Law.
(2) To
the extent that any employee of the States performs functions under the
direction of the Commissioner because of sub-paragraph (1), the employee
is a member of the Commissioner’s staff.
(3) Any
functions of the Commissioner may, to the extent authorized by the
Commissioner, be exercised by any staff referred to in paragraph (1).
(4) The
Minister shall provide such accommodation and equipment as the Commissioner may
reasonably require for the proper and effective discharge of the
Commissioner’s functions under this Law.
(5) The
cost of providing staff, accommodation and equipment under this paragraph shall
be met out of the annual income of the States.
5 Authentication
of seal of the Commissioner
The application of the seal of the
Commissioner shall be of no effect unless authenticated by the signature of the
person holding the office of Commissioner or by the signature of some other
person authorized by the Commissioner for the purpose.
6 Presumption
of authenticity of documents issued by the Commissioner
A document purporting to be an
instrument issued by the Commissioner and to be duly executed under the
Commissioner’s seal or to be signed by or on behalf of the Commissioner
shall be received in evidence and shall be taken to be such an instrument
unless the contrary is shown.
7 Money
All fees and other sums received by
the Commissioner in the exercise of functions under this Law shall be paid to
the income of the States.
8
PART
2
TRIBUNAL
9 Appointment
to office and vacation of office
(1) The
States may appoint a person to the office of member of the Tribunal on such
terms and conditions as are consistent with this Law and as the States
determine at the time of the appointment.
(2) A
member of the Tribunal may hold office for such term not exceeding 6 years
as the States determine at the time of the person’s appointment.
(3) The
member may resign from that office by giving at least one month’s notice
in writing to the Minister.
(4) Only
the States may remove a member from that office before the expiry of its term.
(5) A
member who ceases to hold that office shall be eligible for re-appointment.
(6) A
member vacates office if the member –
(a) dies;
(b) has become bankrupt;
(c) is incapacitated by physical or mental
illness; or
(d) is otherwise unable or unfit to discharge
the functions of a member.
(7) A
person appointed as president of the Tribunal shall continue to hold
appointment as such until –
(a) the person resigns from that appointment by
notice in writing delivered to the Minister;
(b) that appointment is revoked by the States;
or
(c) the person ceases to be a member of the
Tribunal.
(8) The
president of the Tribunal shall be an advocate or solicitor of at least 7 years’
standing.
10 Procedure
(1) In
the absence of the president of the Tribunal, a vice-president shall preside
over the Tribunal.
(2) If
no vice-president is available so to preside during the absence of the
president, the members of the Tribunal shall appoint one of their number to act
as president during that absence.
(3) The
Tribunal may, subject to this Law, govern its own procedure.
11 Allowances
A member of the Tribunal shall be
paid by the Minister such remuneration and allowances as the Minister may from
time to time determine.
PART 3
TRANSITIONAL
PROVISIONS
12 References to
Registrar
A reference in any enactment,
instrument or other document to the Data Protection Registrar (within the
meaning of the Data Protection (Jersey)
Law 1987[35]) shall be construed, in relation to any time after the commencement
of Article 6(1), as a reference to the Commissioner.
13 References to
Commissioner
A reference in this Law, or in any
instrument made under this Law, to the Commissioner shall be construed, in
relation to any time before the commencement of Article 6(1), as a
reference to the Data Protection Registrar (within the meaning of the Data Protection (Jersey) Law 1987).
SCHEDULE
6
(Articles 28(11) and
48(5))
APPEAL
PROCEEDINGS
1 Hearing
of appeals
For the purpose of hearing and
determining appeals or any matter preliminary or incidental to an appeal the
Tribunal shall sit at such times and in such places as the president or a
vice-president may direct and may sit in 2 or more divisions.
2 Constitution
of Tribunal
Subject to any Regulations made
under paragraph 5, the Tribunal shall be duly constituted for an appeal under Article 28(6)
or 48 if it consists of –
(a) the
president or a vice-president (who shall preside); and
(b) 2
other members (each of whom may be an ordinary member or a vice-president who
does not preside) appointed by the person presiding.
3 Determination
of questions by Tribunal
The determination of any question
before the Tribunal shall be according to the opinion of the majority of the
members hearing the appeal.
4 Ex
parte proceedings
Subject to any Regulations made
under paragraph 5, the jurisdiction of the Tribunal in respect of an appeal
under Article 48(3) shall be exercised ex parte by the president or a
vice-president sitting alone.
5 Procedure
(1) The
States may make Regulations for regulating the exercise of the rights of appeal
conferred by Articles 28(6) and 48 and the practice and procedure of the
Tribunal.
(2) The
Regulations may in particular make provision –
(a) with respect to the period within which an
appeal can be brought and the burden of proof on an appeal;
(b) for the summoning of witnesses and the
administration of oaths;
(c) for securing the production of documents and
material used for the processing of personal data;
(d) for the inspection, examination, operation
and testing of any equipment or material used in connection with the processing
of personal data;
(e) for the hearing of an appeal wholly or
partly in camera;
(f) for hearing an appeal in the absence
of the appellant or for determining an appeal without a hearing;
(g) for enabling an appeal under Article 48(1)
against an information notice to be determined by the president or a
vice-president;
(h) for enabling any matter preliminary or
incidental to an appeal to be dealt with by the president or a vice-president;
(i) for the award of costs;
(j) for the publication of reports of the
Tribunal’s decisions; and
(k) for conferring on the Tribunal such
ancillary powers as the States think necessary for the proper discharge of its
functions.
(3) In
making Regulations under this paragraph that relate to appeals under Article 28(6)
the States shall have regard, in particular, to the need to ensure that
information is not disclosed contrary to the public interest.
6 Obstruction
etc.
