Glossary · ODPA

A

Adequacy decision

The Bailiwick is one of several jurisdictions that the European Commission (EC) currently recognises as offering an adequate standard of data protection. An adequacy decision from the EC is essential to the continued success of the Bailiwick’s economy as it allows EU organisations to easily transfer data to the islands of the Bailiwick.

Administrative fine

A fine ordered by the Data Protection Authority

Anonymised

Data is considered 'anonymised' if an organisation has irreversibly removed all information from a set of data that could have identified individual people. If data has been irreversibly anoymised then it is no longer classified as personal data.

Authorised jurisdiction

The Bailiwick of Guernsey
A Member State of the European Union
Any country, any sector within a country, or any international organisation that the (European) Commission has determined ensures an adequate level of protection within the meaning of Article 45(2) of the GDPR and for which the determination is still in force.
A designated jurisdiction (by Ordinance)

B

Biometric data

Personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of an individual, which allows and confirms the unique identification of that individual, such as facial images or dactyloscopic (fingerprint) data.

C

Child

An individual under 18 years of age. Visit our children area for more information.

Consent is a freely given, specific, informed and unambiguous indication that an individual agrees to the processing of their personal data. It can be expressed either by a clear affirmative action or by a clear statement. Note: ‘Consent’ and ‘Explicit Consent’ are different to each other in ways that are tricky to summarise. But in essence it boils down to the difference between actions the person may take to indicate their consent, and a written statement where they give their explicit consent.

Remember, regardless of which consent is used, if the person withdraws their consent the processing of their personal data must stop.

Controller

A Controller is any entity* who is responsible for the decisions made about why and how they use personal data about staff, customers, suppliers, or any other people. Note: if you are an individual employee of a organisation you would be usually considered to be part of the controller.

* this entity would normally be an organisation, but it could be a specific human being (e.g. sole traders, landlords, elected officials etc).

See related entry on 'Processor'

Criminal data

Criminal data is any personal data about a person's: criminal activity; alleged criminal activity; investigations into that person; and legal proceedings involving that person.

D

Data harms

The harm a person experiences that is caused by the misuse, loss, or improper sharing of their personal-data both deliberate and/or accidental. Harm can be felt physically or emotionally. For example, loss of money through fraud or identity theft, or damage to a person’s reputation and any emotional distress they suffer.

Data Protection Impact Assessment (DPIA)

Data Protection Impact Assessments (DPIAs) are an important compliance tool when you are embarking on new processing or making changes to existing processes. In some cases it will a legal requirement that you conduct a DPIA.

You can read more about DPIAs here.

Data subject

A 'data subject' is the person who is identified (or identifiable) by personal data. So you, me, your family and friends are referred to as 'data subjects' when our personal data is being used by a organisation/entity.

Data Subject Access Request

A data subject access request ('DSAR' or simply 'SAR') is when an individual asks a controller for details of what information they have about them and what they are doing with that information. In plain English the person is asking: what do you know about me?; what do you think about me?; what do you think you know about me?; what are you doing with it all?

Read more about the ‘right of access’ here.

Data subject rights

Means a legal right a person* has under our Law. Please see Your Rights for more detail.

*(people are known as 'data subjects' in the Law)

E

Explicit consent has the same requirements as consent, with the extra safeguard that it must be conveyed in an express written statement. For example, through a signed written statement, or by filling in an electronic form, or by sending an email.

Note: ‘Consent’ and ‘Explicit Consent’ are different to each other in ways that are tricky to summarise. But in essence it boils down to the difference between actions the person may take to indicate their consent, and a written statement where they give their explicit consent.

Remember, regardless of which consent is used, if the person withdraws their consent the processing of their personal data must stop.

F

Filing system

Any structured set of personal data which is accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis.

G

This is the acronym for the European Union's General Data Protection Regulation. The GDPR does not have direct application in the Bailiwick of Guernsey as we are not an EU member state.

But our local Law (The Data Protection (Bailiwick of Guernsey) Law, 2017) gives equivalent protections to the GDPR, and the Bailiwick is recognised as an 'adequate' jurisdiction by the European Commission. This allows for free-flow of data between the EU and the Bailiwick.

Genetic data

Personal data relating to the inherited or acquired genetic characteristics of an individual which gives unique information about the physiology or the health of that individual, including as a result of an analysis of a biological sample from the individual.

H

Health data

Personal data relating to the health of an individual, including the provision of health care services, which reveals information about the individual’s health (physical or mental) status.

Includes the purpose of preventative or occupational medicine, the assessment of the working capacity of an employee or worker, medical diagnosis, the provision of medical, health or social care or treatment, or the management of medical, health or social care systems and services.

