The Data Protection Commissioner is an independent official appointed by the States. He is responsible for administering the provisions of the Data Protection (Bailiwick of Guernsey) Law, 2001, “the Law”.

The Law requires data controllers, those collecting and using personal data, to comply with rules of good information handling practice called the Data Protection Principles. The Commissioner’s specific duties include providing information and advice to the public and data controllers on the requirements of the Law and best practice. He maintains a public register of data controllers who are required to notify their processing, that is to provide a basic description of the personal data they process and the purposes for which they process them.

In making effective use of his resources the Commissioner’s focus is on seeking to ensure compliance, and the following of best practice, in the future. Failure to adhere to the Data Protection Principles, which require among other things, that data controllers hold accurate and relevant data which are subject to appropriate security, and processed fairly, is not a criminal offence and the Commissioner has no powers to punish a data controller for such contraventions.

Educating Data Controllers

Though a data controller may be an individual, (for example where a self-employed consultant uses personal data for business purposes) most data controllers will be companies or organisations. The Commissioner’s strategy is to encourage data controllers to build data protection compliance into their business practices. For example, he will seek to ensure that States Committees and other public bodies, which hold substantial amounts of data on citizens, consider at the outset the implications of any policy developments which will involve the processing of personal data.

Informing Data Subjects

An equal priority is to inform individuals (data subjects) of the requirements of the Law and, in particular, of their right of access to information held about them, so they can take up any concerns they may have regarding a data controller’s processing directly. The Commissioner strongly encourages individuals who have specific concerns to approach the data controller rather than to report any apparent contraventions to him at the outset. He believes that many matters can be resolved quickly without reference to his office. Besides publishing guidance on his website (http:/dataprotection.gov.gg), the Commissioner has produced a general explanatory leaflet. Individuals can obtain copies of this leaflet from the Guille Allès Library, Citizen’s Advice Bureau or the Data Protection Office – tel. 01481 742074.

How Can the Commissioner Help You?

The Commissioner publishes advice on how to exercise your rights, for example your right of access to data about you and the right to seek compensation, and the standards you can expect from data controllers. If you are uncertain whether particular processing may involve a breach of the Law you can consult the guidance on the Commissioner’s website, or call the office.

Taking Your Concerns Up With the Data Controller

You should clearly explain the nature of your concerns. For example, if you think that data about you are inaccurate explain why, identifying the data you dispute and providing what you believe to be the correct data. Unless it is a fairly trivial matter, which can easily be sorted out over the phone, you should put your concerns in writing. In many cases this will get the matter sorted out much quicker than if you come straight to the Commissioner. Even if it is a matter that cannot, in a sense, be resolved, for example, if a disclosure has been made which you believe should not have been made without your consent, you should still take the matter up with the data controller in order to seek an explanation. It may be that there is a good explanation for the disclosure (for example, it may be required by law). Even if there isn’t a clear legitimate basis for the disclosure, by drawing your concerns to their attention without delay you will be alerting them to the need to review their practices.

Taking Your Concerns Up With the Commissioner

If you do not get a satisfactory response you may wish to take up your concerns with the Commissioner. However, before doing so you need to ask yourself whether the matter you are concerned about is an appropriate one to refer to him. Just because personal data are involved it does not follow that the Commissioner will be able to assist you. For example, you may believe that a service you were provided with was not satisfactory and decide, therefore to withhold payment and then believe that the supplier’s records are wrong if they show you as in default. In such a case the Commissioner has no competence to judge whether you were entitled to break the terms of the contract. However, in such a case, if an appropriate body had made a formal determination then the relevant records should reflect that judgement. Therefore, if a court had decided that you were entitled to withhold payment, in effect that you did not owe any money, and the company concerned continued to chase you for payment then they would be likely to be in breach of the Law.

If you are satisfied that the matter is one that is appropriate to refer to the Commissioner do bear in mind that he may need some form of evidence before he can give authoritative advice. For example, if the matter concerns a dispute about what was said in an unrecorded conversation, perhaps an alleged verbal agreement of several years ago, the Commissioner is unlikely to be in a position to make an adverse assessment against the other party unless there is other evidence to support your side of the story. In any event, it is important to understand that the Commissioner is not charged with acting on behalf of individuals to sort out any problems they are experiencing relating to, or involving, personal data.

