Data Protection (Jersey) Law 2005
A LAW to make new provision for the
regulation of the processing of information relating to individuals, including
the obtaining, holding, use or disclosure of such information, and for purposes
incidental thereto and connected therewith.
Adopted by the States 30th June 2004
Sanctioned by Order of Her Majesty in Council 16th December 2004
Registered by the Royal Court 21st January 2005
THE STATES, subject to the sanction of Her Most Excellent Majesty in Council, have
adopted the following Law –
PART 1
INTERPRETATION, OBLIGATIONS AND OFFICES
Interpretation
1 Interpretation of Law
(1) In
this Law, unless the context otherwise requires –
“business” includes any trade or profession;
“Commissioner” means the holder of the office of Data Protection
Commissioner referred to in Article 6;
“Committee” means the Finance and Economics Committee;
“Court” means the Royal Court;
“credit reference agency” means a person who carries on the business of providing
information about the financial standing of persons;
“data” means information that –
(a) is
being processed by means of equipment operating automatically in response to
instructions given for that purpose;
(b) is
recorded with the intention that it should be processed by means of such
equipment; or
(c) is
recorded as part of a relevant filing system or with the intention that it
should form part of a relevant filing system;
“data controller” means, except as provided in paragraph (4), a person
who (either alone or jointly or in common with other persons) determines the
purposes for which and the manner in which any personal data are, or are to be,
processed;
“data processor”, in relation to personal data, means any person who processes
the data on behalf of a data controller, but does not include an employee of
the data controller;
“Data Protection Directive” means Directive 95/46/EC on the protection of individuals
with regard to the processing of personal data and on the free movement of such
data;
“data protection principles” has the meaning specified in Article 4;
“data subject” means an individual who is the subject of personal data;
“EEA State” means a State which is a contracting party to the Agreement
on the European Economic Area signed at Oporto on 2nd May 1992 as adjusted
by the Protocol signed at Brussels on 17th March 1993;
“enforcement notice” means a notice under Article 40;
“first transitional period” means the period that starts on the day on which
Schedule 8 comes into force and ends on the third anniversary of that day;
“function” includes power, authority and duty;
“health professional” means a person lawfully practising as a medical
practitioner, dentist, optician, pharmacist, nurse, midwife or health visitor,
osteopath, chiropractor, clinical psychologist, child psychotherapist or speech
therapist, or a music therapist employed by a body lawfully providing health
services, or a scientist employed by such a body as head of a department, or a
person that may be prescribed by Regulations;
“health record” means a record that –
(a) consists
of information relating to the physical or mental health or condition of an
individual; and
(b) has
been made by or on behalf of a health professional in connection with the care
of that individual;
“inaccurate”, in relation to data, has the meaning set out in
paragraph (5);
“information notice” means a notice under Article 43;
“non-disclosure provisions” means the following provisions to the extent that they are
inconsistent with the disclosure in question –
(a) the
first data protection principle, except to the extent to which it requires
compliance with the conditions in Schedules 2 and 3;
(b) the
second, third, fourth and fifth data protection principles; and
(c) Articles 10
and 14(1) to (3);
“personal data” means data that relate to a living individual who can be
identified –
(a) from
those data; or
(b) from
those data and other information that is in the possession of, or is likely to
come into the possession of, the relevant data controller,
and includes any expression of opinion about an individual who can
be so identified and any indication of the intentions of the data controller or
any other person in respect of an individual who can be so identified;
“processing”, in relation to information or data, means obtaining,
recording or holding the information or data, or carrying out any operation or
set of operations on the information or data, including –
(a) organizing,
adapting or altering the information or data;
(b) retrieving,
consulting or using the information or data;
(c) disclosing
the information or data by transmission, dissemination or otherwise making it
available; or
(d) aligning,
combining, blocking, erasing or destroying the information or data;
“public register” means any register that, pursuant to a requirement imposed
under an enactment or in pursuance of an international agreement, is open to
public inspection or open to inspection by any person having a legitimate
interest in the subject matter of the register;
“publish”, in relation to journalistic, literary or artistic material, means make
available to the public or any section of the public;
“recipient”, in relation to any personal data, means any person to whom
the data are disclosed, including any person (such as an employee or agent of
the relevant data controller, a relevant data processor or an employee or agent
of a data processor) to whom they are disclosed in the course of processing the
data for the data controller, but does not include any person to whom
disclosure is or may be made as a result of, or with a view to, a particular
inquiry by or on behalf of that person made in the exercise of any power
conferred by law;
“register” means the register maintained under Article 19;
“registered company” means a company within the meaning of the Companies (Jersey) Law 1991;[1]
“Regulations” means Regulations made by the States under this Law;
“relevant filing system” means any set of information relating to individuals to the
extent that, although the information is not processed by means of equipment
operating automatically in response to instructions given for that purpose, the
set is structured, either by reference to individuals or by reference to
criteria relating to individuals, in such a way that specific information
relating to a particular individual is readily accessible;
“second transitional period” means the period that starts when the first transitional
period ends and ends on the sixth anniversary of the day when Schedule 8 comes
into force;
“sensitive personal data” has the meaning set out in Article 2;
“special information notice” means a notice under Article 44;
“special purposes” has the meaning set out in Article 3;
“staff” of the Commissioner includes any person employed in the office of the
Commissioner;
“subject information provisions” means –
(a) the
first data protection principle to the extent to which it requires compliance
with paragraph 2 of Schedule 1 Part 2; and
(b) Article 7;
“third party”, in relation to personal data, means any person other
than –
(a) the
data subject;
(b) the
data controller; or
(c) any
data processor or other person authorized to process data for the data
controller or processor;
“Tribunal” means the Tribunal continued by Article 6 and known as the Data Protection
Tribunal.
(2) In
this Law, unless the context otherwise requires –
(a) obtaining,
or recording, personal data includes obtaining, or recording, the information
to be contained in the data; and
(b) using,
or disclosing, personal data includes using, or disclosing, the information
contained in the data.
(3) In
determining for the purposes of this Law whether any information is recorded
with the intention –
(a) that
it should be processed by means of equipment operating automatically in
response to instructions given for that purpose; or
(b) that
it should form part of a relevant filing system,
it is immaterial that it is intended to be so processed or to form
part of such a system only after being transferred to a country or territory
outside Jersey.
(4) If
personal data are processed only for purposes for which they are required by or
under any enactment to be processed, the person on whom the obligation to
process the data is imposed by or under that enactment is, in relation to the
data, the data controller for the purposes of this Law.
(5) For
the purposes of this Law data are inaccurate if they are incorrect or
misleading as to any matter of fact.
(6) For
the purposes of this Law, a description or class may be framed by reference to
any circumstances whatsoever.
2 Sensitive personal data
In this Law “sensitive personal data” means, in relation to a data subject, personal data
consisting of information as to –
(a) the
racial or ethnic origin of the data subject;
(b) the
political opinions of the data subject;
(c) the
data subject’s religious beliefs or other beliefs of a similar nature;
(d) whether
the data subject is a member of a trade union;
(e) the
data subject’s physical or mental health or condition;
(f) the
data subject’s sexual life;
(g) the
data subject’s commission, or alleged commission, of any offence; or
(h) any
proceedings for any offence committed, or alleged to have been committed, by
the data subject, the disposal of any such proceedings or any sentence of a
court in any such proceedings.
3 The special purposes
In this Law “special purposes” means any one or more of
the following –
(a) the
purposes of journalism;
(b) artistic
purposes;
(c) literary
purposes.
Principles, application, and obligations
4 The data protection principles: their content, Regulations about them, and duty to
comply with them
(1) References
in this Law to the data protection principles are to the principles set out in
Schedule 1 Part 1.
(2) Those
principles are to be interpreted in accordance with Schedule 1 Part 2.
(3) Paragraph 7 of Schedule 2,
paragraph 11 of Schedule 3 and paragraph 10 of Schedule 4
shall have effect.
(4) Subject to Article 27(1), it shall be
the duty of a person to comply with the data protection principles in relation
to all personal data with respect to which the person is a data controller.
5 Application of Law; duty of data controller outside Jersey to nominate Jersey representative
(1) Except
as otherwise provided by or under Article 54, this Law applies to a data
controller in respect of any data only if –
(a) the
data controller is established in Jersey and the data are processed in the
context of that establishment; or
(b) the
data controller is not established in Jersey but uses equipment in Jersey for
processing the data otherwise than for the purposes of transit through Jersey.
(2) A
data controller referred to in paragraph (1)(b) shall nominate for the
purposes of this Law a representative established in Jersey.
(3) For
the purposes of paragraphs (1) and (2), each of the following is to be
treated as established in Jersey –
(a) an
individual who is ordinarily resident in Jersey;
(b) a
body incorporated under the law of Jersey;
(c) a
partnership or other unincorporated association formed under the law of Jersey;
(d) any
person who does not fall within sub-paragraph (a), (b) or (c) but
maintains in Jersey –
(i) an office, branch
or agency through which the person carries on any activity, or
(ii) a regular
practice.
Offices
6 Commissioner and Tribunal
(1) The
office originally established by Article 2(1)(a) of the Data Protection (Jersey) Law 1987[2] as the office of Data
Protection Registrar shall become, and be regarded as one with, the corporation
known as the Data Protection Commissioner.
(2) The
States may from time to time appoint a person to the office of Data Protection
Commissioner, but until the first such appointment takes effect, the person
holding office as Data Protection Registrar immediately before this Article
comes into force shall hold office after then as the Commissioner on the terms
and conditions applying immediately before then.
(3) The
States shall take all reasonable steps to ensure that at all times the office
of Data Protection Commissioner is filled and shall in any case appoint one or
more members of the Commissioner’s staff as vice-Data Protection
Commissioners to act in any absence of the Commissioner.
(4) The
Tribunal originally established by Article 2(1)(b) of the Data Protection (Jersey) Law 1987[3] as the Data Protection
Tribunal shall continue to exist for the purposes of this Law under the same
name.
(5) The
Tribunal shall consist of a president, and 4 other members, appointed by the
States on the recommendation of the Committee and on the basis that they evenly
represent the interests of data subjects and of data controllers. Of the 4
other members, one or more shall be appointed as vice-presidents by the States
on the recommendation of the Committee.
(6) Until
the States appoint members of the Tribunal under this Law, a person who is the
chairman or a deputy chairman or other member of the Tribunal immediately
before this Article comes into force shall continue after then as
(respectively) the president or a vice-president or other member of the
Tribunal, on the same terms and conditions as before then.
(7) Schedule
5 shall have effect.
PART 2
RIGHTS OF DATA SUBJECTS AND OTHERS
7 Fundamental rights of access to personal data
(1) An
individual is entitled to be informed by any data controller whether personal
data of which that individual is the data subject are being processed by or on
behalf of that data controller, and, if that is the case, to be given by the
data controller a description of –
(a) the
personal data being so processed of which that individual is the data subject;
(b) the
purposes for which they are being or are to be processed by or on behalf of
that data controller; and
(c) the
recipients or classes of recipients to whom they are or may be disclosed by or
on behalf of that data controller.
(2) An
individual is entitled to the communication in intelligible form, by the
relevant data controller, of –
(a) the
information constituting any personal data of which the individual is the data
subject; and
(b) any
information available to the relevant data controller as to the source of those
data.
(3) If
the processing by automatic means of personal data of which an individual is
the data subject for the purpose of evaluating matters relating to the
individual (for example, the individual’s performance at work,
creditworthiness, reliability or conduct) has constituted or is likely to
constitute the sole basis for any decision significantly affecting the
individual, the individual is entitled to be informed by the relevant data
controller of the logic involved in that decision-taking.
(4) A
data controller is not obliged under paragraph (1), (2) or (3) to supply
any information unless the data controller has received –
(a) a
request in writing; and
(b) except
in cases that may be prescribed by Regulations, such fee (not exceeding any
maximum that may be prescribed by Regulations) as the data controller may
require.
(5) The
request may, in such cases as may be prescribed by Regulations, specify that it
is limited to personal data of any description that may be prescribed by
Regulations.
(6) If
a data controller reasonably requires further information in order to be
satisfied as to the identity of the person making the request or to locate the
information that the person seeks, and has informed the person of the
requirement, the data controller is not obliged to comply with the request
unless supplied with that information.
(7) If
a data controller cannot comply with the request without disclosing information
relating to another individual who can be identified from that information, the
controller is not obliged to comply with the request unless –
(a) the
other individual has consented to the disclosure of the information to the
person making the request; or
(b) it
is reasonable in all the circumstances to comply with the request without the
consent of the other individual.
(8) In
paragraph (7), the reference to information relating to another individual
includes a reference to information identifying that individual as the source
of the information sought in the request.
(9) Paragraph
(7) is not to be construed as excusing a data controller from communicating so
much of the information sought in the request as can be communicated without
disclosing the identity of the other individual concerned, whether by the
omission of names or other identifying particulars or otherwise.
(10) In
determining for the purposes of paragraph (7)(b) whether it is reasonable
in all the circumstances to comply with the request without the consent of the
other individual concerned, regard shall be had, in particular, to –
(a) any
duty of confidentiality owed to the other individual;
(b) any
steps taken by the data controller to seek the consent of the other individual;
(c) whether
the other individual is capable of giving consent; and
(d) any
express refusal of consent by the other individual.
(11) Except
as provided in paragraph (7), a data controller shall comply with a
request under this Article promptly and in any event within such period as may
be prescribed by Regulations, or if no period is so prescribed for the time
being, within the period that –
(a) begins
with the day on which the data controller receives the request under
paragraph (4) or, if later, the first day on which the data controller has
both the fee required under that paragraph and the information referred to in
paragraph (6); and
(b) ends
on the 40th day after the day on which the period begins.
(12) If a
court is satisfied on the application of any person who has made a request
under this Article that a data controller has contravened this Article in
failing to comply with the request, the court may order the data controller to
comply with the request.
8 Treatment of requests under Article 7
(1) The
States may by Regulations provide that, in such cases as may be prescribed by
those Regulations, a request under Article 7 for information referred to
in any provision of Article 7 is to be treated as a request for
information referred to in any other provision of Article 7.
(2) The
obligation imposed by Article 7(2)(a) shall be complied with by supplying
the data subject with a copy of the relevant information in permanent form
unless –
(a) the
supply of such a copy is not possible or would involve disproportionate effort;
or
(b) the
data subject agrees otherwise.
(3) If
any of the information referred to in Article 7(2)(a) is expressed in
terms that are not intelligible without explanation the copy shall be
accompanied by an explanation of those terms.
(4) If
a data controller has previously complied with a request under Article 7
by an individual, the data controller is not obliged to comply with a
subsequent identical or similar request under that Article by the individual
unless the interval between compliance with the previous request and the making
of the current request is reasonable.
(5) In
determining whether the interval is reasonable, regard shall be had to the
nature of the data, the purpose for which the data are processed and the
frequency with which the data are altered.
(6) Article 7(3)
is not to be regarded as requiring the provision of information as to the logic
involved in any decision-taking to the extent that the information constitutes
a trade secret.
(7) Information
supplied under Article 7 shall be supplied by reference to the data in
question at the time when the request for the data is received, except that
account may be taken of any amendment or deletion made between that time and
the time when the information is supplied, being an amendment or deletion that
would have been made regardless of the receipt of the request.
(8) For
the purposes of Article 7(7) and (9), another individual can be identified
from the information being disclosed if the individual can be identified from
that information, or from that and any other information that, in the
reasonable belief of the data controller, is likely to be in, or to come into,
the possession of the data subject making the request.
9 Credit reference agency as data controller
(1) If a data controller
is a credit reference agency, Article 7 applies in relation to that data
controller subject to this Article.
(2) An individual may
limit a request to a data controller under Article 7 to personal data
relevant to the financial standing of the individual, and shall be taken to
have so limited the request unless the request shows a contrary intention.
(3) If
personal data are being processed by or on behalf of a data controller who
receives a request under Article 7 from an individual who is the data
subject of those data, the obligation to supply information under that Article
includes an obligation to give the individual a statement of the
individual’s rights under this Law in such form, and to such extent, as
may be prescribed by Regulations.
10 Right to stop processing that causes distress or damage
(1) An
individual is entitled at any time by notice in writing to a data controller to
require the data controller at the end of such period as is reasonable in the
circumstances to cease, or not to begin, processing, or processing for a
specified purpose or in a specified manner, any personal data in respect of
which the individual is the data subject, on the ground that, for reasons
specified in the notice –
(a) the
processing of those data or their processing for that purpose or in that manner
is causing or is likely to cause substantial damage or substantial distress to
the individual or to another individual; and
(b) that
damage or distress is or would be unwarranted.
(2) Paragraph
(1) does not apply –
(a) if
one or more of the conditions in paragraphs 1 - 4 of Schedule 2
is met; or
(b) in
such other cases as may be prescribed by Regulations.
(3) The
data controller shall within 21 days of receiving a notice under
paragraph (1) give the individual who gave it a written
notice –
(a) stating
that the data controller has complied or intends to comply with the
individual’s notice; or
(b) stating
the data controller’s reasons for regarding the individual’s notice
as to any extent unjustified and the extent (if any) to which the data
controller has complied or intends to comply with it.
(4) If
a court is satisfied, on the application of any person who has given notice
under paragraph (1) –
(a) that
the notice is justified to any extent; and
(b) that
the data controller in question has failed to comply with the notice to that
extent,
the court may order the data controller to take such steps as it
thinks fit for complying with the notice to that extent.
(5) The
failure by a data subject to exercise the right conferred by paragraph (1)
does not affect any other right conferred on the data subject by this Part.
11 Right to stop processing for direct marketing
(1) An
individual is entitled at any time by notice in writing to a data controller to
require the data controller at the end of such period as is reasonable in the
circumstances to cease, or not to begin, processing for the purposes of direct
marketing personal data in respect of which the individual is the data subject.
(2) If
a court is satisfied, on the application of any person who has given a notice
under paragraph (1), that the data controller has failed to comply with
the notice, the court may order the data controller to take such steps for
complying with the notice as the court thinks fit.
(3) The
failure by a data subject to exercise the right conferred by paragraph (1)
does not affect any other right conferred on the data subject by this Part.
