Are we up to speed on data protection?
ADVOCATE WENDY BENJAMIN
Partner, commercial group, Bailhache Labesse
The 1204-2004 celebrations highlight the fact that Jersey is within the British Isles but is outside the United Kingdom. The island is within sight of the French coast but outside the European Union and the European Economic Area (EEA). Its peculiar constitutional position raises some data protection issues.
The United Kingdom’s Data Protection Act 1998 implements the European Union’s Directive 94/46/EC on the protection of individuals with regard to the processing of personal data and the free movement of such data. The UK Act came fully into force in October 2001. Among other requirements, it imposes the eighth data protection principle which states: ‘Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.’
So, is Jersey’s existing data protection regime adequate by European standards? The short answer is probably not yet.
Jersey’s current legislation, the Data Protection (Jersey) Law 1987, is modelled on the previous UK law. It has not kept pace with technological developments nor with best practice for data processing and privacy policies. An update is long overdue.
Thus, the Data Protection (Jersey) Law 200- was debated by the States of Jersey on 30 June 2004. The new law, once more, is modelled on the current UK legislation and aims to satisfy the requirements of the EU Directive. The new law should mean that the Island will be able to achieve a positive assessment for adequacy by the European Commission. It is essential that Jersey achieves this status so that data can be transferred freely from the UK and elsewhere in Europe to Jersey, without European businesses that control data having to assess the Island’s adequacy themselves or to implement practical arrangements falling within the exceptions to the general prohibition on transfers to inadequate non-EEA countries. Those practical arrangements might include obtaining the express consent of the individual about whom data is held or entering particular contractual relationships with the intended recipient of the data.
Our nearest competitors, Guernsey and Isle of Man, have already implemented new data protection legislation and have been assessed as adequate by the European Commission. Jersey’s Registrar of Data Protection is hoping to place all three islands back on an even footing as quickly as possible once the new law is brought into force, probably towards the end of this year.
Unfortunately, the necessarily tight legislative timescale does not give Island businesses a lot of time to change their data processing arrangements and working practices. Procedures for obtaining, using and disclosing data held about individual clients, potential clients, employees, suppliers and general contacts and the like will need to be checked and amended for compliance with the new law. Island businesses without branches in the UK or elsewhere in the EEA are likely to particularly notice the effects of the changes to the existing law. Transitionary arrangements may alleviate some difficulties.
Under the new law, existing data protection registrations will be replaced by ‘notifications’. The notification procedure should be slightly simpler than registration under the existing law but will be required on an annual rather than three-yearly basis. Care should be taken to ensure that notifications reflect the actual methods of gathering, using, processing and disclosing data employed by businesses themselves. Otherwise, it might be relatively easy to unwittingly transgress data protection principles – as some States Members might have recently found. Perhaps more importantly, even those few businesses who will be exempt from notification will still remain subject to all the other provisions of the new law, including compulsory compliance with the eight data protection principles.
The eight data protection principles, in essence, ensure that personal data:
- must be processed fairly and lawfully and only if certain conditions are met;
- must be obtained and used for specified, lawful purposes only;
- must be adequate, relevant and not excessive;
- must be accurate and, where necessary, kept up to date;
- must not be kept for longer than is necessary for relevant specified, lawful purposes;
- must be processed only in accordance with the statutory rights of data subjects;
- must be appropriately protected against unauthorised or unlawful processing and loss or destruction; and
- must not be transferred to a country outside the EEA unless that country has an adequate data protection regime.
Changes to key definitions such as ‘data’ and ‘processing’ and the recategorisation and stricter control of sensitive data will significantly broaden the current data protection principles. For example, the definition of processing includes collecting, disclosing and holding personal data, so few actions will fall outside the requirements of the new law. Similarly, the definition of personal data will be broadened to include expressions of opinions and intentions in relation to the data subject.
Overseas transfers
As mentioned above, the eight principles prevent transfers of data to non-EEA countries that do not have an adequate data protection regime. Island businesses transferring data abroad will need to ensure that they assess and take practical steps to safeguard information transferred outside the EEA.
The rights of data subjects – that is individuals about whom data is held – are strengthened by the new law. It will allow them greater subject access, more rights to prevent use of information (particularly for direct marketing) and rights to compensation for damages incurred. Compensation provisions in the existing law are somewhat limited, as has recently been discussed in the case of Cole v the States of Jersey Postal Administration Committee and the Chief Officer of the States Police.
One of the other main changes will be the extension of the data protection regime to cover certain manual records in addition to electronic records. Fortunately for existing businesses, there is a fairly generous transitional period for eligible manual records of three years plus another three years for, essentially, historic research into existing records. Nevertheless, Island businesses should consider now their requirements to record and maintain manual records in line with data protection principles. Document retention and destruction policies, for instance, should be reviewed.
There are many exemptions and transitionary arrangements set out in the new law. Further ones will follow in the detailed regulations which are to be issued under the Law. Also, it is hoped that detailed guidance specific to the Island’s finance industry will be issued by the Registrar of Data Protection. For example, under Article 25 of the Trust (Jersey) Law 1984, trustees are entitled, in certain circumstances, to refuse to disclose information to persons including beneficiaries. The parameters of the beneficiaries’ rights to information have been tested through the courts. The new law’s subject access rights should not override those principles as interpreted by the courts and a suitable exemption or guidance should be provided.
Similarly, the finance industry in Jersey administers very many Jersey and foreign companies whose data consists entirely of statutory books required to be kept under the Companies (Jersey) Law 1991 and equivalent foreign laws. As those books include details of directors and shareholders, they may include personal data and thus may be covered by the new law’s provisions. Thus, such companies may be required to notify and comply with the draft law even though they only ‘control’ statutory information. Some of the exemptions in the new law may assist. However, as not all statutory information is made available to the public (for example, private companies’ directors’ details), it appears that the exemptions would not necessarily absolve the companies as ‘data controllers’ from notification themselves (in addition to administrators’ own notification as processors). Thus, again, a clear exemption or guidance for such companies should be made available.
Clear guidance on the new law will be essential to ensure that the rights of Island businesses and the public sector to use and exploit data are balanced fairly against individuals’ right to privacy. Certainly, clear guidance will be necessary to successfully implement this complex piece of legislation, which potentially impacts on all our businesses and lives, as recent public events in the Island and UK have demonstrated.