(1) If
a person is guilty of an act or omission in relation to proceedings before the
Tribunal that, if those proceedings were proceedings before a court having
power to commit for contempt, would constitute contempt of court, the Tribunal
may certify the offence to the Court.
(2) If
an offence is so certified, the Court may inquire into the matter and, after
hearing any witness who may be produced against or on behalf of the person
charged with the offence, and after hearing any statement that may be offered
in defence, deal with the person in any manner in which it could if the person
had committed the like offence in relation to the Court.
SCHEDULE
7
(Article 37)
MISCELLANEOUS
EXEMPTIONS
1 Confidential
references given by the data controller
Personal data are exempt from Article 7
if they consist of a reference given or to be given in confidence by the data
controller for the purposes of –
(a) the
education, training or employment, or prospective education, training or
employment, of the data subject;
(b) the
appointment, or prospective appointment, of the data subject to any office; or
(c) the
provision, or prospective provision, by the data subject of any service.
2 Armed
forces
Personal data are exempt from the
subject information provisions in any case to the extent to which the
application of those provisions would be likely to prejudice the combat
effectiveness of any of the armed forces of the Crown.
3 Judicial
appointments and honours
Personal data are exempt from the
subject information provisions if processed for the purposes of –
(a) assessing
any person’s suitability for judicial office or the office of
Queen’s Counsel; or
(b) the
conferring by the Crown of any honour or dignity.
4 Crown
employment and Crown appointments
The States may by Regulations
exempt from the subject information provisions personal data processed for the
purposes of assessing any person’s suitability for –
(a) employment
by or under the Crown; or
(b) any
office to which appointments are made by Her Majesty.
5 Management
forecasts etc.
Personal data processed for the
purposes of management forecasting or management planning to assist the data
controller in the conduct of any business or other activity are exempt from the
subject information provisions in any case to the extent to which the application
of those provisions would be likely to prejudice the conduct of that business
or other activity.
6 Corporate
finance
(1) If
personal data are processed for the purposes of, or in connection with, a
corporate finance service provided by a relevant person –
(a) the data are exempt from the subject
information provisions in any case to the extent to which either –
(i) the
application of those provisions to the data could affect the price of any
instrument already in existence or that is to be or may be created, or
(ii) the
data controller reasonably believes that the application of those provisions to
the data could affect the price of any such instrument; and
(b) to the extent that the data are not exempt
from the subject information provisions by virtue of clause (a), they are
exempt from those provisions if the exemption is required for the purpose of
safeguarding an important economic or financial interest of Jersey.
(2) For
the purposes of sub-paragraph (1)(b) the States may by Regulations specify –
(a) matters to be taken into account in
determining whether exemption from the subject information provisions is
required for the purpose of safeguarding an important economic or financial
interest of Jersey; or
(b) circumstances in which exemption from those
provisions is, or is not, to be taken to be required for that purpose.
(3) In
this paragraph –
“corporate finance service” means a service
consisting in –
(a) underwriting in respect of issues of, or the
placing of issues of, any instrument;
(b) advice to undertakings on capital structure,
industrial strategy and related matters and advice and service relating to
mergers and the purchase of undertakings; or
(c) services relating to such underwriting as is
mentioned in clause (a);
“instrument” means an instrument listed in
Article B of the Annex to the European Council Directive on investment services
in the securities field (93/22/EEC) or an investment within the meaning of the
Financial Services (Jersey) Law 1998[36];
“price” includes value;
“relevant person” means –
(a) a registered person within the meaning of
the Financial Services (Jersey)
Law 1998 (being a person registered under that Law in respect of
investment business within the meaning of that Law) or a person who is exempted
by that Law from the obligation to be registered under that Law in respect of
such investment business;
(b) a person who is an authorised person under
the Financial Services and Markets Act 2000 of the United Kingdom, or is
an exempt person under that Act, in respect of such investment business;
(c) a person who may be prescribed by
Regulations for the purposes of this paragraph;
(d) a person who, in the course of the
person’s employment, provides to the person’s employer a service
falling within clause (b) or (c) of the definition of “corporate finance
service”; or
(e) a partner who provides to other partners in
the partnership a service falling within either of those clauses.
7 Negotiations
Personal data that consist of
records of the intentions of the data controller in relation to any
negotiations with the data subject are exempt from the subject information
provisions in any case to the extent to which the application of those
provisions would be likely to prejudice those negotiations.
8 Examination
marks
(1) Article 7
shall have effect subject to sub-paragraphs (2) to (4) in the case of
personal data consisting of marks or other information processed by a data
controller –
(a) for the purpose of determining the results
of an academic, professional or other examination or of enabling the results of
any such examination to be determined; or
(b) in consequence of the determination of any
such results.
(2) If
the relevant day falls before the day on which the results of the examination
are announced, the period mentioned in Article 7(11) shall be extended
until the earlier of the following –
(a) the end of 5 months beginning with the
relevant day; or
(b) the end of 40 days beginning with the date
of the announcement.
(3) If
by virtue of sub-paragraph (2) a period longer than the prescribed period
elapses after the relevant day before the request is complied with, the
information to be supplied pursuant to the request shall be supplied both by
reference to the data in question at the time when the request is received and
(if different) by reference to the data as from time to time held in the period
beginning when the request is received and ending when it is complied with.
(4) For
the purposes of this paragraph the results of an examination shall be treated
as announced when they are first published or (if not published) when they are
first made available or communicated to the candidate in question.
(5) In
this paragraph –
“examination” includes any process for
determining the knowledge, intelligence, skill or ability of a candidate by
reference to his or her performance in any test, work or other activity;
“prescribed period” means 40 days or such
other period as is for the time being prescribed under Article 7 in
relation to the personal data in question;
“relevant day” means the day referred to in Article 7(11)(a).
9 Examination
scripts etc.
