This Protocol sets out the internal Corporate Governance arrangements for the Guernsey Data Protection Authority (“the Authority”). The arrangements set out here were adopted by the Authority on 25 May 2018, were updated in January 2021 and will be kept under review by the Authority.
The Authority is a statutory body created by the Data Protection (Bailiwick of Guernsey) Law 2017 (“the DP Law”) which sets out its responsibilities. Part XI of the DP Law (sections 60-77) sets out the main functions of the Authority and Schedule 6 sets out various provisions about how the Authority must, or may, conduct itself. Schedule 7 sets out information-gathering and other powers.
The DP Law is the ultimate instrument for corporate governance and this Protocol takes effect subject to its provisions. This Protocol has been adopted to achieve maximum clarity about the role and authority of each participant and their inter-relationships. Some (but not all) of the provisions of the DP Law are repeated in this Protocol in more accessible language. Many of the provisions are elaborated, especially where a discretion is available to the Authority.
The Authority and its Board
The Authority currently consists of seven members – the Chairman, five voting members and the Data Protection Commissioner as a non-voting member. As the governing body, for convenience the members are known as “the Board”.
The Authority, through the Board, carries the ultimate responsibility for the discharge of the responsibilities created by the DP Law. The Authority is the guardian of independence, sets the organisation’s strategic direction, holds the Commissioner to account and provides the Commissioner with advice, support and encouragement. It is also responsible for maintaining the high standards expected of a public body.
The Authority is responsible for appointing (or re-appointing) the Commissioner and (subject to stringent limitations) removing a Commissioner from office.
The Authority has certain other specific responsibilities under the DP Law – e.g. producing the Annual Report, employment of staff, maintaining (and reporting on) proper financial accounts and records.
More general areas of responsibility will include:
• periodic adoption of objectives, strategic / business plans and budgets
• review of performance against plans
• regular review of risks facing the Authority
• allocation of resources, including any single item of expenditure in excess of £50,000
• overall financial control
• strategic staffing issues
• major accommodation issues
• service standards and performance measurement
• corporate ethics
• oversight of the Authority’s reputation and standing
• major policy issues
• consideration of each draft Annual Report, including audited accounts
The Authority has very limited operational responsibilities and it is the Commissioner who is responsible for day-to-day operations, individual casework and most enforcement decisions.
The Commissioner holds office for a fixed term which may be renewed by the Authority. The Commissioner is a non-voting member of the Authority and attends all meetings of the Authority.
Specific responsibilities include:
• acting as Chief Executive of the Authority, providing leadership to ensure its effective and efficient management;
• managing the staff of the Authority and all day-to-day operations of the Authority;
• ensuring propriety of all expenditure;
• ensuring that each year the expenditure of the Authority does not exceed the financial resources available to it; and
• acting as the principal public face of the organisation.
In accordance with Paragraph 6 of Schedule 6 of the DP Law, the Commissioner “may exercise or perform, on behalf of the Authority, and in its name, any function of the Authority other than a reserved function.” A function exercised or performed by the Commissioner is “deemed for all purposes to have been exercised or performed by the Authority”. This includes fulfilling the (mandatory) duties imposed upon the Authority and exercising any of the (discretionary) powers available to the Authority.
Paragraph 6 is expressed to be “subject to any policies, procedures and specific directions issued by the Authority”. The Authority has not, however, issued any such policies, procedures or directions to limit the powers of the Commissioner.
Under the DP Law the functions of the Authority which may not be exercised or delegated by the Commissioner are:
• issuing a public statement under section 64 of the DP Law (“…gravity of the matter or other exceptional circumstances”);
• making an order to pay an administrative fine;
• making of the Annual Report; or
• any other function specified by the Authority by written notice given to the Commissioner.
Members of staff are employed by the Authority, but recruited and managed by the Commissioner. The Commissioner will consult the Chair of the Authority before proceeding with:
• recruitment of a Deputy Commissioner;
• significant changes to staff terms and conditions, salaries or pension arrangements;
• significant disciplinary action;
• dismissal of any member of staff.
The Commissioner may, by written notice, also delegate any specified function to any employee in accordance with the DP Law. This does not require the involvement of the Authority. In accordance with a written Notice of Delegation, the Deputy Commissioner will be able to deputise for the Commissioner and exercise any of her functions. The Deputy Commissioner attends all meetings of the Authority.
Proceedings of the Authority’s Board
In accordance with the DP Law, the Board resolved on 25 May 2018 to meet four times a year. An annual schedule of meetings will be established.
With a current membership of six voting members, the quorum for each Board meeting is four. The DP Law provides that any decision is made by a majority vote, with neither Chair nor Commissioner voting. In the event of a tie the Chair has a casting vote.
An agenda and supporting papers will be circulated to members of the Authority at least one clear week in advance of the meeting. Special arrangements will be made where papers contain personal data or sensitive enforcement or similar information. All matters requiring substantial decisions should usually appear on the agenda and be supported by short papers including the necessary information upon which to base a decision. There may be pressing circumstances where this cannot happen.
At each regular meeting of the Board, the Commissioner will normally provide a written or oral report on recent, current and prospective activities and issues, and a written report with management accounts to summarise the budgetary situation.
The DP Law requires proper minutes to be kept.
The Code of Practice for Members covers conduct at meetings, disclosure of interests (at meetings and in a public Register) and the handling of information, including personal data.
The DP Law also provides that business may be transacted by circulation of papers and that a written resolution approved by a majority of voting members is as valid as if passed at a meeting.
The Board has established the following Committees:
- Audit and Risk Committee – which primarily (1) oversees the Authority’s financial reporting processes to ensure the balance, transparency and integrity of financial information, (2) reviews the effectiveness of internal financial controls and (3) reviews the risk management process. Its full role, authority and procedures will be set out in the ODPA Risk and Audit Charter.
- Section 64 Committee – to which (in accordance with Paragraph 14 of Schedule 6 of the DP Law) the Board has delegated power to make public statements under section 64 of the DP Law.
Relationship with the Guernsey States of Deliberation
Although some funding is received from the States of Deliberation in accordance with the DP Law, it is important that the Authority is – and is seen to be – independent from the States. A separate Memorandum of Understanding sets out the relationship between the Authority and the Committee for Home Affairs.