(4) In
this Article, “direct marketing” means the communication (by
whatever means) of any advertising material, or marketing material, that is
directed to particular individuals.
12 Rights in relation to automated decision-making
(1) An
individual is entitled at any time, by notice in writing to a data controller,
to require the data controller to ensure that no decision taken by or on behalf
of the data controller that significantly affects the individual is based
solely on the processing by automatic means of personal data in respect of
which that individual is the data subject for the purpose of evaluating matters
relating to the individual (for example, the individual’s performance at
work, creditworthiness, reliability or conduct).
(2) If
no such notice has effect and a decision that significantly affects an
individual is based solely on such processing –
(a) the
data controller shall as soon as reasonably practicable notify the individual
that the decision was taken on that basis; and
(b) the
individual is entitled, within 21 days after receiving that notification
from the data controller, by notice in writing to require the data controller
to reconsider the decision or to take a new decision otherwise than on that
basis.
(3) The
data controller shall, within 21 days after receiving a notice under
paragraph (2)(b), give the individual a written notice specifying the
steps that the data controller intends to take to comply with the data
subject’s notice.
(4) A
notice under paragraph (1) does not have effect in relation to, and
nothing in paragraph (2) applies to, an exempt decision, that is, a
decision –
(a) in
respect of which the conditions in paragraphs (5) and (6) are both
satisfied; or
(b) that
is made in such other circumstances as may be prescribed by Regulations.
(5) The
first condition is that the decision –
(a) is
taken in the course of steps taken –
(i) for the purpose
of considering whether to enter into a contract with the data subject,
(ii) with a view to
entering into such a contract, or
(iii) in the course of
performing such a contract; or
(b) is
authorized or required by or under any enactment.
(6) The
second condition is that –
(a) the
effect of the decision is to grant a request of the data subject; or
(b) steps
have been taken to safeguard the legitimate interests of the data subject (for
example, by allowing the data subject to make representations).
(7) If
a court is satisfied on the application of a data subject that a person taking
a decision in respect of the data subject has failed to comply with a notice
under paragraph (1) or (2)(b), the court may order the person to
reconsider the decision, or to take a new decision that is not based solely on
such processing as is mentioned in paragraph (1).
(8) An
order under paragraph (7) shall not affect the rights of anyone other than
the data subject and the person.
13 Compensation for failure to comply with certain requirements
(1) An
individual who suffers damage by reason of any contravention by a data
controller of any requirement of this Law is entitled to compensation from the
data controller for that damage.
(2) An
individual who suffers distress by reason of any contravention by a data
controller of any requirement imposed by or under this Law is entitled to
compensation from the data controller for that distress.
(3) In
proceedings brought against a person by virtue of this Article it is a defence
for the person to prove that the person took such care as in all the
circumstances was reasonably required to comply with the requirement concerned.
14 Rectification, blocking, erasure and destruction
(1) If
a court is satisfied on the application of a data subject that personal data of
which the applicant is the subject are inaccurate, the court may order a person
who is the data controller of the data to rectify, block, erase or
destroy –
(a) those
data; and
(b) any
other personal data in respect of which the person is the data controller and
that contain an expression of opinion that appears to the court to be based on
the inaccurate data.
(2) Paragraph
(1) applies whether or not the data accurately record information received or
obtained by the data controller from the data subject or a third party, but if
the data accurately record such information then –
(a) if
the conditions referred to in paragraph 7(a) and (b) of Schedule 1 Part 2 have
been satisfied in respect of the data - the court may, instead of making an
order under paragraph (1), make an order requiring the data to be
supplemented by such statement of the true facts relating to the matters dealt
with by the data as the court may approve; or
(b) if
one or both of those conditions have not been satisfied in respect of the data
- the court may, instead of making an order under paragraph (1), make such
order as it thinks fit for securing that those conditions are satisfied, with
or without a further order requiring the data to be supplemented by such
statement of the true facts relating to the matters dealt with by the data as
the court may approve.
(3) If
a court –
(a) makes
an order under paragraph (1); or
(b) is
satisfied on the application of a person that personal data of which the person
was the data subject and that have been rectified, blocked, erased or destroyed
were inaccurate,
it may, if it considers it reasonably practicable, order the data
controller to notify third parties to whom the data have been disclosed of the
rectification, blocking, erasure or destruction.
(4) If
a court is satisfied on the application of a person who is a data
subject –
(a) that
the person has suffered damage by reason of any contravention by a data
controller of any of the requirements of, or under, this Law in respect of any
personal data, in circumstances entitling the person to compensation under
Article 13; and
(b) that
there is a substantial risk of further contravention in respect of those data
in such circumstances,
the court may order the rectification, blocking, erasure or
destruction of any of those data.
(5) If
a court makes an order under paragraph (4) it may, if it considers it
reasonably practicable, order the data controller to notify third parties to
whom the data have been disclosed of the rectification, blocking, erasure or
destruction.
(6) In
determining whether it is reasonably practicable to require notification under
paragraph (3) or (5), a court shall have regard, in particular, to the
number of persons who would have to be notified.
15 Court may inspect data
(1) For
the purpose of determining any question relating to whether an applicant under
Article 7(12) is entitled to the information that the applicant seeks
(including any question whether any relevant data are exempt from
Article 7 by virtue of Part 4) a court may require the information
constituting any data processed by or on behalf of the data controller and any
information as to the logic involved in any decision-taking as mentioned in
Article 7(3) to be made available for its own inspection.
(2) The
court shall not, during the course of the proceedings, require the information
sought by the applicant to be disclosed to the applicant or any other person.
PART 3
NOTIFICATIONS AND REGULATIONS
Notification by data controllers
16 Preliminary
(1) In
this Part, “registrable particulars”, in relation to a data controller, means –
(a) the
name and address of the data controller;
(b) in
the case of a data controller to whom Article 5(1)(b) applies - the name
and address of a representative of the data controller, being a representative
established in Jersey within the meaning of that Article;
(c) a
description of the personal data being, or to be, processed by or on behalf of
the data controller and of the category or categories of data subject to which
they relate;
(d) a
description of the purpose or purposes for which the data are being or are to
be processed;
(e) a
description of the recipients (if any) to whom the data controller intends or
may wish to disclose the data;
(f) the
names, or a description, of any countries or territories outside Jersey to
which (directly or indirectly) the data controller transfers, or intends or may
wish to transfer, the data; and
(g) if
personal data are being, or are intended to be, processed by a data controller
in circumstances in which the prohibition in Article 17(1) is excluded by Article 17(2)
or (3) and a notification in respect of the data controller under Article 18
does not extend to those data – a statement of that fact.
(2) For
the purposes of this Part, so far as it relates to the addresses of data
controllers –
(a) the
address of a registered company is that of its registered office; and
(b) the
address of a person (other than a registered company) carrying on a business is
that of the person’s principal place of business in Jersey.
17 No processing without registration
(1) Personal
data shall not be processed unless an entry in respect of the data controller
who determines the purposes for which and the manner in which the data are so
processed is included (or taken to be included) in the register.
(2) Except
if the processing is assessable processing for the purposes of Article 22,
paragraph (1) does not apply in relation to personal data that consist of
information that does not fall within paragraph (a) or (b) of the
definition of “data” in Article 1(1).
(3) Paragraph
(1) does not apply to processing of a description prescribed by Regulations
under paragraph (5).
(4) Paragraph
(1) does not apply to processing whose sole purpose is the maintenance of a
public register.
(5) If
it appears to the States that processing of a particular description is
unlikely to prejudice the rights and freedoms of data subjects, the States may
by Regulations prescribe processing (in all cases or in specified cases) of
that description as processing to which paragraph (1) shall not apply.
18 Notification by data controllers
(1) A
data controller who wishes to be included in the register shall give
notification to the Commissioner in accordance with this Article.
(2) The
data controller’s notification shall specify –
(a) the
registrable particulars in relation to the data controller; and
(b) a
general description of measures to be taken for the purpose of complying with
the seventh data protection principle,
and the notification shall specify those matters in accordance with such
requirements as may be prescribed by Regulations.
(3) Those
Regulations may make provision for (or for the determination by the
Commissioner, in accordance with any requirements of the Regulations, of) the
form and detail in which the registrable particulars referred to in
Article 16(1)(c)-(f), and the description referred to in paragraph (2)(b), are to be
specified.
(4) Those
Regulations may make provision as to the giving of notification –
(a) by
partnerships; or
(b) in
other cases where 2 or more persons are the data controllers in respect of any
personal data.
(5) A
notification is not made in accordance with this Article if the Regulations
prescribe a fee for it and the fee has not been paid.
(6) The
States may by Regulations prescribe fees to accompany notifications under this
Article and may by Regulations provide for any such fee that has been paid to
be refunded in circumstances set out in Regulations.
19 Register of notifications
(1) The
Commissioner shall –
(a) maintain
a register of persons who have given notifications under Article 18; and
(b) make
an entry in the register in pursuance of each notification received under Article 18
from a person in respect of whom no entry as data controller was for the time
being included in the register.
(2) Each
entry in the register shall consist of –
(a) the
registrable particulars notified under Article 18 or, as the case
requires, those particulars as amended under Article 20(4); and
(b) such
other information as the Commissioner may be authorized or required by
Regulations to include in the register.
(3) The
States may make Regulations for the purposes of paragraph (2)(b) and may by
Regulations make provision as to the time when any entry in respect of a data
controller is to be treated for the purposes of Article 17 as having been
included in the register.
(4) No
entry shall be retained in the register for more than such period as may be
prescribed by Regulations (or if no period is prescribed, 12 months) except on
payment of such fee as may be prescribed by Regulations.
(5) The
Commissioner –
(a) shall
make the information contained in the register available for inspection (in
visible and legible form) by members of the public at reasonable hours and free
of charge; and
(b) may
provide such facilities for making that information available to the public
free of charge as the Commissioner considers appropriate.
(6) The
Commissioner shall, on application, supply any person with a copy in writing of
the particulars contained in any entry made in the register, being a copy
certified by the Commissioner to be a true copy of those particulars.
(7) An
application is not made in accordance with this Article if the Regulations
prescribe a fee for it and the fee has not been paid.
(8) The
States may by Regulations prescribe such a fee and may by Regulations provide
for any such fee that has been paid to be refunded in circumstances set out in
Regulations.
20 Duty to notify changes
(1) For
the purpose specified in paragraph (2), the States may by Regulations require
every person in respect of whom an entry as a data controller is for the time
being included in the register to notify the Commissioner, in such
circumstances, at such times and in such form as the Regulations prescribe, of
such matters relating to the registrable particulars and measures taken as
referred to in Article 18(2)(b) as the Regulations prescribe.
(2) The
purpose referred to in paragraph (1) is that of ensuring, so far as
practicable, that at any time –
(a) the
entries in the register contain current names and addresses and describe the
current practice or intentions of the data controller with respect to the
processing of personal data; and
(b) the
Commissioner is provided with a general description of measures currently being
taken as referred to in Article 18(2)(b).
(3) Regulations
under this Article may make provision for (or for the determination by the
Commissioner, in accordance with any requirements of the Regulations, of) the
form and detail in which the matters and measures referred to in paragraph (1)
are to be notified.
(4) The
Commissioner shall amend the relevant entry in the register as soon as
practicable after being notified of those matters and measures.
21 Offences and defence
(1) If
personal data are processed in contravention of Article 17(1), the data
controller who determines the purposes for which and the manner in which the
data are so processed shall be guilty of an offence.
(2) A
person who fails to comply with the duty imposed under Article 20(1) shall
be guilty of an offence.
(3) It
shall be a defence for a person charged with an offence under paragraph (2)
to show that the person exercised all due diligence to comply with that duty.
22 Preliminary assessment by Commissioner
(1) In
this Article “assessable processing” means processing prescribed as
such by Regulations.
(2) The
States may by Regulations prescribe as assessable processing any processing
that they consider particularly likely –
(a) to
cause substantial damage or substantial distress to data subjects; or
(b) otherwise
significantly to prejudice the rights and freedoms of data subjects.
(3) On
receiving notification from any data controller under Article 18 or under
Regulations made under Article 20, the Commissioner shall consider –
(a) whether
any of the processing to which the notification relates is assessable
processing; and
(b) whether
the assessable processing (if any) is likely to comply with this Law.
(4) The
Commissioner shall, within 28 days beginning with the day on which such
notification is received from a data controller, give notice to the data
controller stating the extent to which the Commissioner considers that the
processing is likely or unlikely to comply with this Law.
(5) Before
the end of that period of 28 days, the Commissioner may, by reason of
special circumstances, extend that period (on one occasion only) by notice to
the data controller by such further period not exceeding 14 days as the
Commissioner may specify in the notice.
(6) No
assessable processing in respect of which notification has been given to the
Commissioner as referred to in paragraph (3) shall be carried on unless –
(a) the
period for the Commissioner’s giving notice under paragraph (4),
including any extension of that period, has elapsed; or
(b) the
data controller has received notice from the Commissioner under paragraph (4)
in respect of the processing.
(7) If paragraph (6)
is contravened, the relevant data controller is guilty of an offence.
(8) The
States may by Regulations amend any expression of time in this Article.
23 Power to make provision for appointment of data protection supervisors
(1) The
States may by Regulations –
(a) make
provision under which a data controller may appoint a person to act as a data
protection supervisor responsible in particular for monitoring in an
independent manner the data controller’s compliance with this Law; and
(b) provide
that, in relation to any data controller who has appointed a data protection
supervisor in accordance with the Regulations and who complies with such conditions
as may be specified in the Regulations, this Part is to have effect subject to
such exemptions or other modifications as may be specified in the Regulations.
(2) Regulations
under this Article may –
(a) impose
duties on data protection supervisors in relation to the Commissioner; and
(b) confer
functions on the Commissioner in relation to data protection supervisors.
24 Duty of certain data controllers to make certain information available
(1) If
personal data are processed in a case where –
(a) because
of Article 17(2) or (3), Article 17(1) does not apply to the
processing; and
(b) the
relevant data controller has not, under Article 18, notified the
registrable particulars referred to in Article 16(1)(a)-(f) in respect
of that processing,
the data controller shall, within 21 days after receiving a
written request from any person, make those particulars available to that
person in writing free of charge.
(2) The
States may, by Regulations, make provision for exemptions from the operation of
this Article, and this Article has effect subject to any such exemptions.
(3) A
data controller who fails to comply with the duty imposed by paragraph (1)
is guilty of an offence.
(4) It
shall be a defence for a person charged with such an offence to show that the
person exercised all due diligence to comply with the duty.
Regulations in general and about fees
25 Preparation of Regulations
(1) As
soon as practicable after this Law has been passed by the States, the
Commissioner shall submit to the Committee proposals as to the provisions to be
included in the first Regulations to be made under this Law.
(2) Once
the first Regulations, or any replacement of them, are in force, the
Commissioner shall keep their working under review and may from time to time
submit to the Committee proposals as to amendments to be made to the
Regulations.
(3) The
Committee may from time to time require the Commissioner to consider any matter
relating to the Regulations and to submit to the Committee proposals as to
amendments to be made to the Regulations in connection with that matter.
(4) Before
the Committee decides that any projet for the making of Regulations be lodged
in the States, the Committee shall –
(a) consider
any proposals made to it by the Commissioner under this Article; and
(b) consult
the Commissioner.
26 Fees
(1) The
States may by Regulations require fees to be paid and may provide for different
fees to be payable in different cases.
(2) In
the case of fees payable to (or in respect of the functions of) the Commissioner
or the Tribunal, the States may by Regulations prescribe fees that may, but
need not, be sufficient to offset –
(a) the
expenses incurred by the Commissioner and the Tribunal in discharging their
functions and any expenses of the States or the Committee that relate to the
Commissioner or the Tribunal (including expenses relating to salaries, other
remuneration, pensions and office accommodation); and
(b) any
deficit incurred before the making of the Regulations (whether before or after
the passing of this Law) in respect of the expenses referred to in sub-paragraph (a),
and expenses incurred or to be incurred in respect of any transfer of
superannuation membership, or of entitlements, of the staff of the
Commissioner.
PART 4
EXEMPTIONS
27 Effect of this Part
(1) References in any of
the data protection principles, or in any provision of Parts 2 and 3, to
personal data, or to the processing of personal data, do not include references
to data, or processing, that by virtue of this Part are exempt from that
principle or provision.
(2) Except
as provided by this Part, the subject information provisions shall have effect
notwithstanding any enactment or rule of law prohibiting or restricting the
disclosure, or authorizing the withholding, of information.
28 Exemption based on national security
(1) Personal
data are exempt from any of the provisions of –
(a) the
data protection principles;
(b) Parts
2, 3 and 5; and
(c) Article 55,
if the exemption from that provision is required for the purpose of
safeguarding national security.
(2) A
certificate signed by the President of the Home Affairs Committee certifying
that exemption from all or any of those provisions is or at any time was
required for the purpose there mentioned in respect of any personal data shall
be sufficient evidence of that fact.
(3) The
certificate may identify the personal data to which it applies by means of a
general description and may, but need not, be expressed to have prospective
effect.
(4) A
person directly affected by the issue of the certificate may apply to the Court
for review of the decision to issue the certificate.
(5) If
on such an application, the Court finds that the President of the Home Affairs
Committee did not have reasonable grounds for the decision to issue the
certificate, the Court may quash the decision and avoid the certificate.
(6) If
in any proceedings before the Tribunal (or a court) under or by virtue of this
Law it is claimed by a data controller that a certificate under this Article
that identifies the personal data to which it applies by means of a general
description applies to any personal data, any other party to the proceedings
may appeal to the Tribunal (or court, as the case may be) on the ground that
the certificate does not apply to the personal data in question. However,
unless the Tribunal (or court) makes a determination under paragraph (7),
the certificate shall be conclusively presumed so to apply.
(7) On
any appeal under paragraph (6), the Tribunal (or court) may determine that
the certificate does not so apply.
(8) A
document purporting to be a certificate under this Article shall be received in
evidence and taken to be such a certificate unless the contrary is proved.
(9) A
document that purports to be certified by or on behalf of the President of the
Home Affairs Committee as a true copy of a certificate issued by the President
under this Article shall in any legal proceedings be evidence of that
certificate.
(10) No power
conferred by any provision of Part 5 may be exercised in relation to personal
data that by virtue of this Article are exempt from that provision.
