This post is presented for information purposes only and references the GDPR, which may differ from the Data Protection (Jersey) Law 2018.
The content of this post does not constitute legal advice and should not be relied upon as such.
Consult your legal counsel for clarity on, and understanding of, your particular rights and obligations in order to comply with any laws and/or regulations.
Almost every health service provider from a single-person chiropractor to GP surgeries, dental practices, and care homes will be controllers or processors of Special Categories of data.
In Jersey, all controllers or processors of Special Categories of data are required to appoint a Data Protection Officer. The Data Protection Officer can be outsourced or internal unless otherwise instructed by the Jersey Office of the Information Commissioner (OIC).
It is important to understand that Special Categories of data can impact the smallest of organisations in Jersey (i.e. a sole trader) and that holding Special Categories of data in paper records is not an exemption under the Jersey-GDPR.
In this post, data protection expert Marc Allenet looks at the new regulations and what they mean for health service providers in Jersey.
What are special categories of data under the GDPR?
The General Data Protection Regulation (GDPR) defines Special Categories of data that are considered highly sensitive. These include:
- Genetic or biometric
- Racial or ethnic origin
- Sex-life or sexual orientation
- Political affiliations or opinions
- Religious or philosophical beliefs
- Trade Union memberships
- Criminal (or alleged)
Each of these special categories must be treated with the utmost care to ensure the highest standards of data protection and privacy.
While there are some potential exemptions that may apply under the EU/UK versions of the GDPR, no such exemptions apply in the Jersey Data Protection law.
The opinion of the Jersey Office of the Information Commissioner (OIC) is that Special Category rules apply, as specified in law, regardless of the scale of the organisation or service provider.
However, the conditions of ‘proportionate and appropriate’ also apply, as specified, to the application of the law and to the enforcement scope of the regulator.
The OIC stated that they seek to assist organisations, from the smallest to the largest, in applying best practice and high standards of data protection in Jersey. They are not seeking to penalise small business owners.
What is a Data Protection Officer?
Simplistically, the role of the Data Protection Officer (DPO) is to act as the advocate of the data subjects (i.e. clients) of the organisation, protecting them from abuses of their rights by the organisation.
Guidance from regulators, and the law itself, specifies that while the DPO must have board-level access, they must also be able to act independently and not be influenced by other matters of the organisation that may conflict with the GDPR.
For smaller organisations, this can create obvious conflicts of interest within the board if a senior board member is also the DPO. Therefore, best practice guidance is for small organisations (defined as under 250 personnel) to outsource the role of the DPO and thereby avoid potential conflicts of interest, while also benefiting from efficiencies gained from expert guidance and experience.
Who can I outsource the role of Data Protection Officer to?
Salvus provides an outsourced DPO service to allow clients to focus on their core business, while Salvus focuses on supporting their data security and operational compliance with the GDPR. The Salvus outsourced DPO service includes a broad range of guidance, templates, training and services (i.e. for advice or issue resolution), all combined within an annual subscription.
In addition, Salvus recognises the time/cost efficiencies of automated solutions and has identified best-in-class tools and solution providers, using our scorecard ranking and cost-benefit analysis, in order to provide our clients with the right tools that are market-proven for their business needs and size.
Find out more about our outsourced Data Protection Officer service or get your GDPR questions answered by an experienced Data Protection Consultant. Schedule a 30-minute consultation with a certified GDPR Practitioner today.
Do you still have questions about Data Protection and the GDPR in Jersey?
Why not join us at one of our GDPR drop-in workshops at the Digital Jersey Hub where you will have the opportunity to get your questions answered, one-to-one, with a certified GDPR Practitioner? Reserve your place here.