At the heart of data protection are the 10 rights of the individual whose personal data is being processed.
Surrounding that person are these seven principles, outlined in The Data Protection (Bailiwick of Guernsey) Law, 2017, which all local organisations are legally obliged to adhere to:
An organisation's duties all flow from the seven principles listed below.
Because the law is principles-based, there isn’t a helpful set of precise rules for you to follow (e.g. ‘you must delete data after x number of years’). But the good news is that in many cases you are free to make your own decisions about how you apply the principles to your activities.
The key thing is to get to know your own data processing practices, the Law and its principles (below) as well as you can, keep protection of individuals’ rights at the heart of what you do, and document your decision-making.
You must have a valid legal reason for processing personal data. You must obtain it without deceiving the person whose data it is, and you must make it clear exactly how you are going to use their data.
You must only use personal data for the reason (or reasons) you have told the person you are using it for.
You must only ask for the minimum amount of personal data necessary from the person.
You must ensure that any personal data you hold is accurate and, where necessary, up to date.
You must not keep personal data for longer than you need it.
You must keep personal data safe so that it doesn’t get accidentally deleted or changed, or seen by someone who is not allowed to see it.
This is the big one, the foundation which the other six principles rest on (see graphic above). You must be able to evidence your accountability by showing how you take responsibility for what you do with people's data.