Guernsey Legal Resources
Search site

main

Data Protection (Bailiwick of Guernsey) Law, 2001

headerimg
View printable version

To access the legislation in printable format, please click the "view printable version" button.

Please note that this Law has been repealed by - Data Protection (Bailiwick of Guernsey) Law, 2017

PROJET DE LOI
ENTITLED
 
The Data Protection (Bailiwick of Guernsey) Law, 2001
 
ARRANGEMENT OF SECTIONS
 
PART I
PRELIMINARY
 
1      Basic interpretative provisions.
2      Sensitive personal data.
3      The special purposes.
4      The data protection principles.
5      Application of Law.
6      The Commissioner.
 
PART II
RIGHTS OF DATA SUBJECTS AND OTHERS
 
7      Right of access to personal data.
8      Provisions supplementary to section 7.
9      Application of section 7 where data controller is credit reference agency.
10      Right to prevent processing likely to cause damage or distress.
11      Right to prevent processing for purposes of direct marketing.
12      Rights in relation to automated decision-taking.
13      Compensation for failure to comply with certain requirements.
14      Rectification, blocking, erasure and destruction.
15      Jurisdiction and procedure.
PART III
NOTIFICATION BY DATA CONTROLLERS
 
16      Preliminary.
17      Prohibition on processing without registration.
18      Notification by data controllers.
19      Register of notifications.
20      Duty to notify changes.
21      Offences.
22      Preliminary assessment by Commissioner.
23      Power to make provision for appointment of data protection supervisors.
24      Duty of certain data controllers to make certain information available.
25      Functions of Commissioner in relation to making of notification regulations.
26      Fees regulations.
 
PART IV
EXEMPTIONS
 
27      Preliminary.
28      Public security.
29      Crime and taxation.
30      Health, education and social work.
31      Regulatory activity.
32      Journalism, literature and art.
33      Research, history and statistics.
34      Public information.
35      Disclosures required by law or made in connection with legal proceedings etc.
36      Domestic purposes.
37      Miscellaneous exemptions.
38      Power to make further exemptions by Order.
39      Transitional relief.
 
PART V
ENFORCEMENT
 
40      Enforcement notices.
41      Cancellation of enforcement notice.
42      Request for assessment.
43      Information notices.
44      Special information notices.
45      Determination by Commissioner as to the special purposes.
46      Restriction on enforcement in case of processing for the special purposes.
47      Failure to comply with notice.
48      Rights of appeal.
49      Determination of appeals.
50      Powers of entry and inspection.
 
PART VI
MISCELLANEOUS AND GENERAL
 
Functions of Commissioner
 
51      General duties of Commissioner.
52      Codes of practice and reports to be laid before the States.
53      Assistance by Commissioner in cases involving processing for the special purposes.
54      International co-operation.
 
Unlawful obtaining etc. of personal data
 
55      Unlawful obtaining etc. of personal data.
 
Records obtained under data subject's right of access
 
56      Prohibition of requirement to produce certain records.
57      Avoidance of certain contractual terms relating to health records.
 
Information provided to Commissioner or a court
 
58      Disclosure of information.
59      Confidentiality of information.
 
General provisions relating to offences
 
60      Prosecutions and penalties.
61      Liability of directors etc.
 
General
 
62      Application to committees of the States.
63      Application to the police.
64      Transmission of notices etc. by electronic or other means.
65      Service of notices by Commissioner.
66      Ordinances, orders, regulations and rules.
67      Interpretation and supplementary definitions.
68      Index of defined expressions.
69      Amendment by Ordinance.
70      Modifications of Law.
71      Transitional provisions and savings.
72      Repeals and revocations.
73      Rules of court.
74      Citation, commencement and extent.
 
SCHEDULES
 
Schedule 1 - The data protection principles.
Part I - The principles.
Part II - Interpretation of the principles.
 
Schedule 2 - Conditions relevant for purposes of the first principle: processing of any personal data.
 
Schedule 3 - Conditions relevant for purposes of the first principle: processing of sensitive personal data.
 
Schedule 4 - Cases where the eighth principle does not apply.
 
Schedule 5 - The Data Protection Commissioner.
 
Schedule 6 - Miscellaneous exemptions.
 
Schedule 7 - Transitional relief.
Part I - Interpretation of Schedule.
Part II - Exemptions available during the First Transitional Period.
Part III - Exemptions available during the Second Transitional Period.
Part IV - Exemptions after the First Transitional Period for historical research.
Part V - Exemption from section 22.
 
Schedule 8 - Powers of entry and inspection.
 
Schedule 9 - Further provisions relating to assistance under section 53.
 
Schedule 10 - Modifications of law having effect before 24th October 2007.
 
Schedule 11 - Transitional provisions and savings.
 
Schedule 12 - Repeals and revocations.
Part I - Repeal of Law.
Part II - Repeal of Ordinances
Part II - Revocation of Regulations.
PROJET DE LOI
ENTITLED
 
The Data Protection (Bailiwick of Guernsey) Law, 2001
 
THE STATES, in pursuance of their Resolution of the 26th July, 2000[a], have approved the following provisions which, subject to the Sanction of Her Most Excellent Majesty in Council, shall have force of law in the Bailiwick of Guernsey.
 
PART I
PRELIMINARY
 
Basic interpretative provisions.
1.      (1)       In this Law, unless the context otherwise requires-
"data" means information which-
 
(a)      is being processed by means of equipment operating automatically in response to instructions given for that purpose;
 
(b)       is recorded with the intention that it should be processed by means of such equipment; or
 
(c)      is recorded as part of a relevant filing system or with the intention that it should form part of a relevant filing system;
 
"data controller" means, subject to subsection (4), a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed;
 
"data processor", in relation to personal data, means any person (other than an employee of the data controller) who processes the data on behalf of the data controller;
 
"data subject" means an individual who is the subject of personal data;
 
"personal data" means data which relate to a living individual who can be identified-
 
(a)       from those data; or
 
(b)       from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller, and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual;
 
"processing", in relation to information or data, means obtaining, recording or holding the information or data or carrying out any operation or set of operations on the information or data, including-
 
(a)       organisation, adaptation or alteration of the information or data;
 
(b)       retrieval, consultation or use of the information or data;
 
(c)       disclosure of the information or data by transmission, dissemination or otherwise making available; or
 
(d)      alignment, combination, blocking, erasure or destruction of the information or data;
 
"relevant filing system" means any set of information relating to individuals to the extent that, although the information is not processed by means of equipment operating automatically in response to instructions given for that purpose, the set is structured, either by reference to individuals or by reference to criteria relating to individuals, in such a way that specific information relating to a particular individual is readily accessible.
 
(2)       In this Law, unless the context otherwise requires-
 
(a)      "obtaining" or "recording", in relation to personal data, includes obtaining or recording the information to be contained in the data; and
 
(b)      "using" or "disclosing", in relation to personal data, includes using or disclosing the information contained in the data.
 
(3)       In determining for the purposes of this Law whether any information is recorded with the intention-
 
(a)      that it should be processed by means of equipment operating automatically in response to instructions given for that purpose; or
 
(b)      that it should form part of a relevant filing system;
 
it is immaterial that it is intended to be so processed or to form part of such a system only after being transferred to a country or territory outside the Bailiwick.
 
(4)      Where personal data are processed only for purposes for which they are required by or under any enactment to be processed, the person on whom the obligation to process the data is imposed by or under that enactment is for the purposes of this Law the data controller.
 
Sensitive personal data.
2.       In this Law "sensitive personal data" means personal data consisting of information as to-
 
(a)      the racial or ethnic origin of the data subject;
 
(b)      his political opinions;
 
(c)      his religious beliefs or other beliefs of a similar nature;
 
(d)      whether he is a member of a labour organisation, such as a trade union;
 
(e)      his physical or mental health or condition;
 
(f)      his sexual life;
 
(g)      the commission or alleged commission by him of any offence; or
 
(h)      any proceedings for any offence committed or alleged to have been committed by him, the disposal of such proceedings or the sentence of any court in such proceedings.
 
The special purposes.
3.       In this Law "the special purposes" means any one or more of the following-
(a)      the purposes of journalism;
 
(b)      artistic purposes; and
 
(c)      literary purposes.
 
The data protection principles.
4.      (1)      References in this Law to the data protection principles are to the principles set out in Part I of Schedule 1
 
(2)      Those principles are to be interpreted in accordance with Part II of Schedule 1.
 
(3)      Schedule 2 (which applies to all personal data) and Schedule 3 (which applies only to sensitive personal data) set out conditions applying for the purposes of the first principle; and Schedule 4 sets out cases in which the eighth principle does not apply.
 
(4)      Subject to section 27(1), it shall be the duty of a data controller to comply with the data protection principles in relation to all personal data with respect to which he is the data controller.
 
Application of Law.
5.      (1)      Except as otherwise provided by or under section 54, this Law applies to a data controller in respect of any data only if-
 
(a)      the data controller is established in the Bailiwick and the data are processed in the context of that establishment; or
 
(b)      the data controller is not established in the Bailiwick but uses equipment in the Bailiwick for processing the data otherwise than for the purposes of transit through the Bailiwick.
 
(2)      A data controller falling within subsection (1)(b) must nominate for the purposes of this Law a representative established in the Bailiwick.
(3)      For the purposes of subsections (1) and (2), each of the following is to be treated as established in the Bailiwick-
 
(a)      an individual who is ordinarily resident in the Bailiwick;
 
(b)      a body incorporated under the law of any part of the                        Bailiwick;
 
(c)      a partnership or other unincorporated association formed under the law of any part of the Bailiwick; and
 
(d)      any person who does not fall within paragraph (a), (b) or (c) but maintains in the Bailiwick-
 
(i)      an office, branch or agency through which he carries on any activity; or
 
(ii)      a regular practice.
 
The Commissioner.
6.      (1)      The office originally established by section 33A of the Data Protection (Bailiwick of Guernsey) Law, 1986[b] and known as the Data Protection Commissioner shall continue to exist for the purposes of this Law; and in this Law the Data Protection Commissioner is referred to as "the Commissioner".
 
(2)      The Commissioner shall be appointed by the States on the nomination of the Committee; provided that any person holding the office of Commissioner immediately before the coming into force of this section by virtue of an appointment made under section 33A of the Data Protection (Bailiwick of Guernsey) Law, 1986, shall continue to hold office in accordance with the terms of that appointment but as if appointed under and in accordance with this Law.
 
(3)      The terms and conditions of the Commissioner's appointment shall be such as may from time to time be agreed between the Committee and the Commissioner, provided that none of those terms and conditions shall be-
 
(a)      inconsistent with any provision of Schedule 5 to this Law; or
 
(b)      construed so as to create a contract of employment or agency between the States and the Commissioner.
 
(4)      The Commissioner is not a servant or agent of the States, but is a holder of public office and is under a duty to discharge the functions of that office with complete fairness, impartiality and independence.
 
(5)      Schedule 5 to this Law has effect in relation to the Commissioner.
 
PART II
RIGHTS OF DATA SUBJECTS AND OTHERS
 
Right of access to personal data.
7.      (1)      Subject to the following provisions of this section and to sections 8 and 9, an individual is entitled-
 
(a)      to be informed by any data controller whether personal data of which that individual is the data subject are being processed by or on behalf of that data controller;
 
(b)      if that is the case, to be given by the data controller a description of-
 
(i)      the personal data of which that individual is the data subject;
 
(ii)      the purposes for which they are being or are to be processed; and
 
(iii)      the recipients or classes of recipients to whom they are or may be disclosed;
 
(c)      to have communicated to him in an intelligible form-
 
(i)      the information constituting any personal data of which that individual is the data subject; and
 
(ii)      any information available to the data controller as to the source of those data; and
 
(d)      where the processing by automatic means of personal data of which that individual is the data subject for the purpose of evaluating matters relating to him such as, for example, his performance at work, his creditworthiness, his reliability or his conduct, has constituted or is likely to constitute the sole basis for any decision significantly affecting him, to be informed by the data controller of the logic involved in that decision-taking.
 
(2)      A data controller is not obliged to supply any information under subsection (1) unless he has received-
 
(a)       a request in writing; and
 
(b)      except in prescribed cases, such fee (not exceeding the prescribed maximum) as he may require.
 
(3)      Where a data controller-
 
(a)      reasonably requires further information in order to satisfy himself as to the identity of the person making a request under this section and to locate the information which that person seeks; and
 
(b)      has informed him of that requirement,
 
the data controller is not obliged to comply with the request unless he is supplied with that information.
 
(4)      Where a data controller cannot comply with the request without disclosing information relating to another individual who can be identified from that information, he is not obliged to comply with the request unless-
 
(a)      the other individual has consented to the disclosure of the information to the person making the request; or
 
(b)      it is reasonable in all the circumstances to comply with the request without the consent of the other individual.
 
(5)      In subsection (4) the reference to information relating to another individual includes a reference to information identifying that individual as the source of the information sought by the request; and that subsection is not to be construed as excusing a data controller from communicating so much of the information sought by the request as can be communicated without disclosing the identity of the other individual concerned, whether by the omission of names or other identifying particulars or otherwise.
 
(6)       In determining for the purposes of subsection (4)(b) whether it is reasonable in all the circumstances to comply with the request without the consent of the other individual concerned, regard shall be had, in particular, to-
 
(a)      any duty of confidentiality owed to the other individual;
 
(b)      any steps taken by the data controller with a view to seeking the consent of the other individual;
 
(c)      whether the other individual is capable of giving consent; and
 
(d)      any express refusal of consent by the other individual.
 
(7)      An individual making a request under this section may, in such cases as may be prescribed, specify that his request is limited to personal data of any prescribed description.
 
(8)      Subject to subsection (4), a data controller shall comply with a request under this section promptly and in any event before the end of the prescribed period beginning with the relevant day.
 
(9)      If a court is satisfied on the application of any person who has made a request under the foregoing provisions of this section that the data controller in question has failed to comply with the request in contravention of those provisions, the court may order him to comply with the request.
 
(10)      For the purpose of determining any question whether an applicant under subsection (9) is entitled to the information which he seeks (including any question whether any relevant data are exempt from that section by virtue of Part IV) the court may require the information constituting any data processed by or on behalf of the data controller and any information as to the logic involved in any decision-taking as mentioned in subsection (1)(d) to be made available for its own inspection but shall not, pending the determination of that question in the applicant's favour, require the information sought by the applicant to be disclosed to him or his representatives whether by discovery or otherwise.
 
(11)      In this section-
 
"prescribed" means prescribed by the Committee by regulations;
 
"the prescribed maximum" means such amount as may be prescribed;
 
"the prescribed period" means sixty days or such other period as may be prescribed; and
 
"the relevant day", in relation to a request under this section, means the day on which the data controller receives the request or, if later, the first day on which the data controller has both the required fee and the information referred to in subsection (3).
 
(12)      Different amounts or periods may be prescribed under this section in relation to different cases.
 
Provisions supplementary to section 7.
8.      (1)      The Committee may by regulations provide that, in such cases as may be prescribed, a request for information under any provision of subsection (1) of section 7 is to be treated as extending also to information under other provisions of that subsection.
 
(2)      The obligation imposed by section 7(1)(c)(i) must be complied with by supplying the data subject with a copy of the information in permanent form unless-
 
(a)      the supply of such a copy is not possible or would involve disproportionate effort; or
 
(b)      the data subject agrees otherwise;
 
and where any of the information referred to in section 7(1)(c)(i) is expressed in terms which are not intelligible without explanation the copy must be accompanied by an explanation of those terms.
 
(3)      Where a data controller has previously complied with a request made under section 7 by an individual, the data controller is not obliged to comply with a subsequent identical or similar request under that section by that individual unless a reasonable interval has elapsed between compliance with the previous request and the making of the current request.
 
(4)      In determining for the purposes of subsection (3) whether requests under section 7 are made at reasonable intervals, regard shall be had to the nature of the data, the purpose for which the data are processed and the frequency with which the data are altered.
 
(5)      Section 7(1)(d) is not to be regarded as requiring the provision of information as to the logic involved in any decision-taking if, and to the extent that, the information constitutes a trade secret.
 
(6)      The information to be supplied pursuant to a request under section 7 must be supplied by reference to the data in question at the time when the request is received, except that it may take account of any amendment or deletion made between that time and the time when the information is supplied, being an amendment or deletion that would have been made regardless of the receipt of the request.
 
(7)      For the purposes of section 7(4) and (5) another individual can be identified from the information being disclosed if he can be identified from that information, or from that and any other information which, in the reasonable belief of the data controller, is likely to be in, or to come into, the possession of the data subject making the request.
 
 
Application of section 7 where data controller is credit reference agency.
9.      (1)      Where the data controller is a credit reference agency, section 7 has effect subject to the provisions of this section.
 
(2)      An individual making a request under section 7 may limit his request to personal data relevant to his financial standing, and shall be taken to have so limited his request unless the request shows a contrary intention.
 