Personal data consisting of
information recorded by candidates during an academic, professional or other
examination (within the meaning of paragraph 8) are exempt from Article 7.
10 Legal
professional privilege
Personal data are exempt from the
subject information provisions if the data consist of information in respect of
which a claim to legal professional privilege, as between client and
professional legal adviser, could be maintained in legal proceedings.
11 Self-incrimination
(1) A
person need not comply with any request or order under Article 7 to the
extent that compliance would, by revealing evidence of the commission of any
offence other than an offence under this Law, expose the person to proceedings
for that offence.
(2) Information
disclosed by any person in compliance with any request or order under Article 7
shall not be admissible against the person in proceedings for an offence under
this Law.
SCHEDULE
8
(Article 39)
TRANSITIONAL
RELIEF
PART 1
INTERPRETATION
1 Interpretation
(1) For
the purposes of this Schedule, personal data are “eligible data” at
any time to the extent that they are at that time subject to processing that is
already under way immediately before the Schedule comes into force.
(2) In
this Schedule –
“eligible automated data” means eligible
data that fall within paragraph (a) or (b) of the definition of
“data” in Article 1(1);
“eligible manual data” means eligible data
that are not eligible automated data.
PART 2
EXEMPTIONS
DURING FIRST TRANSITIONAL PERIOD
2 Certain
eligible manual data
(1) Eligible
manual data are exempt from the data protection principles and Parts 2 and 3 of
this Law during the first transitional period.
(2) This
paragraph does not apply to eligible manual data to which paragraph 3
applies.
3 Eligible
manual data about financial standing
(1) This
paragraph applies to eligible manual data that consist of information relevant
to the financial standing of the data subject and in respect of which the data
controller is a credit reference agency.
(2) During
the first transitional period, data to which this paragraph applies are exempt
from –
(a) the data protection principles, except the
sixth principle so far as it relates to Articles 7 and 12A;
(b) Part 2 of this Law, except –
(i) Article 7
(as it has effect subject to Articles 8 and 9) and Article 12A, and
(ii) Article 15
so far as it relates to those Articles; and
(c) Part 3 of this Law.
4 Eligible
automated data processed otherwise than by reference to the data subject
During the first transitional
period, for the purposes of this Law (apart from paragraph 1), eligible
automated data are not to be regarded as being processed unless the processing
is by reference to the data subject.
5 Eligible
automated data: payrolls and accounts
(1) Eligible
automated data are exempt from the data protection principles and Parts 2 and 3
of this Law during the first transitional period if processed by a data
controller for one or more of the following purposes –
(a) calculating amounts payable by way of
remuneration or pensions in respect of service in any employment or office or
making payments of, or of sums deducted from, such remuneration or pensions; or
(b) keeping accounts relating to any business or
other activity carried on by the data controller or keeping records of
purchases, sales or other transactions for the purpose of ensuring that the
requisite payments are made by or to the data controller in respect of those
transactions or for the purpose of making financial or management forecasts to
assist the data controller in the conduct of any such business or activity.
(2) It
shall be a condition of the exemption of any eligible automated data under this
paragraph that the data are not processed for any other purpose, but the
exemption is not lost by any processing of the eligible data for any other
purpose if the data controller shows that the data controller had taken such
care to prevent it as in all the circumstances was reasonably necessary.
(3) Data
processed only for one or more of the purposes mentioned in sub-paragraph (1)(a)
may be disclosed –
(a) to any person, other than the data
controller, by whom the remuneration or pensions in question are payable;
(b) for the purpose of obtaining actuarial
advice;
(c) for the purpose of giving information as to
the persons in any employment or office for use in medical research into the
health of, or injuries suffered by, persons engaged in particular occupations
or working in particular places or areas;
(d) if the data subject (or a person acting on
the latter’s behalf) has requested or consented to the disclosure of the
data either generally or in the circumstances in which the disclosure in
question is made; or
(e) if the person making the disclosure has
reasonable grounds for believing that the disclosure falls within clause (d).
(4) Data
processed for any of the purposes mentioned in sub-paragraph (1) may be
disclosed –
(a) for the purpose of audit or if the
disclosure is for the purpose only of giving information about the data
controller’s financial affairs; or
(b) in any case in which disclosure would be
permitted by any other provision of this Schedule or any provision of Schedule
7 or any provision of Part 4 of this Law if sub-paragraph (2) were
included in the relevant non-disclosure provisions.
(5) In
this paragraph “remuneration” includes remuneration in kind and
“pensions” includes gratuities or similar benefits.
6 Eligible
automated data: unincorporated members’ clubs
Eligible automated data processed
by an unincorporated members’ club and relating only to the members of
the club are exempt from the data protection principles and Parts 2 and 3 of
this Law during the first transitional period.
7 Eligible
automated data: unincorporated members’ clubs’ mailing lists
Eligible automated data processed
by a data controller only for the purposes of distributing, or recording the
distribution of, articles or information to the data subjects (being members of
the clubs) and consisting only of their names, addresses or other particulars
necessary for effecting the distribution, are exempt from the data protection
principles and Parts 2 and 3 of this Law during the first transitional period.
8 Eligible
automated data: unincorporated members’ clubs: right to object
Neither paragraph 6 nor paragraph 7
applies to personal data relating to any data subject unless the data subject
has been asked by the club or data controller whether the data subject objects
to the data relating to the data subject being processed as mentioned in that
paragraph and has not objected.
9 Eligible
automated data: unincorporated members’ clubs: due care
(1) It
shall be a condition of the exemption of any data under paragraph 6 that
the data are not disclosed except as permitted by paragraph 10, but the
exemption shall not be lost by any disclosure in breach of that condition if
the data controller shows that the data controller had taken such care to
prevent the disclosure as in all the circumstances was reasonably necessary.