(11) Schedule
6 has effect in relation to any appeal to the Tribunal under paragraph (6).
(12) The
States may, by Regulations, modify any reference to the President of the Home
Affairs Committee in this Article by substituting a reference to another
person.
29 Exemption: crime and taxation
(1) Personal
data processed for any of the following purposes –
(a) the
prevention, detection, or investigation, anywhere of crime;
(b) the
apprehension, or prosecution, anywhere of persons who have committed an offence
anywhere; or
(c) the
assessment, or collection, anywhere of any tax or duty, or of any imposition of
a similar nature, wherever due,
are exempt from the first data protection principle (except to the
extent to which it requires compliance with the conditions in Schedules 2 and
3) and Article 7 in any case to the extent to which the application of
those provisions to the data would be likely to prejudice any of the matters
referred to in sub-paragraphs (a)-(c).
(2) Personal
data that –
(a) are
processed for the purpose of discharging functions under any Law; and
(b) consist
of information obtained for such a purpose from a person who had it in the
person’s possession for any of the purposes referred to in paragraph (1)(a)-(c),
are exempt from the subject information provisions to the same
extent as personal data processed for any of the purposes referred to in paragraph (1)(a)-(c).
(3) Personal
data are exempt from the non-disclosure provisions in any case in which –
(a) the
disclosure is for any of the purposes referred to in paragraph (1)(a)-(c);
and
(b) the
application of those provisions in relation to the disclosure would be likely
to prejudice any of the matters referred to in paragraph (1)(a)-(c).
(4) Personal
data in respect of which the data controller is an authority (being an
administration of the States, or one of the 12 parishes of Jersey, or an
authority that may be prescribed by Regulations) and that –
(a) consist
of a classification applied to the data subject as part of a system of risk
assessment operated by that authority for the purpose of the assessment or
collection of any tax or duty or any imposition of a similar nature, or for the
purpose of the prevention or detection of crime, or the apprehension or
prosecution of persons who commit an offence, if the offence concerned involves
any unlawful claim for any payment out of, or any unlawful application of,
public funds; and
(b) are
processed for either of those purposes,
are exempt from Article 7 to the extent to which the exemption
is required in the interests of the operation of the system.
30 Exemption or modification for sake of health, education or social work
(1) The
States may by Regulations exempt from the subject information provisions (or
modify those provisions in relation to) personal data consisting of information
as to the physical or mental health or condition of the data subject.
(2) The
States may by Regulations exempt from the subject information provisions (or
modify those provisions in relation to) personal data in respect of which the
data controller is the proprietor, governor, governing body, director or
manager of, or a principal or teacher at, a school, and that consist of information
relating to persons who are or have been pupils at the school.
(3) The
States may by Regulations exempt from the subject information provisions (or
modify those provisions in relation to) personal data of such other
descriptions as may be specified in the Regulations, being information –
(a) processed
by any administration of the States, any of the 12 parishes of Jersey, any
voluntary organization, or any body prescribed by the Regulations; and
(b) appearing
to the States to be processed in the course of, or for the purposes of,
carrying out social work in relation to the data subject or other individuals,
to the extent that the States consider that the application to the
data of those provisions (or of those provisions without modification) would be
likely to prejudice the carrying out of social work.
31 Exemption for sake of regulatory activity: charities, health and safety, protection against financial loss; maladministration or practices contrary to fair trading
(1) Personal
data processed for the purposes of discharging any of the following functions
are exempt from the subject information provisions in any case to the extent to
which the application of those provisions to the data would be likely to
prejudice the proper discharge of the function –
(a) a
function designed for protecting members of the public against –
(i) financial loss
due to dishonesty, malpractice or other seriously improper conduct by, or the
unfitness or incompetence of, persons concerned in the provision of banking,
insurance, investment or other financial services or in the management of
bodies corporate,
(ii) financial loss
due to the conduct of discharged or undischarged bankrupts, or
(iii) dishonesty, malpractice
or other seriously improper conduct by, or the unfitness or incompetence of,
persons authorized to carry on any profession or other activity;
(b) a
function designed for protecting charities against misconduct or mismanagement
(whether by trustees or other persons) in their administration;
(c) a
function designed for protecting the property of charities from loss or
misapplication;
(d) a
function designed for the recovery of the property of charities;
(e) a
function designed for securing the health, safety or welfare of persons at
work;
(f) a
function designed for protecting persons other than persons at work against
risk to health or safety arising out of or in connection with the actions of
persons at work.
(2) Paragraph
(1) applies to –
(a) a
function conferred on any person by or under any enactment;
(b) a
function of the Crown, the States or a Committee, or administration, of the
States; or
(c) any
other function of a public nature and exercised in the public interest.
(3) Personal
data processed for the purpose of discharging any function to which this paragraph
applies are exempt from the subject information provisions to the extent to
which the application of those provisions to the data would be likely to
prejudice the proper discharge of that function.
(4) Paragraph
(3) applies to a function that is conferred by or under any enactment on a
person, or body, that may be prescribed by Regulations and is designed –
(a) for
protecting members of the public against –
(i) maladministration
by public bodies,
(ii) failures in
services provided by public bodies, or
(iii) a failure of a public
body to provide a service which it was a function of the body to provide;
(b) for
protecting members of the public against conduct that may adversely affect
their interests by persons carrying on a business;
(c) for
regulating agreements, or conduct, that have as their object or effect the
prevention, restriction or distortion of competition in connection with any
commercial activity; or
(d) for
regulating conduct on the part of one or more undertakings that amounts to the
abuse of a dominant position in a market.
(5) Paragraph
(3) also applies to the following functions –
(a) any
function relating to an investigation under Article 19 of the Collective Investment Funds (Jersey) Law 1988,[4] Article 27 of the Banking Business (Jersey) Law 1991,[5] Part 19 of the Companies (Jersey) Law 1991,[6] Article 10 of the Insurance Business (Jersey) Law 1996[7] or Article 30 of the Financial Services (Jersey) Law 1998,[8] including the functions of
appointment, investigation and reporting under any of those Articles;
(b) any
function (whether or not under any of the Laws referred to in
sub-paragraph (a)) that may be prescribed by Regulations.
32 Exemption for sake of journalism, literature or art
(1) Personal
data which are processed only for the special purposes are exempt from any
provision to which this Article relates if –
(a) the
processing is undertaken with a view to the publication by any person of any
journalistic, literary or artistic material;
(b) the
data controller reasonably believes that, having regard in particular to the
special importance of the public interest in freedom of expression, publication
would be in the public interest; and
(c) the
data controller reasonably believes that, in all the circumstances, compliance
with that provision is incompatible with the special purposes.
(2) This
Article relates to the following provisions –
(a) the
data protection principles except the seventh data protection principle;
(b) Article 7;
(c) Article 10;
(d) Article 12;
(e) Article 14(1),
(2) and (3).
(3) In
considering for the purposes of paragraph (1)(b) whether the belief of a
data controller that publication would be in the public interest was or is a
reasonable one, regard may be had to the data controller’s compliance
with any code of practice that is relevant to the publication in question and may
be prescribed by Regulations.
(4) If
at any time in any proceedings against a data controller under Article 7(12),
10(4), 12(7) or 14, or by virtue of Article 13, the data controller
claims, or it appears to a court, that any personal data to which the
proceedings relate are being processed –
(a) only
for the special purposes; and
(b) with
a view to the publication by any person of any journalistic, literary or
artistic material that, at the point 24 hours immediately before that time, had
not previously been published by the data controller,
the court shall stay the proceedings until (in any case) a
determination of the Commissioner under Article 45 with respect to the
data in question takes effect or (in a case where the proceedings were stayed
on the making of a claim) the claim is withdrawn, whichever first occurs.
33 Exemption for sake of research, history or statistics
(1) In
this Article –
“relevant conditions”, in relation to any processing of personal data, means the
conditions –
(a) that
the data are not processed to support measures or decisions with respect to
particular individuals; and
(b) that
the data are not processed in such a way that substantial damage or substantial
distress is, or is likely to be, caused to any data subject;
“research purposes” includes statistical or historical purposes.
(2) For
the purposes of the second data protection principle, the further processing of
personal data only for research purposes in compliance with the relevant
conditions is not to be regarded as incompatible with the purposes for which
they were obtained.
(3) Personal
data processed only for research purposes in compliance with the relevant
conditions may, notwithstanding the fifth data protection principle, be kept
indefinitely.
(4) Personal
data processed only for research purposes are exempt from Article 7 if –
(a) they
are processed in compliance with the relevant conditions; and
(b) the
results of the research or any resulting statistics are not made available in a
form that identifies one or more of the data subjects.
(5) For
the purposes of paragraphs (2)-(4), personal data are not to be treated as
processed otherwise than for research purposes merely because the data are
disclosed –
(a) to
any person, for research purposes only;
(b) to
the data subject or a person acting on the data subject’s behalf;
(c) at
the request, or with the consent, of the data subject or a person acting on the
data subject’s behalf; or
(d) in
circumstances in which the person making the disclosure has reasonable grounds
for believing that the disclosure falls within sub-paragraph (a), (b) or
(c).
34 Exemption for information available to public by or under enactment
Personal data are exempt from –
(a) the
subject information provisions;
(b) the
fourth data protection principle and Article 14(1)-(3); and
(c) the
non-disclosure provisions,
if the data consist of information that the data controller is
obliged by or under any enactment to make available to the public, whether by
making it available for inspection, publishing it in another sense or otherwise
and whether gratuitously or on payment of a fee.
35 Disclosures required by law or made in connection with legal proceedings
(1) Personal
data are exempt from the non-disclosure provisions if the disclosure is
required by or under any enactment, by any rule of law or by the order of a
court.
(2) Personal
data are exempt from the non-disclosure provisions if their disclosure is
necessary –
(a) for
the purpose of, in connection with, or in contemplation of, any legal proceedings;
(b) for
the purpose of obtaining legal advice; or
(c) otherwise
for the purposes of establishing, exercising or defending legal rights.
36 Exemption for data processed for domestic purposes
Personal data processed by an individual only for the purposes of
that individual’s personal, family or household affairs (including
recreational purposes) are exempt from the data protection principles and Parts
2 and 3.
37 Miscellaneous exemptions
Schedule 7 has effect.
38 Exemptions by Regulations
(1) The
States may by Regulations exempt from the subject information provisions
personal data consisting of information the disclosure of which is prohibited
or restricted by or under any enactment to the extent that they consider it
necessary, for safeguarding the interests of the data subject or the rights and
freedoms of any other individual, that the prohibition or restriction prevail
over the subject information provisions.
(2) The
States may by Regulations exempt from the non-disclosure provisions any
disclosures of personal data made in circumstances specified in the Regulations,
if they consider the exemption is necessary for safeguarding the interests of
the data subject or the rights and freedoms of any other individual.
39 Transitional relief
Schedule 8 has effect.
PART 5
ENFORCEMENT
40 Enforcement notices
(1) If
the Commissioner is satisfied that a data controller has contravened or is
contravening any of the data protection principles, the Commissioner may by
notice served on the data controller require the data controller to do one or
both of the following, for complying with the principles contravened –
(a) to
take specified steps within a specified time, or to refrain from taking
specified steps after a specified time; or
(b) to
refrain from processing any personal data, or any personal data of a specified
description, or to refrain from processing them for a specified purpose or in a
specified manner, after a specified time.
(2) In
deciding whether to serve an enforcement notice, the Commissioner shall
consider whether the contravention has caused or is likely to cause any person
damage or distress.
(3) An
enforcement notice in respect of a contravention of the fourth data protection
principle, being a notice that requires a data controller to rectify, block,
erase or destroy any inaccurate data may also require the data controller to
rectify, block, erase or destroy any other data held by the data controller
that contain an expression of opinion that appears to the Commissioner to be
based on the inaccurate data.
(4) An
enforcement notice in respect of a contravention of the fourth data protection
principle, in the case of data that accurately record information received or
obtained by the data controller from the data subject or a third party, may
require the data controller –
(a) to
rectify, block, erase or destroy any inaccurate data and any other data held by
the data controller that contain an expression of opinion that appears to the
Commissioner to be based on the inaccurate data; or
(b) to
take such steps as are specified in the notice for securing compliance with the
requirements specified in paragraph 7 of Schedule 1 Part 2 and,
if the Commissioner thinks fit, for supplementing the data with such statement
of the true facts relating to the matters dealt with by the data as the
Commissioner may approve.
(5) If –
(a) an
enforcement notice requires a data controller to rectify, block, erase or
destroy any personal data; or
(b) the
Commissioner is satisfied that personal data that have been rectified, blocked,
erased or destroyed had been processed in contravention of any of the data
protection principles,
an enforcement notice may, if reasonably practicable, require the
data controller to notify third parties to whom the data have been disclosed of
the rectification, blocking, erasure or destruction.
(6) The
Commissioner shall, in determining whether it is reasonably practicable to
require such notification, have regard in particular to the number of persons
who would have to be notified.
(7) An
enforcement notice shall contain –
(a) a
statement of the data protection principles that the Commissioner is satisfied
have been or are being contravened and the reasons for reaching that
conclusion; and
(b) particulars
of the rights of appeal conferred by Article 48.
(8) An
enforcement notice shall not require any of the provisions of the notice to be
complied with before the end of the period within which an appeal can be
brought against the notice and, if such an appeal is brought, the notice need
not be complied with until the determination or withdrawal of the appeal.
(9) However,
if by reason of special circumstances the Commissioner considers that an
enforcement notice should be complied with as a matter of urgency, the
Commissioner may include in the notice a statement to that effect and a
statement of the reasons for reaching that conclusion.
(10) In that
case, paragraph (8) shall not apply but the notice shall not require
compliance before the end of the period of 7 days beginning with the day
on which the notice is served.
(11) The
States may by Regulations make provision as to the effect of the service of an
enforcement notice on a register entry that relates to the data controller on
whom the notice is served.
41 Cancellation
or variation of enforcement notices
(1) If
the Commissioner considers that all or any of the provisions of an enforcement
notice need not be complied with in order to ensure compliance with the data
protection principle or principles to which it relates, the Commissioner may
cancel or vary the notice by further written notice served on the person on
whom the enforcement notice was served.
(2) The
cancellation or variation takes effect on service of the further notice or at
such later time as is specified in the further notice.
(3) A
person on whom an enforcement notice has been served may, at any time after the
expiry of the period during which an appeal can be brought against that notice,
apply in writing to the Commissioner for the cancellation or variation of that
notice on the ground that, by reason of a change of circumstances, all or any
of the provisions of that notice need not be complied with in order to ensure
compliance with the data protection principle or principles to which that
notice relates.
42 Request
for assessment
(1) A
request may be made to the Commissioner by or on behalf of any person who is,
or believes himself to be, directly affected by any processing of personal data
for an assessment as to whether it is likely or unlikely that the processing
has been or is being carried out in compliance with the provisions of this Law.
(2) On
receiving the request, the Commissioner shall make an assessment in such manner
as the Commissioner considers appropriate, unless the Commissioner has not been
supplied with such information as may reasonably be required in order to –
(a) be
satisfied as to the identity of the person making the request; and
(b) identify
the processing in question.
(3) The
matters to which the Commissioner may have regard in determining in what manner
it is appropriate to make an assessment include –
(a) the
extent to which the request appears to the Commissioner to raise a matter of
substance;
(b) any
undue delay in making the request; and
(c) whether
or not the person making the request is entitled to make a request under Article 7
in respect of the personal data in question.
(4) The
Commissioner shall notify the person who made the request –
(a) whether
the Commissioner has made an assessment in response to the request; and
(b) to
the extent that the Commissioner considers appropriate, having regard in
particular to any exemption from Article 7 applying in relation to the
personal data concerned, of any view formed or action taken as a result of the
request.
43 Information
notices
(1) If
the Commissioner –
(a) has
received a request under Article 42 in respect of any processing of
personal data; or
(b) reasonably
requires any information for the purpose of determining whether a data
controller has complied, or is complying, with the data protection principles,
the Commissioner may by notice served on the relevant data
controller (or on a data processor who processes data on behalf of the data
controller, being data or processing relevant to the request or the
determination, as the case may be) require the person served with the notice to
furnish the Commissioner, in a specified form (if any) and within a specified
period, with specified information relating to the request or to compliance
with the principles.
(2) An
information notice shall contain –
(a) in
the case referred to in paragraph (1)(a), a statement that the
Commissioner has received a request under Article 42 in relation to the
processing; or
(b) in
the case referred to in paragraph (1)(b), a statement that the
Commissioner regards the specified information as relevant for the purpose of
determining whether the data controller has complied, or is complying, with the
data protection principles and the Commissioner’s reasons for regarding
it as relevant for that purpose.
(3) An
information notice shall also contain particulars of the rights of appeal
conferred by Article 48.
(4) An
information notice shall not require any of the provisions of the notice to be
complied with before the end of the period within which an appeal can be
brought against the notice and, if such an appeal is brought, the notice need
not be complied with until the determination or withdrawal of the appeal.
(5) However,
if by reason of special circumstances the Commissioner considers that an information
notice should be complied with as a matter of urgency, the Commissioner may
include in the notice a statement to that effect and a statement of the reasons
for reaching that conclusion.
(6) In
that case, paragraph (4) shall not apply but the notice shall not require
compliance before the end of the period of 7 days beginning with the day
on which the notice is served.
(7) A
person shall not be required by virtue of this Article to furnish the
Commissioner with any information in respect of –
(a) any
communication between a professional legal adviser and a client in connection
with the giving of legal advice to the client with respect to the
latter’s obligations, liabilities or rights under this Law; or
(b) any
communication between a professional legal adviser and a client, or between
such an adviser or client and any other person, made in connection with or in
contemplation of proceedings under or arising out of this Law (including
proceedings before the Tribunal) and for the purposes of such proceedings.
(8) In paragraph (7),
references to a client of a professional legal adviser include references to
any person representing such a client.
(9) A
person shall not be required by virtue of this Article to furnish the
Commissioner with any information if the furnishing of that information would,
by revealing evidence of the commission of any offence other than an offence
under this Law, expose the person to proceedings for that offence.
(10) The
Commissioner may cancel an information notice by written notice served on the
person on whom the information notice was served.