High risk

Processing of personal data is deemed to be likely to pose a high risk to the significant interests of data subjects where it involves –

A systematic and extensive evaluation of personal aspects relating to data subjects based on automated processing, and decisions are based on the evaluation that affect the significant interests of the data subjects,
Large scale processing of special category data,
Large scale and systemic monitoring of a public place, or
Any other prescribed kind or description of processing.

High-risk processing

Any processing of personal data that is likely to pose a high risk to the significant interests of data subjects. This should be determined by considering the nature, scope, context and purpose of the processing as well as the technology, mechanism or procedure used to process the data in question.

Processing of personal data will be considered as posing a high risk where it involves –

a systematic and extensive evaluation of personal aspects relating to data subjects based on automated processing, and decisions are based on the evaluation that affect the significant interests of data subjects,
large-scale processing of special category data,
large-scale and systematic monitoring of a public place, or
any other prescribed kind or description of processing.

I

Identifiable individual

An individual is identifiable from any information where the individual can be directly or indirectly identified from the information, including –

by reference to a name or an identifier
by reference to one or more factors specific to the person’s physical, physiological, genetic, mental, economic, cultural or social identity,
where, despite pseudonymisation, that information is capable of being attributed to that individual by the use of additional information, or
by any other means reasonably likely to be used, taking into account objective factors such as technological factors and the cost and amount of time required for identification in the light of the available technology at the time of processing.

Identifier

A number or code that is assigned to an individual by a controller or processor and that uniquely identifies that individual. It includes location data and number or code issued to an individual by a public authority but excludes an individual’s name.

O

One month

The Law requires controllers to comply with a request to exercise data subject rights within the designated period which is specified as one month.

The Interpretation and Standards Provisions (Bailiwick of Guernsey) Law, 2016 provides that one month shall mean calendar month.

P

Personal data

‘Personal data’ has a very broad legal definition, it is: ‘any information relating to an identified or identifiable [living] individual’.

The scope of what is considered ‘personal data’ expands even further when you consider that it includes both factual information about people as well as opinions expressed about people. It also includes anonymised data that could identify people if it was combined with other information.

NOTE: personal data does not include: any data about a dead person; any information, facts or opinions that do not relate to, or identify people (e.g. employment statistics, or anything else that has been irreversibly anonymised)

Personal data breach

A personal data breach is defined in section 111(1) of the Law as any incident that meets the following criteria: “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”. There will likely be a breach whenever any personal data is accidentally lost, corrupted or disclosed, or if someone accesses it or passes it on without proper authorisation to do so.

One of the key changes to the local data protection law that came into force in May 2018 is that organisations are legally required to notify the ODPA of any personal data breach within 72 hours of becoming aware of it (see section 42 (2) of the Law).

Organisations can report a breach to us online here. We have produced guidance on handling data breaches here.

You can access the statistics we publish about personal data breaches here.

Processing

The legal definition of ‘processing’ is very broad: ‘Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means.’

In plain English, ‘processing’ can be summed up as: anything you do with personal data.

Some examples of processing include: Collection; Recording; Organisation; Structuring; Storage; Alteration; Retrieval; Consultation; Use; Disclosure; Dissemination; Restriction; Erasure; Destruction.

Processor

A processor is any entity* that is given the task of processing personal data by a controller. Processors do not determine the nature or the means of the processing, they just do what the controller tells them to do. If you are part of such an arrangement you need to have in place a Controller/Processor agreement.

* this entity would normally be an organisation, but it could be a specific human being (e.g. sole traders, landlords, elected officials etc).

Profiling

Any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to an individual, including aspects concerning that individual’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.

Pseudonymisation

The processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, where that additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data is not attributed to an identified or identifiable individual.

Public authority

The following are public authorities for the purposes of the Law.

(a) the States,

(b) a public committee,

(d) a statutory body,

(e) a court or tribunal of the Bailiwick,

(f) any person hearing or determining an appeal, or conducting a public inquiry, under any enactment,

(g) the salaried police force of the Island of Guernsey or any police force which may be established by the States of Alderney or Chief Pleas of Sark,

(h) a parish Douzaine of the Island of Guernsey or the Douzaine of the Island of Sark,

(i) any person exercising or performing functions or holding any office similar or comparable to any of the persons described in paragraphs (a) to (h) in respect of any country other than the Bailiwick, or

(j) any other person that exercises or performs any function that is of a public nature in respect of the Bailiwick or any other country.

S

Significant interests

A person’s ‘significant interests’ are defined in the local Law as any aspect of their life that could be put at risk due to their #personal-data being breached. This could include their physical safety, their reputation, and could extend to placing them at risk of identity theft, fraud, financial loss, psychological distress or humiliation.

Special category data

Personal data revealing an individual’s racial or ethnic origin, political opinion, religious or philosophical belief, trade union membership, genetic data, biometric data, health data, data concerning an individual’s sex life or orientation, criminal data.

Subject Access Request (SAR)

See entry on 'data subject access request' (DSAR).

Jargon Explained

A