(2) It
shall be a condition of the exemption under paragraph 7 that the data are
not processed for any purpose other than that mentioned in paragraph 7 or
as permitted by paragraph 10, but the exemption under paragraph 7
shall not be lost by any processing in breach of that condition if the data
controller shows that the data controller had taken such care to prevent the
processing as in all the circumstances was reasonably necessary.
10 Eligible
automated data: unincorporated members’ clubs: consensual or permitted
disclosure
Data to which paragraph 9 applies
may be disclosed –
(a) if
the data subject (or a person acting on the data subject’s behalf) has
requested or consented to the disclosure of the data either generally or in the
circumstances in which the disclosure in question is made;
(b) if
the person making the disclosure has reasonable grounds for believing that such
a request or consent has been given; or
(c) in
any case in which disclosure would be permitted by any other provision of this
Schedule or any provision of Schedule 7 or any provision of Part 4 of
this Law if paragraph 9 were included in the relevant non-disclosure
provisions.
11 Eligible
automated data: back-up data
Eligible automated data processed
only for the purpose of replacing other data in the event of the latter’s
being lost, destroyed or impaired are exempt from Article 7 during the
first transitional period.
12 Exemption of all
eligible automated data from certain requirements
(1) During
the first transitional period, eligible automated data are exempt from the
following provisions –
(a) the first data protection principle to the
extent to which it requires compliance with –
(i) paragraph
2 of Schedule 1 Part 2,
(ii) the
conditions in Schedule 2, and
(iii) the
conditions in Schedule 3;
(b) the seventh data protection principle to the
extent to which it requires compliance with paragraph 12 of Schedule 1 Part 2;
(c) the eighth data protection principle;
(d) Article 7(1)(a), (b) and (c), (2)(b)
and (3);
(e) Articles 10 and 11;
(f) Article 12; and
(g) Article 13, except so far as it relates
to –
(i) any
contravention of the fourth data protection principle,
(ii) any
disclosure without the consent of the data controller,
(iii) loss
or destruction of data without the consent of the data controller, or
(iv) processing
for the special purposes.
(2) The
exemptions conferred by sub-paragraph (1)(a), (c) and (e) do not limit the
data controller’s general duty under the first data protection principle
to ensure that processing is fair.
PART 3
EXEMPTIONS
DURING SECOND TRANSITIONAL PERIOD
13 Certain eligible
manual data
(1) This
paragraph applies to eligible manual data held immediately before the
commencement of this Schedule, but does not apply to eligible manual data to
which the exemption in paragraph 15 applies.
(2) During
the second transitional period, data to which this paragraph applies are exempt
from the following provisions –
(a) the first data protection principle except
to the extent to which it requires compliance with paragraph 2 of Schedule 1
Part 2;
(b) the second, third, fourth and fifth data
protection principles; and
(c) Article 14(1) to (3).
PART 4
EXEMPTIONS
AFTER FIRST TRANSITIONAL PERIOD FOR HISTORICAL RESEARCH
14 Interpretation
In this Part of this Schedule
“relevant conditions” has the same meaning as in Article 33.
15 Eligible manual
data
Eligible manual data that are
processed only for the purpose of historical research in compliance with the
relevant conditions are exempt from the following provisions at any time after
the end of the first transitional period –
(a) the
first data protection principle except in so far as it requires compliance with
paragraph 2 of Schedule 1 Part 2;
(b) the
second, third, fourth and fifth data protection principles; and
(c) Article 14(1)
to (3).
16 Eligible
automated data
(1) After
the end of the first transitional period, eligible automated data that are
processed only for the purpose of historical research in compliance with the
relevant conditions are exempt from the first data protection principle to the
extent to which it requires compliance with conditions in Schedules 2 and 3.
(2) Eligible
automated data that are processed –
(a) only for the purpose of historical research;
(b) in compliance with the relevant conditions;
and
(c) otherwise than by reference to the data
subject,
are also exempt from the
provisions referred to in sub-paragraph (3) after the end of the first
transitional period.
(3) The
provisions are –
(a) the first data protection principle except
in so far as it requires compliance with paragraph 2 of Schedule 1 Part 2;
(b) the second, third, fourth and fifth data
protection principles; and
(c) Article 14(1) to (3).
17 Certain
disclosures do not vitiate exemption
For the purposes of this Part of
this Schedule personal data are not to be treated as processed otherwise than
for the purpose of historical research merely because the data are disclosed –
(a) to
any person, for the purpose of historical research only;
(b) to
the data subject or a person acting on the data subject’s behalf;
(c) at
the request, or with the consent, of the data subject or a person acting on
data subject’s behalf; or
(d) in
circumstances in which the person making the disclosure has reasonable grounds
for believing that the disclosure falls within sub-paragraph (a), (b) or
(c).
PART 5
EXEMPTION
FROM ARTICLE 22
18 Processing
already running not assessable processing
Processing already under way
immediately before the commencement of this Schedule is not assessable
processing for the purposes of Article 22.
SCHEDULE
9[37]
(Article 50)
ENTRY
AND SEARCH OF PREMISES, OBTAINING INFORMATION
PART
1
ENTRY
AND SEARCH
1 Interpretation
In this Part –
“occupier” of premises includes a person in
charge of a vessel, vehicle, aircraft or hovercraft;
“premises” includes a vessel, vehicle,
aircraft or hovercraft;
“warrant” means warrant issued under this
Schedule.
2 Entry
and search
(1) If
the Bailiff or a Jurat is satisfied by information on oath supplied by the
Commissioner that there are reasonable grounds for suspecting –
(a) that a data controller has contravened or is
contravening any of the data protection principles; or
(b) that an offence under this Law has been or
is being committed,
and that evidence of the
contravention or of the commission of the offence is to be found on any
premises specified in the information, the Bailiff or Jurat may issue a warrant
to the Commissioner.