(11) Nothing
in paragraph (1) prevents the Commissioner from serving notices under that
paragraph on both a data controller and a data processor.
(12) If the Commissioner
serves a notice on a data processor under this Article, the Commissioner shall
serve a copy of the notice on the data controller on whose behalf the data
processor processes data (being data or processing relevant to the information
notice).
44 Special
information notices
(1) If
the Commissioner –
(a) has
received a request under Article 42 in respect of any processing of
personal data; or
(b) has
reasonable grounds for suspecting, in a case in which proceedings have been
stayed under Article 32, that the personal data to which the proceedings
relate –
(i) are not being
processed only for the special purposes, or
(ii) are not being
processed with a view to the publication by any person of any journalistic,
literary or artistic material that has not previously been published by the
data controller,
the Commissioner may by notice served on the data processor
concerned in the processing (or on the data controller on behalf of whom the
processing is carried out) require the person served with the notice to furnish
the Commissioner within a specified time and in a specified form (if any) with
specified information for the purpose specified in paragraph (2).
(2) That
purpose is the purpose of ascertaining –
(a) whether
the personal data are being processed only for the special purposes; or
(b) whether
they are being processed with a view to the publication by any person of any
journalistic, literary or artistic material that has not previously been
published by the data controller.
(3) A
special information notice shall contain –
(a) in
a case falling within paragraph (1)(a) – a statement that the
Commissioner has received a request under Article 42 in relation to the
specified processing; or
(b) in
a case falling within paragraph (1)(b), a statement of the
Commissioner’s grounds for suspecting that the personal data are not
being processed as mentioned in that sub-paragraph.
(4) A
special information notice shall also contain particulars of the rights of
appeal conferred by Article 48.
(5) A
special information notice shall not require any of the provisions of the
notice to be complied with before the end of the period within which an appeal
can be brought against the notice and, if such an appeal is brought, the notice
need not be complied with until the determination or withdrawal of the appeal.
(6) However,
if by reason of special circumstances the Commissioner considers that a special
information notice should be complied with as a matter of urgency, the
Commissioner may include in the notice a statement to that effect and a
statement of the reasons for reaching that conclusion.
(7) In
that case, paragraph (5) shall not apply but the notice shall not require
compliance before the end of the period of 7 days beginning with the day
on which the notice is served.
(8) A
person shall not be required by virtue of this Article to furnish the
Commissioner with any information in respect of –
(a) any
communication between a professional legal adviser and a client in connection
with the giving of legal advice to the client with respect to the
latter’s obligations, liabilities or rights under this Law; or
(b) any
communication between a professional legal adviser and a client, or between
such an adviser or client and any other person, made in connection with or in
contemplation of proceedings under or arising out of this Law (including
proceedings before the Tribunal) and for the purposes of such proceedings.
(9) In paragraph (8),
references to a client of a professional legal adviser include references to
any person representing such a client.
(10) A person
shall not be required by virtue of this Article to furnish the Commissioner
with any information if the furnishing of that information would, by revealing
evidence of the commission of any offence other than an offence under this Law,
expose the person to proceedings for that offence.
(11) The
Commissioner may cancel a special information notice by written notice served
on the person on whom the special information notice was served.
(12) Nothing
in paragraph (1) prevents the Commissioner from serving notices under that
paragraph on both a data controller and a data processor.
(13) If the
Commissioner serves a notice on a data processor under this Article, the
Commissioner shall serve a copy of the notice on the data controller on whose
behalf the data processor processes data (being processing relevant to the
notice).
45 Determination
by Commissioner as to the special purposes
(1) If
it appears to the Commissioner (whether following the service of a special information
notice or otherwise) that any personal data –
(a) are
not being processed only for the special purposes; or
(b) are
not being processed with a view to the publication by any person of any
journalistic, literary or artistic material that has not previously been
published by the data controller,
the Commissioner may make a determination in writing to that effect.
(2) The
Commissioner shall give notice of the determination to the relevant data
controller.
(3) The
notice shall contain particulars of the right of appeal conferred by Article 48.
(4) The
determination shall not take effect until the end of the period within which an
appeal can be brought against the determination and, if such an appeal is
brought, the determination shall not take effect until the determination or
withdrawal of the appeal.
46 Special
purposes: no notices without prior determination etc.
(1) The
Commissioner shall not serve an enforcement notice on a data controller with
respect to the processing of personal data for the special purposes unless –
(a) a
determination under Article 45(1) with respect to those data has taken
effect; and
(b) the
Court has granted leave for the notice to be served.
(2) The
Court shall not grant such leave unless it is satisfied –
(a) that
the Commissioner has reason to suspect a contravention of the data protection
principles that is of substantial public importance; and
(b) except
where the case is one of urgency, that the data controller has been given
notice, in accordance with rules of court, of the application for leave.
(3) The
Commissioner shall not serve an information notice with respect to the
processing of personal data for the special purposes unless a determination
under Article 45(1) with respect to those data has taken effect.
47 Failure
to comply with notice
(1) A
person who fails to comply with an enforcement notice, information notice or
special information notice is guilty of an offence.
(2) A
person is guilty of an offence if the person, in purported compliance with an
information notice or special information notice –
(a) makes
a statement that the person knows to be false in a material respect; or
(b) recklessly
makes a statement that is false in a material respect.
(3) It
is a defence for a person charged with an offence under paragraph (1) to
prove that the person exercised all due diligence to comply with the notice in
question.
48 Rights
of appeal
(1) A
person on whom an enforcement notice, information notice or special information
notice (or a copy of an information notice or of a special information notice)
has been served under this Law may appeal to the Tribunal against the notice.
(2) A
person on whom an enforcement notice has been served may appeal to the Tribunal
against the refusal of an application under Article 41(3) for cancellation
or variation of the notice.
(3) If
an enforcement notice, information notice or special information notice
contains a statement by the Commissioner in accordance with (respectively) Article 40(9),
43(5) or 44(6) then, whether or not a person entitled to appeal against the
notice does so, the person may appeal against –
(a) the
Commissioner’s decision to include the statement in the notice; or
(b) the
effect of the inclusion of the statement as respects any part of the notice.
(4) A
data controller in respect of whom a determination has been made under Article 45
may appeal to the Tribunal against the determination.
(5) Schedule
6 has effect in relation to appeals under this Article and the proceedings of
the Tribunal in respect of any such appeal.
49 Determination
of appeal
(1) The
Tribunal shall allow an appeal under Article 48(1) if it decides –
(a) that
the notice against which the appeal is brought is not in accordance with the
law; or
(b) to
the extent that the notice involved an exercise of discretion by the
Commissioner, that the Commissioner ought to have exercised the discretion
differently.
(2) If
it does not come to such a decision on an appeal under Article 48(1), the
Tribunal shall dismiss the appeal.
(3) In
allowing such an appeal, the Tribunal may, but need not, substitute such other
notice or decision as could have been served or made by the Commissioner.
(4) On
an appeal under Article 48(1), the Tribunal may review any determination
of fact on which the notice in question was based.
(5) If
on an appeal under Article 48(2) the Tribunal considers that the
enforcement notice ought to be cancelled or varied by reason of a change in
circumstances, the Tribunal shall cancel or vary the notice.
(6) On
an appeal under Article 48(3) the Tribunal may direct –
(a) that
the notice in question shall have effect as if it did not contain any such
statement as is mentioned in that paragraph; or
(b) that
the inclusion of the statement shall not have effect in relation to any part of
the notice,
and may make such modifications to the notice as may be required for
giving effect to the direction.
(7) On
an appeal under Article 48(4), the Tribunal may cancel the determination
of the Commissioner.
(8) A
party to an appeal to the Tribunal under Article 48 may appeal from the
decision of the Tribunal on a question of law to the Court.
50 Entry
and search of premises, obtaining of information
Schedule 9 has effect.
PART 6
GENERAL
Functions of Commissioner
51 General
duties of Commissioner
(1) It
shall be the duty of the Commissioner to promote the following of good practice
by data controllers and, in particular, so to perform the Commissioner’s
functions under this Law as to promote the observance of the requirements of
this Law by data controllers.
(2) The
Commissioner shall arrange for the dissemination in such form and manner as the
Commissioner considers appropriate of such information as it may appear to the
Commissioner expedient to give to the public about the operation of this Law,
about good practice, and about other matters within the scope of the
Commissioner’s functions under this Law, and may give advice to any
person as to any of those matters.
(3) If
the Committee so directs, or the Commissioner considers it appropriate to do
so, the Commissioner shall, after such consultation with trade associations,
data subjects or persons representing data subjects as appears to the
Commissioner appropriate, prepare and disseminate to such persons as the
Commissioner considers appropriate codes of practice for guidance as to good
practice.
(4) A
direction under paragraph (3) shall describe the personal data or
processing to which the code of practice is to relate, and may also describe
the persons or classes of persons to whom it is to relate.
(5) The
Commissioner shall also –
(a) if
the Commissioner considers it appropriate to do so – encourage trade
associations to prepare, and to disseminate to their members, codes of practice
for guidance as to good practice; and
(b) if
a trade association submits a code of practice for the Commissioner’s
consideration – consider the code and, after such consultation with data
subjects or persons representing data subjects as appears to the Commissioner
to be appropriate, notify the trade association whether in the Commissioner’s
opinion the code promotes good practice.
(6) The
Commissioner shall arrange for the dissemination in such form and manner as the
Commissioner considers appropriate of –
(a) any
Community finding as defined by paragraph 15(2) of Schedule 1 Part 2;
(b) any
decision of the European Commission, under the procedure provided for in Article 31(2)
of the Data Protection Directive, made for the purposes of Article 26(3)
or (4) of the Directive; and
(c) such
other information as it may appear to the Commissioner to be expedient to give
to data controllers (in relation to any personal data) about the protection of
the rights and freedoms of data subjects in relation to the processing of
personal data in countries and territories outside the European Economic Area.
(7) The
Commissioner may, with the consent of the relevant data controller, assess any
processing of personal data for the following of good practice and shall inform
the data controller of the results of the assessment.
(8) The
Commissioner may charge such fees as the Commissioner thinks fit for any
services provided by the Commissioner under this Law.
(9) In
this Article –
“good practice” means such practice in the processing of personal data as
appears to the Commissioner to be desirable having regard to the interests of
data subjects and others, and includes (but is not limited to) compliance with
the requirements of this Law;
“trade association” includes any body representing data controllers.
52 Reports
and codes of practice to be laid before Committee and States
(1) The Commissioner shall prepare a
report on the activities of the Commissioner in each financial year.
(2) The Commissioner shall provide the
Committee with the report as soon as practicable after the end of the financial
year to which the report relates, but in no case later than 6 months after the
end of that year.
(3) The
Commissioner may also provide the Committee with other reports relating to the
Commissioner’s functions or activities.
(4) The
Commissioner shall also provide the Committee with a copy of any code of
practice prepared under Article 51(3), unless the code is included in any
report provided to the Committee.
(5) The
Committee shall lay a copy of a report, or of a code, so provided before the
States as soon as practicable after the Committee receives the report or a copy
of the code.
53 Assistance
by Commissioner in cases involving processing for the special purposes
(1) An
individual who is an actual or prospective party to proceedings (whether actual
or prospective) under Article 7(12), 10(4), 12(7) or 14, or by virtue of Article 13,
that relate to personal data processed for the special purposes may apply to
the Commissioner for assistance in relation to those proceedings.
(2) The
Commissioner shall, as soon as reasonably practicable after receiving an
application under paragraph (1), consider it and decide to what extent to
grant it, but shall not grant the application unless, in the opinion of the
Commissioner, the case involves a matter of substantial public importance.
(3) If
the Commissioner decides to provide assistance, the Commissioner shall, as soon
as reasonably practicable after making the decision, notify the applicant,
stating the extent of the assistance to be provided.
(4) If
the Commissioner decides not to provide assistance, the Commissioner shall, as
soon as reasonably practicable after making the decision, notify the applicant
of the decision and give reasons for it.
(5) In
this Article –
“prospective party”, in relation to actual or prospective proceedings, means an
individual who, in the opinion of the Commissioner, has a reasonable prospect
of success in those proceedings or a reasonable interest in those proceedings;
“prospective proceedings” means proceedings that, if they took place, would, in the
opinion of the Commissioner, have a reasonable basis.
(6) Schedule
10 has effect.
54 International
co-operation
(1) The
Commissioner shall continue to be the designated authority in Jersey for the
purposes of Article 13 of the Convention for the Protection of Individuals
with regard to Automatic Processing of Personal Data, which was opened for
signature on 28th January 1981.
(2) The
States may by Regulations make provision as to the functions to be performed by
the Commissioner as the designated authority in Jersey for the purposes of Article 13
of the Convention.
(3) The
States may by Regulations make provision enabling, or as to, co-operation by
the Commissioner with the European Commission and with supervisory authorities
in EEA States in connection with the performance of their respective duties
and, in particular, enabling or as to –
(a) the
exchange of information with supervisory authorities in EEA States or with the
European Commission; and
(b) the
exercise within Jersey at the request of a supervisory authority in an EEA
State, in cases excluded by Article 5 from the application of the other
provisions of this Law, of functions of the Commissioner specified in the
Regulations.
(4) The
Commissioner shall also carry out any data protection functions (that is,
functions relating to the protection of individuals with respect to the
processing of personal information) that the States may by Regulations direct
for the purpose of enabling Jersey to give effect to any of its international
obligations.
Unlawful obtaining etc. of personal data
55 Unlawful
obtaining etc. of personal data
(1) A
person shall not knowingly or recklessly, without the consent of the relevant
data controller –
(a) obtain
or disclose personal data or the information contained in personal data; or
(b) procure
the disclosure to another person of the information contained in personal data.
(2) A
person who contravenes paragraph (1) is guilty of an offence.
(3) A
person does not contravene paragraph (1) if the person shows that –
(a) the
obtaining, disclosing or procuring was necessary for the purpose of preventing
or detecting crime, or was required or authorized by or under any enactment, by
any rule of law or by the order of a court;
(b) the
person acted in the reasonable belief that the person had in law the right to
obtain or disclose the data or information or, as the case may be, to procure
the disclosure of the information to the other person;
(c) the
person acted in the reasonable belief that the person would have had the consent
of the data controller if the data controller had known of the obtaining,
disclosing or procuring and the circumstances of it; or
(d) in
the circumstances of the case, the obtaining, disclosing or procuring was
justified as being in the public interest.
(4) A
person who sells personal data is guilty of an offence if the person has
obtained the data in contravention of paragraph (1).
(5) A
person who offers to sell personal data is guilty of an offence if –
(a) the
person has obtained the data in contravention of paragraph (1); or
(b) the
person subsequently obtains the data in contravention of that paragraph.
(6) For
the purposes of paragraph (5), an advertisement indicating that personal
data are or may be for sale is an offer to sell the data.
(7) For
the purposes of this Article, Article 1(2) does not apply.
(8) For
the purposes of paragraphs (4) to (6), “personal data”
includes information extracted from personal data.
Records obtained under data
subject’s right of access
56 Requirement
to produce certain records illegal
(1) A
person shall not, in connection with –
(a) the
recruitment of another person as an employee;
(b) the
continued employment of another person; or
(c) any
contract for the provision of services to the person by another person,
require that other person or a third party to supply or produce a
relevant record to the first person.
(2) A
person concerned with the provision (for payment or not) of goods, facilities
or services to the public (or a section of the public) shall not, as a
condition of providing or offering to provide any goods, facilities or services
to another person, require that other person or a third party to supply or
produce a relevant record to the first person.
(3) A
person does not contravene paragraph (1) or (2) if the person shows that –
(a) the
imposition of the requirement was required or authorized by or under any
enactment, by any rule of law or by the order of a court; or
(b) in
the particular circumstances the imposition of the requirement was justified as
being in the public interest.
(4) A
person who contravenes paragraph (1) or (2) shall be guilty of an offence.
(5) For
the purposes of this Article, a record that states that a data controller is
not processing any personal data relating to a particular matter shall be taken
to be a record containing information relating to that matter.
(6) In
this Article (including the Table to this Article) –
“caution”
means a caution given to any person in Jersey in respect of an offence that, at
the time when the caution is given, is admitted;
“conviction” has the same meaning as in the Rehabilitation of Offenders (Jersey) Law 2001;[9]
“employee”
means an individual who works under a contract of employment, or holds any
office, whether or not entitled to remuneration and “employment” shall be construed accordingly;
“relevant record” means any record that –
(a) has
been or is to be obtained by a data subject from a data controller specified in
the first column of the Table to this Article in the exercise of the right conferred
by Article 7; and
(b) contains
information relating to a matter specified in relation to the data controller
in the second column of that Table,
and includes a copy of such a record or a part of such a record.
(7) The
States may by Regulations amend the Table to this Article and the definitions
of “caution” and “conviction” in paragraph (6).
TABLE
| Data controller | Subject-matter |
| 1. Chief Officer of the States of Jersey Police Force | Convictions, cautions |
| 2. A member of the honorary police of any of the 12 Parishes of Jersey | Cautions |
| 3. Home Affairs Committee | Convictions, cautions, functions of that Committee under the Prison (Jersey) Law 1957[10] |
| 4. Employment and Social Security Committee | Convictions, cautions, functions of that Committee under any enactment of Jersey |
57 Certain
contractual terms relating to health records void
(1) A
term, or condition, of a contract is void in so far as it purports to require
an individual to supply, or produce, to any other person a record to which this
Article applies, or with a copy of such a record or a part of such a record.
(2) This
Article applies to any record that may be obtained by a data subject in the
exercise of the right conferred by Article 7 and consists of the
information contained in any health record.
Information provided to Commissioner or
Tribunal
58 Disclosure
of information
An enactment or rule of law prohibiting or restricting the
disclosure of information shall not prevent a person from furnishing the
Commissioner or the Tribunal with any information necessary for the discharge
of their functions under this Law.
59 Confidentiality
of information
(1) A
person who is or has been the Commissioner, a member of the
Commissioner’s staff or an agent of the Commissioner shall not, except
with lawful authority, disclose information that –
(a) has
been obtained by, or furnished to, the Commissioner under or for the purposes
of this Law;
(b) relates
to an identified or identifiable individual or business; and
(c) is
not at the time of the disclosure, and has not previously been, available to
the public from other sources.