(3)      Where the data controller receives a request under section 7 in a case where personal data of which the individual making the request is the data subject are being processed by or on behalf of the data controller, the obligation to supply information under that section includes an obligation to give the individual making the request a statement, in such form as may be prescribed by the Committee by regulations, of the individual's rights to the extent required by the prescribed form, under this Law.
 
Right to prevent processing likely to cause damage or distress.
10.      (1)      Subject to subsection (2), an individual is entitled at any time by notice in writing to a data controller to require the data controller at the end of such period as is reasonable in the circumstances to cease, or not to begin, processing, or processing for a specified purpose or in a specified manner, any personal data in respect of which he is the data subject, on the ground that, for specified reasons-
 
(a)      the processing of those data or their processing for that purpose or in that manner is causing or is likely to cause substantial damage or substantial distress to him or to another; and
 
(b)      that damage or distress is or would be unwarranted.
 
(2)      Subsection (1) does not apply-
 
(a)      in a case where any of the conditions in paragraphs 1 to 4 of Schedule 2 is met; or
 
(b)      in such other cases as may be prescribed by the Committee by Order.
 
(3)      The data controller must within twenty-one days of receiving a notice under subsection (1) ("the data subject notice") give the individual who gave it a written notice-
 
(a)      stating that he has complied or intends to comply with the data subject notice; or
 
(b)      stating his reasons for regarding the data subject notice as to any extent unjustified and the extent (if any) to which he has complied or intends to comply with it.
 
(4)      If a court is satisfied, on the application of any person who has given a notice under subsection (1) which appears to the court to be justified (or to be justified to any extent), that the data controller in question has failed to comply with the notice, the court may order him to take such steps for complying with the notice (or for complying with it to that extent) as the court thinks fit.
 
(5)      The failure by a data subject to exercise the right conferred by subsection (1) or section 11(1) does not affect any other right conferred on him by this Part.
 
Right to prevent processing for purposes of direct marketing.
11.      (1)      An individual is entitled at any time by notice in writing to a data controller to require the data controller at the end of such period as is reasonable in the circumstances to cease, or not to begin, processing for the purposes of direct marketing personal data in respect of which he is the data subject.
 
(2)      If a court is satisfied, on the application of any person who has given a notice under subsection (1), that the data controller has failed to comply with the notice, the court may order him to take such steps for complying with the notice as the court thinks fit.
 
(3)      In this section "direct marketing" means the communication (by whatever means) of any advertising or marketing material which is directed to particular individuals.
 
Rights in relation to automated decision-taking.
12.      (1)      An individual is entitled at any time, by notice in writing to any data controller, to require the data controller to ensure that no decision taken by or on behalf of the data controller which significantly affects that individual is based solely on the processing by automatic means of personal data in respect of which that individual is the data subject for the purpose of evaluating matters relating to him such as, for example, his performance at work, his creditworthiness, his reliability or his conduct.
 
(2)      Where, in a case where no notice under subsection (1) has effect, a decision which significantly affects an individual is based solely on such processing as is mentioned in subsection (1)-
 
(a)      the data controller must as soon as reasonably practicable notify the individual that the decision was taken on that basis; and
 
(b)      the individual is entitled, within twenty-one days of receiving that notification from the data controller, by notice in writing to require the data controller to reconsider the decision or to take a new decision otherwise than on that basis.
 
(3)      The data controller must, within twenty-one days of receiving a notice under subsection (2)(b) ("the data subject notice") give the individual a written notice specifying the steps that he intends to take to comply with the data subject notice.
 
(4)      A notice under subsection (1) does not have effect in relation to an exempt decision; and nothing in subsection (2) applies to an exempt decision.
 
(5)      In subsection (4) "exempt decision" means any decision-
 
(a)      in respect of which the condition in subsection (6) and the condition in subsection (7) are met; or
 
(b)      which is made in such other circumstances as may be prescribed by the Committee by Order.
 
(6)      The condition in this subsection is that the decision-
 
(a)      is taken in the course of steps taken-
 
(i)      for the purpose of considering whether to enter into a contract with the data subject;
 
(ii)      with a view to entering into such a contract; or
 
(iii)      in the course of performing such a contract; or
 
(b)      is authorised or required by or under any enactment.
 
(7)      The condition in this subsection is that either-
 
(a)      the effect of the decision is to grant a request of the data subject; or
 
(b)      steps have been taken to safeguard the legitimate interests of the data subject (for example, by allowing him to make representations).
 
(8)      If a court is satisfied on the application of a data subject that a person taking a decision in respect of him ("the responsible person") has failed to comply with subsection (1) or (2)(b), the court may order the responsible person to reconsider the decision, or to take a new decision which is not based solely on such processing as is mentioned in subsection (1).
 
(9)      An Order under subsection (8) shall not affect the rights of any person other than the data subject and the responsible person.
 
Compensation for failure to comply with certain requirements.
13.      (1)      An individual who suffers damage by reason of any contravention by a data controller of any of the requirements of this Law is entitled to compensation from the data controller for that damage.
 
(2)      An individual who suffers distress by reason of any contravention by a data controller of any of the requirements of this Law is entitled to compensation from the data controller for that distress if-
 
(a)      the individual also suffers damage by reason of the contravention; or
 
(b)      the contravention relates to the processing of personal data for the special purposes.
 
(3)      In proceedings brought against a person by virtue of this section it is a defence to prove that he had taken such care as in all the circumstances was reasonably required to comply with the requirement concerned.
 
Rectification, blocking, erasure and destruction.
14.      (1)      If a court is satisfied on the application of a data subject that personal data of which the applicant is the subject are inaccurate, the court may order the data controller to rectify, block, erase or destroy those data and any other personal data in respect of which he is the data controller and which contain an expression of opinion which appears to the court to be based on the inaccurate data.
 
(2)      Subsection (1) applies whether or not the data accurately record information received or obtained by the data controller from the data subject or a third party but where the data accurately record such information, then-
 
(a)      if the requirements mentioned in paragraph 7 of Part II of Schedule 1 have been complied with, the court may, instead of making an order under subsection (1), make an order requiring the data to be supplemented by such statement of the true facts relating to the matters dealt with by the data as the court may approve; and
 
(b)      if all or any of those requirements have not been complied with, the court may, instead of making an order under that subsection, make such order as it thinks fit for securing compliance with those requirements with or without a further order requiring the data to be supplemented by such a statement as is mentioned in paragraph (a).
 
(3)      Where the court-
 
(a)      makes an order under subsection (1); or
 
(b)      is satisfied on the application of a data subject that personal data of which he was the data subject and which have been rectified, blocked, erased or destroyed were inaccurate;
 
it may, where it considers it reasonably practicable, order the data controller to notify third parties to whom the data have been disclosed of the rectification, blocking, erasure or destruction.
 
(4)      If a court is satisfied on the application of a data subject-
 
(a)      that he has suffered damage by reason of any contravention by a data controller of any of the requirements of this Law in respect of any personal data, in circumstances entitling him to compensation under section 13; and
 
(b)      that there is a substantial risk of further contravention in respect of those data in such circumstances;
 
the court may order the rectification, blocking, erasure or destruction of any of those data.
 
(5)      Where the court makes an order under subsection (4) it may, where it considers it reasonably practicable, order the data controller to notify third parties to whom the data have been disclosed of the rectification, blocking, erasure or destruction.
 
(6)      In determining whether it is reasonably practicable to require such notification as is mentioned in subsection (3) or (5) the court shall have regard, in particular, to the number of persons who would have to be notified.
 
Jurisdiction and procedure.
15.      (1)      The jurisdiction conferred by this Part is exercisable -
 
(a)      in the case of a data controller, in respect of whom there is a current entry in the register maintained under section 19 -
 
(i)      if his address, for the purposes of Part III, is in Guernsey, by the Royal Court;
 
(ii)      if his address, for the purposes of Part III, is in Alderney, by the Court of Alderney; and
 
(iii)      if his address, for the purposes of Part III, is in Sark, by the Court of the Seneschal of Sark;
 
(b)      in the case of an application under section 12(8) -
 
(i)      if the responsible person has a place of business or resides in Guernsey, by the Royal Court;
 
(ii)      if the responsible person has a place of business or resides in Alderney, by the Court of Alderney; and
 
(iii)      if the responsible person has a place of business or resides in Sark, by the Court of the Seneschal of Sark;
 
(c)      in any other case -
 
(i)      if the personal data in question are held in Guernsey, by the Royal Court;
 
(ii)      if the personal data in question are held in Alderney, by the Court of Alderney; and
 
(iii)      if the personal data in question are held in Sark, by the Court of the Seneschal of Sark.
 
(2)      For the purpose of determining any question whether an applicant under section 7(9) is entitled to the information which he seeks (including any question whether any relevant data are exempt from that section by virtue of Part IV) a court may require the information constituting any data processed by or on behalf of the data controller and any information as to the logic involved in any decision-taking as mentioned in section 7(1)(d) to be made available for its own inspection but shall not, pending the determination of that question in the applicant's favour, require the information sought by the applicant to be disclosed to him or his representatives by discovery or otherwise.
 
PART III
NOTIFICATION BY DATA CONTROLLERS
 
Preliminary.
16.      (1)      In this Part "the registrable particulars", in relation to a data controller, means-
 
(a)      his name and address;
 
(b)      if he has nominated a representative for the purposes of this Law, the name and address of the representative;
 
(c)      a description of the personal data being or to be processed by or on behalf of the data controller and of the category or categories of data subject to which they relate;
 
(d)      a description of the purpose or purposes for which the data are being or are to be processed;
 
(e)      a description of any recipient or recipients to whom the data controller intends or may wish to disclose the data; and
 
(f)      the names, or a description of, any countries or territories outside the Bailiwick to which the data controller directly or indirectly transfers, or intends or may wish directly or indirectly to transfer, the data.
 
(2)      In this Part-
 
"fees regulations" means regulations made by the Committee under section 18(5) or 19(4) or (7);
 
"notification regulations" means regulations made by the Committee under the other provisions of this Part;
 
"prescribed", except where used in relation to fees regulations, means prescribed by notification regulations.
 
(3)      For the purposes of this Part, so far as it relates to the addresses of data controllers-
 
(a)      the address of a registered company is that of its registered office; and
 
(b)      the address of a person (other than a registered company) carrying on a business is that of his principal place of business in the Bailiwick.
 
Prohibition on processing without registration.
17.      (1)      Subject to the following provisions of this section, personal data must not be processed unless an entry in respect of the data controller is included in the register maintained by the Commissioner under section 19 (or is treated by notification regulations made by virtue of section 19(3) as being so included).
 
(2)      Except where the processing is assessable processing for the purposes of section 22, subsection (1) does not apply in relation to personal data consisting of information which falls neither within paragraph (a) of the definition of "data" in section 1(1) nor within paragraph (b) of that definition.
 
(3)      If it appears to the Committee that processing of a particular description is unlikely to prejudice the rights and freedoms of data subjects, notification regulations may provide that, in such cases as may be prescribed, subsection (1) is not to apply in relation to processing of that description.
 
(4)      Subsection (1) does not apply in relation to any processing whose sole purpose is the maintenance of a public register.
 
Notification by data controllers.
18.      (1)      Any data controller who wishes to be included in the register maintained under section 19 shall give a notification to the Commissioner under this section.
 
(2)      A notification under this section must specify in accordance with notification regulations-
 
(a)      the registrable particulars; and
 
(b)      a general description of measures to be taken for the purpose of complying with the seventh data protection principle.
 
(3)      Notification regulations made by virtue of subsection (2) may provide for the determination by the Commissioner, in accordance with any requirements of the regulations, of the form in which the registrable particulars and the description mentioned in subsection (2)(b) are to be specified, including in particular the detail required for the purposes of section 16(1)(c), (d), (e) and (f) and subsection (2)(b).
 
(4)      Notification regulations may make provision as to the giving of notification-
 
(a)      by partnerships; or
 
(b)      in other cases where two or more persons are the data controllers in respect of any personal data.
 
(5)      The notification must be accompanied by such fee as may be prescribed by fees regulations.
 
(6)      Notification regulations may provide for any fee paid under subsection (5) or section 19(4) to be refunded in prescribed circumstances.
 
Register of notifications.
19.      (1)      The Commissioner shall-
 
(a)      maintain a register of persons who have given notification under section 18; and
 
(b)      make an entry in the register in pursuance of each notification received by him under that section from a person in respect of whom no entry as data controller was for the time being included in the register.
 
(2)      Each entry in the register shall consist of-
 
(a)      the registrable particulars notified under section 18 or, as the case requires, those particulars as amended in pursuance of section 20(4); and
 
(b)      such other information as the Commissioner may be authorised or required by notification regulations to include in the register.
 
(3)      Notification regulations may make provision as to the time as from which any entry in respect of a data controller is to be treated for the purposes of section 17 as having been made in the register.
 
(4)      The Commissioner may delete from the register an entry which has been retained for more than the relevant time and in respect of which there has not been paid such fee as may be prescribed by fees regulations.
 
(5)      In subsection (4) "the relevant time" means twelve months or such other period as may be prescribed by notification regulations; and different periods may be prescribed in relation to different cases.
 
(6)      The Commissioner-
 
(a)      shall provide facilities for making the information contained in the entries in the register available for inspection (in visible and legible form) by members of the public at all reasonable hours and free of charge; and
 
(b)      may provide such other facilities for making the information contained in those entries available to the public free of charge as he considers appropriate.
 
(7)      The Commissioner shall, on payment of such fee, if any, as may be prescribed by fees regulations, supply any member of the public with a duly certified copy in writing of the particulars contained in any entry made in the register.
 
Duty to notify changes.
20.      (1)      For the purpose specified in subsection (2), notification regulations shall include provision imposing on every person in respect of whom an entry as a data controller is for the time being included in the register maintained under section 19 a duty to notify to the Commissioner, in such circumstances and at such time or times and in such form as may be prescribed, such matters relating to the registrable particulars and measures taken as mentioned in section 18(2)(b) as may be prescribed.
 
(2)      The purpose referred to in subsection (1) is that of ensuring, so far as practicable, that at any time-
 
(a)      the entries in the register maintained under section 19 contain current names and addresses and describe the current practice or intentions of the data controller with respect to the processing of personal data; and
 
(b)      the Commissioner is provided with a general description of measures currently being taken as mentioned in section 18(2)(b).
 
(3)      Section 18(3) has effect in relation to notification regulations made by virtue of subsection (1) as it has effect in relation to notification regulations made by virtue of section 18(2).
 
(4)      On receiving any notification under notification regulations made by virtue of subsection (1), the Commissioner shall make such amendments of the relevant entry in the register maintained under section 19 as are necessary to take account of the notification.
 
Offences.
21.      (1)      If section 17(1) is contravened, the data controller is guilty of an offence.
 
(2)      Any person who fails to comply with the duty imposed by notification regulations made by virtue of section 20(1) shall be guilty of an offence.
 
(3)      It shall be a defence for a person charged with an offence under subsection (2) to show that he exercised all due diligence to comply with the duty.
 
Preliminary assessment by Commissioner.
22.      (1)      In this section "assessable processing" means processing which is of a description specified in an Order made by the Committee as appearing to it to be particularly likely-
 
(a)      to cause substantial damage or substantial distress to data subjects; or
 
(b)      otherwise significantly to prejudice the rights and freedoms of data subjects.
 
(2)      On receiving notification from any data controller under section 18 or under notification regulations made by virtue of section 20 the Commissioner shall consider-
 
(a)            whether any of the processing to which the notification relates is assessable processing; and
 
(b)            if so, whether the assessable processing is likely to comply with the provisions of this Law.
 
(3)      Subject to subsection (4), the Commissioner shall, within the period of twenty-eight days beginning with the day on which he receives a notification which relates to assessable processing, give a notice to the data controller stating the extent to which the Commissioner is of the opinion that the processing is likely or unlikely to comply with the provisions of this Law.
 
(4)      Before the end of the period referred to in subsection (3) the Commissioner may, by reason of special circumstances, extend that period on one occasion only by notice to the data controller by such further period not exceeding fourteen days as the Commissioner may specify in the notice.
 
(5)      No assessable processing in respect of which a notification has been given to the Commissioner as mentioned in subsection (2) shall be carried on unless either-
 
(a)      the period of twenty-eight days beginning with the day on which the notification is received by the Commissioner (or, in a case falling within subsection (4), that period as extended under that subsection) has elapsed; or
 
(b)      before the end of that period (or that period as so extended) the data controller has received a notice from the Commissioner under subsection (3) in respect of the processing.
 
(6)      Where subsection (5) is contravened, the data controller shall be guilty of an offence.
 
(7)      The Committee may by Order amend subsections (3), (4) and (5) by substituting for the number of days for the time being specified there a different number specified in the order.
 