(2) The
Bailiff or a Jurat shall not issue a warrant in respect of any personal data
processed for the special purposes unless a determination by the Commissioner
under Article 45 with respect to those data has taken effect.
(3) A
warrant may authorize the Commissioner or any of the Commissioner’s staff
at any time within 7 days of the date of the warrant to enter the
premises, to search them, to inspect, examine, operate and test any equipment
found there which is used or intended to be used for the processing of personal
data and to inspect and seize any documents or other material found there which
may be such evidence as is mentioned in sub-paragraph (1).
3 Additional
conditions for issue of warrant
(1) The
Bailiff or a Jurat shall not issue a warrant unless satisfied –
(a) that the Commissioner has given 7 days’
notice in writing to the occupier of the premises in question demanding access
to the premises;
(b) that either access was demanded at a
reasonable hour and was unreasonably refused or although entry to the premises
was granted, the occupier unreasonably refused to comply with a request by the
Commissioner or any of the Commissioner’s staff to permit the
Commissioner or the member of staff to do any of the things referred to in paragraph
2(3); and
(c) that the occupier, has, after the refusal,
been notified by the Commissioner of the application for the warrant and has
had an opportunity of being heard by the Bailiff or Jurat on the question
whether or not it should be issued.
(2) Sub-paragraph (1)
shall not apply if the Bailiff or Jurat is satisfied that the case is one of
urgency or that compliance with that sub-paragraph would defeat the object of
the entry.
4 Force
A person executing a warrant issued
under this Schedule may use such reasonable force as may be necessary.
5 Police
officer may accompany
A person executing a warrant issued
under this Schedule may be accompanied by a police officer during its execution.
6 Hour
A warrant shall be executed at a
reasonable hour unless it appears to the person executing it that there are
grounds for suspecting that the evidence in question would not be found if it
were so executed.
7 Warrant
to be shown
(1) If
the person who occupies the premises in respect of which a warrant is issued is
present when the warrant is executed, the person executing it shall show the
warrant to that person and supply him or her with a copy of it.
(2) If
that person is not present, the person executing it shall leave a copy of it in
a prominent place on the premises.
8 Receipt
(1) A
person seizing anything in pursuance of a warrant shall give a receipt for it
to the person in occupation of the premises if the latter asks for it.
(2) Anything
so seized may be retained for so long as is necessary in all the circumstances
but the person in occupation of the premises in question shall be given a copy
of anything that is seized if the person so requests and the person executing
the warrant considers that it can be done without undue delay.
9 Exempt
personal data
The powers of inspection and
seizure conferred by a warrant shall not be exercisable in respect of personal
data that are exempt under Article 28.
10 Exempt
communications about legal advice
(1) The
powers of inspection and seizure conferred by a warrant shall not be
exercisable in respect of –
(a) any communication between a professional
legal adviser and the adviser’s client in connection with the giving of
legal advice to the client with respect to the client’s obligations,
liabilities or rights under this Law; or
(b) any communication between a professional
legal adviser and the adviser’s client, or between such an adviser or such
a client and any other person, made in connection with or in contemplation of
proceedings under or arising out of this Law and for the purposes of such
proceedings.
(2) Sub-paragraph (1)
applies also to –
(a) a copy or other record of any such
communication; and
(b) any document or article enclosed with or
referred to in any such communication if made in connection with the giving of
any advice or, as the case may be, in connection with or in contemplation of
and for the purposes of such proceedings.
(3) This
paragraph does not apply to anything in the possession of any person other than
the professional legal adviser or the client or to anything held with the
intention of furthering a criminal purpose.
(4) In
this paragraph references to the client of a professional legal adviser include
references to any person representing such a client.
11 Occupier to
furnish what is not exempt
If the person in occupation of
premises in respect of which a warrant is issued objects to the inspection or
seizure under the warrant of material on the grounds that it consists partly of
matters in respect of which those powers are not exercisable, the person shall,
if the person executing the warrant so requests, furnish the latter with a copy
of so much of the material as is not exempt from those powers.
12 Return of
warrants
(1) The
Commissioner shall return a warrant to the Bailiff or a Jurat after it is executed
or if not executed within the time authorized for its execution.
(2) The
person by whom the warrant is executed shall make an endorsement on it stating
what powers have been exercised under the warrant.
13 Offences
A person who obstructs a person in
the execution of a warrant or who fails without reasonable excuse to give the
latter person such assistance as the latter person may reasonably require for
the execution of the warrant commits an offence and shall be liable to a term
of imprisonment of 6 months and to a fine.
PART
2
OBTAINING
INFORMATION
14 Power to require
information
(1) The
Commissioner may, for any purpose connected with the investigation of an
offence under this Law or under Regulations made under this Law or with
proceedings for such an offence, by notice in writing –
(a) require any person to produce to the
Commissioner, or any person appointed by the latter for that purpose, any
documents specified or described in the notice that are in the custody, or
under the control, of the first-mentioned person; and
(b) specify the time, manner and form in which
those documents are to be produced.
(2) The
Commissioner may keep a document produced under paragraph (1) for a
reasonable time and take copies of such a document.
(3) No
person shall be compelled for any purpose referred to in paragraph (1) to
produce any document that the person cannot be compelled to produce in
proceedings before a court or, in complying with any requirement to furnish
information, to give any information that the person could not be compelled to
give in evidence in those proceedings.
(4) Any
person who refuses or, without reasonable excuse, fails to comply with the
requirements of a notice under sub-paragraph (1) shall be guilty of an
offence and liable to a fine of level 3 on the standard scale.
(5) A
person who intentionally alters, suppresses or destroys a document that is the
subject of a notice under sub-paragraph (1) shall be guilty of an offence and
liable to a term of imprisonment of 5 years and to a fine.