(2) For
the purposes of paragraph (1), a disclosure of information is made with
lawful authority if –
(a) the
disclosure is made with the consent of the individual or of the person for the
time being carrying on the business;
(b) the
information was provided for the purpose of its being made available to the
public (in whatever manner) under this Law;
(c) the
disclosure is made for the purposes of, and is necessary for, the discharge of
a function under this Law, or of an obligation under an agreement, or other
instrument, of the European Community;
(d) the
disclosure is made for the purposes of any proceedings, whether criminal or
civil and whether arising under, or by virtue of, this Law or otherwise; or
(e) having
regard to the rights and freedoms or legitimate interests of any person, the
disclosure is necessary in the public interest.
(3) A person who knowingly or recklessly discloses information in
contravention of paragraph (1) is guilty of an offence.
60 False
information
(1) Any
person who knowingly or recklessly provides the Commissioner, or any other
person entitled to information under this Law, or under Regulations made under
this Law, with information that is false or misleading in a material particular
shall be guilty of an offence if the information is provided –
(a) in
purported compliance with a requirement imposed under this Law or under
Regulations made under this Law; or
(b) otherwise
than as mentioned in sub-paragraph (a) but in circumstances in which the
person providing the information intends, or could reasonably be expected to
know, that the information would be used by the Commissioner for the purpose of
carrying out the Commissioner’s functions under this Law.
(2) Any
person who knowingly or recklessly provides the Commissioner, or any other
person entitled to information under this Law, with information that is false
or misleading in a material particular shall be guilty of an offence if the
information is provided in connection with an application under this Law.
(3) A
person who is guilty of an offence against this Article shall be liable to a
term of imprisonment of 5 years and to a fine.
61 General
provisions relating to offences
(1) Proceedings
for an offence under this Law shall not be instituted except by or with the
consent of the Attorney General.
(2) A
person guilty of an offence under this Law shall be liable, except where this
Law otherwise provides –
(a) on
conviction on indictment – to a fine; or
(b) on
summary conviction – to a fine of level 4 on the standard
scale.
(3) A
court by or before which a person is convicted of –
(a) an
offence under Article 21(1), 22(7), 55 or 56;
(b) an
offence under Article 21(2) relating to processing that is assessable
processing for the purposes of Article 22; or
(c) an
offence under Article 47(1) relating to an enforcement notice,
may order any document or other material used in connection with the
processing of personal data and appearing to the court to be connected with the
commission of the offence to be forfeited, destroyed or erased.
(4) A
court shall not make an order under paragraph (3) in relation to any
material if a person (other than the offender) claiming to be the owner of, or
otherwise interested in, the material applies to be heard by the court, unless
an opportunity is given to the person to show cause why the order should not be
made.
62 Liability
for offences
(1) Where
an offence under this Law, or under Regulations made under this Law, committed
by a limited liability partnership or body corporate is proved to have been
committed with the consent or connivance of, or to be attributable to any
neglect on the part of –
(a) a
person who is a partner of the partnership, or director, manager, secretary or
other similar officer of the body corporate; or
(b) any
person purporting to act in any such capacity,
the person shall also be guilty of the offence and liable in the
same manner as the partnership or body corporate to the penalty provided for
that offence.
(2) If
the affairs of a body corporate are managed by its members, paragraph (1)
shall apply in relation to acts and defaults of a member in connection with the
member’s functions of management as if the member were a director of the
body corporate.
(3) A
person who aids, abets, counsels or procures the commission of an offence under
this Law shall also be guilty of the offence and liable in the same manner as a
principal offender to the penalty provided for that offence.
General
63 Application
to public sector
(1) This
Law binds the Crown.
(2) This
Law applies to the States and any Committee, department, or administration, of
the States.
(3) For
the purposes of this Law, each department, or administration, of the States
shall be taken to be a separate person.
(4) For
the purposes of this Law, if an order, requirement, direction, notice or other
instrument is imposed or served on the head of a department of the States or
the head of an administration of the States, it is taken to have been imposed
or served on the department or administration, and the head shall ensure that
if it requires compliance, it is complied with.
64 Transmission
of notices etc. by electronic or other means
(1) This
Article applies to –
(a) a
notice or request under Part 2;
(b) a
written request under Article 24(1) and particulars made available under
that paragraph; and
(c) an
application under Article 41(3),
but does not apply to anything required to be served in accordance
with rules of court.
(2) The
requirement that any notice, request, particulars or application to which this
Article applies should be in writing is satisfied if the text of the notice,
request, particulars or application –
(a) is
transmitted by electronic means;
(b) is
received in legible form; and
(c) is
capable of being used for subsequent reference.
(3) The
States may by Regulations provide that any requirement that any notice,
request, particulars or application to which this Article applies should be in
writing is not to apply in such circumstances as may be prescribed by the
Regulations.
65 Service
of notices etc.
(1) A
notice required by this Law to be given to the Commissioner shall not be
regarded as given until it is in fact received by the Commissioner.
(2) A
notice or other document required or authorized under this Law or under
Regulations made under this Law to be given to the Commissioner may be given by
facsimile, other electronic transmission, or by any other means by which the
Commissioner may obtain or recreate the notice or document in a form legible to
the naked eye.
(3) Any
notice, direction or other document required or authorized by or under this Law
to be given to or served on any person other than the Commissioner may be given
or served –
(a) by
delivering it to the person;
(b) by leaving
it at the person’s proper address;
(c) by
sending it by post to the person at that address; or
(d) by
sending it to the person at that address by facsimile, other electronic
transmission, or by any other means by which the notice, direction or document
may be obtained or recreated in a form legible to the naked eye.
(4) Without
limiting the generality of paragraph (3), any such notice, direction or
other document may be given to or served on a partnership, company incorporated
outside Jersey or unincorporated association by being given to or served –
(a) in
any case – on a person who is, or purports (under whatever
description) to act as, its secretary, clerk or other similar officer;
(b) in
the case of a partnership – on the person having the control or
management of the partnership business;
(c) in
the case of a partnership or company incorporated outside Jersey – on
a person who is a principal person in relation to it (within the meaning of the
Financial Services (Jersey) Law 1998[11]); or
(d) by being
delivered to the registered or administrative office of a person referred to in
sub-paragraph (a), (b) or (c) if the person is a body corporate.
(5) For
the purposes of this Article and of Article 12 of the Interpretation (Jersey) Law 1954,[12] the proper address of any
person to or on whom a notice, direction or other document is to be given or
served by post shall be the person’s last known address, except that –
(a) in
the case of a company (or person referred to in paragraph (4) in relation
to a company incorporated outside Jersey) – it shall be the address
of the registered or principal office of the company in Jersey; and
(b) in
the case of a partnership (or person referred to in paragraph (4) in
relation to a partnership) – it shall be the address of the
principal office of the partnership in Jersey.
(6) If
the person to or on whom any notice, direction or other document referred to in
paragraph (3) is to be given or served has notified the Commissioner of an
address within Jersey, other than the person’s proper address within the
meaning of paragraph (5), as the one at which the person or someone on the
person’s behalf will accept documents of the same description as that
notice, direction or other document, that address shall also be treated for the
purposes of this Article and Article 12 of the Interpretation (Jersey) Law 1954[13] as the person’s proper
address.
(7) If
the name or the address of any owner, lessee or occupier of premises on whom
any notice, direction or other document referred to in paragraph (3) is to
be served cannot after reasonable enquiry be ascertained it may be served by –
(a) addressing
it to the person on whom it is to be served by the description of
“owner”, “lessee” or “occupier” of the
premises;
(b) specifying
the premises on it; and
(c) delivering
it to some responsible person resident or appearing to be resident on the
premises or, if there is no person to whom it can be delivered, by affixing it,
or a copy of it, to some conspicuous part of the premises.
66 Limitation
of civil liability for administration of Law
(1) A
person or body to whom this paragraph applies shall not be liable in damages
for anything done or omitted in the discharge or purported discharge of any
functions under this Law or under Regulations made under this Law unless it is
shown that the act or omission was in bad faith.
(2) Paragraph
(1) applies to –
(a) the
Commissioner; and
(b) any
member of the staff of the Commissioner.
67 Regulations
(1) The
States may by Regulations make provision for the purpose of carrying this Law
into effect and, in particular, but without prejudice to the generality of the
foregoing, for or with respect to any matter that may be prescribed under this
Law by Regulations.
(2) Regulations
made under this Law may –
(a) make
different provision in relation to different cases or circumstances;
(b) apply
in respect of particular persons or particular cases or particular classes of
persons or particular classes of cases, and define a class by reference to any
circumstances whatsoever; or
(c) contain
such transitional, consequential, incidental or supplementary provisions as
appear to the States to be necessary or expedient for the purposes of the
Regulations.
(3) Regulations
made under this Law may create an offence punishable by a fine of level 4 on
the standard scale.[14]
68 Interim
modifications of Law
Before the end of the second transitional period, this Law shall
have effect subject to the modifications set out in Schedule 11.
69 Transitional
provisions and savings
Schedule 12 has effect.
70 Consequential
amendments
The enactments specified in Schedule 13 shall be amended as set out
in that Schedule.
71 Repeal
The Data Protection (Jersey) Law 1987[15] shall be repealed.
72 Citation
and commencement
(1) This
Law may be cited as the Data Protection
(Jersey) Law 2005.
(2) Articles 1-3,
25(1) and (4), 26 and 69, this Article and paragraph 13 of Schedule 5, as
well as so much of any other provision of this Law as confers any power to make
Regulations, shall come into force on the day on which this Law is passed.
(3) Except
as provided by paragraph (2), this Law shall come into force on such day
as the States may by Act appoint, and different days may be appointed for
different purposes.
D.C.G. FILIPPONI
Assistant Greffier of the States.
SCHEDULE 1
(Article 4(1))
PART 1
THE DATA PROTECTION PRINCIPLES
1 First
principle
Personal data shall be processed fairly and lawfully and, in
particular, shall not be processed unless –
(a) in
every case – at least one of the conditions set out in paragraphs
1-6 of Schedule 2 is met; and
(b) in
the case of sensitive personal data – at least one of the conditions
in paragraphs 1-10 of Schedule 3 is also met.
2 Second
principle
Personal data shall be obtained only for one or more specified and
lawful purposes, and shall not be further processed in any manner incompatible
with that purpose or those purposes.
3 Third
principle
Personal data shall be adequate, relevant and not excessive in
relation to the purpose or purposes for which they are processed.
4 Fourth
principle
Personal data shall be accurate and, where necessary, kept up to
date.
5 Fifth
principle
Personal data processed for any purpose or purposes shall not be
kept for longer than is necessary for that purpose or those purposes.
6 Sixth
principle
Personal data shall be processed in accordance with the rights of
data subjects under this Law.
7 Seventh
principle
Appropriate technical and organisational measures shall be taken
against unauthorized or unlawful processing of personal data and against
accidental loss or destruction of, or damage to, personal data.
8 Eighth
principle
Personal data shall not be transferred to a country or territory
outside the European Economic Area unless that country or territory ensures an
adequate level of protection for the rights and freedoms of data subjects in
relation to the processing of personal data.
PART 2
(Article 4(2))
INTERPRETATION OF DATA PROTECTION
PRINCIPLES
1 First
principle: source
(1) In
determining for the purposes of the first principle whether personal data are
processed fairly, regard is to be had to the method by which they are obtained,
including in particular whether any person from whom they are obtained is
deceived or misled as to the purpose or purposes for which they are to be
processed.
(2) Subject
to paragraph 2, for the purposes of the first principle data are to be
treated as obtained fairly if they consist of information obtained from a
person who –
(a) is
authorized by or under any enactment to supply it; or
(b) is
required to supply it by or under any enactment or by any convention or other
instrument imposing an international obligation on Jersey.
2 First
principle: specified information at relevant time
(1) Subject
to paragraph 3, for the purposes of the first principle personal data are
not to be treated as processed fairly unless –
(a) in
the case of data obtained from the data subject – the data controller ensures
so far as practicable that the data subject has, is provided with, or has made
readily available to him or her, the specified information; or
(b) in
any other case – the data controller ensures so far as practicable that, before
the relevant time or as soon as practicable after that time, the data subject
has, is provided with, or has made readily available to him or her, the specified
information.
(2) For
the purposes of this paragraph, the relevant time is –
(a) in
any case – the time when the data controller first processes the
data; or
(b) in
a case where, at the time when the data controller first processes the data,
disclosure of the data to a third party within a reasonable period is envisaged –
(i) if the data are
in fact disclosed to a third party within a reasonable period – the
time when the data are first disclosed,
(ii) if within that
period the data controller becomes, or ought to become, aware that the data are
unlikely to be disclosed to such a person within that period – the
time when the data controller does become, or ought to become, so aware, or
(iii) in any other case – the
end of that period.
(3) For
the purposes of this paragraph, the specified information is all of the
following –
(a) the
identity of the data controller;
(b) the
identity of the representative (if any) nominated by the data controller under
Article 5;
(c) the
purpose or purposes for which the data are intended to be processed; and
(d) any
further information that is necessary, having regard to the specific
circumstances in which the data are or are to be processed, to enable
processing in respect of the data subject to be fair.
3 First
principle: primary and other conditions
(1) Paragraph 2(1)(b)
does not apply if either of the primary conditions, together with such further
conditions as may be prescribed by Regulations, are met.
(2) For
the purposes of this paragraph, the primary conditions are –
(a) that
the provision of the specified information would involve a disproportionate
effort on the part of the data controller; and
(b) that
the recording of the information to be contained in the data by, or the
disclosure of the data by, the data controller is necessary for compliance with
any legal obligation to which the data controller is subject, other than an
obligation imposed by contract.
4 First
principle: general identifier
(1) For
the purposes of the first principle, personal data that contain a general
identifier falling within such description as may be prescribed by Regulations
are not to be treated as processed fairly and lawfully unless they are
processed in compliance with any conditions so prescribed in relation to
general identifiers of that description.
(2) In
this paragraph, “general identifier” means any identifier (for
example, a number or code used for identification purposes) that relates to an
individual and forms part of a set of similar identifiers that is of general
application.
5 Second
principle: how purpose specified
For the purposes of the second principle, the purpose or purposes
for which personal data are obtained may in particular be specified –
(a) in
a notice (if any) given for the purposes of paragraph 2 by the data
controller to the data subject; or
(b) in
a notification given to the Commissioner under Part 3 of this Law.
6 Second
principle: purpose of processing after disclosure
For the purposes of the second principle, in determining whether any
disclosure of personal data is compatible with the purpose or purposes for
which the data were obtained, regard is to be had to the purpose or purposes
for which the personal data are intended to be processed by any person to whom
they are disclosed.
7 Fourth
principle
The fourth principle is not to be regarded as being contravened by
reason of any inaccuracy in personal data that accurately record information
obtained by the data controller from the data subject or a third party in a
case where –
(a) having
regard to the purpose or purposes for which the data were obtained and further
processed, the data controller has taken reasonable steps to ensure the
accuracy of the data; and
(b) if
the data subject has notified the data controller of the data subject’s
view that the data are inaccurate – the data indicate that fact.
8 Sixth
principle
A person is to be regarded as contravening the sixth principle if
the person fails –
(a) to
supply information in accordance with Article 7;
(b) to
comply with a notice given under Article 10(1) to the extent that the
notice is justified;
(c) to
give a notice under Article 10(3);
(d) to
comply with a notice given under Article 11(1);
(e) to
comply with a notice given under Article 12(1) or (2)(b); or
(f) to
give a notification under Article 12(2)(a) or a notice under Article 12(3).
9 Seventh
principle: appropriateness of measures
For the purposes of the seventh principle, the measures shall
ensure, having regard to the state of technological development and the cost of
implementing any measures, a level of security appropriate to –
(a) the
harm that might result from unauthorized or unlawful processing of, or
accidental loss, destruction or damage to, the personal data; and
(b) the
nature of the personal data to be protected.
10 Seventh
principle: reliability of employees
For the purposes of the seventh principle, the data controller shall
take reasonable steps to ensure the reliability of any employees of the data
controller who have access to the personal data.
11 Seventh
principle: reliability of data processor
If processing of personal data is carried out by a data processor on
behalf of a data controller, the data controller shall in order to comply with
the seventh principle –
(a) choose
a data processor providing sufficient guarantees in respect of the technical
and organisational security measures governing the processing to be carried
out; and
(b) take
reasonable steps to ensure compliance with those measures.
12 Seventh
principle: processing contract to ensure reliability
If processing of personal data is carried out by a data processor on
behalf of a data controller, the data controller is not to be regarded as
complying with the seventh principle unless the processing is carried out under
a contract –
(a) that
is made or evidenced in writing;
(b) under
which the data processor is to act only on instructions from the data
controller; and
(c) that
requires the data processor to comply with obligations equivalent to those
imposed on a data controller by the seventh principle.
13 Eighth
principle: what is adequate protection in foreign country
For the purposes of the eighth principle, an adequate level of
protection is one that is adequate in all the circumstances of the case, having
regard in particular to –
(a) the
nature of the personal data;
(b) the
country or territory of origin of the information contained in the data;
(c) the
country or territory of final destination of that information;
(d) the
purposes for which and period during which the data are intended to be
processed;
(e) the
law in force in the country or territory in question;
(f) the
international obligations of that country or territory;
(g) any
relevant codes of conduct or other rules that are enforceable in that country
or territory (whether generally or by arrangement in particular cases); and
(h) any
security measures taken in respect of the data in that country or territory.
14 Exceptions
to eighth principle
The eighth principle does not apply to a transfer falling within any
of paragraphs 1-9 of Schedule 4, except in such circumstances and to such
extent as may be prescribed by Regulations.
15 Eighth
principle: Community finding decisive
(1) If
in any proceedings under this Law any question arises as to whether the
requirement of the eighth principle as to an adequate level of protection is
met in relation to the transfer of any personal data to a country or territory
outside the European Economic Area, and a Community finding has been made in
relation to transfers of the kind in question, that question is to be
determined in accordance with that finding.
(2) In
this paragraph “Community finding” means a finding of the European
Commission, under the procedure provided for in Article 31(2) of the Data
Protection Directive, that a country or territory outside the European Economic
Area does, or does not, ensure an adequate level of protection within the
meaning of Article 25(2) of the Directive.
