"It is essential that businesses should review their existing data protection policies and procedures to ensure that they comply with the requirements of the Law."
"A business must not deceive or mislead any person from whom Personal Data is obtained as to the purposes for which the information is to be processed."
"The Law is designed to work in tandem with other laws. Therefore, if a business is obliged to retain data for a given length of time under any other laws, this should be taken into consideration."
"If a business has any doubts as to whether a country outside the EEA has an adequate level of protection or whether a transfer is exempt, it should seek independent legal advice."

Record management within the financial services sector

10 Mar 2011

The purpose of this briefing is to address some of the issues a business may have to consider in relation to its record management policy and procedures in order to comply with the provisions of the Law.

The Data Protection (Jersey) Law 2005 (the "Law") came into force on 1 December 2005. It sets out rules for the processing of personal data. Additional data protection provisions are set out in subordinate legislation. Broadly speaking, the processing of personal data includes obtaining, disclosing, recording, holding, using, erasing or destroying personal data. It applies to many paper records as well as those held on computer. The Law, therefore, has a significant impact on the way in which businesses manage their records.

This briefing is only intended to provide an outline of some of the issues a business should consider in relation to record management and compliance with data protection law in Jersey. It is essential that businesses should review their existing data protection policies and procedures to ensure that they comply with the requirements of the Law. If a business has any doubts as to the adequacy of its data protection policies and procedures or has any specific queries, it should seek independent legal advice.  

To whom and what does the Law apply?
The Law applies primarily to those who are Data Controllers. A "Data Controller" as defined by the Law is:
"a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed."

"Personal Data" as defined by the Law is: "Information relating to a living individual, who can be identified (1) from the data; or (2) from the data or other information in possession of the Data Controller (or likely to come into possession of the Data Controller). It includes expressions of opinion and indications of the intentions of the Data Controller".

A company, while a legal entity, is not a "living individual". Therefore, the Law does not apply to information relating to corporate entities themselves, as such information will not constitute Personal Data.

The Law applies to all local businesses which process Personal Data, such as personal employee or client information, including, of course, businesses in the financial services sector.

What obligations does a business have under the Law?
A business which is a Data Controller must comply with eight data protection principles set out in the Law ("Data Protection Principles") which govern the collection, retention and use of Personal Data.

The Data Protection Principles state that Personal Data must be:

  • fairly and lawfully processed;
  • processed for limited purposes;
  • adequate, relevant and not excessive;
  • accurate and up to date;
  • not kept longer than necessary;
  • processed in accordance with the individual's rights;
  • secure; and
  • not transferred to countries outside the European Economic Area ("EEA") unless the country has adequate protection for the individual.

Personal Data may include information such as a person's name, address and date of birth. It may also include opinions about the individual and/or any other information from which the individual can be identified.

In addition to complying with the Data Protection Principles, any business processing personal information must notify the Data Protection Commissioner's Office that it is doing so, unless its processing is exempt. As at the date of this briefing, notification costs £50 per year.

A business is also under an obligation to deal with data access requests by individuals seeking information about their Personal Data which may be held or processed by that business. These are known as subject access requests.

How can a business ensure compliance with the Data Protection Principles?
As detailed above, the Data Protection Principles govern the way in which a business collects, retains and uses personal information.  In the remainder of this briefing, we consider some of the issues a business may need to consider in relation to its records management policies and procedures to ensure compliance with the Data Protection Principles.  In particular, we will look at the following issues:

  • Collecting and using data
  • Security of records
  • The length of time records should be stored
  • Circulating data outside of EEA/equivalent system
  • Data subject access requests

How can a business collect and use Personal Data?
The Law provides that Personal Data must be processed fairly and lawfully and for limited purposes. The Law sets out a number of conditions which must be met before Personal Data can be said to have been fairly processed and a business should have regard to these conditions when processing Personal Data. The Law states that, where an individual has provided explicit consent to processing, the data will be considered as fairly processed. Further details of the other conditions can be found on the Data Protection Commissioner's website.

A business must not deceive or mislead any person from whom Personal Data is obtained as to the purposes for which the information is to be processed. A business should, therefore, have a clear policy stating the identity of the Data Controller and the purpose or purposes for which the data is intended to be processed. The policy should outline what and how information is going to be processed. A business should not be doing anything with an individual's Personal Data unless the individual knows exactly what is going to happen to his or her information and how it is going to be used. There are certain exemptions. If the purpose for which the information has been obtained has changed, the individual's further consent should be obtained.

