The Data Protection (Bailiwick of Guernsey) Law, 2017 sets out the principles that should be applied whenever a controller or processer established in the Bailiwick works with information about people – so its application is broad. The Law’s purpose is to protect people’s rights over their personal data, and to ensure the free movement of personal data.
The Data Protection (Law Enforcement and Related Matters) (Bailiwick of Guernsey) Ordinance, 2018 applies only when a ‘competent authority’ is using information about people for a ‘law enforcement purpose’ – so its application is narrow.
Like the Law, the LEO aims to protect people’s rights over their personal data, and to ensure the free movement of personal data.
In contrast to the Law, it is designed to take account of the extra care that must be taken when personal data is used for a law enforcement purpose. This extra care is needed because this type of processing carries a number of risks for victims, witnesses and suspects of crime, as well as greater considerations for public and national security. The LEO is intended to offer the same provisions as the equivalent European laws, so that law enforcement bodies can easily share relevant information across these jurisdictions.
In July 2023 the UK deemed the LEO ‘adequate’ for the transfer of personal data for law enforcement purposes. An ‘adequacy decision’ is a formal decision made by a jurisdiction which recognises that another country, territory, sector or international organisation provides an equivalent level of protection for personal data as they do.
You are considered a ‘competent authority’ if you meet the following definition in section 50 of the LEO. Please note the importance of the combination of being one of the ‘persons’ listed as well as having a law enforcement purpose:
“Any of the following persons, when exercising or performing a function conferred or imposed on the person by law or by a States Resolution for a law enforcement purpose
(i) the States,
(ii) a public committee,
(iii) a holder of a public office,
(iv) a statutory body,
(v) a court or tribunal of the Bailiwick,
(vi) any person hearing or determining an appeal, or conducting a public inquiry, under any enactment,
(vii) the salaried police force of the Island of Guernsey or any police force which may be established by the States of Alderney or Chief Pleas of Sark,
(viii) a parish Douzaine of the Island of Guernsey or the Douzaine of the Island of Sark, or
(ix) any person exercising or performing functions or holding any office similar or comparable to any of the persons described in subparagraphs (i) to (viii) in respect of any country other than the Bailiwick, or
(b) any other person that exercises or performs any function that is of a public nature in respect of the Bailiwick or any other country, when exercising or performing a function that is of a public nature in respect of the Bailiwick or any other country for a law enforcement purpose, or
(c) any other prescribed person,”
To reiterate: the LEO only applies to the above competent authorities when they are exercising or performing a function conferred or imposed on the person by law or by a States Resolution for a law enforcement purpose. For all other purposes these competent authorities are required to apply the Law (not the LEO) when they are using people’s data.
There are four types of activity that count as law enforcement purposes:
1. The first is any purpose that aims to prevent, investigate, detect, or prosecute a criminal offence.
2. The second is to execute criminal penalties.
3. The third is to safeguard against or prevent threats to public or national security.
4. The fourth is to allow a public authority to take action as outlined in a criminal proceeds enactment.
It is important to understand that while some provisions within the Law do apply within the LEO (as explained within section 3 of the LEO), almost all elements of the LEO differ in some way to the equivalent section of the Law.
If you are a competent authority and you are doing something that means the LEO applies, it is your responsibility to understand how the following elements apply to what you are doing:
• Data Subject Rights
• Lawful bases
• Controller/Processor agreements
• International Transfers
• ODPA enforcement powers
• Data Protection Impact Assessments
• Data Protection Officers
• Automated Processing
• Personal data breaches
There may be occasions where the same personal data is processed by a competent authority for different purposes, with some purposes falling under the LEO and some under the Law. In these circumstances it is important to identify which legislation applies to the specific purpose in question.