SCHEDULE 2
(Article 4(3) and Schedule 1 Part 1, paragraph 1(a))
FIRST PRINCIPLE: CONDITIONS FOR PROCESSING
OF ANY PERSONAL DATA
1 Consent
The data subject has consented to the processing.
2 Processing
necessary for contract
The processing is necessary for –
(a) the
performance of a contract to which the data subject is a party; or
(b) the
taking of steps at the request of the data subject with a view to entering into
a contract.
3 Processing
under legal obligation
The processing is necessary for compliance with any legal obligation
to which the data controller is subject, other than an obligation imposed by
contract.
4 Processing
to protect vital interests
The processing is necessary in order to protect the vital interests
of the data subject.
5 Processing
necessary for exercise of public functions
The processing is necessary for –
(a) the
administration of justice;
(b) the
exercise of any functions conferred on any person by or under any enactment;
(c) the
exercise of any functions of the Crown, the States or any public authority; or
(d) the
exercise of any other functions of a public nature exercised in the public
interest by any person.
6 Processing
for legitimate interests
The processing is necessary for the purposes of legitimate interests
pursued by the data controller or by the third party or parties to whom the
data are disclosed, except if the processing is unwarranted in any particular
case by reason of prejudice to the rights and freedoms or legitimate interests
of the data subject.
7 Regulations
about legitimate interests
The States may by Regulations specify particular circumstances in
which the condition set out in paragraph 6 is, or is not, to be taken to be
satisfied.
SCHEDULE 3
(Article 4(3) and Schedule 1 Part 1, paragraph 1(b))
FIRST PRINCIPLE: CONDITIONS FOR PROCESSING
OF SENSITIVE PERSONAL DATA
1 Consent
The data subject has given explicit consent to the processing of the
personal data.
2 Employment
The processing is necessary for the purposes of exercising or
performing any right, or obligation, conferred or imposed by law on the data
controller in connection with employment.
3 Vital
interests
The processing is necessary –
(a) in
order to protect the vital interests of the data subject or another person, in
a case where consent cannot be given by or on behalf of the data subject, or
the data controller cannot reasonably be expected to obtain the consent of the
data subject; or
(b) in
order to protect the vital interests of another person, in a case where consent
by or on behalf of the data subject has been unreasonably withheld.
4 Non-profit
associations
The processing –
(a) is
carried out in the course of its legitimate activities by any body, or
association, that is not established or conducted for profit, and exists for
political, philosophical, religious or trade-union purposes;
(b) is
carried out with appropriate safeguards for the rights and freedoms of data
subjects;
(c) relates
only to individuals who are members of the body or association or have regular
contact with it in connection with its purposes; and
(d) does
not involve disclosure of the personal data to a third party without the
consent of the data subject.
5 Data
subject has made information public
The information contained in the personal data has been made public
as a result of steps deliberately taken by the data subject.
6 Legal
proceedings etc.
The processing –
(a) is
necessary for the purpose of, or in connection with, any legal proceedings;
(b) is
necessary for the purpose of obtaining legal advice; or
(c) is
otherwise necessary for the purposes of establishing, exercising or defending
legal rights.
7 Public
functions
The processing is necessary for –
(a) the
administration of justice;
(b) the
exercise of any functions conferred on any person by or under an enactment; or
(c) the
exercise of any functions of the Crown, the States, any administration of the
States or any public authority.
8 Medical
purposes
(1) The
processing is necessary for medical purposes and is undertaken by –
(a) a
health professional; or
(b) a
person who in the circumstances owes a duty of confidentiality equivalent to
that which would arise if that person were a health professional.
(2) In
this paragraph “medical purposes” includes the purposes of
preventative medicine, medical diagnosis, medical research, the provision of
care and treatment, and the management of healthcare services.
9 Equal
opportunity research
The processing –
(a) is
of sensitive personal data consisting of information as to racial or ethnic
origin;
(b) is
necessary for the purpose of identifying or keeping under review the existence
or absence of equality of opportunity or treatment between persons of different
racial or ethnic origins, with a view to enabling such equality to be promoted
or maintained; and
(c) is
carried out with appropriate safeguards for the rights and freedoms of data
subjects.
10 Circumstances
prescribed by Regulations
The personal data are processed in such circumstances as may be prescribed
by Regulations.
11 Regulations
about paragraph 2, 7 or 9
(1) The
States may by Regulations –
(a) exclude
the application of paragraph 2 or 7 in such cases as may be specified; or
(b) provide
that, in such cases as may be specified, the condition in paragraph 2 or 7 is
not to be regarded as satisfied unless such further conditions as may be
specified in the Regulations are also satisfied.
(2) The
States may by Regulations specify circumstances in which processing falling
within paragraph 9(a) and (b) is, or is not, to be taken for the purposes of
paragraph 9(c) to be carried out with appropriate safeguards for the rights and
freedoms of data subjects.
SCHEDULE 4
(Article 4(3) and Schedule 1 Part 2, paragraph 14)
TRANSFERS TO WHICH EIGHTH PRINCIPLE DOES
NOT APPLY
1 Consent
The data subject has consented to the transfer.
2 Contract
between data subject and data controller
The transfer is necessary for –
(a) the
performance of a contract between the data subject and the data controller; or
(b) the
taking of steps at the request of the data subject with a view to the data
subject’s entering into a contract with the data controller.
3 Third-party
contract in interest of data subject
The transfer is necessary for –
(a) the
conclusion of a contract between the data controller and a person other than
the data subject, being a contract that is entered into at the request of the
data subject, or is in the interests of the data subject; or
(b) the
performance of such a contract.
4 Public
interest
The transfer is necessary for reasons of substantial public
interest.
5 Legal
proceedings etc.
The transfer –
(a) is
necessary for the purpose of, or in connection with, any legal proceedings;
(b) is
necessary for the purpose of obtaining legal advice; or
(c) is otherwise
necessary for the purposes of establishing, exercising or defending legal
rights.
6 Vital
interests
The transfer is necessary in order to protect the vital interests of
the data subject.
7 Public
register
The transfer is of part of the personal data on a public register
and any conditions subject to which the register is open to inspection are
complied with by any person to whom the data are or may be disclosed after the
transfer.
8 Transfer
made on terms generally approved by Commissioner
The transfer is made on terms of a kind approved by the Commissioner
as ensuring adequate safeguards for the rights and freedoms of data subjects.
9 Commissioner
has authorized transfer
The transfer has been authorized by the Commissioner as being made
in such a manner as to ensure adequate safeguards for the rights and freedoms
of data subjects.
10 Regulations
specify what is or is not public interest
The States may by Regulations specify –
(a) circumstances
in which a transfer is to be taken for the purposes of paragraph 4 to be necessary
for reasons of substantial public interest; and
(b) circumstances
in which a transfer not required by or under an enactment is not to be taken
for the purposes of paragraph 4 to be necessary for reasons of substantial
public interest.
SCHEDULE 5
(Article 6(7))
DATA PROTECTION COMMISSIONER AND DATA
PROTECTION TRIBUNAL
PART 1
COMMISSIONER
1 Status
and capacity
(1) The
Commissioner shall be a corporation sole by the name of the “Data
Protection Commissioner”.
(2) The
terms and conditions of appointment to the office of Commissioner shall be consistent
with this Law and determined by the States at the time of the appointment.
2 Nature
and tenure of office
(1) A
person may hold the office of Commissioner for such term not exceeding 5 years
as the States determine at the time of the person’s appointment.
(2) The
person may resign from that office by notice in writing to the Committee.
(3) Only
the States may remove the person from that office before the expiry of the
person’s term of office as Commissioner.
(4) A
person who ceases to hold that office shall be eligible for re-appointment.
(5) The
terms and conditions of the appointment shall not be construed so as to create
a contract of employment or agency between the States (or the Committee) and
the person appointed.
3 Salary
etc.
(1) The
person appointed to the office of Commissioner shall be paid out of the annual
income of the States a salary and other remuneration in accordance with the
terms of the person’s appointment.
(2) The
person shall be entitled to superannuation in accordance with the terms of the
person’s appointment.
4 Staff
(1) The
Policy and Resources Committee shall make available to the Commissioner such
number and descriptions of staff as the Commissioner may reasonably require for
the proper and effective discharge of the Commissioner’s functions under
this Law.
(2) To
the extent that any employee of the States performs functions under the
direction of the Commissioner because of sub-paragraph (1), the employee
is a member of the Commissioner’s staff.
(3) Any
functions of the Commissioner may, to the extent authorized by the
Commissioner, be exercised by any staff referred to in paragraph (1).
(4) The
Finance and Economics Committee shall provide such accommodation and equipment
as the Commissioner may reasonably require for the proper and effective
discharge of the Commissioner’s functions under this Law.
(5) The
cost of providing staff, accommodation and equipment under this paragraph shall
be met out of the annual income of the States.
5 Authentication of seal of the Commissioner
The application of the seal of the Commissioner shall be of no effect
unless authenticated by the signature of the person holding the office of
Commissioner or by the signature of some other person authorized by the
Commissioner for the purpose.
6 Presumption of authenticity of documents issued by the Commissioner
A document purporting to be an instrument issued by the Commissioner
and to be duly executed under the Commissioner’s seal or to be signed by
or on behalf of the Commissioner shall be received in evidence and shall be
taken to be such an instrument unless the contrary is shown.
7 Money
All fees and other sums received by the Commissioner in the exercise
of functions under this Law shall be paid to the income of the States.
8 Accounts
(1) It
shall be the duty of the Commissioner –
(a) to
keep proper accounts and other records in relation to the accounts;
(b) to
prepare in respect of each financial year a statement of account in such form
as the Committee may direct;
(c) to
have that statement properly audited on or before 31st July next following the
end of the financial year to which the statement relates; and
(d) to
present the statement and the report of the auditor to the Committee.
(2) The
Committee shall lay copies of the statement and the report before the States.
(3) In
this paragraph “financial year” means the calendar year following
the last calendar year in which a report has been required to be made to the
States under Article 35(5) of the Data
Protection (Jersey) Law 1987[16] and every calendar year
after that year.
PART 2
TRIBUNAL
9 Appointment to office and vacation of office
(1) The
States may appoint a person to the office of member of the Tribunal on such
terms and conditions as are consistent with this Law and as the States
determine at the time of the appointment.
(2) A
member of the Tribunal may hold office for such term not exceeding 6 years
as the States determine at the time of the person’s appointment.
(3) The
member may resign from that office by giving at least one month’s notice
in writing to the Committee.
(4) Only
the States may remove a member from that office before the expiry of its term.
(5) A
member who ceases to hold that office shall be eligible for re-appointment.
(6) A
member vacates office if the member –
(a) dies;
(b) has
become bankrupt;
(c) is
incapacitated by physical or mental illness; or
(d) is
otherwise unable or unfit to discharge the functions of a member.
(7) A
person appointed as president of the Tribunal shall continue to hold
appointment as such until –
(a) the
person resigns from that appointment by notice in writing delivered to the
Committee;
(b) that
appointment is revoked by the States; or
(c) the
person ceases to be a member of the Tribunal.
(8) The
president of the Tribunal shall be an advocate or solicitor of at least 7 years’
standing.
10 Procedure
(1) In
the absence of the president of the Tribunal, a vice-president shall preside
over the Tribunal.
(2) If
no vice-president is available so to preside during the absence of the
president, the members of the Tribunal shall appoint one of their number to act
as president during that absence.
(3) The
Tribunal may, subject to this Law, govern its own procedure.
11 Allowances
A member of the Tribunal shall be paid by the Committee such
remuneration and allowances as the Committee may from time to time determine.
PART 3
TRANSITIONAL PROVISIONS
12 References to Registrar
A reference in any enactment, instrument or other document to the
Data Protection Registrar (within the meaning of the Data Protection (Jersey) Law 1987[17]) shall be construed, in
relation to any time after the commencement of Article 6(1), as a
reference to the Commissioner.
13 References to Commissioner
A reference in this Law, or in any instrument made under this Law,
to the Commissioner shall be construed, in relation to any time before the
commencement of Article 6(1), as a reference to the Data Protection
Registrar (within the meaning of the Data
Protection (Jersey) Law 1987[18]).
SCHEDULE 6
(Articles 28(11) and 48(5))
APPEAL PROCEEDINGS
1 Hearing of appeals
For the purpose of hearing and determining appeals or any matter
preliminary or incidental to an appeal the Tribunal shall sit at such times and
in such places as the president or a vice-president may direct and may sit in 2
or more divisions.
2 Constitution of Tribunal
Subject to any Regulations made under paragraph 5, the Tribunal
shall be duly constituted for an appeal under Article 28(6) or 48 if it
consists of –
(a) the
president or a vice-president (who shall preside); and
(b) 2
other members (each of whom may be an ordinary member or a vice-president who
does not preside) appointed by the person presiding.
3 Determination of questions by Tribunal
The determination of any question before the Tribunal shall be
according to the opinion of the majority of the members hearing the appeal.
4 Ex parte proceedings
Subject to any Regulations made under paragraph 5, the jurisdiction
of the Tribunal in respect of an appeal under Article 48(3) shall be
exercised ex parte by the president or a vice-president sitting alone.
5 Procedure
(1) The
States may make Regulations for regulating the exercise of the rights of appeal
conferred by Articles 28(6) and 48 and the practice and procedure of the
Tribunal.
(2) The
Regulations may in particular make provision –
(a) with
respect to the period within which an appeal can be brought and the burden of
proof on an appeal;
(b) for
the summoning of witnesses and the administration of oaths;
(c) for
securing the production of documents and material used for the processing of
personal data;
(d) for
the inspection, examination, operation and testing of any equipment or material
used in connection with the processing of personal data;
(e) for
the hearing of an appeal wholly or partly in camera;
(f) for
hearing an appeal in the absence of the appellant or for determining an appeal
without a hearing;
(g) for
enabling an appeal under Article 48(1) against an information notice to be
determined by the president or a vice-president;
(h) for
enabling any matter preliminary or incidental to an appeal to be dealt with by
the president or a vice-president;
(i) for
the award of costs;
(j) for
the publication of reports of the Tribunal’s decisions; and
(k) for
conferring on the Tribunal such ancillary powers as the States think necessary
for the proper discharge of its functions.
(3) In
making Regulations under this paragraph that relate to appeals under Article 28(6)
the States shall have regard, in particular, to the need to ensure that
information is not disclosed contrary to the public interest.
6 Obstruction etc.
(1) If
a person is guilty of an act or omission in relation to proceedings before the
Tribunal that, if those proceedings were proceedings before a court having
power to commit for contempt, would constitute contempt of court, the Tribunal
may certify the offence to the Court.
(2) If
an offence is so certified, the Court may inquire into the matter and, after
hearing any witness who may be produced against or on behalf of the person
charged with the offence, and after hearing any statement that may be offered
in defence, deal with the person in any manner in which it could if the person
had committed the like offence in relation to the Court.
SCHEDULE 7
(Article 37)
MISCELLANEOUS EXEMPTIONS
1 Confidential references given by the data controller
Personal data are exempt from Article 7 if they consist of a
reference given or to be given in confidence by the data controller for the
purposes of –
(a) the
education, training or employment, or prospective education, training or
employment, of the data subject;
(b) the
appointment, or prospective appointment, of the data subject to any office; or
(c) the
provision, or prospective provision, by the data subject of any service.
2 Armed forces
Personal data are exempt from the subject information provisions in
any case to the extent to which the application of those provisions would be
likely to prejudice the combat effectiveness of any of the armed forces of the
Crown.
3 Judicial appointments and honours
Personal data are exempt from the subject information provisions if
processed for the purposes of –
(a) assessing
any person’s suitability for judicial office or the office of
Queen’s Counsel; or
(b) the
conferring by the Crown of any honour or dignity.
4 Crown employment and Crown appointments
The States may by Regulations exempt from the subject information
provisions personal data processed for the purposes of assessing any
person’s suitability for –
(a) employment
by or under the Crown; or
(b) any
office to which appointments are made by Her Majesty.
5 Management forecasts etc.
Personal data processed for the purposes of management forecasting
or management planning to assist the data controller in the conduct of any
business or other activity are exempt from the subject information provisions
in any case to the extent to which the application of those provisions would be
likely to prejudice the conduct of that business or other activity.
6 Corporate finance
(1) If
personal data are processed for the purposes of, or in connection with, a
corporate finance service provided by a relevant person –
(a) the
data are exempt from the subject information provisions in any case to the
extent to which either –
(i) the application
of those provisions to the data could affect the price of any instrument
already in existence or that is to be or may be created, or
(ii) the data
controller reasonably believes that the application of those provisions to the
data could affect the price of any such instrument; and
(b) to
the extent that the data are not exempt from the subject information provisions
by virtue of clause (a), they are exempt from those provisions if the exemption
is required for the purpose of safeguarding an important economic or financial
interest of Jersey.
(2) For
the purposes of sub-paragraph (1)(b) the States may by Regulations specify –
(a) matters
to be taken into account in determining whether exemption from the subject
information provisions is required for the purpose of safeguarding an important
economic or financial interest of Jersey; or
(b) circumstances
in which exemption from those provisions is, or is not, to be taken to be
required for that purpose.
(3) In
this paragraph –
“corporate finance service” means a service consisting in –
(a) underwriting
in respect of issues of, or the placing of issues of, any instrument;
(b) advice
to undertakings on capital structure, industrial strategy and related matters
and advice and service relating to mergers and the purchase of undertakings; or
(c) services
relating to such underwriting as is mentioned in clause (a);
“instrument” means an instrument listed in Article B of the Annex to the European
Council Directive on investment services in the securities field (93/22/EEC) or
an investment within the meaning of the Financial Services (Jersey) Law 1998;[19]
“price”
includes value;
“relevant person” means –
(a) a
registered person within the meaning of the Financial Services (Jersey) Law 1998[20] (being a person registered
under that Law in respect of investment business within the meaning of that
Law) or a person who is exempted by that Law from the obligation to be
registered under that Law in respect of such investment business;
(b) a
person who is an authorised person under the Financial Services and Markets
Act 2000 of the United Kingdom, or is an exempt person under that Act, in
respect of such investment business;
(c) a
person who may be prescribed by Regulations for the purposes of this paragraph;
(d) a
person who, in the course of the person’s employment, provides to the
person’s employer a service falling within clause (b) or (c) of the
definition of “corporate finance service”; or
(e) a
partner who provides to other partners in the partnership a service falling
within either of those clauses.