Power to make provision for appointment of data protection supervisors.
23.      (1)      The Committee may by Order-
 
(a)      make provision under which a data controller may appoint a person to act as a data protection supervisor responsible in particular for monitoring in an independent manner the data controller's compliance with the provisions of this Law; and
 
(b)      provide that, in relation to any data controller who has appointed a data protection supervisor in accordance with the provisions of the order and who complies with such conditions as may be specified in the order, the provisions of this Part are to have effect subject to such exemptions or other modifications as may be specified.
 
(2)      An Order under this section may-
 
(a)      impose duties on data protection supervisors in relation to the Commissioner; and
 
(b)      confer functions on the Commissioner in relation to data protection supervisors.
 
Duty of certain data controllers to make certain information available.
24.      (1)      Subject to subsection (3), where personal data are processed in a case where-
 
(a)      by virtue of section 17(2) or (3),section 17(1) does not apply to the processing; and
 
(b)      the data controller has not notified the relevant particulars in respect of that processing under section 18;
 
the data controller must, within twenty-one days of receiving a written request from any person, make the relevant particulars available to that person in writing free of charge.
 
(2)      In this section "the relevant particulars" means the particulars referred to in paragraphs (a) to (f) of section 16(1).
 
(3)      This section has effect subject to any exemption conferred for the purposes of this section by notification regulations.
 
(4)      Any data controller who fails to comply with the duty imposed by subsection (1) shall be guilty of an offence.
 
(5)      It shall be a defence for a person charged with an offence under subsection (4) to show that he exercised all due diligence to comply with the duty.
 
Functions of Commissioner in relation to making of notification regulations.
25.      (1)      As soon as practicable after the passing of this Law, the Commissioner shall submit to the Committee proposals as to the provisions to be included in the first notification regulations.
 
(2)      The Commissioner shall keep under review the working of notification regulations and may from time to time submit to the Committee proposals as to amendments to be made to the regulations.
 
(3)      The Committee may from time to time require the Commissioner to consider any matter relating to notification regulations and to submit to him proposals as to amendments to be made to the regulations in connection with that matter.
 
(4)      Before making any notification regulations, the Committee shall-
 
(a)      consider any proposals made to it by the Commissioner under subsection (1), (2) or (3); and
 
(b)      consult the Commissioner.
 
Fees regulations.
26.      Fees regulations prescribing fees for the purposes of any provision of this Part may provide for different fees to be payable in different cases.
 
PART IV
EXEMPTIONS
 
Preliminary.
27.      (1)      References in any of the data protection principles or any provision of Parts II and III to personal data or to the processing of personal data do not include references to data or processing which by virtue of this Part are exempt from that principle or other provision.
 
(2)      In this Part "the subject information provisions" means-
 
(a)      the first data protection principle to the extent to which it requires compliance with paragraph 2 of Part II of Schedule 1; and
 
(b)      section 7.
 
(3)      In this Part "the non-disclosure provisions" means the provisions specified in subsection (4) to the extent to which they are inconsistent with the disclosure in question.
 
(4)      The provisions referred to in subsection (3) are-
 
(a)      the first data protection principle, except to the extent to which it requires compliance with the conditions in Schedules 2 and 3;
 
(b)      the second, third, fourth and fifth data protection principles; and
 
(c)      sections 10 and 14(1) to (3).
 
(5)      Except as provided by this Part, the subject information provisions shall have effect notwithstanding any enactment or rule of law prohibiting or restricting the disclosure, or authorising the withholding, of information.
 
Public security.
28.      (1)      Personal data are exempt from any of the provisions of-
 
(a)      the data protection principles;
 
(b)      Parts II, III and V; and
 
(c)      section 55;
 
if the exemption from that provision is required for the purpose of safeguarding the security of the British Islands.
 
(2)      Subject to subsection (4), a certificate signed by Her Majesty's Procureur certifying that exemption from all or any of the provisions mentioned in subsection (1) is or at any time was required for the purpose there mentioned in respect of any personal data shall be conclusive evidence of that fact.
 
(3)      A certificate under subsection (2) may identify the personal data to which it applies by means of a general description and may be expressed to have prospective effect.
 
(4)      Any person directly affected by the issuing of a certificate under subsection (2) may appeal to the Royal Court against the certificate.
 
(5)      If on an appeal under subsection (4), the Royal Court finds that Her Majesty's Procureur did not have reasonable grounds for issuing the certificate, the court may allow the appeal and quash the certificate.
 
(6)      Where in any proceedings under or by virtue of this Law it is claimed by a data controller that a certificate under subsection (2) which identifies the personal data to which it applies by means of a general description applies to any personal data, any other party to the proceedings may appeal to the Royal Court on the ground that the certificate does not apply to the personal data in question and, subject to any determination under subsection (7), the certificate shall be conclusively presumed so to apply.
 
(7)      On any appeal under subsection (6), the Royal Court may determine that the certificate does not so apply.
 
(8)      A document purporting to be a certificate under subsection (2) shall be received in evidence and deemed to be such a certificate unless the contrary is proved.
 
(9)      A document which purports to be certified by or on behalf of Her Majesty's Procureur as a true copy of a certificate issued by Her Majesty's Procureur under subsection (2) shall in any legal proceedings be evidence of that certificate.
 
(10)      No power conferred by any provision of Part V may be exercised in relation to personal data which by virtue of this section are exempt from that provision.
 
(11)      Rules of Court may provide that, for the purposes of performing such functions of the Court under this section as may be specified in the rules-
 
(a)      the Court shall be properly constituted if it consists of the Bailiff-
 
(i)      sitting unaccompanied by the Jurats; or
 
(ii)      sitting accompanied by such number of the Jurats as may be so specified; and
 
(b)      the Court may, where it consists of the Bailiff sitting as mentioned in paragraph (a)(i) or (a)(ii), sit in chambers.
 
(12)      A function performed in pursuance of rules of Court under subsection (11) shall be considered for all purposes to have been performed by the Court; and any order or finding made or other thing done pursuant to the rules shall have effect as if made or done by the Court.
 
(13)      The provisions of this section are without prejudice to any other power under this Law, any other enactment or any inherent power of the Court to make rules governing its procedure or any other matter.
 
Crime and taxation.
29.      (1)      Personal data processed for any of the following purposes-
 
(a)      the prevention, detection or investigation of crime within or outside the Bailiwick;
 
(b)      the apprehension or prosecution of offenders within or outside the Bailiwick; or
 
(c)      the assessment or collection within or outside the Bailiwick of any tax or duty or of any imposition of a similar nature;
 
are exempt from the first data protection principle (except to the extent to which it requires compliance with the conditions in Schedules 2 and 3) and section 7 in any case to the extent to which the application of those provisions to the data would be likely to prejudice any of the matters mentioned in this subsection.
 
(2)      Personal data which-
 
(a)      are processed for the purpose of discharging statutory functions; and
 
(b)      consist of information obtained for such a purpose from a person who had it in his possession for any of the purposes mentioned in subsection (1);
 
are exempt from the subject information provisions to the same extent as personal data processed for any of the purposes mentioned in that subsection.
 
(3)      Personal data are exempt from the non-disclosure provisions in any case in which-
 
(a)      the disclosure is for any of the purposes mentioned in subsection (1); and
 
(b)      the application of those provisions in relation to the disclosure would be likely to prejudice any of the matters mentioned in that subsection.
 
(4)      Personal data in respect of which the data controller is a relevant authority and which-
 
(a)      consist of a classification applied to the data subject as part of a system of risk assessment which is operated by that authority for either of the following purposes-
 
(i)      the assessment or collection of any tax or duty or any imposition of a similar nature; or
 
(ii)      the prevention, detection or investigation of crime, or apprehension or prosecution of offenders, where the offence concerned involves any unlawful claim for any payment out of, or any unlawful application of, public funds; and
 
(b)      are processed for either of those purposes;
 
are exempt from section 7 to the extent to which the exemption is required in the interests of the operation of the system.
 
(5)      In subsection (4) "relevant authority" means-
 
(a)      the States;
 
(b)      the States of Alderney;
 
(c)      the Chief Pleas of Sark;
 
(d)      a committee of any of the bodies referred to in paragraphs (a), (b) or (c); or
 
(e)      a Guernsey Parish Douzaine.
 
Health, education and social work.
30.      (1)      The Committee may by Order exempt from the subject information provisions, or modify those provisions in relation to, personal data consisting of information as to the physical or mental health or condition of the data subject.
 
(2)      The Committee may by Order exempt from the subject information provisions, or modify those provisions in relation to personal data in respect of which the data controller is the proprietor of, or a teacher at, a school or college, and which consist of information relating to persons who are or have been pupils at the school or college.
 
(3)      The Committee may by Order exempt from the subject information provisions, or modify those provisions in relation to, personal data of such other descriptions as may be specified in the Order, being information-
 
(a)      held by persons or bodies specified in the Order; and
 
(b)      appearing to the Committee to be processed in the course of, or for the purposes of, carrying out social work in relation to the data subject or other individuals;
 
but the Committee shall not under this subsection confer any exemption or make any modification except so far as it considers that the application to the data of those provisions (or of those provisions without modification) would be likely to prejudice the carrying out of social work.
 
(4)      An Order under this section may make different provision in relation to data consisting of information of different descriptions.
 
(5)      In this section-
 
"proprietor" in relation to a school or college in the Bailiwick, means the person or body of persons responsible for the management of the school or college.
 
Regulatory activity.
31.      (1)      Personal data processed for the purposes of discharging functions to which this subsection applies are exempt from the subject information provisions in any case to the extent to which the application of those provisions to the data would be likely to prejudice the proper discharge of those functions.
 
(2)      Subsection (1) applies to any relevant function which is designed-
 
(a)      for protecting members of the public against-
 
(i)      financial loss due to dishonesty, malpractice or other seriously improper conduct by, or the unfitness or incompetence of, persons concerned in the provision of banking, insurance, investment, fiduciary, trustee services or other financial services or in the establishment or management of bodies corporate;
 
(ii)      financial loss due to the conduct of a person whose affairs have been, or are, in a state of désastre; or
 
(iii)      dishonesty, malpractice or other seriously improper conduct by, or the unfitness or incompetence of, persons authorised to carry on any profession or other activity;
 
(b)      for protecting charities against misconduct or mismanagement (whether by trustees or other persons) in their administration;
 
(c)      for protecting the property of charities from loss or misapplication;
 
(d)      for the recovery of the property of charities;
 
(e)      for securing the health, safety and welfare of persons at work;
 
(f)      for protecting persons other than persons at work against risk to health or safety arising out of or in connection with the actions of persons at work; or
 
(g)      for protecting the reputation and standing of the Bailiwick.
 
(3)      In subsection (2) "relevant function" means-
 
(a)      any function conferred on any person by or under any enactment;
 
(b)      any function of the Crown, a Law Officer of the Crown or committee of the States; or
 
(c)      any other function which is of a public nature and is exercised in the public interest.
 
Journalism, literature and art.
32.      (1)      Personal data which are processed only for the special purposes are exempt from any provision to which this subsection relates if-
 
(a)      the processing is undertaken with a view to the publication by any person of any journalistic, literary or artistic material;
 
(b)      the data controller reasonably believes that, having regard in particular to the special importance of the public interest in freedom of expression, publication would be in the public interest; and
 
(c)      the data controller reasonably believes that, in all the circumstances, compliance with that provision is incompatible with the special purposes.
 
(2)      Subsection (1) relates to the provisions of-
 
(a)      the data protection principles except the seventh data protection principle;
 
(b)      section 7;
 
(c)      section 10;
 
(d)      section 11; and
 
(e)      section 14(1) to (3).
 
(3)      In considering for the purposes of subsection (1)(b) whether the belief of a data controller that publication would be in the public interest was or is a reasonable one, regard may be had to his compliance with any code of practice which-
 
(a)      is relevant to the publication in question; and
 
(b)      is designated by the Committee by order for the purposes of this subsection.
 
(4)      Where at any time ("the relevant time") in any proceedings against a data controller under section 7(9), 10(4), 12(8) or 14 or by virtue of section 13 the data controller claims, or it appears to the court, that any personal data to which the proceedings relate are being processed-
 
(a)      only for the special purposes; and
 
(b)      with a view to the publication by any person of any journalistic, literary or artistic material which, at the time twenty-four hours immediately before the relevant time, had not previously been published by the data controller;
 
the court shall stay the proceedings until either of the conditions in subsection (5) is met.
 
(5)      Those conditions are-
 
(a)      that a determination of the Commissioner under section 45 with respect to the data in question takes effect; or
 
(b)      in a case where the proceedings were stayed on the making of a claim, that the claim is withdrawn.
 
(6)      For the purposes of this Law "publish", in relation to journalistic, literary or artistic material, means make available to the public or any section of the public.
 
Research, history and statistics.
33.      (1)      In this section-
 
"research purposes" includes statistical or historical purposes;
 
"the relevant conditions", in relation to any processing of personal data, means the conditions-
 
(a)      that the data are not processed to support measures or decisions with respect to particular individuals; and
 
(b)      that the data are not processed in such a way that substantial damage or substantial distress is, or is likely to be, caused to any data subject.
 
(2)      For the purposes of the second data protection principle, the further processing of personal data only for research purposes in compliance with the relevant conditions is not to be regarded as incompatible with the purposes for which they were obtained.
 
(3)      Personal data which are processed only for research purposes in compliance with the relevant conditions may, notwithstanding the fifth data protection principle, be kept indefinitely.
 
(4)      Personal data which are processed only for research purposes are exempt from section 7 if-
 
(a)      they are processed in compliance with the relevant conditions; and
 
(b)      the results of the research or any resulting statistics are not made available in a form which identifies data subjects or any of them.
 
(5)      For the purposes of subsections (2) to (4) personal data are not to be treated as processed otherwise than for research purposes merely because the data are disclosed-
 
(a)      to any person, for research purposes only;
 
(b)      to the data subject or a person acting on his behalf;
 
(c)      at the request, or with the consent, of the data subject or a person acting on his behalf; or
 
(d)      in circumstances in which the person making the disclosure has reasonable grounds for believing that the disclosure falls within paragraph (a), (b) or (c).
 
Public information.
34.      (1)      Personal data are exempt from-
 
(a)      the subject information provisions;
 
(b)      the fourth data protection principle and sections 14(1) to (3); and
 
(c)      the non-disclosure provisions;
 
if the data consist of public information.
 
(2)      In this section "public information" includes-
 
(a)      information which the data controller is obliged by or under any enactment to make available to the public, whether by publishing it, by making it available for inspection, or otherwise and whether gratuitously or on payment of a fee; and
 
(b)      information or any class or type of information held by any person or body designated by the Committee for the purposes of this section.
 
Disclosures required by law or made in connection with legal proceedings etc.
35.      (1)      Personal data are exempt from the non-disclosure provisions where the disclosure is required by or under any enactment, by any rule of law or by the order of a court.
 
(2)      Personal data are exempt from the non-disclosure provisions where the disclosure is necessary-
 
(a)      for the purpose of, or in connection with, any legal proceedings (including prospective legal proceedings); or
 
(b)       for the purpose of obtaining legal advice;
 
or is otherwise necessary for the purposes of establishing, exercising or defending legal rights.
 
Domestic purposes.
36.      Personal data processed by an individual only for the purposes of that individual's personal, family or household affairs (including recreational purposes) are exempt from the data protection principles and the provisions of Parts II and III.
 
Miscellaneous exemptions.
37.      Schedule 6 (which confers further miscellaneous exemptions) has effect.
 
Powers to make further exemptions by Order.
38.      (1)      The Committee may by Order exempt from the subject information provisions personal data consisting of information the disclosure of which is prohibited or restricted by or under any enactment if and to the extent that it considers it necessary for the safeguarding of the interests of the data subject or the rights and freedoms of any other individual that the prohibition or restriction ought to prevail over those provisions.
 
(2)      The Committee may by Order exempt from the non-disclosure provisions any disclosures of personal data made in circumstances specified in the order, if it considers the exemption is necessary for the safeguarding of the interests of the data subject or the rights and freedoms of any other individual.
 
Transitional relief.
39.      Schedule 7 (which confers transitional exemptions) has effect.
 
PART V
ENFORCEMENT
 
Enforcement notices.
40.      (1)      If the Commissioner is satisfied that a data controller has contravened or is contravening any of the data protection principles, the Commissioner may serve him with a notice (in this Law referred to as "an enforcement notice") requiring him, for complying with the principle or principles in question, to do either or both of the following-
 
(a)      to take within such time as may be specified in the notice, or to refrain from taking after such time as may be so specified, such steps as are so specified; or
 
(b)      to refrain from processing any personal data, or any personal data of a description specified in the notice, or to refrain from processing them for a purpose so specified or in a manner so specified, after such time as may be so specified.
 
(2)      In deciding whether to serve an enforcement notice, the Commissioner shall consider whether the contravention has caused or is likely to cause any person damage or distress.
 
