Data Protection Presentation for Landlords by ODPC
Data Protection Reform
Rachel Masterton
Deputy Data Protection Commissioner
Office of the Data Protection Commissioner (ODPC) in Guernsey
New Data Protection Law
Data Protection (Bailiwick of Guernsey) Law, 2017
Came into force on 25 May 2018
Aligns with the EU GDPR
Key changes
Accountability
Strengthened rights for individuals
Breach reporting
Data Protection Principles
Lawfulness, fairness and transparency
Purpose limitation
Data minimisation
Accuracy
Storage limitation – retention of data
Integrity & confidentiality – security of data
Accountability – embrace principles & demonstrate compliance
What
What personal data do you hold?
Do you hold any special category data?
Where
Where is it from?
Where is it sent?
Why
Why is it processed?
For what purpose?
How
How is the processing fair & lawful?
Which of the lawful processing conditions is met?
Lawful processing
Consent
Contract
Vital Interests
Public authority
Required by Law
Legitimate interests
Made public
Required by law/court
Health and social care
Legal proceedings
Function of Crown
Law enforcement
Not for profit
Historic, scientific
Consent
Data controllers must be able to show consent was given
Consent as a basis for processing gives individuals stronger rights
Consent must be
1 Freely given
2 Specific
3 Informed
4 Unambiguous
Has to be a positive indication of agreement
Special Category Data
Race or ethnic origin
Political opinion
Religious beliefs or similar
Trade union membership
Physical or mental health
Sexual life
Offences, alleged offences
Genetics
Biometrics
Lawful processing – special category data
Explicit consent
Vital interests
Made public
Required by law/court
Health and social care
Legal proceedings
Function of Crown
Law enforcement
Not for profit
Historic, scientific
Privacy Notices
The following should be given to individuals at the time of data collection:
Purpose & legal basis for processing
Recipients of the data
Any third countries data are transferred to & safeguards in place
Data retention periods
The existence of individuals’ rights
Right to withdraw consent, where provided
Whether provision has a statutory or contractual basis
Details where legitimate interests have been relied upon
Individuals’ Rights
Individuals will have the right to:
Subject access
Have inaccuracies corrected
Have information erased (“right to be forgotten”)
Prevent direct marketing
Prevent processing based on public interest
Prevent automated decision making & profiling
Seek compensation
Data portability (from 25 May 2019)
Subject Access Requests (SARs)
In most circumstances no fee can be charged
Response provided within 1 month
Provide both the personal data & a copy of the privacy information
Breach reporting
Data breaches must be reported to Commissioner within 72 hours of discovery
Individuals impacted should be told where there exists a high risk to their rights and freedoms, e.g. identity theft, personal safety
Breaches, their impact & any remedial action must be fully documented
Notification
Controllers responsible for the processing of personal data need to notify with our Office
This is an annual process and costs £50.
Exemption from this where processing is only for:
Accounts and records
Staff matters
Advertising own goods & services
Small landlords can probably claim this exemption
But, if CCTV is used, the landlord must be notified
Useful Guidance
Conditions for Lawful Processing
https://odpc.gg/wp-content/uploads/2018/06/Conditions.pdf
Information to be Given – Transparency (privacy notices)
https://odpc.gg/wp-content/uploads/2018/03/InfoGiven.pdf
Breach Reporting
https://odpc.gg/wp-content/uploads/2018/06/BreachReporting.pdf
Notification and Registration
https://odpc.gg/wp-content/uploads/Notification-and-Registration.pdf
The Office of the Data Protection Commissioner
St Martin’s House, Le Bordage, St Peter Port, GY1 1BR
Telephone: (01481) 742074
Office email: enquiries@odpc.gg
Website: www.odpc.gg