7 Negotiations
Personal data that consist of records of the intentions of the data
controller in relation to any negotiations with the data subject are exempt
from the subject information provisions in any case to the extent to which the
application of those provisions would be likely to prejudice those negotiations.
8 Examination marks
(1) Article 7
shall have effect subject to sub-paragraphs (2) to (4) in the case of
personal data consisting of marks or other information processed by a data
controller –
(a) for
the purpose of determining the results of an academic, professional or other
examination or of enabling the results of any such examination to be
determined; or
(b) in
consequence of the determination of any such results.
(2) If
the relevant day falls before the day on which the results of the examination
are announced, the period mentioned in Article 7(11) shall be extended
until the earlier of the following –
(a) the
end of 5 months beginning with the relevant day; or
(b) the
end of 40 days beginning with the date of the announcement.
(3) If
by virtue of sub-paragraph (2) a period longer than the prescribed period
elapses after the relevant day before the request is complied with, the
information to be supplied pursuant to the request shall be supplied both by
reference to the data in question at the time when the request is received and
(if different) by reference to the data as from time to time held in the period
beginning when the request is received and ending when it is complied with.
(4) For
the purposes of this paragraph the results of an examination shall be treated
as announced when they are first published or (if not published) when they are
first made available or communicated to the candidate in question.
(5) In
this paragraph –
“examination” includes any process for determining the knowledge, intelligence,
skill or ability of a candidate by reference to his or her performance in any
test, work or other activity;
“prescribed period” means 40 days or such other period as is for the time being
prescribed under Article 7 in relation to the personal data in question;
“relevant day” means the day referred to in Article 7(11)(a).
9 Examination scripts etc.
Personal data consisting of information recorded by candidates
during an academic, professional or other examination (within the meaning of paragraph 8)
are exempt from Article 7.
10 Legal professional privilege
Personal data are exempt from the subject information provisions if
the data consist of information in respect of which a claim to legal
professional privilege, as between client and professional legal adviser, could
be maintained in legal proceedings.
11 Self-incrimination
(1) A
person need not comply with any request or order under Article 7 to the
extent that compliance would, by revealing evidence of the commission of any
offence other than an offence under this Law, expose the person to proceedings
for that offence.
(2) Information
disclosed by any person in compliance with any request or order under Article 7
shall not be admissible against the person in proceedings for an offence under
this Law.
SCHEDULE 8
(Article 39)
TRANSITIONAL RELIEF
PART 1
INTERPRETATION
1 Interpretation
(1) For
the purposes of this Schedule, personal data are “eligible data” at
any time to the extent that they are at that time subject to processing that is
already under way immediately before the Schedule comes into force.
(2) In
this Schedule –
“eligible automated data” means eligible data that fall within paragraph (a) or
(b) of the definition of “data” in Article 1(1);
“eligible manual data” means eligible data that are not eligible automated data.
PART 2
EXEMPTIONS DURING FIRST TRANSITIONAL PERIOD
2 Certain eligible manual data
(1) Eligible
manual data are exempt from the data protection principles and Parts 2 and 3 of
this Law during the first transitional period.
(2) This
paragraph does not apply to eligible manual data to which paragraph 3
applies.
3 Eligible manual data about financial standing
(1) This
paragraph applies to eligible manual data that consist of information relevant
to the financial standing of the data subject and in respect of which the data
controller is a credit reference agency.
(2) During
the first transitional period, data to which this paragraph applies are exempt
from –
(a) the
data protection principles, except the sixth principle so far as it relates to Articles 7
and 12A;
(b) Part
2 of this Law, except –
(i) Article 7
(as it has effect subject to Articles 8 and 9) and Article 12A, and
(ii) Article 15
so far as it relates to those Articles; and
(c) Part
3 of this Law.
4 Eligible automated data processed otherwise than by reference to the data subject
During the first transitional period, for the purposes of this Law (apart
from paragraph 1), eligible automated data are not to be regarded as being
processed unless the processing is by reference to the data subject.
5 Eligible automated data: payrolls and accounts
(1) Eligible
automated data are exempt from the data protection principles and Parts 2 and 3
of this Law during the first transitional period if processed by a data
controller for one or more of the following purposes –
(a) calculating
amounts payable by way of remuneration or pensions in respect of service in any
employment or office or making payments of, or of sums deducted from, such
remuneration or pensions; or
(b) keeping
accounts relating to any business or other activity carried on by the data
controller or keeping records of purchases, sales or other transactions for the
purpose of ensuring that the requisite payments are made by or to the data
controller in respect of those transactions or for the purpose of making
financial or management forecasts to assist the data controller in the conduct
of any such business or activity.
(2) It
shall be a condition of the exemption of any eligible automated data under this
paragraph that the data are not processed for any other purpose, but the
exemption is not lost by any processing of the eligible data for any other
purpose if the data controller shows that the data controller had taken such
care to prevent it as in all the circumstances was reasonably necessary.
(3) Data
processed only for one or more of the purposes mentioned in sub-paragraph (1)(a)
may be disclosed –
(a) to
any person, other than the data controller, by whom the remuneration or
pensions in question are payable;
(b) for
the purpose of obtaining actuarial advice;
(c) for
the purpose of giving information as to the persons in any employment or office
for use in medical research into the health of, or injuries suffered by,
persons engaged in particular occupations or working in particular places or
areas;
(d) if
the data subject (or a person acting on the latter’s behalf) has
requested or consented to the disclosure of the data either generally or in the
circumstances in which the disclosure in question is made; or
(e) if
the person making the disclosure has reasonable grounds for believing that the
disclosure falls within clause (d).
(4) Data
processed for any of the purposes mentioned in sub-paragraph (1) may be
disclosed –
(a) for
the purpose of audit or if the disclosure is for the purpose only of giving
information about the data controller’s financial affairs; or
(b) in
any case in which disclosure would be permitted by any other provision of this
Schedule or any provision of Schedule 7 or any provision of Part 4 of this Law
if sub-paragraph (2) were included in the relevant non-disclosure
provisions.
(5) In
this paragraph “remuneration” includes remuneration in kind and
“pensions” includes gratuities or similar benefits.
6 Eligible automated data: unincorporated members’ clubs
Eligible automated data processed by an unincorporated
members’ club and relating only to the members of the club are exempt
from the data protection principles and Parts 2 and 3 of this Law during the
first transitional period.
7 Eligible automated data: unincorporated members’ clubs’ mailing lists
Eligible automated data processed by a data controller only for the
purposes of distributing, or recording the distribution of, articles or
information to the data subjects (being members of the clubs) and consisting
only of their names, addresses or other particulars necessary for effecting the
distribution, are exempt from the data protection principles and Parts 2 and 3
of this Law during the first transitional period.
8 Eligible automated data: unincorporated members’ clubs: right to object
Neither paragraph 6 nor paragraph 7 applies to personal data
relating to any data subject unless the data subject has been asked by the club
or data controller whether the data subject objects to the data relating to the
data subject being processed as mentioned in that paragraph and has not
objected.
9 Eligible automated data: unincorporated members’ clubs: due care
(1) It
shall be a condition of the exemption of any data under paragraph 6 that
the data are not disclosed except as permitted by paragraph 10, but the
exemption shall not be lost by any disclosure in breach of that condition if
the data controller shows that the data controller had taken such care to
prevent the disclosure as in all the circumstances was reasonably necessary.
(2) It
shall be a condition of the exemption under paragraph 7 that the data are
not processed for any purpose other than that mentioned in paragraph 7 or
as permitted by paragraph 10, but the exemption under paragraph 7
shall not be lost by any processing in breach of that condition if the data
controller shows that the data controller had taken such care to prevent the
processing as in all the circumstances was reasonably necessary.
10 Eligible automated data: unincorporated members’ clubs: consensual or permitted disclosure
Data to which paragraph 9 applies may be disclosed –
(a) if
the data subject (or a person acting on the data subject’s behalf) has
requested or consented to the disclosure of the data either generally or in the
circumstances in which the disclosure in question is made;
(b) if
the person making the disclosure has reasonable grounds for believing that such
a request or consent has been given; or
(c) in
any case in which disclosure would be permitted by any other provision of this
Schedule or any provision of Schedule 7 or any provision of Part 4 of
this Law if paragraph 9 were included in the relevant non-disclosure
provisions.
11 Eligible automated data: back-up data
Eligible automated data processed only for the purpose of replacing
other data in the event of the latter’s being lost, destroyed or impaired
are exempt from Article 7 during the first transitional period.
12 Exemption of all eligible automated data from certain requirements
(1) During
the first transitional period, eligible automated data are exempt from the
following provisions –
(a) the
first data protection principle to the extent to which it requires compliance
with –
(i) paragraph 2 of
Schedule 1 Part 2,
(ii) the conditions in
Schedule 2, and
(iii) the conditions in
Schedule 3;
(b) the
seventh data protection principle to the extent to which it requires compliance
with paragraph 12 of Schedule 1 Part 2;
(c) the
eighth data protection principle;
(d) Article 7(1)(a),
(b) and (c), (2)(b) and (3);
(e) Articles 10
and 11;
(f) Article 12;
and
(g) Article 13,
except so far as it relates to –
(i) any contravention
of the fourth data protection principle,
(ii) any disclosure
without the consent of the data controller,
(iii) loss or destruction of
data without the consent of the data controller, or
(iv) processing for the
special purposes.
(2) The
exemptions conferred by sub-paragraph (1)(a), (c) and (e) do not limit the
data controller’s general duty under the first data protection principle
to ensure that processing is fair.
PART 3
EXEMPTIONS DURING SECOND TRANSITIONAL PERIOD
13 Certain eligible manual data
(1) This
paragraph applies to eligible manual data held immediately before the
commencement of this Schedule, but does not apply to eligible manual data to
which the exemption in paragraph 15 applies.
(2) During
the second transitional period, data to which this paragraph applies are exempt
from the following provisions –
(a) the
first data protection principle except to the extent to which it requires
compliance with paragraph 2 of Schedule 1 Part 2;
(b) the
second, third, fourth and fifth data protection principles; and
(c) Article 14(1)
to (3).
PART 4
EXEMPTIONS AFTER FIRST TRANSITIONAL PERIOD FOR HISTORICAL RESEARCH
14 Interpretation
In this Part of this Schedule “relevant conditions” has
the same meaning as in Article 33.
15 Eligible manual data
Eligible manual data that are processed only for the purpose of
historical research in compliance with the relevant conditions are exempt from
the following provisions at any time after the end of the first transitional
period –
(a) the
first data protection principle except in so far as it requires compliance with
paragraph 2 of Schedule 1 Part 2;
(b) the
second, third, fourth and fifth data protection principles; and
(c) Article 14(1)
to (3).
16 Eligible automated data
(1) After
the end of the first transitional period, eligible automated data that are
processed only for the purpose of historical research in compliance with the
relevant conditions are exempt from the first data protection principle to the
extent to which it requires compliance with conditions in Schedules 2 and 3.
(2) Eligible
automated data that are processed –
(a) only
for the purpose of historical research;
(b) in
compliance with the relevant conditions; and
(c) otherwise
than by reference to the data subject,
are also exempt from the provisions referred to in sub-paragraph (3)
after the end of the first transitional period.
(3) The
provisions are –
(a) the
first data protection principle except in so far as it requires compliance with
paragraph 2 of Schedule 1 Part 2;
(b) the
second, third, fourth and fifth data protection principles; and
(c) Article 14(1)
to (3).
17 Certain disclosures do not vitiate exemption
For the purposes of this Part of this Schedule personal data are not
to be treated as processed otherwise than for the purpose of historical
research merely because the data are disclosed –
(a) to
any person, for the purpose of historical research only;
(b) to
the data subject or a person acting on the data subject’s behalf;
(c) at
the request, or with the consent, of the data subject or a person acting on
the data subject’s behalf; or
(d) in
circumstances in which the person making the disclosure has reasonable grounds
for believing that the disclosure falls within sub-paragraph (a), (b) or
(c).
PART 5
EXEMPTION FROM ARTICLE 22
18 Processing already running not assessable processing
Processing already under way immediately before the commencement of
this Schedule is not assessable processing for the purposes of Article 22.
SCHEDULE 9
(Article 50)
ENTRY AND SEARCH OF PREMISES, OBTAINING INFORMATION
PART 1
ENTRY AND SEARCH
1 Interpretation
In this Part –
“occupier”
of premises includes a person in charge of a vessel, vehicle, aircraft or
hovercraft;
“premises”
includes a vessel, vehicle, aircraft or hovercraft;
“warrant”
means warrant issued under this Schedule.
2 Entry and search
(1) If
the Bailiff or a Jurat is satisfied by information on oath supplied by the
Commissioner that there are reasonable grounds for suspecting –
(a) that
a data controller has contravened or is contravening any of the data protection
principles; or
(b) that
an offence under this Law has been or is being committed,
and that evidence of the contravention or of the commission of the
offence is to be found on any premises specified in the information, the
Bailiff or Jurat may issue a warrant to the Commissioner.
(2) The
Bailiff or a Jurat shall not issue a warrant in respect of any personal data
processed for the special purposes unless a determination by the Commissioner
under Article 45 with respect to those data has taken effect.
(3) A
warrant may authorize the Commissioner or any of the Commissioner’s staff
at any time within 7 days of the date of the warrant to enter the
premises, to search them, to inspect, examine, operate and test any equipment
found there which is used or intended to be used for the processing of personal
data and to inspect and seize any documents or other material found there which
may be such evidence as is mentioned in sub-paragraph (1).
3 Additional conditions for issue of warrant
(1) The
Bailiff or a Jurat shall not issue a warrant unless satisfied –
(a) that
the Commissioner has given 7 days’ notice in writing to the occupier
of the premises in question demanding access to the premises;
(b) that
either access was demanded at a reasonable hour and was unreasonably refused or
although entry to the premises was granted, the occupier unreasonably refused
to comply with a request by the Commissioner or any of the Commissioner’s
staff to permit the Commissioner or the member of staff to do any of the things
referred to in paragraph 2(3); and
(c) that
the occupier has, after the refusal, been notified by the Commissioner of the
application for the warrant and has had an opportunity of being heard by the
Bailiff or Jurat on the question whether or not it should be issued.
(2) Sub-paragraph (1)
shall not apply if the Bailiff or Jurat is satisfied that the case is one of
urgency or that compliance with that sub-paragraph would defeat the object of
the entry.
4 Force
A person executing a warrant issued under this Schedule may use such
reasonable force as may be necessary.
5 Police officer may accompany
A person executing a warrant issued under this Schedule may be
accompanied by a police officer during its execution.
6 Hour
A warrant shall be executed at a reasonable hour unless it appears
to the person executing it that there are grounds for suspecting that the
evidence in question would not be found if it were so executed.
7 Warrant to be shown
(1) If
the person who occupies the premises in respect of which a warrant is issued is
present when the warrant is executed, the person executing it shall show the warrant
to that person and supply him or her with a copy of it.
(2) If
that person is not present, the person executing it shall leave a copy of it in
a prominent place on the premises.
8 Receipt
(1) A
person seizing anything in pursuance of a warrant shall give a receipt for it
to the person in occupation of the premises if the latter asks for it.
(2) Anything
so seized may be retained for so long as is necessary in all the circumstances
but the person in occupation of the premises in question shall be given a copy
of anything that is seized if the person so requests and the person executing
the warrant considers that it can be done without undue delay.
9 Exempt personal data
The powers of inspection and seizure conferred by a warrant shall
not be exercisable in respect of personal data that are exempt under
Article 28.
10 Exempt communications about legal advice
(1) The
powers of inspection and seizure conferred by a warrant shall not be
exercisable in respect of –
(a) any
communication between a professional legal adviser and the adviser’s client
in connection with the giving of legal advice to the client with respect to the
client’s obligations, liabilities or rights under this Law; or
(b) any
communication between a professional legal adviser and the adviser’s
client, or between such an adviser or such a client and any other person, made
in connection with or in contemplation of proceedings under or arising out of
this Law and for the purposes of such proceedings.
(2) Sub-paragraph (1)
applies also to –
(a) a
copy or other record of any such communication; and
(b) any
document or article enclosed with or referred to in any such communication if
made in connection with the giving of any advice or, as the case may be, in
connection with or in contemplation of and for the purposes of such
proceedings.
(3) This
paragraph does not apply to anything in the possession of any person other than
the professional legal adviser or the client or to anything held with the
intention of furthering a criminal purpose.
(4) In
this paragraph references to the client of a professional legal adviser include
references to any person representing such a client.
11 Occupier to furnish what is not exempt
If the person in occupation of premises in respect of which a
warrant is issued objects to the inspection or seizure under the warrant of
material on the grounds that it consists partly of matters in respect of which
those powers are not exercisable, the person shall, if the person executing the
warrant so requests, furnish the latter with a copy of so much of the material
as is not exempt from those powers.
12 Return of warrants
(1) The
Commissioner shall return a warrant to the Bailiff or a Jurat after it is
executed or if not executed within the time authorized for its execution.
(2) The
person by whom the warrant is executed shall make an endorsement on it stating
what powers have been exercised under the warrant.
13 Offences
A person who obstructs a person in the execution of a warrant or who
fails without reasonable excuse to give the latter person such assistance as
the latter person may reasonably require for the execution of the warrant
commits an offence and shall be liable –
(a) on
conviction on indictment – to a term of imprisonment of 6 months
and to a fine; or
(b) on
summary conviction – to a fine of level 4 on the standard
scale.[21]
PART 2
OBTAINING INFORMATION
14 Power to require information
(1) The
Commissioner may, for any purpose connected with the investigation of an
offence under this Law or under Regulations made under this Law or with
proceedings for such an offence, by notice in writing –
(a) require
any person to produce to the Commissioner, or any person appointed by the
latter for that purpose, any documents specified or described in the notice
that are in the custody, or under the control, of the first-mentioned person;
and
(b) specify
the time, manner and form in which those documents are to be produced.