(3)      An enforcement notice in respect of a contravention of the fourth data protection principle which requires the data controller to rectify, block, erase or destroy any inaccurate data may also require the data controller to rectify, block, erase or destroy any other data held by him and containing an expression of opinion which appears to the Commissioner to be based on the inaccurate data.
 
(4)      An enforcement notice in respect of a contravention of the fourth data protection principle, in the case of data which accurately record information received or obtained by the data controller from the data subject or a third party, may require the data controller either-
 
(a)      to rectify, block, erase or destroy any inaccurate data and any other data held by him and containing an expression of opinion as mentioned in subsection (3); or
 
(b)      to take such steps as are specified in the notice for securing compliance with the requirements specified in paragraph 7 of Part II of Schedule 1 and, if the Commissioner thinks fit, for supplementing the data with such statement of the true facts relating to the matters dealt with by the data as the Commissioner may approve.
 
(5)      Where-
 
(a)      an enforcement notice requires the data controller to rectify, block, erase or destroy any personal data; or
 
(b)      the Commissioner is satisfied that personal data which have been rectified, blocked, erased or destroyed had been processed in contravention of any of the data protection principles;
 
an enforcement notice may, if reasonably practicable, require the data controller to notify third parties to whom the data have been disclosed of the rectification, blocking, erasure or destruction; and in determining whether it is reasonably practicable to require such notification regard shall be had, in particular, to the number of persons who would have to be notified.
 
(6)      An enforcement notice must contain-
 
(a)      a statement of the data protection principle or principles which the Commissioner is satisfied have been or are being contravened and his reasons for reaching that conclusion; and
 
(b)      particulars of the rights of appeal conferred by section 48.
 
(7)      Subject to subsection (8), an enforcement notice must not require any of the provisions of the notice to be complied with before the end of the period within which an appeal can be brought against the notice and, if such an appeal is brought, the notice need not be complied with pending the determination or withdrawal of the appeal.
 
(8)      If by reason of special circumstances the Commissioner considers that an enforcement notice should be complied with as a matter of urgency he may include in the notice a statement to that effect and a statement of his reasons for reaching that conclusion; and in that event subsection (7) shall not apply but the notice must not require the provisions of the notice to be complied with before the end of the period of seven days beginning with the day on which the notice is served.
 
(9)      Notification regulations (as defined by section 16(2)) may make provision as to the effect of the service of an enforcement notice on any entry in the register maintained under section 19 which relates to the person on whom the notice is served.
 
(10)      This section has effect subject to section 46(1).
 
Cancellation of enforcement notice.
41.      (1)      If the Commissioner considers that all or any of the provisions of an enforcement notice need not be complied with in order to ensure compliance with the data protection principle or principles to which it relates, he may cancel or vary the notice by written notice to the person on whom it was served.
 
(2)      A person on whom an enforcement notice has been served may, at any time after the expiry of the period during which an appeal can be brought against that notice, apply in writing to the Commissioner for the cancellation or variation of that notice on the ground that, by reason of a change of circumstances, all or any of the provisions of that notice need not be complied with in order to ensure compliance with the data protection principle or principles to which that notice relates.
 
Request for assessment.
42.      (1)      A request may be made to the Commissioner by or on behalf of any person who is, or believes himself to be, directly affected by any processing of personal data for an assessment as to whether it is likely or unlikely that the processing has been or is being carried out in compliance with the provisions of this Law.
 
(2)      On receiving a request under this section, the Commissioner shall make an assessment in such manner as appears to him to be appropriate, unless he has not been supplied with such information as he may reasonably require in order to-
 
(a)      satisfy himself as to the identity of the person making the request; and
 
(b)      enable him to identify the processing in question.
 
(3)      The matters to which the Commissioner may have regard in determining in what manner it is appropriate to make an assessment include-
 
(a)      the extent to which the request appears to him to raise a matter of substance;
 
(b)      any undue delay in making the request; and
 
(c)      whether or not the person making the request is entitled to make an application under section 7 in respect of the personal data in question.
 
(4)      Where the Commissioner has received a request under this section he shall notify the person who made the request-
 
(a)      whether he has made an assessment as a result of the request; and
 
(b)      to the extent that he considers appropriate, having regard in particular to any exemption from section 7 applying in relation to the personal data concerned, of any view formed or action taken as a result of the request.
 
Information notices.
43.      (1)      If the Commissioner-
 
(a)      has received a request under section 42 in respect of any processing of personal data; or
 
(b)      reasonably requires any information for the purpose of determining whether the data controller has complied or is complying with the data protection principles;
 
he may serve the data controller with a notice (in this Law referred to as "an information notice") requiring the data controller, within such time as is specified in the notice, to furnish the Commissioner, in such form as may be so specified, with such information relating to the request or to compliance with the principles as is so specified.
 
(2)      An information notice must contain-
 
(a)      in a case falling within subsection (1)(a), a statement that the Commissioner has received a request under section 42 in relation to the specified processing; or
 
(b)      in a case falling within subsection (1)(b), a statement that the Commissioner regards the specified information as relevant for the purpose of determining whether the data controller has complied, or is complying, with the data protection principles and his reasons for regarding it as relevant for that purpose.
 
(3)      An information notice must also contain particulars of the rights of appeal conferred by section 48.
 
(4)      Subject to subsection (5), the time specified in an information notice shall not expire before the end of the period within which an appeal can be brought against the notice and, if such an appeal is brought, the information need not be furnished pending the determination or withdrawal of the appeal.
 
(5)      If by reason of special circumstances the Commissioner considers that the information is required as a matter of urgency, he may include in the notice a statement to that effect and a statement of his reasons for reaching that conclusion; and in that event subsection (4) shall not apply, but the notice shall not require the information to be furnished before the end of the period of seven days beginning with the day on which the notice is served.
 
(6)      A person shall not be required by virtue of this section to furnish the Commissioner with any information in respect of-
 
(a)      any communication between a professional legal adviser and his client in connection with the giving of legal advice to the client with respect to his obligations, liabilities or rights under this Law; or
 
(b)      any communication between a professional legal adviser and his client, or between such an adviser or his client and any other person, made in connection with or in contemplation of proceedings under or arising out of this Law and for the purposes of such proceedings.
 
(7)       In subsection (6) references to the client of a professional legal adviser include references to any person representing such a client.
 
(8)      A person shall not be required by virtue of this section to furnish the Commissioner with any information if the furnishing of that information would, by revealing evidence of the commission of any offence other than an offence under this Law, expose him to proceedings for that offence.
 
(9)      The Commissioner may cancel an information notice by written notice to the person on whom it was served.
 
(10)      This section has effect subject to section 46(3).
 
Special information notices.
44.      (1)      If the Commissioner-
 
(a)      has received a request under section 42 in respect of any processing of personal data; or
 
(b)      has reasonable grounds for suspecting that, in a case in which proceedings have been stayed under section 32, the personal data to which the proceedings relate-
 
(i)      are not being processed only for the special purposes; or
 
(ii)      are not being processed with a view to the publication by any person of any journalistic, literary or artistic material which has not previously been published by the data controller;
 
he may serve the data controller with a notice (in this Law referred to as a "special information notice") requiring the data controller, within such time as is specified in the notice, to furnish the Commissioner, in such form as may be so specified, with such information as is so specified for the purpose specified in subsection (2).
 
(2)      That purpose is the purpose of ascertaining-
 
(a)      whether the personal data are being processed only for the special purposes; or
 
(b)      whether they are being processed with a view to the publication by any person of any journalistic, literary or artistic material which has not previously been published by the data controller.
 
(3)      A special information notice must contain-
 
(a)      in a case falling within paragraph (a) of subsection (1), a statement that the Commissioner has received a request under section 42 in relation to the specified processing; or
 
(b)      in a case falling within paragraph (b) of that subsection, a statement of the Commissioner's grounds for suspecting that the personal data are not being processed as mentioned in that paragraph.
 
(4)      A special information notice must also contain particulars of the rights of appeal conferred by section 48.
 
(5)      Subject to subsection (6), the time specified in a special information notice shall not expire before the end of the period within which an appeal can be brought against the notice and, if such an appeal is brought, the information need not be furnished pending the determination or withdrawal of the appeal.
 
(6)      If by reason of special circumstances the Commissioner considers that the information is required as a matter of urgency, he may include in the notice a statement to that effect and a statement of his reasons for reaching that conclusion; and in that event subsection (5) shall not apply, but the notice shall not require the information to be furnished before the end of the period of seven days beginning with the day on which the notice is served.
 
(7)      A person shall not be required by virtue of this section to furnish the Commissioner with any information in respect of-
 
(a)      any communication between a professional legal adviser and his client in connection with the giving of legal advice to the client with respect to his obligations, liabilities or rights under this Law; or
 
(b)      any communication between a professional legal adviser and his client, or between such an adviser or his client and any other person, made in connection with or in contemplation of proceedings under or arising out of this Law and for the purposes of such proceedings.
 
(8)      In subsection (7) references to the client of a professional legal adviser include references to any person representing such a client.
 
(9)      A person shall not be required by virtue of this section to furnish the Commissioner with any information if the furnishing of that information would, by revealing evidence of the commission of any offence other than an offence under this Law, expose him to proceedings for that offence.
 
(10)      The Commissioner may cancel a special information notice by written notice to the person on whom it was served.
 
Determination by Commissioner as to the special purposes.
45.      (1)      Where at any time it appears to the Commissioner (whether as a result of the service of a special information notice or otherwise) that any personal data-
 
(a)      are not being processed only for the special purposes; or
 
(b)      are not being processed with a view to the publication by any person of any journalistic, literary or artistic material which has not previously been published by the data controller;
 
he may make a determination in writing to that effect.
 
(2)      Notice of the determination shall be given to the data controller; and the notice must contain particulars of the right of appeal conferred by section 48.
 
(3)      A determination under subsection (1) shall not take effect until the end of the period within which an appeal can be brought and, where an appeal is brought, shall not take effect pending the determination or withdrawal of the appeal.
 
Restriction on enforcement in case of processing for the special purposes.
46.      (1)      The Commissioner may not at any time serve an enforcement notice on a data controller with respect to the processing of personal data for the special purposes unless-
 
(a)      a determination under section 45(1) with respect to those data has taken effect; and
 
(b)      a court has granted leave for the notice to be served.
 
(2)      A court shall not grant leave for the purposes of subsection (1)(b) unless it is satisfied-
 
(a)      that the Commissioner has reason to suspect a contravention of the data protection principles which is of substantial public importance; and
 
(b)      except where the case is one of urgency, that the data controller has been given notice, in accordance with rules of court, of the application for leave.
 
(3)      The Commissioner may not serve an information notice on a data controller with respect to the processing of personal data for the special purposes unless a determination under section 45(1) with respect to those data has taken effect.
 
(4)      The jurisdiction conferred by this section is exercisable -
 
(a)      if the data controller concerned has a place of business or resides in Guernsey, by the Magistrate's Court;
 
(b)      if the data controller concerned has a place of business or resides in Alderney, by the Court of Alderney; and
 
(c)      if the data controller concerned has a place of business or resides in Sark, by the Court of the Seneschal of Sark.
 
Failure to comply with notice.
47.      (1)      A person who fails to comply with an enforcement notice, an information notice or a special information notice shall be guilty of an offence.
 
(2)      A person who, in purported compliance with an information notice or a special information notice-
 
(a)      makes a statement which he knows to be false in a material respect; or
 
(b)      recklessly makes a statement which is false in a material respect;
 
shall be guilty of an offence.
 
(3)      It is a defence for a person charged with an offence under subsection (1) to prove that he exercised all due diligence to comply with the notice in question.
 
Rights of appeal.
48.      (1)      A person on whom an enforcement notice, an information notice or a special information notice has been served may appeal to the Royal Court against the notice.
 
(2)      A person on whom an enforcement notice has been served may appeal to the Royal Court against the refusal of an application under section 41(2) for cancellation or variation of the notice.
 
(3)      Where an enforcement notice, an information notice or a special information notice contains a statement by the Commissioner in accordance with section 40(8), 43(5) or 44(6) then, whether or not the person appeals against the notice, he may appeal against-
 
(a)      the Commissioner's decision to include the statement in the notice; or
 
(b)      the effect of the inclusion of the statement as respects any part of the notice.
 
(4)      A data controller in respect of whom a determination has been made under section 45 may appeal to the Royal Court against the determination.
 
Determination of appeals.
49.      (1)      If on an appeal under section 48(1) the Royal Court considers-
 
(a)      that the notice against which the appeal is brought is not in accordance with the law; or
 
(b)      to the extent that the notice involved an exercise of discretion by the Commissioner, that he ought to have exercised his discretion differently;
 
the court shall allow the appeal or substitute such other notice or decision as could have been served or made by the Commissioner; and in any other case the court shall dismiss the appeal.
 
(2)      On such an appeal, the Royal Court may review any determination of fact on which the notice in question was based.
 
(3)      If on an appeal under section 48(2) the Royal Court considers that the enforcement notice ought to be cancelled or varied by reason of a change in circumstances, the court shall cancel or vary the notice.
 
(4)      On an appeal under section 48(3) the Royal Court may direct-
 
(a)      that the notice in question shall have effect as if it did not contain any such statement as is mentioned in that section; or
 
(b)      that the inclusion of the statement shall not have effect in relation to any part of the notice;
 
and may make such modifications in the notice as may be required for giving effect to the direction.
 
(5)      On an appeal under section 48(4), the Royal Court may cancel the determination of the Commissioner.
 
(6)      Any party to an appeal to the Royal Court under section 48 may appeal from the decision of the court on a point of law to the Court of Appeal.
 
Powers of entry and inspection.
50.      Schedule 8 (powers of entry and inspection) has effect.
 
PART VI
MISCELLANEOUS AND GENERAL
 
Functions of Commissioner
 
General duties of Commissioner.
51.      (1)      It shall be the duty of the Commissioner to promote the following of good practice by data controllers and, in particular, so to perform his functions under this Law as to promote the observance of the requirements of this Law by data controllers.
 
(2)      The Commissioner shall arrange for the dissemination in such form and manner as he considers appropriate of such information as it may appear to him expedient to give to the public about the operation of this Law, about good practice, and about other matters within the scope of his functions under this Law, and may give advice to any person as to any of those matters.
 
(3)       Where-
 
(a)      the Committee so directs by Order; or
 
(b)      the Commissioner considers it appropriate to do so;
 
the Commissioner shall, after such consultation with trade associations, data subjects or persons representing data subjects as appears to him to be appropriate, prepare and disseminate to such persons as he considers appropriate codes of practice for guidance as to good practice.
 
(4)      The Commissioner shall also-
 
(a)      where he considers it appropriate to do so, encourage trade associations to prepare, and to disseminate to their members, such codes of practice; and
 
(b)      where any trade association submits a code of practice to him for his consideration, consider the code and, after such consultation with data subjects or persons representing data subjects as appears to him to be appropriate, notify the trade association whether in his opinion the code promotes the following of good practice.
 
(5)      An Order under subsection (3) shall describe the personal data or processing to which the code of practice is to relate, and may also describe the persons or classes of persons to whom it is to relate.
 
(6)      The Commissioner shall arrange for the dissemination in such form and manner as he considers appropriate of-
 
(a)      any Community finding as defined by paragraph 15(2) of Part II of Schedule 1;
 
(b)      any decision of the European Commission, under the procedure provided for in Article 31(2) of the Data Protection Directive, which is made for the purposes of Article 26(3) or (4) of the Directive; and
 
(c)      such other information as it may appear to him to be expedient to give to data controllers in relation to any personal data about the protection of the rights and freedoms of data subjects in relation to the processing of personal data in countries and territories outside the Bailiwick.
 
(7)      The Commissioner may, with the consent of the data controller, assess any processing of personal data for the following of good practice and shall inform the data controller of the results of the assessment.
 
(8)      The Commissioner may charge such sums as he may with the consent of the Committee determine for any services provided by the Commissioner by virtue of this Part.
 
(9)      In this section-
 
"good practice" means such practice in the processing of personal data as appears to the Commissioner to be desirable having regard to the interests of data subjects and others, and includes (but is not limited to) compliance with the requirements of this Law;
 
"trade association" includes any body representing data controllers.
 
Codes of practice and reports to be laid before the States.
52.       The Committee shall lay before the States-
 
(a)      any code of practice prepared under section 51(3) for complying with a direction of the Committee; and
 
(b)      any report prepared under paragraph 5 of Schedule 5.
 
Assistance by Commissioner in cases involving processing for the special purposes.
53.      (1)      An individual who is an actual or prospective party to any proceedings under section 7(9), 10(4), 12(8) or 14 or by virtue of section 13 which relate to personal data processed for the special purposes may apply to the Commissioner for assistance in relation to those proceedings.
 
(2)      The Commissioner shall, as soon as reasonably practicable after receiving an application under subsection (1), consider it and decide whether and to what extent to grant it, but he shall not grant the application unless, in his opinion, the case involves a matter of substantial public importance.
 