(6) If
a person fails to comply with the requirements of a notice under sub-paragraph (1)
the Court may, on application by the Commissioner, make an order requiring
compliance, and the order may provide that the costs of, and incidental to, the
application shall be paid by the person who failed to comply with the notice.
SCHEDULE
10
(Article 53(6))
FURTHER
PROVISIONS RELATING TO ASSISTANCE UNDER ARTICLE 53
1 Interpretation
In this Schedule
“applicant” (or “proceedings”) means an applicant (or
proceedings) to which Article 53 refers.
2 Costs
The assistance provided under Article 53
may include the making of arrangements for, or for the Commissioner to bear the
costs of –
(a) the
giving of advice or assistance by an advocate or solicitor; and
(b) the
representation of the applicant, or the provision to the applicant of such
assistance as is usually given by an advocate or solicitor –
(i) in steps preliminary or incidental to
the proceedings, or
(ii) in arriving at or giving effect to a
compromise to avoid or bring an end to the proceedings.
3 Indemnification
If assistance is provided with
respect to the conduct of proceedings –
(a) it
shall include an agreement by the Commissioner to indemnify the applicant
(subject only to any exceptions specified in the notification) in respect of
any liability to pay costs or expenses arising by virtue of any judgment or
order of the court in the proceedings;
(b) it
may include an agreement by the Commissioner to indemnify the applicant in
respect of any liability to pay costs or expenses arising by virtue of any
compromise or settlement arrived at in order to avoid the proceedings or bring
the proceedings to an end; and
(c) it
may include an agreement by the Commissioner to indemnify the applicant in
respect of any liability to pay damages pursuant to an undertaking given on the
grant of interlocutory relief to the applicant.
4 Defendant
informed of assistance
If the Commissioner provides
assistance in relation to any proceedings, the Commissioner shall do so on such
terms, or make such other arrangements, as will secure that a person against
whom the proceedings have been or are commenced is informed that assistance has
been or is being provided by the Commissioner in relation to them.
5 Commissioner’s
recovery of costs
The recovery of expenses incurred
by the Commissioner in providing an applicant with assistance (as taxed or
assessed in such manner as may be prescribed by rules of court) shall
constitute a first charge for the benefit of the Commissioner –
(a) on
any costs that, by virtue of any judgment or order of the court, are payable to
the applicant by any other person in respect of the matter in connection with
which the assistance is provided; and
(b) on
any sum payable to the applicant under a compromise or settlement arrived at in
connection with that matter to avoid or bring to an end, any proceedings.
SCHEDULE 11
(Article 68)
MODIFICATIONS
BEFORE END OF SECOND TRANSITIONAL PERIOD
1 Article 12A
inserted
After Article 12 there shall
be inserted –
“12A Rights of data subjects in relation to exempt
manual data
(1) A data subject is
entitled at any time by notice in writing –
(a) to require the relevant
data controller to rectify, block, erase or destroy exempt manual data that are
inaccurate or incomplete; or
(b) to require the data
controller to cease holding exempt manual data in a way incompatible with the
legitimate purposes pursued by the data controller.
(2) A notice under paragraph (1)
shall state the data subject’s reasons for believing that the data are
inaccurate or incomplete or, as the case may be, the data subject’s
reasons for believing that they are held in a way incompatible with the
legitimate purposes pursued by the data controller.
(3) If the court is
satisfied, on the application of any person who has given a notice under paragraph (1)
that appears to the court to be justified (or to be justified to any extent),
that the data controller in question has failed to comply with the notice, the
court may order the data controller to take such steps for complying with the
notice (or for complying with it to that extent) as the court thinks fit.
(4) For the purposes of
this Article personal data are incomplete if the data, although not inaccurate,
are such that their incompleteness would constitute a contravention of the
third or fourth data protection principle, if the principle applied to the
data.
(5) In this Article
‘exempt manual data’ means –
(a) in relation to the
first transitional period, data to which paragraph 3 of that Schedule
applies, and
(b) in relation to the
second transitional period, data to which paragraph 13 of that Schedule
applies.”.
2 Article 32
amended
In Article 32 –
(a) after
paragraph (2)(d) there shall be inserted the following sub-paragraph –
(b) in
paragraph (4) after the matter “12(7)” there shall be inserted
the matter “, 12A(3)”.
3 Article 34
amended
In Article 34(b) for the
matter “Article 14(1) – (3)” there shall be substituted
the matter “Articles 12A and 14(1) – (3)”.
4 Article 53
amended
In Article 53(1) after the
matter “12(7)” there shall be inserted the reference “, 12A(3)”.
5 Schedule
1 Part 2 amended
After paragraph 8(b) of Schedule 1
Part 2, there shall be inserted the following sub-paragraph –
“(ba) contravenes Article 12A by failing
to comply with a notice given under Article 12A(1) to the extent that the
notice is justified;”.
SCHEDULE
12
(Article 69)
TRANSITIONAL
PROVISIONS AND SAVINGS
1 Interpretation
In this Schedule –
“1987 Law” means the Data Protection (Jersey) Law 1987[38];
“new principles” means the data protection
principles within the meaning of this Law;
“old principles” means the data protection
principles within the meaning of the 1987 Law.
2 Effect
of registration under 1987 Law
(1) A
person who, immediately before the commencement of Part 3 of this Law –
(a) is registered as a data user under Part II
of the 1987 Law; or
(b) is treated by virtue of Article 6(6) of
the 1987 Law as so registered,
is exempt from Article 17(1)
of this Law until the end of the registration period.
(2) In
sub-paragraph (1) “registration period”, in relation to a
person, means –
(a) if there is a single entry in respect of
that person as a data user, the period at the end of which, if Article 7
of the 1987 Law had remained in force, that entry would have fallen to be
removed unless renewed; or
(b) if there are 2 or more entries in respect of
that person as a data user, the period at the end of which, if that Article had
remained in force, the last of those entries to expire would have fallen to be
removed unless renewed.