Request for an Assessment

Who Can Request an Assessment?

Persons who believe they are directly affected by any processing of personal data may request the Commissioner to assess whether the processing is likely or unlikely to have been carried out in compliance with the requirements of the Law.

How Can an Assessment Help You?

An assessment will inform you whether the matters that concern you are likely to involve a breach of the Law. It may help you in resolving a dispute and help you to decide whether to take legal action.

Making assessments helps the Commissioner identify matters of concern and breaches of the Law. Where he makes an assessment that compliance is unlikely he always advises the data controller concerned of this so that they can review their procedures. Therefore, even though an assessment may not be of any immediate benefit to you, by drawing the matter concerned to the Commissioner’s attention you may well have contributed to the improved handling of personal data in the future.

Making an Assessment

In most cases the Commissioner will be obliged to make an assessment. However, the Commissioner has wide discretion regarding the manner in which he carries out an assessment, for example, whether he gives an opinion simply on the facts as presented to him by the person making the request, or whether he seeks further information. The Law states that the Commissioner can take into account the extent to which the request raises a matter of substance and whether there has been any undue delay in making the request. However, the Commissioner is entitled to take into account such other factors as he believes are relevant. A major consideration will be to make cost-effective use of the resources available to him. He will devote grater resources to assessments which concern possible breaches of the Law that could have a significant adverse affect on individuals. He may conduct an assessment simply on the basis of the information provided by the person making the request.

It is important to appreciate that the Commissioner is not required to come to a firm determination of whether or not there has been a breach of the Law. He is simply required to decide whether, on the information available to him, compliance is, on balance, likely or unlikely. In many cases there will be genuine difficulty in coming to an opinion.

In What Circumstances Will the Commissioner Take Action?

The Commissioner may take formal action where he considers this appropriate whether or not he has been asked to make an assessment in respect of the processing concerned. The Commissioner appreciates that where individuals feel they have been badly treated by a data controller it is understandable if they wish to see the data controller punished.

However, though there are a limited number of criminal offences which the Commissioner may prosecute in appropriate circumstances, he has no powers to punish. The Commissioner’s role is to promote compliance. Where individuals suffer damage as a result of any contravention of the Law they can pursue a claim of compensation through the courts.

The Commissioner is not under duty to take any action even when he has made an adverse assessment. However, he will advise the data controller concerned of his assessment so they can review their practices in order to seek to prevent contraventions in the future. Where steps have been taken to remedy an apparent breach (e.g. by correcting an inaccuracy), or where the likely contravention concerns a matter of little real significance, he is unlikely to require any further action from the controller. However, if he receives evidence which suggests continued non-compliance, he may well seek written assurance that the issues have been properly addressed and, if appropriate, consider enforcement action. Assessments may raise general issues, for example relating to practices within a particular industry, which she may pursue on an industry-wide basis. However, whether it appears that continued non-compliance could have a significant adverse affect on individuals, the Commissioner will pursue the matter with the data controller and seek assurances of future compliance.

If You Want the Commissioner to Make an Assessment

If you decide you want to request an assessment then please complete an official request form. You can obtain this from our website or from our office if you do not have Internet access. Using the form should ensure that you provide us with all the relevant information at the outset.

When we have made an assessment we will tell whether we consider it likely or unlikely that the processing concerned was carried out in compliance with the Law. If our assessment is that compliance is unlikely we will advise the data controller accordingly so that they can review their practices. However, in the great majority of cases we will take no further action.

Compensation

The Commissioner has no powers to require a data controller to pay compensation. If you wish to seek compensation you may take the matter to court. However, it is important to note that a court may not necessarily agree with the assessment that we have made and, in any event, you would have to convince a court that not only had the data controller acted in breach of the Law, but that this actually caused you quantifiable damage.

Please note you do not need to have requested an assessment in order to seek compensation in a court under Section 13 of the Law.