(3)      If the Commissioner decides to provide assistance, he shall, as soon as reasonably practicable after making the decision, notify the applicant, stating the extent of the assistance to be provided.
 
(4)      If the Commissioner decides not to provide assistance, he shall, as soon as reasonably practicable after making the decision, notify the applicant of his decision and, if he thinks fit, the reasons for it.
 
(5)      In this section-
 
(a)      references to "proceedings" include references to prospective proceedings; and
 
(b)      "applicant", in relation to assistance under this section, means an individual who applies for assistance.
 
(6)      Schedule 9 has effect for supplementing this section.
 
International co-operation.
54.      (1)      The Commissioner-  
 
(a)      shall be the designated authority in the Bailiwick for the purposes of Article 13 of the Convention; and
 
(b)      shall be the supervisory authority in the Bailiwick for the purposes of the Data Protection Directive.
 
(2)      The Committee may by Order make provision as to the functions to be discharged by the Commissioner as the designated authority in the Bailiwick for the purposes of Article 13 of the Convention.
 
(3)      The Committee may by Order make provision as to co-operation by the Commissioner with the European Commission and with supervisory authorities in EEA States in connection with the performance of their respective duties and, in particular, as to-
 
(a)      the exchange of information with supervisory authorities in EEA States or with the European Commission; and
 
(b)      the exercise within the Bailiwick at the request of a supervisory authority in an EEA State, in cases excluded by section 5 from the application of the other provisions of this Law of functions of the Commissioner specified in the order.
 
(4)      The Commissioner shall also carry out any data protection functions which the Committee may by Order direct him to carry out for the purpose of enabling the States to give effect to any international obligations of the Bailiwick.
 
(5)      Where the European Commission makes a decision for the purposes of Article 26(3) or (4) of the Data Protection Directive under the procedure provided for in Article 31(2) of the Directive, the Commissioner shall comply with that decision in exercising his functions under paragraph 9 of Schedule 4 or, as the case may be, paragraph 8 of that Schedule.
 
(6)      In this section-
 
"the Convention" means the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data which was opened for signature on 28th January 1981; and
 
"data protection functions" means functions relating to the protection of individuals with respect to the processing of personal information.
 
Unlawful obtaining etc. of personal data
 
Unlawful obtaining etc. of personal data.
55.      (1)      A person must not knowingly or recklessly, without the consent of the data controller-
 
(a)      obtain or disclose personal data or the information contained in personal data; or
 
(b)       procure the disclosure to another person of the information contained in personal data.
 
(2)      Subsection (1) does not apply to a person who shows-
 
(a)      that the obtaining, disclosing or procuring-
 
(i)      was necessary for the purpose of preventing, detecting or investigating crime; or
 
(ii)      was required or authorised by or under any enactment, by any rule of law or by the order of a court;
 
(b)      that he acted in the reasonable belief that he had in law the right to obtain or disclose the data or information or, as the case may be, to procure the disclosure of the information to the other person;
 
(c)      that he acted in the reasonable belief that he would have had the consent of the data controller if the data controller had known of the obtaining, disclosing or procuring and the circumstances of it; or
 
(d)      that in the particular circumstances the obtaining, disclosing or procuring was justified as being in the public interest.
 
(3)      A person who contravenes subsection (1) shall be guilty of an offence.      
 
(4)      A person who sells personal data shall be guilty of an offence if he has obtained the data in contravention of subsection (1).
 
(5)      A person who offers to sell personal data shall be guilty of an offence if-
 
(a)      he has obtained the data in contravention of subsection (1); or
 
(b)      he subsequently obtains the data in contravention of that subsection.
 
(6)      For the purposes of subsection (5), an advertisement indicating that personal data are or may be for sale is an offer to sell the data.
 
(7)      Section 1(2) does not apply for the purposes of this section; and for the purposes of subsections (4) to (6), "personal data" includes information extracted from personal data.
 
(8)      References in this section to personal data do not include references to personal data which by virtue of section 28 are exempt from this section.
 
Records obtained under data subject's right of access
 
Prohibition of requirement as to production of certain records.
56.      (1)      A person must not, in connection with-
 
(a)      the recruitment of another person as an employee;
 
(b)      the continued employment of another person; or
 
(c)      any contract for the provision of services to him by another person;
 
require that other person or a third party to supply him with a relevant record or to produce a relevant record to him.
 
(2)      A person concerned with the provision (for payment or not) of goods, facilities or services to the public or a section of the public must not, as a condition of providing or offering to provide any goods, facilities or services to another person, require that other person or a third party to supply him with a relevant record or to produce a relevant record to him.
 
(3)      Subsections (1) and (2) do not apply to a person who shows-
 
(a)      that the imposition of the requirement was required or authorised by or under any enactment, by any rule of law or by the order of a court; or
 
(b)      that in the particular circumstances the imposition of the requirement was justified as being in the public interest.
 
(4)      A person who contravenes subsection (1) or (2) shall be guilty of an offence.
 
(5)      In this section "a relevant record" means any record which-
 
(a)      has been or is to be obtained by a data subject from any data controller specified in the first column of the Table below in the exercise of the right conferred by section 7; and
 
(b)      contains information relating to any matter specified in relation to that data controller in the second column;
 
and includes a copy of such a record or a part of such a record.
 
TABLE
 
 
 
Data Controller
 
 
 
Subject-matter
 
1.
 
The Chief Officer of Police
 
(a)
 
Convictions
 
 
 
 
 
(b)
 
Cautions
 
2.
 
States Prison Board
 
(a)
 
Convictions
 
 
 
 
 
(b)
 
Cautions
 
 
 
 
 
(c)
 
Its functions under the Prison Administration (Guernsey) Law, 1949[c].
 
3.
 
Social Security Authority
 
(a)
 
Convictions
 
 
 
 
 
(b)
 
Cautions
 
 
 
 
 
(c)
 
Its functions under the Social Insurance (Guernsey) Law, 1978[d].
 
 
(6)      In the Table in subsection (5) -
 
"caution" means a caution given to any person in the Bailiwick in respect of an offence which, at the time when the caution is given, is admitted;
 
"conviction" means a conviction of a criminal offence;
 
"Social Security Authority" means the Authority established by the Social Insurance (Guernsey) Law, 1978;
 
"States Prison Board" means the Board established by the Prison Administration (Guernsey) Law, 1949.
 
(7)      The Committee may by Order amend-
 
(a)      the Table in subsection (5); and
 
(b)      subsection (6).
 
(8)      For the purposes of this section a record which states that a data controller is not processing any personal data relating to a particular matter shall be taken to be a record containing information relating to that matter.
 
(9)      In this section "employee" means an individual who-
 
(a)      works under a contract of employment; or
 
(b)      holds any office;
 
whether or not he is entitled to remuneration; and "employment" shall be construed accordingly.
 
Avoidance of certain contractual terms relating to health records.
57.      (1)      Any term or condition of a contract is void in so far as it purports to require an individual-
 
(a)      to supply any other person with a record to which this section applies, or with a copy of such a record or a part of such a record; or
 
(b)      to produce to any other person such a record, copy or part.
 
(2)      This section applies to any record which-
 
(a)      has been or is to be obtained by a data subject in the exercise of the right conferred by section 7; and
 
(b)      consists of the information contained in any health record as defined in section 67(1).
 
Information provided to Commissioner or a court
 
Disclosure of information.
58.       No enactment or rule of law prohibiting or restricting the disclosure of information shall preclude a person from furnishing the Commissioner, or a court properly constituted under and in accordance with any law of the Bailiwick, with any information necessary for the discharge of their functions under this Law.
 
Confidentiality of information.
59.      (1)      No person who is or has been the Commissioner, a member of the Commissioner's staff or an agent of the Commissioner shall disclose any information which-
 
(a)      has been obtained by, or furnished to, the Commissioner under or for the purposes of this Law;
 
(b)      relates to an identified or identifiable individual or business; and
 
(c)      is not at the time of the disclosure, and has not previously been, available to the public from other sources;
 
unless the disclosure is made with lawful authority.
 
(2)      For the purposes of subsection (1) a disclosure of information is made with lawful authority only if, and to the extent that-
 
(a)      the disclosure is made with the consent of the individual or of the person for the time being carrying on the business;
 
(b)      the information was provided for the purpose of its being made available to the public (in whatever manner) under any provision of this Law;
 
(c)      the disclosure is made for the purposes of, and is necessary for, the discharge of-
 
(i)      any functions under this Law; or
 
(ii)      any international obligation of the Bailiwick;
 
(d)      the disclosure is made for the purposes of any proceedings, whether criminal or civil and whether arising under, or by virtue of, this Law or otherwise; or
 
(e)      having regard to the rights and freedoms or legitimate interests of any person, the disclosure is necessary in the public interest.
 
(3)      Any person who knowingly or recklessly discloses information in contravention of subsection (1) shall be guilty of an offence.
 
General provisions relating to offences
 
Prosecutions and penalties.
60.      (1)      A person guilty of an offence under any provision of this Law other than paragraph 11 of Schedule 8 is liable-
 
(a)      on summary conviction, to a fine not exceeding level 5 on the uniform scale; or
 
(b)      on conviction on indictment, to a fine.
 
(2)      A person guilty of an offence under paragraph 11 of Schedule 8 is liable on summary conviction to a fine not exceeding level 5 on the uniform scale.
 
(3)      Subject to subsection (4), the court by or before which a person is convicted of-
 
(a)      an offence under section 21(1), 22(6), 55 or 56;
 
(b)      an offence under section 21(2) relating to processing which is assessable processing for the purposes of section 22; or
 
(c)      an offence under section 47(1) relating to an enforcement notice;
 
may order any document or other material used in connection with the processing of personal data and appearing to the court to be connected with the commission of the offence to be forfeited, destroyed or erased.
 
(4)      The court shall not make an order under subsection (3) in relation to any material where a person (other than the offender) claiming to be the owner of or otherwise interested in the material applies to be heard by the court, unless an opportunity is given to him to show cause why the order should not be made.
 
Liability of directors etc.
61.      (1)      Where an offence under this Law has been committed by a body corporate and is proved to have been committed with the consent or connivance of or to be attributable to any neglect on the part of any director, manager, secretary or similar officer of the body corporate or any person who was purporting to act in any such capacity, he as well as the body corporate shall be guilty of that offence and be liable to be proceeded against and punished accordingly.
 
(2)      Where the affairs of a body corporate are managed by its members subsection (1) shall apply in relation to the acts and defaults of a member in connection with his functions of management as if he were a director of the body corporate.
General
 
Application to committees of the States.
62.      (1)      Except as provided in subsection (2), a committee of the States shall be subject to the same obligations and liabilities under this Law as a private person; and for the purposes of this Law each committee of the States shall be treated as a person separate from any other such committee and a person in the public service of the States shall be treated as a servant of each such committee to which his responsibilities or duties relate.
 
(2)      A committee of the States shall not be liable to prosecution under this Law, but section 55 and paragraph 11 of Schedule 8 shall apply to a person in the service of the States as they apply to any other person.
 
(3)      In this section, section 31(3)(b), paragraph 5(c) of Schedule 2 and paragraph 7(1)(c) of Schedule 3, references to a committee and to a committee of the States refer to any committee (however described) of the States of Guernsey, the States of Alderney and the Chief Pleas of Sark.
 
Application to the police.
63.      This Law applies to the Chief Officer of Police and, for the purposes of this Law-
 
(a)      every member of the salaried police force of Guernsey;
 
(b)      every member of the special constabulary of Guernsey whilst acting as such; and
 
(c)      every special constable appointed by the Court of Alderney whilst acting as such,
 
shall be treated as his servant.
 
Transmission of notices etc. by electronic or other means.
64.      (1)      This section applies to-
 
(a)      a notice or request under any provision of Part II;
 
(b)      a notice under section 24(1) or particulars made available under that section; or
 
(c)      an application under section 41(2);
 
but does not apply to anything which is required to be served in accordance with rules of court.
 
(2)      The requirement that any notice, request, particulars or application to which this section applies should be in writing is satisfied where the text of the notice, request, particulars or application-
 
(a)      is transmitted by electronic means;
 
(b)      is received in legible form; and
 
(c)      is capable of being used for subsequent reference.
 
(3)      The Committee may by regulations provide that any requirement that any notice, request, particulars or application to which this section applies should be in writing is not to apply in such circumstances as may be prescribed by the regulations.
 
Service of notices by Commissioner.
65.      (1)      Any notice authorised or required by this Law to be served on or given to any person by the Commissioner may-
 
(a)      if that person is an individual, be served on him-
 
(i)      by delivering it to him; or
 
(ii)      by sending it to him by post addressed to him at his usual or last-known place of residence or business; or
 
(iii)      by leaving it for him at that place;
 
(b)      if that person is a body corporate or unincorporate, be served on that body-
 
(i)      by sending it by post to the proper officer of the body at its principal office; or
 
(ii)      by addressing it to the proper officer of the body and leaving it at that office.
 
(2)      In subsection (1)(b) "principal office", in relation to a registered company, means its registered office and "proper officer", in relation to any body, means the secretary or other executive officer charged with the conduct of its general affairs.
 
(3)      This section is without prejudice to any other lawful method of serving or giving notice.
 
Ordinances, orders, regulations and rules.
66.      (1)      Any power conferred by or under this Law to make any Ordinance, Order, regulations or rules includes power to vary or revoke any Ordinance, Order, regulations or rules so made by a subsequent Ordinance, Order, regulations or rules, as the case may be.
 
(2)      Any Ordinance, Order, regulations or rules made by or under this Law may-
 
(a)      make different provision for different cases; and
 
(b)      make such supplemental, incidental, consequential or transitional provision or savings as the States, the Committee or the Royal Court as the case may be, considers appropriate;
 
and nothing in section 7(11), 19(5), 26 or 30(4) limits the generality of paragraph (a).
 
(3)      Before making-
 
(a)      an Order under any provision of this Law other than section 74(3);
 
(b)      any regulations under this Law other than notification regulations (as defined by section 16(2));
 
the Committee shall consult the Commissioner.
 
(4)      Any Order or regulations made under this Law shall be laid before a meeting of the States as soon as may be after being made and if at that meeting or the next subsequent meeting the States resolve that the Order or regulations be annulled, the Order or regulations shall cease to have effect but without prejudice to anything done under the Order or regulations or to the making of a new Order or new regulations.
 
Interpretation and supplementary definitions.
67.      (1)      In this Law, unless the context otherwise requires-
 
"Alderney" means the Island of Alderney and its dependencies;
 
"the Bailiff" means the Bailiff, the Deputy Bailiff, a Lieutenant Bailiff or the Juge Délégué;
 
"the Bailiwick" means the Bailiwick of Guernsey;
 
"British Islands" has the meaning given by section 8(1) of the Interpretation (Guernsey) Law, 1948[e];
 
"business" includes any trade or profession;
 
"Chief Officer of Police" means the chief officer of the salaried police force of Guernsey;
 
"the Commissioner" means the Data Protection Commissioner;
 
"committee of the States" has the meaning given by section 62(3);
 
"the Committee" means the States' Advisory and Finance Committee;
 
"the Court" means the Royal Court;
 
"the Court of Appeal" means the court established by the Court of Appeal (Guernsey) Law, 1961[f];
 
"credit reference agency" means a person carrying on business comprising the furnishing of persons with information relevant to the financial standing of individuals, being information collected for that purpose;
 
"the Data Protection Directive" means Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data;
 
"EEA State" means a State which is a contracting party to the Agreement on the European Economic Area signed at Oporto on 2nd May 1992 as adjusted by the Protocol signed at Brussels on 17th March 1993;
 
"enactment" includes-
 
(a)      an enactment passed after this Law; and
 
(b)      legislation enacted by Parliament and having effect in the Bailiwick;
 
"Guernsey" includes Jethou and Herm;
 
"health record" means any record which-
 
(a)      consists of information relating to the physical or mental health or condition of an individual; and
 
(b)      has been made by or on behalf of a health professional in connection with the care of that individual;
 
"health professional" means the States of Guernsey Board of Health and any medical practitioner, dentist, optician, pharmaceutical chemist or druggist, nurse, midwife, health visitor, chiropodist, dietician, occupational therapist, orthoptist, physiotherapist, clinical psychologist, child psychotherapist, speech therapist or music therapist;
 
"Her Majesty's Procureur" includes Her Majesty's Comptroller;
 
"Law Officer of the Crown" means Her Majesty's Procureur or Comptroller General;
 
"Magistrate's Court" means the court established under and by virtue of the Magistrate's Court (Guernsey) Law, 1954[g]
 
"proprietor" has the meaning given by Section 30(5);
 
"public register" means any register which -
 
(a)      pursuant to a requirement imposed -
 
(i)      by or under any enactment; or
 
(ii)      in pursuance of any international agreement; or
 
(b)      by custom and practice,
 
is open to public inspection or open to inspection by any person having a legitimate interest;
 
"pupil" has the meaning given in section 1(1) of the Education (Guernsey) Law, 1970[h];
 
"recipient", in relation to any personal data, means any person to whom the data are disclosed, including any person (such as an employee or agent of the data controller, a data processor or an employee or agent of a data processor) to whom they are disclosed in the course of processing the data for the data controller, but does not include any person to whom disclosure is or may be made as a result of, or with a view to, a particular inquiry by or on behalf of that person made in the exercise of any power conferred by law;
 
"registered company" means a company registered under the enactments relating to companies for the time being in force in the Bailiwick;
 
"the Royal Court" means the Royal Court of Guernsey sitting as an Ordinary Court;
 
"Sark" means the Island of Sark and its dependencies;
 
"school" has the meaning given in section 1(1) of the Education (Guernsey) Law, 1970, as amended;
 
"the States" means the States of Guernsey;
 
"teacher" includes head teacher;
 
"third party", in relation to personal data, means any person other than-
 
(a)      the data subject;
 
(b)      the data controller; or
 
(c)      any data processor or other person authorised to process data for the data controller or processor;
 
(2)      For the purposes of this Law data are inaccurate if they are incorrect or misleading as to any matter of fact.
 