(3) Any
application for registration as a data user under Part II of the 1987 Law
received by the Commissioner before the commencement of Part 3 of this Law (and
any appeal against a refusal of registration, being a refusal at any time under
Part II of the 1987 Law) shall be determined in accordance with the old
principles and the 1987 Law.
(4) If
a person falling within sub-paragraph (1)(b) receives a notification under
Article 6(1) of the 1987 Law of the refusal of the person’s
application, sub-paragraph (1) shall cease to apply to the person –
(a) if no appeal is brought against the
refusal – at the end of the period within which such an appeal can
be brought; or
(b) if such an appeal is brought against the
refusal – on the withdrawal or dismissal of the appeal.
(5) If
a data controller gives a notification under Article 18(1) when exempt
from Article 17(1) by virtue of sub-paragraph (1), the data
controller shall cease to be exempt by virtue of sub-paragraph (1), but
may be exempt by virtue of Article 17(1) itself.
(6) The
Commissioner shall include in the register an entry in respect of each person
who is exempt from Article 17(1) by virtue of sub-paragraph (1).
(7) Each
such entry shall consist of the particulars that, immediately before the commencement
of Part 3 of this Law, were included (or treated as included) in respect
of that person in the register maintained under Article 3 of the 1987
Law.
(8) The
States may by Regulations make provision modifying the duty referred to in Article 20(1)
in its application to any person in respect of whom an entry in the register
has been made under sub-paragraph (6).
(9) The
States may by Regulations make further transitional provision in connection
with the implementation of Part 3 of this Law and the repeal of Part II of the
1987 Law, including provision modifying the application of provisions of Part 3
of this Law in transitional cases.
3 Request
for information and copy of personal data
(1) The
repeal of Article 20 of the 1987 Law does not affect the application
of that Article in any case in which a request under that Article (together
with any information, and fee, referred to in that Article and, in a case where
it is required, the consent referred to in that Article) was received (or, in
the case of the consent, notified) before that repeal.
(2) Sub-paragraph (1)
does not apply if the request is made by reference to this Law.
(3) Any
fee paid for the purposes of Article 20 of the 1987 Law before the
commencement of Article 7 in a case not falling within sub-paragraph (1)
shall be taken to have been paid for the purposes of Article 7.
4 Right
to compensation for inaccuracy, loss or unauthorized disclosure
The repeal of Articles 21 and
22 of the 1987 Law does not affect the application of those Articles in
relation to damage or distress suffered at any time by reason of anything done
or omitted to be done before the repeals.
5 Application
for rectification and erasure
The repeal of Article 23 of
the 1987 Law does not affect any case in which application to the court
was made under that Article before the repeal.
6 Restriction
on court orders to notify third parties of inaccuracy
Article 14(3)(b) does not
apply to any rectification, blocking, erasure, or destruction, that occurred
before the commencement of that sub-paragraph.
7 Enforcement
notices served under 1987 Law
(1) If,
immediately before the commencement of Article 40 –
(a) an enforcement notice under Article 9
of the 1987 Law has effect; and
(b) the time for appealing against the notice
has expired or any appeal has been determined,
then, after that commencement, to
the extent mentioned in sub-paragraph (3), the notice shall have effect
for the purposes of Articles 41 and 47 as if it were an enforcement notice
under Article 40.
(2) If
an enforcement notice has been served under Article 9 of the 1987 Law
before the commencement of Article 40 and immediately before that
commencement –
(a) the time for appealing against the notice
has not expired; or
(b) an appeal against the notice has not been determined,
any appeal against the notice
shall be determined in accordance with the 1987 Law and the old principles
but, unless the notice is quashed on appeal, to the extent mentioned in sub-paragraph (3),
the notice shall have effect for the purposes of Articles 41 and 47 as if
it were an enforcement notice under Article 40.
(3) An
enforcement notice under Article 9 of the 1987 Law has the effect
described in sub-paragraph (1) or (2) only to the extent that the steps
specified in the notice for complying with the old principle or principles in
question are steps that the data controller could be required by an enforcement
notice under Article 40 to take for complying with any or all of the new
principles in a case to which Article 40 applies.
8 Transfer
prohibition notices served under 1987 Law
(1) If,
immediately before the commencement of Article 40 –
(a) a transfer prohibition notice under Article 11
of the 1987 Law has effect; and
(b) the time for appealing against the notice
has expired or any appeal against the notice has been determined,
then, on and after that
commencement, to the extent specified in sub-paragraph (3), the notice
shall have effect for the purposes of Articles 41 and 47 as if it were an
enforcement notice under Article 40.
(2) If
a transfer prohibition notice has been served under Article 11 of the 1987
Law and immediately before the commencement of Article 40 either –
(a) the time for appealing against the notice
has not expired; or
(b) an appeal against the notice has not been
determined,
any appeal shall be determined in
accordance with the 1987 Law and the old principles and, unless the notice
is quashed on appeal, to the extent mentioned in sub-paragraph (3) the
notice shall have effect for the purposes of Articles 41 and 47 as if it
were an enforcement notice under Article 40.
(3) A
transfer prohibition notice under Article 11 of the 1987 Law has the
effect described in sub-paragraph (1) or (2) only to the extent that the
prohibition imposed by the notice is one that could have been imposed by an
enforcement notice under Article 40 for complying with all or any of the
new principles in a case to which Article 40 applies.
9 Enforcement
notices under new law relating to matters in relation to which 1987 Law
had effect
The Commissioner may serve an
enforcement notice under Article 40 on or after the day on which that
Article comes into force if satisfied that, before that day, a data controller
contravened the old principles by reason of any act or omission that would also
have constituted a contravention of the new principles if they had applied when
the act or omission occurred.