(2) The
Commissioner may keep a document produced under paragraph (1) for a
reasonable time and take copies of such a document.
(3) No
person shall be compelled for any purpose referred to in paragraph (1) to
produce any document that the person cannot be compelled to produce in
proceedings before a court or, in complying with any requirement to furnish
information, to give any information that the person could not be compelled to
give in evidence in those proceedings.
(4) Any
person who refuses or, without reasonable excuse, fails to comply with the
requirements of a notice under sub-paragraph (1) shall be guilty of an
offence and liable to a fine of level 4 on the standard scale.[22]
(5) A
person who intentionally alters, suppresses or destroys a document that is the
subject of a notice under sub-paragraph (1) shall be guilty of an offence and
liable to a term of imprisonment of 5 years and to a fine.
(6) If
a person fails to comply with the requirements of a notice under sub-paragraph (1)
the Court may, on application by the Commissioner, make an order requiring
compliance, and the order may provide that the costs of, and incidental to, the
application shall be paid by the person who failed to comply with the notice.
SCHEDULE 10
(Article 53(6))
FURTHER PROVISIONS RELATING TO ASSISTANCE UNDER ARTICLE 53
1 Interpretation
In this Schedule “applicant” (or
“proceedings”) means an applicant (or proceedings) to which Article 53
refers.
2 Costs
The assistance provided under Article 53 may include the making
of arrangements for, or for the Commissioner to bear the costs of –
(a) the
giving of advice or assistance by an advocate or solicitor; and
(b) the
representation of the applicant, or the provision to the applicant of such
assistance as is usually given by an advocate or solicitor –
(i) in
steps preliminary or incidental to the proceedings, or
(ii) in
arriving at or giving effect to a compromise to avoid or bring an end to the
proceedings.
3 Indemnification
If assistance is provided with respect to the conduct of proceedings –
(a) it
shall include an agreement by the Commissioner to indemnify the applicant
(subject only to any exceptions specified in the notification) in respect of
any liability to pay costs or expenses arising by virtue of any judgment or
order of the court in the proceedings;
(b) it
may include an agreement by the Commissioner to indemnify the applicant in
respect of any liability to pay costs or expenses arising by virtue of any
compromise or settlement arrived at in order to avoid the proceedings or bring
the proceedings to an end; and
(c) it
may include an agreement by the Commissioner to indemnify the applicant in
respect of any liability to pay damages pursuant to an undertaking given on the
grant of interlocutory relief to the applicant.
4 Defendant informed of assistance
If the Commissioner provides assistance in relation to any
proceedings, the Commissioner shall do so on such terms, or make such other
arrangements, as will secure that a person against whom the proceedings have
been or are commenced is informed that assistance has been or is being provided
by the Commissioner in relation to them.
5 Commissioner’s recovery of costs
The recovery of expenses incurred by the Commissioner in providing
an applicant with assistance (as taxed or assessed in such manner as may be
prescribed by rules of court) shall constitute a first charge for the benefit
of the Commissioner –
(a) on
any costs that, by virtue of any judgment or order of the court, are payable to
the applicant by any other person in respect of the matter in connection with
which the assistance is provided; and
(b) on
any sum payable to the applicant under a compromise or settlement arrived at in
connection with that matter to avoid or bring to an end, any proceedings.
SCHEDULE 11
(Article 68)
MODIFICATIONS BEFORE END OF SECOND TRANSITIONAL PERIOD
1 Article 12A inserted
After Article 12 there shall be inserted –
“12A Rights of data subjects in relation to exempt manual data
(1) A data subject is entitled at any time by
notice in writing –
(a) to require the relevant data controller to
rectify, block, erase or destroy exempt manual data that are inaccurate or
incomplete; or
(b) to require the data controller to cease
holding exempt manual data in a way incompatible with the legitimate purposes
pursued by the data controller.
(2) A notice under paragraph (1) shall
state the data subject’s reasons for believing that the data are
inaccurate or incomplete or, as the case may be, the data subject’s
reasons for believing that they are held in a way incompatible with the
legitimate purposes pursued by the data controller.
(3) If the court is satisfied, on the
application of any person who has given a notice under paragraph (1) that
appears to the court to be justified (or to be justified to any extent), that
the data controller in question has failed to comply with the notice, the court
may order the data controller to take such steps for complying with the notice
(or for complying with it to that extent) as the court thinks fit.
(4) For the purposes of this Article personal
data are incomplete if the data, although not inaccurate, are such that their
incompleteness would constitute a contravention of the third or fourth data
protection principle, if the principle applied to the data.
(5) In this Article ‘exempt manual
data’ means –
(a) in relation to the first transitional period,
data to which paragraph 3 of that Schedule applies, and
(b) in relation to the second transitional
period, data to which paragraph 13 of that Schedule applies.”.
2 Article 32 amended
In Article 32 –
(a) after
paragraph (2)(d) there shall be inserted the following sub-paragraph –
(b) in paragraph (4)
after the matter “12(7)” there shall be inserted the matter
“, 12A(3)”.
3 Article 34 amended
In Article 34(b) for the matter “Article 14(1)
– (3)” there shall be substituted the matter “Articles 12A
and 14(1) – (3)”.
4 Article 53 amended
In Article 53(1) after the matter “12(7)” there
shall be inserted the reference “, 12A(3)”.
5 Schedule 1 Part 2 amended
After paragraph 8(b) of Schedule 1 Part 2, there shall be inserted
the following sub-paragraph –
“(ba) contravenes Article 12A by failing
to comply with a notice given under Article 12A(1) to the extent that the
notice is justified;”.
SCHEDULE 12
(Article 69)
TRANSITIONAL PROVISIONS AND SAVINGS
1 Interpretation
In this Schedule –
“1987 Law” means the Data Protection (Jersey) Law 1987;[23]
“new principles” means the data protection principles within the meaning of
this Law;
“old principles” means the data protection principles within the meaning of
the 1987 Law.
2 Effect of registration under 1987 Law
(1) A
person who, immediately before the commencement of Part 3 of this Law –
(a) is
registered as a data user under Part II of the 1987 Law;[24] or
(b) is treated
by virtue of Article 6(6) of the 1987 Law[25] as so registered,
is exempt from Article 17(1) of this Law until the end of the
registration period.
(2) In
sub-paragraph (1) “registration period”, in relation to a
person, means –
(a) if
there is a single entry in respect of that person as a data user, the period at
the end of which, if Article 7 of the 1987 Law[26] had remained in force, that
entry would have fallen to be removed unless renewed; or
(b) if
there are 2 or more entries in respect of that person as a data user, the
period at the end of which, if that Article had remained in force, the last of
those entries to expire would have fallen to be removed unless renewed.
(3) Any
application for registration as a data user under Part II of the 1987 Law[27] received by the Commissioner
before the commencement of Part 3 of this Law (and any appeal against a
refusal of registration, being a refusal at any time under Part II of the 1987
Law[28]) shall be determined in
accordance with the old principles and the 1987 Law.
(4) If
a person falling within sub-paragraph (1)(b) receives a notification under
Article 6(1) of the 1987 Law[29] of the refusal of the
person’s application, sub-paragraph (1) shall cease to apply to the
person –
(a) if
no appeal is brought against the refusal – at the end of the period
within which such an appeal can be brought; or
(b) if
such an appeal is brought against the refusal – on the withdrawal or
dismissal of the appeal.
(5) If
a data controller gives a notification under Article 18(1) when exempt
from Article 17(1) by virtue of sub-paragraph (1), the data
controller shall cease to be exempt by virtue of sub-paragraph (1), but
may be exempt by virtue of Article 17(1) itself.
(6) The
Commissioner shall include in the register an entry in respect of each person
who is exempt from Article 17(1) by virtue of sub-paragraph (1).
(7) Each
such entry shall consist of the particulars that, immediately before the
commencement of Part 3 of this Law, were included (or treated as included)
in respect of that person in the register maintained under Article 3 of
the 1987 Law.[30]
(8) The
States may by Regulations make provision modifying the duty referred to in Article 20(1)
in its application to any person in respect of whom an entry in the register
has been made under sub-paragraph (6).
(9) The
States may by Regulations make further transitional provision in connection
with the implementation of Part 3 of this Law and the repeal of Part II of the
1987 Law,[31] including provision
modifying the application of provisions of Part 3 of this Law in transitional
cases.
3 Request for information and copy of personal data
(1) The
repeal of Article 20 of the 1987 Law[32] does not affect the
application of that Article in any case in which a request under that Article (together
with any information, and fee, referred to in that Article and, in a case where
it is required, the consent referred to in that Article) was received (or, in
the case of the consent, notified) before that repeal.
(2) Sub-paragraph (1)
does not apply if the request is made by reference to this Law.
(3) Any
fee paid for the purposes of Article 20 of the 1987 Law[33] before the commencement of Article 7
in a case not falling within sub-paragraph (1) shall be taken to have been
paid for the purposes of Article 7.
4 Right to compensation for inaccuracy, loss or unauthorized disclosure
The repeal of Articles 21 and 22 of the 1987 Law[34] does not affect the
application of those Articles in relation to damage or distress suffered at any
time by reason of anything done or omitted to be done before the repeals.
5 Application for rectification and erasure
The repeal of Article 23 of the 1987 Law[35] does not affect any case in
which application to the court was made under that Article before the repeal.
6 Restriction on court orders to notify third parties of inaccuracy
Article 14(3)(b) does not apply to any rectification, blocking,
erasure, or destruction, that occurred before the commencement of that
sub-paragraph.
7 Enforcement notices served under 1987 Law
(1) If,
immediately before the commencement of Article 40 –
(a) an
enforcement notice under Article 9 of the 1987 Law[36] has effect; and
(b) the
time for appealing against the notice has expired or any appeal has been
determined,
then, after that commencement, to the extent mentioned in sub-paragraph (3),
the notice shall have effect for the purposes of Articles 41 and 47 as if
it were an enforcement notice under Article 40.
(2) If
an enforcement notice has been served under Article 9 of the 1987 Law[37] before the commencement of Article 40
and immediately before that commencement –
(a) the
time for appealing against the notice has not expired; or
(b) an
appeal against the notice has not been determined,
any appeal against the notice shall be determined in accordance with
the 1987 Law[38] and the old principles but,
unless the notice is quashed on appeal, to the extent mentioned in sub-paragraph (3),
the notice shall have effect for the purposes of Articles 41 and 47 as if
it were an enforcement notice under Article 40.
(3) An
enforcement notice under Article 9 of the 1987 Law[39] has the effect described in
sub-paragraph (1) or (2) only to the extent that the steps specified in
the notice for complying with the old principle or principles in question are
steps that the data controller could be required by an enforcement notice under
Article 40 to take for complying with any or all of the new principles in
a case to which Article 40 applies.
8 Transfer prohibition notices served under 1987 Law
(1) If,
immediately before the commencement of Article 40 –
(a) a
transfer prohibition notice under Article 11 of the 1987 Law[40] has effect; and
(b) the
time for appealing against the notice has expired or any appeal against the
notice has been determined,
then, on and after that commencement, to the extent specified in
sub-paragraph (3), the notice shall have effect for the purposes of Articles 41
and 47 as if it were an enforcement notice under Article 40.
(2) If
a transfer prohibition notice has been served under Article 11 of the 1987
Law[41] and immediately before the
commencement of Article 40 either –
(a) the
time for appealing against the notice has not expired; or
(b) an
appeal against the notice has not been determined,
any appeal shall be determined in accordance with the 1987 Law[42] and the old principles and,
unless the notice is quashed on appeal, to the extent mentioned in sub-paragraph (3)
the notice shall have effect for the purposes of Articles 41 and 47 as if
it were an enforcement notice under Article 40.
(3) A
transfer prohibition notice under Article 11 of the 1987 Law[43] has the effect described in
sub-paragraph (1) or (2) only to the extent that the prohibition imposed
by the notice is one that could have been imposed by an enforcement notice
under Article 40 for complying with all or any of the new principles in a
case to which Article 40 applies.
9 Enforcement notices under new law relating to matters in relation to which 1987 Law had effect
The Commissioner may serve an enforcement notice under Article 40
on or after the day on which that Article comes into force if satisfied that,
before that day, a data controller contravened the old principles by reason of
any act or omission that would also have constituted a contravention of the new
principles if they had applied when the act or omission occurred.
10 Restriction on enforcement notices to notify third parties of inaccuracy
Article 40(5)(b) does not apply if the rectification, blocking,
erasure, or destruction, referred to in that sub-paragraph occurred before the
commencement of that Article.
11 Information notices under new law relating to matters in relation to which 1987 Law had effect
The Commissioner may serve an information notice under Article 43
on or after the day on which that Article comes into force if the Commissioner
has reasonable grounds for suspecting that, before that day, a data controller
contravened the old principles by reason of any act or omission that would also
have constituted a contravention of the new principles if they had applied when
the act or omission occurred.
12 Reference in new Article 43(2)(b) read as being to old principles
If by virtue of paragraph 11 an information notice is served on
the basis of anything done or omitted to be done before the day on which Article 43
comes into force, Article 43(2)(b) shall have effect as if the reference
in it to the data controller’s having complied, or complying, with the
data protection principles were a reference to the data controller’s
having contravened the old principles by reason of any such act or omission as
is mentioned in paragraph 11.
13 Self-incrimination, etc.
(1) In Article 43(9),
Article 44(10) and paragraph 11 of Schedule 7, any reference to
an offence under this Law includes a reference to an offence under the 1987
Law.[44]
(2) In Article 33(8)
of the 1987 Law,[45] any reference to an offence
under that Law includes a reference to an offence under this Law.
14 Warrants issued under 1987 Law
The repeal of the Fourth Schedule to the 1987 Law[46] does not affect the
application of that Schedule in any case where a warrant was issued under that
Schedule before the repeal, and that Schedule shall be taken to continue to
have effect in that case.
15 Complaints under Article 35(2) of 1987 Law
The repeal of Article 35(2) of the 1987 Law[47] does not affect the
application of that provision in any case where a complaint has been received
by the Commissioner under that Article before its repeal.
16 Complaints and assessments: regard to be had to contemporary principles and provisions
In dealing with a complaint under Article 35(2) of the 1987 Law[48] or a request for an
assessment under Article 42 of this Law, the Commissioner shall have
regard to the provisions from time to time applicable to the processing, and
accordingly –
(a) in Article 35(2)
of the 1987 Law,[49] the references to the data
protection principles, and the provisions, of that Law include, in relation to
any time when the new principles and the provisions of this Law have effect,
the latter principles and provisions; and
(b) in Article 42,
the reference to the provisions of this Law includes, in relation to any time
when the old principles and the provisions of the 1987 Law had effect, the
latter principles and provisions.
17 General: references to Data Protection Registrar
(1) This
paragraph is subject to any express provision, or implication, to the contrary
in or under this Law or any other enactment, or in any agreement or other
document.
(2) A
reference in any enactment, agreement or other document to the Data Protection
Registrar shall, on and from when Article 6(2) comes into force, become a
reference to the Data Protection Commissioner.
(3) Accordingly,
any application made to the Data Protection Registrar, any proceedings
commenced with the Data Protection Registrar as party, or anything else involving
the Data Protection Registrar, being an application, proceedings or thing that
has not been finally determined, or finished, when Article 6(2) comes into
force may be determined or continued by the Data Protection Commissioner.
(4) Furthermore,
any record or requirement made by, any information given to, any document
deposited with, any record kept by, or any statement made to, the Data
Protection Registrar in the exercise of any of the Registrar’s functions
before Article 6(2) comes into force shall be taken, on and from that
time, to have been made by, given to, deposited with, kept by or made to, the
Data Protection Commissioner.
18 General saving (except for Regulations, Rules or Orders)
(1) Except
as provided otherwise in or under this Schedule, anything made or done by any
person under any provision of the 1987 Law[50] (being a thing that still
had force or effect immediately before the repeal of that provision by this
Law) shall, if there is a provision under this Law that gives power to make or
do such a thing, be taken to have been made or done under the latter provision.
(2) However,
a Regulation, Rule, or Order, made under the 1987 Law[51] shall cease to be in force
when this paragraph comes into force.
19 Power to make savings, or transitional or consequential provisions, by Regulations
(1) The
States may, by Regulations, make provisions of a saving or transitional nature
consequent on the enactment of this Law.
(2) A
provision of Regulations made under this paragraph may, if the Regulations so provide,
come into force on the day on which this Schedule comes into force or on a
later day.
(3) To
the extent to which any such provision comes into force on a date that is
earlier than the date of its promulgation, the provision does not operate so as –
(a) to
affect, in a manner prejudicial to any person (other than the States or a
Committee or administration of the States), the rights of that person existing
before the date of its promulgation; or
(b) to
impose liabilities on any person (other than the States or a Committee or
administration of the States) in respect of anything done or omitted to be done
before the date of its promulgation.
SCHEDULE 13
(Article 70)
AMENDMENTS
Lloyds TSB (Jersey) Law 1997
Insert after Article 8(4)[52] the following paragraph –
“(5) The Data Protection Commissioner may exercise, in respect of any breach
by the transferor company of the data protection principles under the Data
Protection (Jersey) Law 1987,[53] the same power under the Data Protection
(Jersey) Law 2005[54] as the power referred to in paragraph (4) that was
exercisable by the Data Protection Registrar under Article 9 of the Data
Protection (Jersey) Law 1987.[55]”.

Royal Bank of Canada (Jersey) Law 2000
Insert after Article 5(4)[56] the following paragraph –
“(5) The Data Protection Commissioner may exercise, in respect of any breach
by the transferor company of the data protection principles under the Data
Protection (Jersey) Law 1987,[57] the same power under the Data Protection
(Jersey) Law 2005[58] as the power referred to in paragraph (4) that was
exercisable by the Data Protection Registrar under Article 9 of the Data
Protection (Jersey) Law 1987.[59]”.

Public Records (Jersey) Law 2002
In Article 39(4)[60] for the words “Data Protection (Jersey) Law 1987[61]”
there shall be substituted the words “Data Protection (Jersey) Law 2005[62]”.

Police Procedures and Criminal Evidence (Jersey) Law 2003
In Schedule 3,[63] the matter relating to the Data Protection (Jersey) Law 1987
shall be deleted.