Generally, a business cannot pass individuals' information to another business or organisation unless it has asked for and has obtained the consent of the individual.

However, there are exceptions to this.

The Law also provides that Personal Data should be adequate, relevant and not excessive in relation to the purpose or purposes for which it is being processed and Personal Data should be accurate and up to date. A business should, therefore, ensure that it regularly reviews its records to ensure that they comply with these conditions.

How can a business keep records securely?
It is a requirement of the Law for all organisations to have appropriate security to protect Personal Data against unlawful or unauthorised use or disclosure, and accidental loss, destruction or damage. This obligation applies whether a business processes the data itself or arranges for someone to process the data on its behalf.

What security a business will need depends on its own circumstances. Guidance[1] indicates that, to decide what measures are appropriate, a business will need to take into account the sort of information it has, the harm that might result from its misuse, the technology that is available and, also, what it would cost to ensure an appropriate level of security.

If outsourcing the processing of Personal Data to a third party provider, the Data Commissioner's Good Practice Note states that a business must choose a provider that it considers can carry out the work in an appropriate and secure manner. Further, while the work is going on, a business should check that this is being done. A written contract must also be in place with the provider. This contract must require the provider to:

  • only use and disclose the Personal Data in line with the instructions of the client business and in accordance with the legal requirements of the Law; and
  • take appropriate security measures.

The contract must be in place regardless of where the provider is based. There are also other considerations that must be taken into account if the processing of Personal Data is to be outsourced to a country outside the EEA. These considerations are dealt with below.

Businesses may regularly use laptops and other portable devices. If these items are lost or stolen, they could be used to cause an individual damage or distress, particularly if the items come into the hands of an identity thief. For example, about 15,000 Standard Life customers were said to be at risk of fraud after HMRC lost personal details. The data was on a CD sent from the Revenue office in Newcastle to the company's headquarters in Edinburgh.  But the CD, containing names, national insurance numbers, dates of birth and pension data, never arrived at its intended destination.

Guidance[2] issued by the UK's Information Commissioner's Office indicates that a business should, therefore, ensure that information contained on laptops and other portable devices is encrypted.  It also states that the level of protection provided by the encryption should be reviewed and updated periodically to ensure that it is sufficient if the device is lost or stolen. In addition to technical security, the guidance indicates that a business should have policies on the appropriate use and security of portable devices and ensure that staff are properly trained in these.

How long should Personal Data be stored for?
The Law says that information should be kept for no longer than is necessary. The Law does not specify what a "necessary" period should be for particular information. Each case should be considered on its own merits. The Law is designed to work in tandem with other laws. Therefore, if a business is obliged to retain data for a given length of time under any other laws, this should be taken into consideration, for example:

  • The JFSC Codes of Practice provide that every registered person (for example, Banks, Investment Businesses and Insurance Businesses) must have a clearly documented policy regarding record retention. The Codes also provide for a minimum retention period of 10 years which must be applied.  For further details, see the relevant Codes of Practice on the JFSC website.
  • In Jersey, claims may be time barred through the expiry of any relevant prescription or limitation period. For example, a claim in contract has a generous prescription period of ten years.  A claim in tort has a far shorter prescription period of three years. (Prescription periods may be extended in some circumstances.)
  • Accordingly, Jersey businesses may wish to consider retaining some documents for up to ten years. Where a JFSC Code of Practice applies, businesses must keep records for the stipulated periods.

Information regarding retention of documents in electronic form can be found in Article 16 of the Electronic Communications (Jersey) Law 2000.

In what circumstances may records and Personal Data be circulated outside of the EEA?
Many financial services businesses operate as cross jurisdictional and multifunctional businesses. They will seek to share data between their various operations and may also seek to outsource some data-related functions to third parties such as foreign call-centres. In some cases, the information will be circulated outside of the EEA.

The Law provides that Personal Data can only be transferred to a country or territory outside the EEA if that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of Personal Data. This requirement applies to the method as well as the work itself. There are some exceptions to this, including where the consent of the data subject has been obtained.