10 Restriction on
enforcement notices to notify third parties of inaccuracy
Article 40(5)(b) does not
apply if the rectification, blocking, erasure, or destruction, referred to in
that sub-paragraph occurred before the commencement of that Article.
11 Information notices
under new law relating to matters in relation to which 1987 Law had effect
The Commissioner may serve an
information notice under Article 43 on or after the day on which that
Article comes into force if the Commissioner has reasonable grounds for
suspecting that, before that day, a data controller contravened the old
principles by reason of any act or omission that would also have constituted a
contravention of the new principles if they had applied when the act or
omission occurred.
12 Reference in new
Article 43(2)(b) read as being to old principles
If by virtue of paragraph 11
an information notice is served on the basis of anything done or omitted to be
done before the day on which Article 43 comes into force, Article 43(2)(b)
shall have effect as if the reference in it to the data controller’s
having complied, or complying, with the data protection principles were a
reference to the data controller’s having contravened the old principles
by reason of any such act or omission as is mentioned in paragraph 11.
13 Self-incrimination,
etc.
(1) In
Article 43(9), Article 44(10) and paragraph 11 of Schedule 7,
any reference to an offence under this Law includes a reference to an offence
under the 1987 Law.
(2) In
Article 33(8) of the 1987 Law, any reference to an offence under that
Law includes a reference to an offence under this Law.
14 Warrants issued
under 1987 Law
The repeal of the Fourth Schedule to
the 1987 Law does not affect the application of that Schedule in any case where
a warrant was issued under that Schedule before the repeal, and that Schedule
shall be taken to continue to have effect in that case.
15 Complaints under Article 35(2)
of 1987 Law
The repeal of Article 35(2) of
the 1987 Law does not affect the application of that provision in any case
where a complaint has been received by the Commissioner under that Article
before its repeal.
16 Complaints and
assessments: regard to be had to contemporary principles and provisions
In dealing with a complaint under Article 35(2)
of the 1987 Law or a request for an assessment under Article 42 of this
Law, the Commissioner shall have regard to the provisions from time to time applicable
to the processing, and accordingly –
(a) in
Article 35(2) of the 1987 Law, the references to the data protection
principles, and the provisions, of that Law include, in relation to any time
when the new principles and the provisions of this Law have effect, the latter
principles and provisions; and
(b) in
Article 42, the reference to the provisions of this Law includes, in
relation to any time when the old principles and the provisions of the 1987 Law
had effect, the latter principles and provisions.
17 General:
references to Data Protection Registrar
(1) This
paragraph is subject to any express provision, or implication, to the contrary
in or under this Law or any other enactment, or in any agreement or other
document.
(2) A
reference in any enactment, agreement or other document to the Data Protection
Registrar shall, on and from when Article 6(2) comes into force, become a
reference to the Data Protection Commissioner.
(3) Accordingly,
any application made to the Data Protection Registrar, any proceedings
commenced with the Data Protection Registrar as party, or anything else
involving the Data Protection Registrar, being an application, proceedings or
thing that has not been finally determined, or finished, when Article 6(2)
comes into force may be determined or continued by the Data Protection
Commissioner.
(4) Furthermore,
any record or requirement made by, any information given to, any document
deposited with, any record kept by, or any statement made to, the Data
Protection Registrar in the exercise of any of the Registrar’s functions
before Article 6(2) comes into force shall be taken, on and from that
time, to have been made by, given to, deposited with, kept by or made to, the
Data Protection Commissioner.
18 General saving
(except for Regulations, Rules or Orders)
(1) Except
as provided otherwise in or under this Schedule, anything made or done by any
person under any provision of the 1987 Law (being a thing that still had force
or effect immediately before the repeal of that provision by this Law) shall,
if there is a provision under this Law that gives power to make or do such a
thing, be taken to have been made or done under the latter provision.
(2) However,
a Regulation, Rule, or Order, made under the 1987 Law shall cease to be in
force when this paragraph comes into force.
19 Power to make
savings, or transitional or consequential provisions, by Regulations
(1) The
States may, by Regulations, make provisions of a saving or transitional nature
consequent on the enactment of this Law.
(2) A
provision of Regulations made under this paragraph may, if the Regulations so
provide, come into force on the day on which this Schedule comes into force or
on a later day.
(3) To
the extent to which any such provision comes into force on a date that is earlier
than the date of its promulgation, the provision does not operate so as –
(a) to affect, in a manner prejudicial to any
person (other than the States or a Minister or administration of the States),
the rights of that person existing before the date of its promulgation; or
(b) to impose liabilities on any person (other
than the States or a Minister or administration of the States) in respect of
anything done or omitted to be done before the date of its promulgation.
SCHEDULE
13
(Article 70)
AMENDMENTS[39]
Lloyds TSB
(Jersey) Law 1997
|
Insert
after Article 8(4) the following paragraph –
“(5) The
Data Protection Commissioner may exercise, in respect of any breach by the
transferor company of the data protection principles under the Data Protection (Jersey) Law 1987, the
same power under the Data Protection
(Jersey) Law 2005 as the power referred to in paragraph (4) that
was exercisable by the Data Protection Registrar under Article 9 of the Data Protection (Jersey) Law 1987.”.
|
Royal Bank of
Canada (Jersey) Law 2000
|
Insert
after Article 5(4) the following paragraph –
“(5) The
Data Protection Commissioner may exercise, in respect of any breach by the
transferor company of the data protection principles under the Data Protection (Jersey) Law 1987, the
same power under the Data Protection
(Jersey) Law 2005 as the power referred to in paragraph (4) that
was exercisable by the Data Protection Registrar under Article 9 of the Data Protection (Jersey) Law 1987.”.
|