(3)      The provisions of the Interpretation (Guernsey) Law, 1948 shall apply to the interpretation of this Law throughout the Bailiwick.
 
(4)      Unless the context otherwise requires, references in this Law to an enactment are references thereto as amended, re-enacted (with or without modification), extended or applied.
 
Index of defined expressions.
68.      The following Table shows provisions defining or otherwise explaining expressions used in this Law (other than some provisions defining or explaining an expression only used in the same section or Schedule)-
 
address (in Part III)                                    section 16(3)
 
Advocate                                          paragraph 1 of
Schedule 9
 
Alderney                                          section 67(1)
 
Bailiff                                                section 67(1) and
                        paragraph 12 of
                        Schedule 8
 
Bailiwick                                          section 67(1)
 
business                                          section 67(1)
 
British Islands                                          section 67(1)
 
Chief Officer of Police                              section 67(1)
 
the Commissioner                                    section 67(1)
 
the Committee                                          section 67(1)
 
committee of the States                              section 67(1)
 
the Court                                          section 67(1)
 
credit reference agency                              section 67(1)
 
data                                                section 1(1)
 
data controller                                          sections 1(1) and (4)
 
data processor                                          section 1(1)
 
the Data Protection Directive                              section 67(1)
 
data protection principles                              section 4 and Schedule 1
 
data subject                                          section 1(1)
 
disclosing (of personal data)                              section 1(2)(b)
 
EEA State                                          section 67(1)
 
enactment                                          section 67(1)
 
enforcement notice                                    section 40(1)
 
fees regulations (in Part III)                              section 16(2)
 
health professional                                    section 67(1)
 
inaccurate (in relation to data)                        section 67(2)
 
information notice                                     section 43(1)
 
Law Officer of the Crown                              section 67(1)
 
the Magistrate's Court                              section 67(1)                                    
the non-disclosure provisions (in Part IV)                  section 27(3)
 
notification regulations (in Part III)                        section 16(2)
 
obtaining (of personal data)                              section 1(2)(a)
 
personal data                                          section 1(1)
 
prescribed (in Part III)                              section 16(2)
 
processing (of information or data)      section 1(1) and paragraph 4 of Schedule 7
 
proprietor                                          sections 67(1) and 30(5)
 
public information                                    section 34(2)
 
public register                                          section 67(1)
 
publish (in relation to journalistic,
literary or artistic material)                              section 32(6)
 
pupil (in relation to a school)                              section 67(1)
 
recipient (in relation to personal data)                  section 67(1)
 
recording (of personal data)                              section 1(2)(a)
 
registered company                                    section 67(1)
 
registrable particulars (in Part III)                        section 16(1)
 
relevant filing system                               section 1(1)
 
Royal Court                                          section 67(1)
 
Sark                                                section 67(1)
 
school                                                section 67(1)
 
sensitive personal data                              section 2
 
special information notice                              section 44(1)
 
the special purposes                                    section 3
 
the States                                          section 67(1)
 
the subject information provisions (in Part IV)            section 27(2)
 
teacher                                                section 67(1)
 
third party (in relation to processing
of personal data)                                    section 67(1)
 
using (of personal data)                              section 1(2)(b).
 
Amendment by Ordinance.
69.      The States may by Ordinance amend any of the provisions of this Law.
 
Modifications of Law.
70.      During the period beginning with the commencement of this section and ending with 23rd October 2007, the provisions of this Law shall have effect subject to the modifications set out in Schedule 10.
 
Transitional provisions and savings.
71.      Schedule 11 (which contains transitional provisions and savings) has effect.
 
Repeals and revocations.
72.      The enactments and instruments specified in Schedule 12 are repealed or revoked to the extent specified.
 
Rules of court.
73.      (1)      The Royal Court may by Order make rules dealing with -
 
(a)      all procedural and incidental matters arising under this Law; and
 
(b)      generally for carrying this Law into effect.
 
(2)      Without limiting the generality of subsection (1), rules made by the Royal Court may regulate the exercise of any rights of appeal conferred by this Law by specifying -
 
(a)      the manner in which any appeal may be commenced; and
 
(b)      the period within any appeal may or must be commenced.
 
Citation, commencement and extent.
74.      (1)      This Law may be cited as the Data Protection (Bailiwick of Guernsey) Law, 2001.
 
(2)      The following provisions of this Law-
 
(a)      sections 1 to 3;
 
(b)      section 25(1) and (4);
 
(c)      section 26;
 
(d)      sections 66 to 68;
 
(e)      this section; and
 
(f)      so much of any other provision of this Law as confers any power to make subordinate legislation;
 
shall come into force on the day of its registration on the Records of the Island of Guernsey.
 
(3)      The remaining provisions of this Law shall come into force on such day as the Committee may by Order appoint; and different days may be appointed for different purposes.
 
(4)      Any repeal or revocation made by Schedule 12 has the same extent as that of the enactment or instrument to which it relates.
 
S C H E D U L E S
 
Section 4(1) and (2)
SCHEDULE 1
THE DATA PROTECTION PRINCIPLES
 
PART I
THE PRINCIPLES
 
The first principle
 
1.      Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless-
 
(a)      at least one of the conditions in Schedule 2 is met; and
 
(b)      in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.
 
The second principle
 
2.      Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
 
The third principle
 
3.      Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
 
The fourth principle
 
4.      Personal data shall be accurate and, where necessary, kept up to date.
 
The fifth principle
 
5.      Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
 
The sixth principle
 
6.      Personal data shall be processed in accordance with the rights of data subjects under this Law.
 
The seventh principle
 
7.      Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
 
The eighth principle
 
8.      Personal data shall not be transferred to a country or territory outside the Bailiwick unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
 
PART II
INTERPRETATION OF THE PRINCIPLES IN PART I
 
The first principle
 
1.      (1)      In determining for the purposes of the first principle whether personal data are processed fairly, regard is to be had to the method by which they are obtained, including in particular whether any person from whom they are obtained is deceived or misled as to the purpose or purposes for which they are to be processed.
 
(2)      Subject to paragraph 2, for the purposes of the first principle data are to be treated as obtained fairly if they consist of information obtained from a person who-
 
(a)      is authorised by or under any enactment to supply it; or
 
(b)      is required to supply it by or under any enactment or by any convention or other instrument imposing an international obligation on the States.
 
2.      (1)      Subject to paragraph 3, for the purposes of the first principle personal data are not to be treated as processed fairly unless-
 
(a)      in the case of data obtained from the data subject, the data controller ensures so far as practicable that the data subject has, is provided with, or has made readily available to him, the information specified in sub-paragraph (3); and
 
(b)      in any other case, the data controller ensures so far as practicable that, before the relevant time or as soon as practicable after that time, the data subject has, is provided with, or has made readily available to him, the information specified in sub-paragraph (3).
 
(2)      In sub-paragraph (1)(b) "the relevant time" means-
 
(a)      the time when the data controller first processes the data; or
 
(b)      in a case where at that time disclosure to a third party within a reasonable period is envisaged-
 
(i)      if the data are in fact disclosed to such a person within that period, the time when the data are first disclosed;
 
(ii)      if within that period the data controller becomes, or ought to become, aware that the data are unlikely to be disclosed to such a person within that period, the time when the data controller does become, or ought to become, so aware; or
 
(iii)      in any other case, the end of that period.
 
(3)      The information referred to in sub-paragraph (1) is as follows, namely-
 
(a)      the identity of the data controller;
 
(b)      if he has nominated a representative for the purposes of this Law, the identity of that representative;
 
(c)      the purpose or purposes for which the data are intended to be processed; and
 
(d)      any further information which is necessary, having regard to the specific circumstances in which the data are or are to be processed, to enable processing in respect of the data subject to be fair.
 
3.      (1)      Paragraph 2(1)(b) does not apply where either of the primary conditions in sub-paragraph (2), together with such further conditions as may be prescribed by the Committee by Order, are met.
 
(2)      The primary conditions referred to in sub-paragraph (1) are-
 
(a)      that the provision of that information would involve a disproportionate effort; or
 
(b)      that the recording of the information to be contained in the data by, or the disclosure of the data by, the data controller is necessary for compliance with any legal obligation to which the data controller is subject, other than an obligation imposed by contract.
 
4.      (1)      Personal data which contain a general identifier falling within a description prescribed by the Committee by Order are not to be treated as processed fairly and lawfully unless they are processed in compliance with any conditions so prescribed in relation to general identifiers of that description.
 
(2)      In sub-paragraph (1) "a general identifier" means any identifier (such as, for example, a number or code used for identification purposes) which-
 
(a)      relates to an individual; and
 
(b)      forms part of a set of similar identifiers which is of general application.
 
The second principle
 
5.       The purpose or purposes for which personal data are obtained may in particular be specified-
 
(a)      in a notice given for the purposes of paragraph 2 by the data controller to the data subject; or
 
(b)      in a notification given to the Commissioner under Part III of this Law.
 
6.      In determining whether any disclosure of personal data is compatible with the purpose or purposes for which the data were obtained, regard is to be had to the purpose or purposes for which the personal data are intended to be processed by any person to whom they are disclosed.
 
The fourth principle
 
7.      The fourth principle is not to be regarded as being contravened by reason of any inaccuracy in personal data which accurately record information obtained by the data controller from the data subject or a third party in a case where-
 
(a)      having regard to the purpose or purposes for which the data were obtained and further processed, the data controller has taken reasonable steps to ensure the accuracy of the data; and
 
(b)      if the data subject has notified the data controller of the data subject's view that the data are inaccurate, the data indicate that fact.
 
The sixth principle
 
8.      A person is to be regarded as contravening the sixth principle if, but only if-
 
(a)      he contravenes section 7 by failing to supply information in accordance with that section;
 
(b)      he contravenes section 10 by failing to comply with a notice given under section 10(1) to the extent that the notice is justified or by failing to give a notice under section 10(3);
 
(c)      he contravenes section 11 by failing to comply with a notice given under section 11(1); or
 
(d)      he contravenes section 12 by failing to comply with a notice given under section 12(1) or (2)(b) or by failing to give a notification under section 12(2)(a) or a notice under section 12(3).
 
The seventh principle
 
9.      Having regard to the state of technological development and the cost of implementing any measures, the measures must ensure a level of security appropriate to-
 
(a)      the harm that might result from such unauthorised or unlawful processing or accidental loss, destruction or damage as are mentioned in the seventh principle; and
 
(b)      the nature of the data to be protected.
 
10.      The data controller must take reasonable steps to ensure the reliability of any employees of his who have access to the personal data.
 
11.      Where processing of personal data is carried out by a data processor on behalf of a data controller, the data controller must in order to comply with the seventh principle-
 
(a)      choose a data processor providing sufficient guarantees in respect of the technical and organisational security measures governing the processing to be carried out; and
 
(b)      take reasonable steps to ensure compliance with those measures.
 
12.      Where processing of personal data is carried out by a data processor on behalf of a data controller, the data controller is not to be regarded as complying with the seventh principle unless-
 
(a)      the processing is carried out under a contract-
 
(i)      which is made or evidenced in writing; and
 
(ii)      under which the data processor is to act only on instructions from the data controller; and
 
(b)      the contract requires the data processor to comply with obligations equivalent to those imposed on a data controller by the seventh principle.
 
The eighth principle
 
13.      An adequate level of protection is one which is adequate in all the circumstances of the case, having regard in particular to-
 
(a)      the nature of the personal data;
 
(b)      the country or territory of origin of the information contained in the data;
 
(c)      the country or territory of final destination of that information;
 
(d)      the purposes for which and period during which the data are intended to be processed;
 
(e)      the law in force in the country or territory in question;
 
(f)      the international obligations of that country or territory;
 
(g)      any relevant codes of conduct or other rules which are enforceable in that country or territory (whether generally or by arrangement in particular cases); and
 
(h)      any security measures taken in respect of the data in that country or territory.
 
14.      The eighth principle does not apply to a transfer falling within any paragraph of Schedule 4, except in such circumstances and to such extent as the Committee may by Order provide.
 
15.      (1)      Where-
 
(a)      in any proceedings under this Law any question arises as to whether the requirement of the eighth principle as to an adequate level of protection is met in relation to the transfer of any personal data to a country or territory outside the Bailiwick; and
 
(b)      a Community finding has been made in relation to transfers of the kind in question;
 
that question is to be determined in accordance with that finding.
 
(2)      In sub-paragraph (1) "Community finding" means a finding of the European Commission, under the procedure provided for in Article 31(2) of the Data Protection Directive, that a country or territory outside the European Economic Area does, or does not, ensure an adequate level of protection within the meaning of Article 25(2) of the Directive.
 
 
 
Section 4(3)
SCHEDULE 2
 
 
CONDITIONS RELEVANT FOR PURPOSES OF THE FIRST PRINCIPLE: PROCESSING OF ANY PERSONAL DATA
 
1.      The data subject has given his consent to the processing.
 
2.      The processing is necessary-
 
(a)      for the performance of a contract to which the data subject is a party; or
 
(b)      for the taking of steps at the request of the data subject with a view to entering into a contract.
 
3.      The processing is necessary for compliance with any legal obligation to which the data controller is subject, other than an obligation imposed by contract.
 
4.      The processing is necessary in order to protect the vital interests of the data subject.
 
5.      The processing is necessary-
 
(a)      for the administration of justice;
 
(b)      for the exercise of any functions conferred on any person by or under any enactment;
 
(c)      for the exercise of any functions of the Crown, a Law Officer of the Crown or a committee of the States; or
 
(d)      for the exercise of any other functions of a public nature exercised in the public interest by any person.
 
6.      (1)      The processing is necessary for the purposes of legitimate interests pursued by the data controller or by the third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject.
 
(2)      The Committee may by Order specify particular circumstances in which this condition is, or is not, to be taken to be satisfied.
 
Section 4(3)
SCHEDULE 3
 
CONDITIONS RELEVANT FOR PURPOSES OF THE FIRST PRINCIPLE: PROCESSING OF SENSITIVE PERSONAL DATA
 
1.      The data subject has given his explicit consent to the processing of the personal data.
 
2.      (1)      The processing is necessary for the purposes of exercising or performing any right or obligation which is conferred or imposed by law on the data controller in connection with employment.
 
(2)      The Committee may by Order-
 
(a)      exclude the application of sub-paragraph (1) in such cases as may be specified; or
 
(b)      provide that, in such cases as may be specified, the condition in sub-paragraph (1) is not to be regarded as satisfied unless such further conditions as may be specified in the order are also satisfied.
 
3.      The processing is necessary-
 
(a)      in order to protect the vital interests of the data subject or another person, in a case where-
 
(i)      consent cannot be given by or on behalf of the data subject; or
 
(ii)      the data controller cannot reasonably be expected to obtain the consent of the data subject; or
 
(b)      in order to protect the vital interests of another person, in a case where consent by or on behalf of the data subject has been unreasonably withheld.
 
4.      The processing-
 
(a)      is carried out in the course of its legitimate activities by any body or association which-
 
(i)      is not established or conducted for profit; and
 
(ii)      exists for political, philosophical, religious or trade-union purposes;
 
(b)      is carried out with appropriate safeguards for the rights and freedoms of data subjects;
 
(c)      relates only to individuals who either are members of the body or association or have regular contact with it in connection with its purposes; and
 
(d)      does not involve disclosure of the personal data to a third party without the consent of the data subject.
 
5.      The information contained in the personal data has been made public as a result of steps deliberately taken by the data subject.
 
6.      The processing-
 
(a)      is necessary for the purpose of, or in connection with, any legal proceedings (including prospective legal proceedings);
 
(b)      is necessary for the purpose of obtaining legal advice; or
 
(c)      is otherwise necessary for the purposes of establishing, exercising or defending legal rights.
 