An up-to-date list of "adequate" places can be found on the Europa website. At the time of writing, the following countries have been deemed adequate: Argentina, Canada, Guernsey, Isle of Man, Jersey and Switzerland. Personal Data can also be transferred in accordance with the US Department of Commerce Safe Harbor Privacy Principle and Air Passenger Name Records can be transferred to the US Bureau of Customs and Border Protection.  Information about this can be found on the Europa website.

Even if a country has not been designated as adequate by the European Commission, a Data Controller can nevertheless come to its own conclusion that the country provides an adequate level of protection for a particular transfer. The Law indicates the sort of factors the Data Controller should take into account in reaching such a decision.

If a business has any doubts as to whether a country outside the EEA has an adequate level of protection or whether a transfer is exempt, it should seek independent legal advice.

Data Subject Access Requests
The Law gives individuals who are data subjects a general right of access to the Personal Data which relates to them, subject to certain exemptions (see below).

It is a requirement of the Law that a reply to a subject access request by an individual must be given promptly and, in any event, within 40 days, provided that the individual has paid any necessary fee where deemed applicable. At present, a fee of up to £10 can be charged for a subject access request. The 40 day time limit is calculated from the day on which a business has both the required fee and the necessary information to confirm the identity of the data subject and to locate the data.

The information must be provided in permanent form, except where the individual agrees or where it is impossible or would involve undue effort. This means that the information may be sent as a computer print out, in a letter or on a form unless the supply of such a copy is not possible.

When dealing with a subject access request, it must be remembered that a business need not disclose everything. The Law applies only to information about individuals which is held on computer or is on paper and sorted by reference to individuals. If the information relates only to business information that does not identify individuals, the Law will not apply.

There are other circumstances in which a business may withhold information from a data subject which are set out in the Law.  For example, Personal Data in respect of a Jersey trust is exempt from the subject access requirements to the extent that the Personal Data consists of information the withholding of which is authorized by the Trusts (Jersey) Law 1984 or the disclosure of which would be contrary to a prohibition or restriction under any rule of law of Jersey. Similar exemptions are provided for foreign law trusts. There is also an exemption with respect to Personal Data which is processed for the purposes of management forecasting or management planning to assist the data controller in the conduct of any business or other activity.

Sometimes, responding to a subject access request may involve providing information relating to another individual who can be identified from that information ("Third Party Information"). If a subject access request will involve the disclosure of Third Party Information, a business should consider whether it is possible to disclose the information without revealing the identity of the third party. In order to do so, a business may edit the information to remove names or other identifying details. The Third Party Information should only be disclosed if the third party consents to the disclosure of the information or it is reasonable in all the circumstances to comply with the request without the Third Party's consent. There are a number of factors set down by the Law which may be taken into account when deciding whether or not it would be reasonable in all the circumstances to disclose without consent. Guidance on this matter and handling requests which involve the disclosure of Third Party Information can be found on the Data Protection Commissioner's website (see "GD9 Subject Access and Third Party Information").

Offences/penalties
The Law creates a number of criminal offences.  For example, it is an offence to process Personal Data without notifying the Data Protection Commissioner's Office of either (i) the processing being undertaken; or (ii) any relevant changes to that processing following the original notification. It is also an offence knowingly or recklessly to obtain, disclose or procure the disclosure of personal information without the consent of the Data Controller. There are some exceptions.
There may also be civil sanctions as unauthorized disclosure of a subject's confidential/private information may constitute an actionable breach of confidence/misuse of private information. In Cole v. States Police (Royal Ct.), 2007 JLR 606, the court held that a duty of confidence was imposed whenever a person received information that he knew or ought to have known was fairly and reasonably to be regarded as private and that duty would be breached if the information received was disclosed without authorisation. In that case, disclosure by police of a job applicant's criminal record to a potential employer without explicit consent constituted misuse of private information and the applicant was awarded £750 in damages.

Conclusion
The Law has a significant effect on the way a business manages information and records. The consequences of failure to comply with obligations under the Law can be serious. Good record keeping and information management are therefore essential. Effective record management procedures and policies will help limit a business' risk in this area.

[1] The Office of the Data Protection Commissioner Good Practice Note, Outsourcing: A Guide for Small and Medium sizes Businesses.
[2] The Information Commissioner's Office Good Practice Note, Security of Personal Information.