42
DAYS LEFT

New registration requirements

If you use personal data in your work you are legally obliged to register here during 1 Jan - 28 Feb.
More details at odpa.gg/2021.

Jargon Explained

We want everyone to engage positively and constructively with data protection rights and responsibilities. To do that, we try and present information and guidance in a relevant and accessible way. Although it is sometimes necessary to use legal terminology, we will use plain English wherever we can. Data protection is for all of us, not just for lawyers.
All
A
B
C
D
E
F
G
H
I
J
K
L
M
N
O
P
Q
R
S
T
U
V
W
X
Y
Z

P

Personal data

‘Personal data’ has a very broad legal definition, it is: ‘any information relating to an identified or identifiable [living] individual’.

The scope of what is considered ‘personal data’ expands even further when you consider that it includes both factual information about people as well as opinions expressed about people. It also includes anonymised data that could identify people if it was combined with other information.

NOTE: personal data does not include: any data about a dead person; any information, facts or opinions that do not relate to, or identify people (e.g. employment statistics, or anything else that has been irreversibly anonymised) 

Personal data breach

A personal data breach is defined in section 111(1) of the Law as any incident that meets the following criteria: “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”.  There will likely be a breach whenever any personal data is accidentally lost, corrupted or disclosed, or if someone accesses it or passes it on without proper authorisation to do so.

One of the key changes to the local data protection law that came into force in May 2018 is that organisations are legally required to notify the ODPA of any personal data breach within 72 hours of becoming aware of it (see section 42 (2) of the Law).

Organisations can report a breach to us online here. We have produced guidance on handling data breaches here

You can access the statistics we publish about personal data breaches here

Processing

The legal definition of ‘processing’ is very broad: ‘Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means.’

In plain English, ‘processing’ can be summed up as: anything you do with personal data

Some examples of processing include: Collection; Recording; Organisation; Structuring; Storage; Alteration; Retrieval; Consultation; Use; Disclosure; Dissemination; Restriction; Erasure; Destruction.

Processor

An individual or other person that processes personal data on behalf of a controller and includes a secondary processor (another processor engaged by the primary processor).

Profiling

Any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to an individual, including aspects concerning that individual’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.

Pseudonymisation

The processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, where that additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data is not attributed to an identified or identifiable individual.

Public authority

The following are public authorities for the purposes of the Law.

(a)  the States,

(b)  a public committee,

(c)  a holder of a public office,

(d)  a statutory body,

(e) a court or tribunal of the Bailiwick,

(f)  any person hearing or determining an appeal, or conducting a public inquiry, under any enactment,

(g)  the salaried police force of the Island of Guernsey or any police force which may be established by the States of Alderney or Chief Pleas of Sark,

(h)  a parish Douzaine of the Island of Guernsey or the Douzaine of the Island of Sark,

(i)   any person exercising or performing functions or holding any office similar or comparable to any of the persons described in paragraphs (a) to (h) in respect of any country other than the Bailiwick, or

(j)   any other person that exercises or performs any function that is of a public nature in respect of the Bailiwick or any other country.