7.      (1)      The processing is necessary-
 
(a)      for the administration of justice;
 
(b)      for the exercise of any functions conferred on any person by or under an enactment; or
 
(c)      for the exercise of any functions of the Crown, a Law Officer of the Crown or a committee of the States.
 
(2)      The Committee may by Order-
 
(a)      exclude the application of sub-paragraph (1) in such cases as may be specified; or
 
(b)      provide that, in such cases as may be specified, the condition in sub-paragraph (1) is not to be regarded as satisfied unless such further conditions as may be specified in the order are also satisfied.
 
8.      (1)      The processing is necessary for medical purposes and is undertaken by-
 
(a)      a health professional; or
 
(b)      a person who in the circumstances owes a duty of confidentiality which is equivalent to that which would arise if that person were a health professional.
 
(2)      In this paragraph "medical purposes" includes the purposes of preventative medicine, medical diagnosis, medical research, the provision of care and treatment and the management of healthcare services.
 
9.      (1)      The processing-
 
(a)      is of sensitive personal data consisting of information as to racial or ethnic origin;
 
(b)      is necessary for the purpose of identifying or keeping under review the existence or absence of equality of opportunity or treatment between persons of different racial or ethnic origins, with a view to enabling such equality to be promoted or maintained; and
 
(c)      is carried out with appropriate safeguards for the rights and freedoms of data subjects.
 
(2)      The Committee may by Order specify circumstances in which processing falling within sub-paragraph (1)(a) and (b) is, or is not, to be taken for the purposes of sub-paragraph (1)(c) to be carried out with appropriate safeguards for the rights and freedoms of data subjects.
 
10.      The personal data are processed in circumstances specified in an Order made by the Committee for the purposes of this paragraph.
 
Section 4(3)
 
SCHEDULE 4
CASES WHERE THE EIGHTH PRINCIPLE DOES NOT APPLY
 
1.      The data subject has given his consent to the transfer.
 
2.      The transfer is necessary-
 
(a)      for the performance of a contract between the data subject and the data controller; or
 
(b)      for the taking of steps at the request of the data subject with a view to his entering into a contract with the data controller.
 
3.      The transfer is necessary-
 
(a)      for the conclusion of a contract between the data controller and a person other than the data subject which-
 
(i)      is entered into at the request of the data subject; or
 
(ii)      is in the interests of the data subject; or
 
(b)      for the performance of such a contract.
 
4.      (1)      The transfer is necessary for reasons of substantial public interest.
 
(2)      The Committee may by Order specify-
 
(a)      circumstances in which a transfer is to be taken for the purposes of sub-paragraph (1) to be necessary for reasons of substantial public interest; and
 
(b)      circumstances in which a transfer which is not required by or under an enactment is not to be taken for the purpose of sub-paragraph (1) to be necessary for reasons of substantial public interest.
 
5.      The transfer-
 
(a)      is necessary for the purpose of, or in connection with, any legal proceedings (including prospective legal proceedings);
 
(b)      is necessary for the purpose of obtaining legal advice; or
 
(c)      necessary for the purposes of establishing, exercising or defending legal rights.
 
6.      The transfer is necessary in order to protect the vital interests of the data subject.
 
7.      The transfer is of part of the personal data on a public register and any conditions subject to which the register is open to inspection are complied with by any person to whom the data are or may be disclosed after the transfer.
 
8.      The transfer is made on terms which are of a kind approved by the Commissioner as ensuring adequate safeguards for the rights and freedoms of data subjects.
 
9. The transfer has been authorised by the Commissioner as being made in such a manner as to ensure adequate safeguards for the rights and freedoms of data subjects.
Sections 6(5)
SCHEDULE 5
 
THE DATA PROTECTION COMMISSIONER
 
Tenure of office
1.      (1)      Subject to the provisions of this paragraph, the Commissioner shall hold office for such term not exceeding five years as may be agreed between the Committee and the Commissioner at the time of his appointment.
 
(2)      The Commissioner may only be relieved of his office before the expiration of its full term, by the Committee-
 
(a)      pursuant to a Resolution of the States requiring the Committee so to do; or
 
(b)      on receipt of a written request made by the Commissioner.
 
(3)       When the Commissioner ceases to hold office by reason of the expiration of his term he shall be eligible for reappointment.
 
Staffing resources etc.
2.      (1)      The Committee must make available to the Commissioner such number and descriptions of staff as he may reasonably require for the proper and effectual discharge of his functions.
 
(2)      To the extent that the services of a States employee are made available to the Commissioner as required by this paragraph, it is hereby declared for the avoidance of doubt that for the purposes of the Public Functions (Transfer and Performance) (Bailiwick of Guernsey) Law, 1991[i]-
 
(a)       that employee is an officer responsible to the Commissioner;
 
(b)      the Commissioner may arrange for any of the functions of his office to be performed in his name by that employee to the extent permitted by section 4 of that Law.
 
(3)      The Committee must provide for the Commissioner such accommodation and equipment, such secretarial and clerical services, and such other facilities, as he may reasonably request for the proper and effectual discharge of his functions.
 
(4)      The costs of meeting the requirements of this paragraph, as also the agreed emoluments and expenses of the Commissioner, shall be paid by the Committee from the general revenue account of the States.
 
Financial and accounting provisions
 
3.      (1)      All fees and similar sums received by the Commissioner in the exercise of his functions shall be paid by him to the Committee for the general revenue account of the States.
 
(2)      Subparagraph (1) of this paragraph does not apply if and to the extent that, in accordance with agreed financial procedures, the Committee may otherwise direct.
 
(3)      The Commissioner must-
 
(a)      maintain proper accounts and proper records in relation to those accounts; and
 
(b)      furnish to the Committee, as often as the Committee may reasonably direct but not less frequently than once in any period of 12 months, a full and accurate statement of those accounts.
 
(4)      For the purposes of the States Audit Commission (Guernsey) Law, 1997[j], but only for those purposes, the office of the Data Protection Commissioner is deemed to be a department or operation conducted by the Committee.
 
Oath of office
 
4.      The Commissioner shall, upon his appointment or as soon as reasonably practicable thereafter, take an oath or make an affirmation before the Royal Court in the following terms or in words to the like effect:
 
“You [swear and promise on the faith and truth that you owe to God] [do solemnly, sincerely and truly declare and affirm] that you will well and faithfully discharge the functions of Data Protection Commissioner in accordance with law; that you will exercise the powers entrusted to you only as appears necessary to you for the due discharge of those functions; and that you will not disclose any information received by you in the discharge of those functions which to your knowledge may directly lead to the identification of any person, save to persons engaged in the discharge of those functions; pursuant to an express power conferred by or under the Data Protection (Bailiwick of Guernsey) Law, 2001; or in any other case required by law.”
 
Annual report
 
5.      The Commissioner must report in writing to the Committee at least once in every period of 12 months as to the discharge of his functions.
 
Presumption of authenticity of documents
 
6.      Any document purporting to be issued by the Commissioner and to be signed by or on behalf of the Commissioner shall be deemed to be such a document unless the contrary is shown.
 
 
.
 
 
 
 
 
    
 
Section 37
SCHEDULE 6
MISCELLANEOUS EXEMPTIONS
 
Confidential references given by the data controller
 
1.      Personal data are exempt from section 7 if they consist of a reference given or to be given in confidence by the data controller for the purposes of- 
 
(a)      the education, training or employment, or prospective education, training or employment, of the data subject;
 
(b)      the appointment, or prospective appointment, of the data subject to any office; or
 
(c)      the provision, or prospective provision, by the data subject of any service.
Armed forces
 
2.      Personal data are exempt from the subject information provisions in any case to the extent to which the application of those provisions would be likely to prejudice the combat effectiveness of any of the armed forces of the Crown. 
Judicial appointments and honours
 
3.      Personal data processed for the purposes of- 
 
(a)      assessing any person's suitability for judicial office or the office of Queen's Counsel; or
 
(b)      the conferring by the Crown of any honour or dignity;
 
are exempt from the subject information provisions. 
 
Crown employment and Crown appointments
 
4.      The Committee may by Order exempt from the subject information provisions personal data processed for the purposes of assessing any person's suitability for- 
 
(a)      employment by or under the Crown; or
 
(b)       any office to which appointments are made by Her Majesty.
 
Management forecasts etc.
 
5.      Personal data processed for the purposes of management forecasting or management planning to assist the data controller in the conduct of any business or other activity are exempt from the subject information provisions in any case to the extent to which the application of those provisions would be likely to prejudice the conduct of that business or other activity. 
Corporate finance
 
6.      (1)      Where personal data are processed for the purposes of, or in connection with, a corporate finance service provided by a relevant person- 
 
(a)      the data are exempt from the subject information provisions in any case to the extent to which either-
 
(i)      the application of those provisions to the data could affect the price of any instrument which is already in existence or is to be or may be created; or
 
(ii)      the data controller reasonably believes that the application of those provisions to the data could affect the price of any such instrument; and
 
(b)      to the extent that the data are not exempt from the subject information provisions by virtue of paragraph (a), they are exempt from those provisions if the exemption is required for the purpose of safeguarding an important economic or financial interest of the Bailiwick.
 
(2)      For the purposes of sub-paragraph (1)(b) the Committee may by Order specify-  
 
(a)      matters to be taken into account in determining whether exemption from the subject information provisions is required for the purpose of safeguarding an important economic or financial interest of the Bailiwick; or
 
(b)      circumstances in which exemption from those provisions is, or is not, to be taken to be required for that purpose.
 
       (3)      In this paragraph-  
 
"corporate finance service" means a service consisting in-
 
(a)      underwriting in respect of issues of, or the placing of issues of, any instrument;
 
(b)      advice to undertakings on capital structure, industrial strategy and related matters and advice and service relating to mergers and the purchase of undertakings; or
 
(c)      services relating to such underwriting as is mentioned in paragraph (a);
 
"instrument" means any instrument listed in section B of the Annex to the Council Directive on investment services in the securities field (93/22/EEC), as set out in Schedule 1 to the Investment Services Regulations 1995[k];
 
"price" includes value;
 
"relevant person" means-
 
(a)      any person who holds a licence to carry on controlled investment business under of Part I of the Protection of Investors (Bailiwick of Guernsey) Law, 1987[l] or is an exempted person under Part IV of that Law;
 
(b)      any person who is authorised under Chapter III of Part I of the Financial Services Act 1986[m] or is an exempted person under Chapter IV of Part I of that Act;
 
(c)      any person who, but for Part III or IV of Schedule I to the Financial Services Act 1986, would require authorisation under that Act;
 
(d)      any European investment firm within the meaning given by Regulation 3 of the Investment Services Regulations 1995;
 
(e)      any person who, in the course of his employment, provides to his employer a service falling within paragraph (b) or (c) of the definition of "corporate finance service"; or
 
(f)      any partner who provides to other partners in the partnership a service falling within either of those paragraphs. 
Negotiations
 
7.      Personal data which consist of records of the intentions of the data controller in relation to any negotiations with the data subject are exempt from the subject information provisions in any case to the extent to which the application of those provisions would be likely to prejudice those negotiations.
 
 
 
Examination marks
 
8.      (1)      Section 7 shall have effect subject to the provisions of sub-paragraphs (2) to (4) in the case of personal data consisting of marks or other information processed by a data controller-
  
(a)      for the purpose of determining the results of an academic, professional or other examination or of enabling the results of any such examination to be determined; or
 
(b)      in consequence of the determination of any such results.
 
(2)      Where the relevant day falls before the day on which the results of the examination are announced, the period mentioned in section 7(8) shall be extended until- 
 
(a)      the end of five months beginning with the relevant day; or
 
(b)      the end of sixty days beginning with the date of the announcement;
 
whichever is the earlier. 
 
(3)      Where by virtue of sub-paragraph (2) a period longer than the prescribed period elapses after the relevant day before the request is complied with, the information to be supplied pursuant to the request shall be supplied both by reference to the data in question at the time when the request is received and (if different) by reference to the data as from time to time held in the period beginning when the request is received and ending when it is complied with. 
 
(4)      For the purposes of this paragraph the results of an examination shall be treated as announced when they are first published or (if not published) when they are first made available or communicated to the candidate in question. 
 
(5)      In this paragraph- 
 
"examination" includes any process for determining the knowledge, intelligence, skill or ability of a candidate by reference to his performance in any test, work or other activity;
 
"the prescribed period" means sixty days or such other period as is for the time being prescribed under section 7 in relation to the personal data in question;
 
"relevant day" has the same meaning as in section 7.
 
Examination scripts etc.
 
9.      (1)      Personal data consisting of information recorded by candidates during an academic, professional or other examination are exempt from section 7. 
 
(2)      In this paragraph "examination" has the same meaning as in paragraph 8. 
 
Legal professional privilege
 
10.      Personal data are exempt from the subject information provisions if the data consist of information in respect of which a claim to legal professional privilege, could be maintained in legal proceedings. 
 
Self-incrimination
 
11.      (1)      A person need not comply with any request or order under section 7 to the extent that compliance would, by revealing evidence of the commission of any offence other than an offence under this Law, expose him to proceedings for that offence. 
 
(2)      Information disclosed by any person in compliance with any request or order under section 7 shall not be admissible against him in proceedings for an offence under this Law.
 
Criminal records of persons not ordinarily resident
 
12.      Personal data are exempt from the subject information provisions in respect of persons not ordinarily resident in the Bailiwick or any part of the Bailiwick (in this paragraph referred to as "non-resident subjects"), if they consist of records of criminal convictions or cautions of non-resident subjects to which those subjects are able to obtain access under and subject to the law of a jurisdiction other than that of the Bailiwick or any part of the Bailiwick.
 
 
Section 39
SCHEDULE 7
TRANSITIONAL RELIEF
 
PART I
INTERPRETATION OF SCHEDULE
 
1.      (1)      For the purposes of this Schedule, personal data are "eligible data" at any time if, and to the extent that, they are at that time subject to processing which was already under way immediately before the commencement of this Schedule. 
 
         (2)      In this Schedule- 
 
"eligible automated data" means eligible data which fall within paragraph (a) or (b) of the definition of "data" in section 1(1);
 
"eligible manual data" means eligible data which are not eligible automated data;
 
"the first transitional period" means the period of 3 years beginning with the commencement of this Schedule;
 
"the second transitional period" means the period from the end of the first transitional period to the 23rd October 2007.
 
 
PART II
EXEMPTIONS AVAILABLE DURING THE FIRST TRANSITIONAL PERIOD
 
Manual data
 
2.      (1)      Eligible manual data are exempt from the data protection principles and Parts II and III of this Law during the first transitional period. 
 
(2)      This paragraph does not apply to eligible manual data to which paragraph 3 applies. 
 
3.      (1)      This paragraph applies to eligible manual data which consist of information relevant to the financial standing of the data subject and in respect of which the data controller is a credit reference agency. 
 
       (2)      During the first transitional period, data to which this paragraph applies are exempt from- 
 
(a)      the data protection principles, except the sixth principle so far as relating to sections 7 and 12A;
 
(b)      Part II of this Law, except section 7 (as it has effect subject to sections 8 and 9) and section 12A; and
  
(c)      Part III of this Law.
 
 
 
 
 
 
Processing otherwise than by reference to the data subject
 
4.      During the first transitional period, for the purposes of this Law (apart from paragraph 1), eligible automated data are not to be regarded as being "processed" unless the processing is by reference to the data subject. 
Payrolls and accounts
 
5.      (1)      Subject to sub-paragraph (2), eligible automated data processed by a data controller for one or more of the following purposes-  
 
(a)      calculating amounts payable by way of remuneration or pensions in respect of service in any employment or office or making payments of, or of sums deducted from, such remuneration or pensions; or
 
(b)      keeping accounts relating to any business or other activity carried on by the data controller or keeping records of purchases, sales or other transactions for the purpose of ensuring that the requisite payments are made by or to him in respect of those transactions or for the purpose of making financial or management forecasts to assist him in the conduct of any such business or activity;
 
are exempt from the data protection principles and Parts II and III of this Law during the first transitional period. 
 
       (2)      It shall be a condition of the exemption of any eligible automated data under this paragraph that the data are not processed for any other purpose, but the exemption is not lost by any processing of the eligible data for any other purpose if the data controller shows that he had taken such care to prevent it as in all the circumstances was reasonably required. 
 
(3)      Data processed only for one or more of the purposes mentioned in sub-paragraph (1)(a) may be disclosed-  
 
(a)      to any person, other than the data controller, by whom the remuneration or pensions in question are payable;
 
(b)      for the purpose of obtaining actuarial advice;
 
(c)      for the purpose of giving information as to the persons in any employment or office for use in medical research into the health of, or injuries suffered by, persons engaged in particular occupations or working in particular places or areas;
 
(d)      if the data subject (or a person acting on his behalf) has requested or consented to the disclosure of the data either generally or in the circumstances in which the disclosure in question is made; or
 
(e)      if the person making the disclosure has reasonable grounds for believing that the disclosure falls within paragraph (d).
 
