Introduction
This briefing is part of the Walker Series on the Data Protection (Bailiwick of Guernsey) Law 2017 ('DPL'). It outlines what information organizations must provide to data subjects when collecting personal data, and how that information should be provided.
A related explanation of the purpose of the DPL, some of the key concepts used in the DPL, what the data principles are, and the rights of data subjects can be found here.
What is a privacy notice?
DPL recognizes how important it is to provide individuals with clear, relevant and accurate information about what is happening with their data. When an organization collects data (whether online or offline, directly or indirectly), it must be completely clear how that data will be used. Information provided regarding the processing of personal data must be written in clear and simple language that is concise and easy to understand.
These are usually called data processing notices, privacy notices or data protection notices, or are otherwise clearly marked as information about how the organization uses your personal data.
The information contained in a privacy notice should be easily accessible and available free of charge to data subjects. Privacy notices should be tailored to the data subjects receiving them, depending on how their data will be used. Organizations must decide how to notify data subjects of privacy notices at the time of data collection.
What information do I need to provide?
The DPL specifies in some detail the information that must be provided to data subjects. This includes (but is not limited to):
- The identity and contact details of the controller (and the controller's representative, if applicable).
- Contact details of the data protection officer, if applicable.
- Whether any of the data is special category data (special category data includes health information, political opinions, religious beliefs, ethnic origin, etc.).
- The source of the personal data and whether it comes from publicly available sources.
- The purpose and legal basis of the processing.
- If the lawfulness of the processing is based on it being necessary for the purposes of the controller's legitimate interests, what those legitimate interests are.
- The recipients or categories of recipients of the personal data, if any.
- Whether the controller intends to transfer the personal data to a recipient in a jurisdiction other than Guernsey, an authorized jurisdiction or a Member State of the European Union.
- The expected period for which the data will be stored or, if that is not possible, the criteria used to determine that period.
- The data subject's rights under the DPL.
- The existence of the right to withdraw consent to the data processing.
- The right to lodge a complaint with the Guernsey Data Protection Authority ('ODPA').
- Whether any decisions are made based on automated processing of personal data.
When collecting personal data directly from an individual, an organization does not have to provide the individual with information that the individual already has. Where an organization obtains personal data from another source, the ODPA's guidance is that the information need not be provided if:
- The data subject already has the information.
- It is not possible to provide any information to the data subject.
- Providing information to data subjects requires a disproportionate effort.
- Providing information to the data subject could undermine the purposes for which the personal data is processed.
- The information or personal data must be kept confidential in order to carry out or comply with an obligation imposed on the controller by law; or
- The organization is required by law to obtain or disclose the personal data.
How should the information be provided?
When organizations collect personal data directly from individuals, they must provide those data subjects with clear and accurate information detailing how the data will be used at the time of collection. If an organization obtains personal data from a source other than the data subject, it must provide the data subject with the information:
- Within a reasonable period after obtaining the personal data, and at the latest within one month.
- If the data is used to communicate with the individual, at the latest when the first communication takes place; or
- If disclosure to another recipient is envisaged, at the latest by the time the data is first disclosed.
Information provided by organizations regarding the processing of personal data must be concise, transparent, understandable and easily accessible. It should be free and written in clear and plain language, especially if addressed to children.
Organizations must decide how to notify data subjects of privacy notices at the time of data collection. If your organization uses data across different jurisdictions, you must ensure that you comply with all relevant local laws.
Comments from Walkers
Privacy notices should be tailored to the data subjects receiving them, depending on how their data will be used. Privacy notices can be complex, and there is no “one size fits all” solution that applies to all organizations and data subjects. If you don't do this correctly, your organization can face hefty fines from ODPA.