Guernsey - Data Protection
History of Data Protection in GUERNSEY
Guernsey, as a Crown Dependency of the UK, has traditionally followed UK legislation closely. This has been the case in the field of data protection.
The Data Protection (Bailiwick of Guernsey) Law 1986 was a close copy of the UK's 1984 Data Protection Act. Similarly, the Data Protection (Bailiwick of Guernsey) Law 2001, which came into force in August 2002, largely followed the UK Data Protection Act 1998.
In November 2003, the European Commission granted Guernsey's data protection legislation a 'declaration of adequacy', acknowledging that the island's law met European standards.
Summary of Data Protection in GUERNSEY
| Title of Data Protection Legislation | Data Protection (Bailiwick of Guernsey) Law 2001 |
| Name of supervisory authority | Data Protection Commission |
| General Powers of supervisory authority | The section in the Law on the functions of the Commissioner (s.51) is identical to the corresponding section in the UK Data Protection Act 1998. The Commissioner seeks to ensure compliance with the law through working with local data controllers, promoting good practice and codes of practice. The Commissioner can also investigate complaints, and works closely with the UK Information Commissioner (see Data Protection Commissioner's website). |
| Who has standing to notify the supervisory authority of breaches? | The data subject |
| What are the penalties for data controllers if they breach the law? | The 2001 law sets out the penalties in section 60. The main punishment is a fine. However, in certain circumstances, the court may order the forfeiture, destruction or erasure of any material or document used in the processing of personal data (s60(3)). |
| Have any provisions been made for the processing of a national identification number or a general identifier, as per Article 8(7)? | Schedule 1 part II paragraph 4(1) of the 2001 law states that: "Personal data which contain a general identifier falling within a description prescribed by the Committee by Order are not to be treated as processed fairly and lawfully unless they are processed in compliance with any conditions so prescribed in relation to general identifiers of that description". |
| Is it necessary to obtain consent before processing personal data, or are alternatives available even when obtaining consent would not be impracticable or inappropriate? | It is probably sufficient to use alternatives to consent even when it is not impracticable or inappropriate to obtain it. |
| Does the Data Protection Legislation cover the deceased? | No |
| Who is able to indirectly identify the data subject? | As the 2001 Guernsey law is a close copy of the UK law, only the data controller can indirectly identify the data subject. |