(4)      Data processed for any of the purposes mentioned in sub-paragraph (1) may be disclosed- 
 
(a)      for the purpose of audit or where the disclosure is for the purpose only of giving information about the data controller's financial affairs; or
 
(b)      in any case in which disclosure would be permitted by any other provision of this Part of this Law if sub-paragraph (2) were included among the non-disclosure provisions.
 
    (5) In this paragraph "remuneration" includes remuneration in kind and "pensions" includes gratuities or similar benefits. 
Unincorporated members' clubs and mailing lists
 
6.      Eligible automated data processed by an unincorporated members' club and relating only to the members of the club are exempt from the data protection principles and Parts II and III of this Law during the first transitional period. 
 
7.      Eligible automated data processed by a data controller only for the purposes of distributing, or recording the distribution of, articles or information to the data subjects and consisting only of their names, addresses or other particulars necessary for effecting the distribution, are exempt from the data protection principles and Parts II and III of this Law during the first transitional period. 
 
8.      Neither paragraph 6 nor paragraph 7 applies to personal data relating to any data subject unless he has been asked by the club or data controller whether he objects to the data relating to him being processed as mentioned in that paragraph and has not objected. 
 
9.      It shall be a condition of the exemption of any data under paragraph 6 that the data are not disclosed except as permitted by paragraph 10 and of the exemption under paragraph 7 that the data are not processed for any purpose other than that mentioned in that paragraph or as permitted by paragraph 10, but-  
 
(a)      the exemption under paragraph 6 shall not be lost by any disclosure in breach of that condition; and
 
(b)      the exemption under paragraph 7 shall not be lost by any processing in breach of that condition;
 
if the data controller shows that he had taken such care to prevent it as in all the circumstances was reasonably required. 
 
10.      Data to which paragraph 9 applies may be disclosed- 
 
(a)      if the data subject (or a person acting on his behalf) has requested or consented to the disclosure of the data either generally or in the circumstances in which the disclosure in question is made;
 
(b)      if the person making the disclosure has reasonable grounds for believing that the disclosure falls within paragraph (a); or
 
(c)      in any case in which disclosure would be permitted by any other provision of this Part of this Law if paragraph 7 were included among the non-disclosure provisions.
 
Back-up data
 
11.      Eligible automated data which are processed only for the purpose of replacing other data in the event of the latter being lost, destroyed or impaired are exempt from section 7 during the first transitional period.  
 
Exemption of all eligible automated data from certain requirements
 
12.      (1)      During the first transitional period, eligible automated data are exempt from the following provisions- 
 
(a)      the first data protection principle to the extent to which it requires compliance with-
 
(i)      paragraph 2 of Part II of Schedule 1;
 
(ii)      the conditions in Schedule 2; and
 
(iii)      the conditions in Schedule 3;
 
(b)      the seventh data protection principle to the extent to which it requires compliance with paragraph 12 of Part II of Schedule 1;
 
(c)      the eighth data protection principle;
 
(d)      in section 7(1), paragraphs (b), (c)(ii) and (d);
 
(e)      sections 10 and 11;
 
(f)      section 12; and
 
(g)      section 13, except so far as relating to-
 
(i)      any contravention of the fourth data protection principle;
 
(ii)      any disclosure without the consent of the data controller;
 
(iii)      loss or destruction of data without the consent of the data controller; or
 
(iv)      processing for the special purposes.
 
(2)      The specific exemptions conferred by sub-paragraph (1)(a), (c) and (e) do not limit the data controller's general duty under the first data protection principle to ensure that processing is fair. 
 
PART III
EXEMPTIONS AVAILABLE DURING THE SECOND TRANSITIONAL PERIOD
 
13.      (1)      This paragraph applies to eligible manual data which were held immediately before the commencement of this Schedule, but does not apply to eligible manual data to which the exemption in paragraph 15 applies. 
 
       (2)      During the second transitional period, data to which this paragraph applies are exempt from the following provisions- 
 
(a)      the first data protection principle except to the extent to which it requires compliance with paragraph 2 of Part II of Schedule 1;
 
(b)      the second, third, fourth and fifth data protection principles; and
 
(c)      section 14(1) to (3). 
PART IV
EXEMPTIONS AFTER THE FIRST TRANSITIONAL PERIOD FOR HISTORICAL RESEARCH
 
14.      In this Part of this Schedule "the relevant conditions" has the same meaning as in section 33. 
 
15.      (1)      Eligible manual data which are processed only for the purpose of historical research in compliance with the relevant conditions are exempt from the provisions specified in sub-paragraph (2) after the first transitional period. 
 
(2)      The provisions referred to in sub-paragraph (1) are-  
 
(a)      the first data protection principle except in so far as it requires compliance with paragraph 2 of Part II of Schedule 1;
 
(b)      the second, third, fourth and fifth data protection principles; and
 
(c)      section 14(1) to (3).
 
16.      (1)      After the first transitional period, eligible automated data which are processed only for the purpose of historical research in compliance with the relevant conditions are exempt from the first data protection principle to the extent to which it requires compliance with the conditions in Schedules 2 and 3.
 
(2)      Eligible automated data which are processed-  
 
(a)      only for the purpose of historical research;
 
(b)      in compliance with the relevant conditions; and
 
(c)      otherwise than by reference to the data subject;
 
are also exempt from the provisions referred to in sub-paragraph (3) after the first transitional period. 
 
(3)      The provisions referred to in sub-paragraph (2) are- 
 
(a)      the first data protection principle except in so far as it requires compliance with paragraph 2 of Part II of Schedule 1;
 
(b)      the second, third, fourth and fifth data protection principles; and
 
(c)      section 14(1) to (3).
 
17.      For the purposes of this Part of this Schedule personal data are not to be treated as processed otherwise than for the purpose of historical research merely because the data are disclosed- 
 
(a)      to any person, for the purpose of historical research only;
 
(b)      to the data subject or a person acting on his behalf;
 
(c)      at the request, or with the consent, of the data subject or a person acting on his behalf; or
 
(d)      in circumstances in which the person making the disclosure has reasonable grounds for believing that the disclosure falls within paragraph (a), (b) or (c).
  
PART V
EXEMPTION FROM SECTION 22
 
18.      Processing which was already under way immediately before the commencement of this Schedule is not assessable processing for the purposes of section 22. 
 
Section 50
SCHEDULE 8
POWERS OF ENTRY AND INSPECTION
Issue of warrants
 
1.      (1)      If the Bailiff is satisfied by information on oath supplied by the Commissioner that there are reasonable grounds for suspecting- 
 
(a)      that a data controller has contravened or is contravening any of the data protection principles; or
 
(b)      that an offence under this Law has been or is being committed;
 
and that evidence of the contravention or of the commission of the offence is to be found on any premises specified in the information, he may, subject to sub-paragraph (2) and paragraph 2, grant a warrant to the Commissioner. 
 
(2)      The Bailiff shall not issue a warrant under this Schedule in respect of any personal data processed for the special purposes unless a determination by the Commissioner under section 45 with respect to those data has taken effect. 
 
(3)      A warrant issued under sub-paragraph (1) shall authorise the Commissioner or any of his officers or staff at any time within seven days of the date of the warrant to enter the premises, to search them, to inspect, examine, operate and test any equipment found there which is used or intended to be used for the processing of personal data and to inspect and seize any documents or other material found there which may be such evidence as is mentioned in that sub-paragraph. 
2.      (1)      The Bailiff shall not issue a warrant under this Schedule unless he is satisfied- 
 
(a)      that the Commissioner has given seven days' notice in writing to the occupier of the premises in question demanding access to the premises; and
 
(b)      that either-
 
(i)      access was demanded at a reasonable hour and was unreasonably refused; or
 
(ii)      although entry to the premises was granted, the occupier unreasonably refused to comply with a request by the Commissioner or any of the Commissioner's officers or staff to permit the Commissioner or the officer or member of staff to do any of the things referred to in paragraph 1(3); and
 
(c)      that the occupier, has, after the refusal, been notified by the Commissioner of the application for the warrant and has had an opportunity of being heard by the Bailiff on the question whether or not it should be issued.
 
       (2)      Sub-paragraph (1) shall not apply if the Bailiff is satisfied that the case is one of urgency or that compliance with those provisions would defeat the object of the entry. 
Execution of warrants
 
3.      A person executing a warrant issued under this Schedule may use such reasonable force as may be necessary. 
 
4.      A warrant issued under this Schedule shall be executed at a reasonable hour unless it appears to the person executing it that there are grounds for suspecting that the evidence in question would not be found if it were so executed. 
 
5.      If the person who occupies the premises in respect of which a warrant is issued under this Schedule is present when the warrant is executed, he shall be shown the warrant and supplied with a copy of it; and if that person is not present a copy of the warrant shall be left in a prominent place on the premises. 
 
6.      (1)      A person seizing anything in pursuance of a warrant under this Schedule shall give a receipt for it if asked to do so. 
 
(2)      Anything so seized may be retained for so long as is necessary in all the circumstances but the person in occupation of the premises in question shall be given a copy of anything that is seized if he so requests and the person executing the warrant considers that it can be done without undue delay. 
Matters exempt from inspection and seizure
 
7.      The powers of inspection and seizure conferred by a warrant issued under this Schedule shall not be exercisable in respect of personal data which by virtue of section 28 are exempt from any of the provisions of this Law. 
 
8.      (1)      Subject to the provisions of this paragraph, the powers of inspection and seizure conferred by a warrant issued under this Schedule shall not be exercisable in respect of- 
 
(a)      any communication between a professional legal adviser and his client in connection with the giving of legal advice to the client with respect to his obligations, liabilities or rights under this Law; or
 
(b)      any communication between a professional legal adviser and his client, or between such an adviser or his client and any other person, made in connection with or in contemplation of proceedings under or arising out of this Law and for the purposes of such proceedings.
 
(2)      Sub-paragraph (1) applies also to-  
 
(a)      any copy or other record of any such communication as is there mentioned; and
 
(b)      any document or article enclosed with or referred to in any such communication if made in connection with the giving of any advice or, as the case may be, in connection with or in contemplation of and for the purposes of such proceedings as are there mentioned.
 
(3)      This paragraph does not apply to anything in the possession of any person other than the professional legal adviser or his client or to anything held with the intention of furthering a criminal purpose. 
 
(4)      In this paragraph references to the client of a professional legal adviser include references to any person representing such a client. 
 
9.      If the person in occupation of any premises in respect of which a warrant is issued under this Schedule objects to the inspection or seizure under the warrant of any material on the grounds that it consists partly of matters in respect of which those powers are not exercisable, he shall, if the person executing the warrant so requests, furnish that person with a copy of so much of the material as is not exempt from those powers. 
 
Return of warrants
 
10.      A warrant issued under this Schedule shall be returned to the Bailiff- 
 
(a)      after being executed; or
 
(b)      if not executed within the time authorised for its execution;
 
and the person by whom any such warrant is executed shall make an endorsement on it stating what powers have been exercised by him under the warrant. 
Offences
 
11.      Any person who- 
 
(a)      intentionally obstructs a person in the execution of a warrant issued under this Schedule; or
 
(b)      fails without reasonable excuse to give any person executing such a warrant such assistance as he may reasonably require for the execution of the warrant;
 
shall be guilty of an offence. 
 
Vessels, vehicles etc.
 
12.      In this Schedule-
 
"premises" includes any vessel, vehicle, aircraft or hovercraft, and references to the occupier of any premises include references to the person in charge of any vessel, vehicle, aircraft or hovercraft; and
 
"Bailiff" means-
 
(a)      where the warrant is to be executed in Alderney, the Chairman or a Jurat of the Court of Alderney;
 
(b)      where the warrant is to be executed in Sark, the Seneschal or his deputy;
 
(c)      in any other case, the Bailiff, Deputy Bailiff, Lieutenant Bailiff or Juge Délégué.
 
 
 
Section 53(6)
SCHEDULE 9
FURTHER PROVISIONS RELATING TO ASSISTANCE UNDER SECTION 53
 
1.      In this Schedule -
 
(a)      "applicant" and "proceedings" have the same meaning as in section 53; and
 
(b)      "Advocate" means advocate of the Royal Court of Guernsey.
 
2.      The assistance provided under section 53 may include the making of arrangements for, or for the Commissioner to bear the costs of- 
 
(a)      the giving of advice or assistance by an Advocate; and
 
(b)      the representation of the applicant, or the provision to him of such assistance as is usually given by an Advocate-
 
(i)      in steps preliminary or incidental to the proceedings; or
 
(ii)      in arriving at or giving effect to a compromise to avoid or bring an end to the proceedings.
 
3.      Where assistance is provided with respect to the conduct of proceedings- 
 
(a)      it shall include an agreement by the Commissioner to indemnify the applicant (subject only to any exceptions specified in the notification) in respect of any liability to pay costs or expenses arising by virtue of any judgment or order of the court in the proceedings;
 
(b)      it may include an agreement by the Commissioner to indemnify the applicant in respect of any liability to pay costs or expenses arising by virtue of any compromise or settlement arrived at in order to avoid the proceedings or bring the proceedings to an end; and
 
(c)      it may include an agreement by the Commissioner to indemnify the applicant in respect of any liability to pay damages pursuant to an undertaking given on the grant of interlocutory relief to the applicant.
 
4.      Where the Commissioner provides assistance in relation to any proceedings, he shall do so on such terms, or make such other arrangements, as will secure that a person against whom the proceedings have been or are commenced is informed that assistance has been or is being provided by the Commissioner in relation to them. 
 
5.      The expenses incurred by the Commissioner in providing an applicant with assistance (as taxed or assessed in such manner as may be prescribed by rules of court) shall be recoverable from the applicant as a civil debt due to the Commissioner where-
  
(a)      costs under any judgment or order of the court, are payable to the applicant by any other person in respect of the matter in connection with which the assistance is provided; or
 
(b)      any sum is payable to the applicant under a compromise or settlement arrived at in connection with that matter to avoid or bring to an end any proceedings.
 
 Section 70
SCHEDULE 10
 
MODIFICATIONS OF LAW HAVING EFFECT BEFORE 24th October 2007
 
 1.      After section 12 insert- 
 
"Rights of data subjects in relation to exempt manual data.
          12A. - (1) A data subject is entitled at any time by notice in writing- 
 
(a)      to require the data controller to rectify, block, erase or destroy exempt manual data which are inaccurate or incomplete; or
 
(b)      to require the data controller to cease holding exempt manual data in a way incompatible with the legitimate purposes pursued by the data controller.
 
(2)      A notice under subsection (1)(a) or (b) must state the data subject's reasons for believing that the data are inaccurate or incomplete or, as the case may be, his reasons for believing that they are held in a way incompatible with the legitimate purposes pursued by the data controller. 
 
(3)      If a court is satisfied, on the application of any person who has given a notice under subsection (1) which appears to the court to be justified (or to be justified to any extent) that the data controller in question has failed to comply with the notice, the court may order him to take such steps for complying with the notice (or for complying with it to that extent) as the court thinks fit. 
 
                (4)      In this section "exempt manual data" means- 
 
(a)      in relation to the first transitional period, as defined by paragraph 1(2) of Schedule 7, data to which paragraph 3 of that Schedule applies; and
 
(b)      in relation to the second transitional period, as so defined, data to which paragraph 13 of that Schedule applies.
 
(5)      For the purposes of this section personal data are incomplete if, and only if, the data, although not inaccurate, are such that their incompleteness would constitute a contravention of the third or fourth data protection principles, if those principles applied to the data."
 
2.      In section 32- 
 
(a)      in subsection (2) after "section 11" insert-  
 
"(dd) section 12A,"; and
 
(b)      in subsection (4) after "12(8)" insert-
 
", 12A(3)".
 
3.      In section 34 for "section 14(1) to (3)" substitute-
 
"sections 12A and 14(1) to (3).". 
 
4.      In section 53(1) after "12(8)" insert-
 
", 12A(3)". 
 
5.      In paragraph 8 of Part II of Schedule 1, delete the word "or" at the end of paragraph (c) and after paragraph (d) insert-
 
"or
 
(e)      he contravenes section 12A by failing to comply with a notice given under subsection (1) of that section to the extent that the notice is justified."
 
 
  
Section 71
 
SCHEDULE 11
 
TRANSITIONAL PROVISIONS AND SAVINGS
Interpretation
1.      In this Schedule-  
 
"the 1986 Law" means the Data Protection (Bailiwick of Guernsey) Law, 1986;
 
"the old principles" means the data protection principles within the meaning of the 1986 Law;
 
"the new principles" means the data protection principles within the meaning of this Law. 
Effect of registration under Part II of 1986 Law
 
2.      (1)      Subject to sub-paragraphs (4) and (5) any person who, immediately before the commencement of Part III of this Law-
 
(a)      is registered as a data user under Part II of the 1986 Law; or
 
(b)      is treated by virtue of section 6(6) of the 1986 Law as so registered;
 
is exempt from section 17(1) of this Law until the end of the registration period. 
 
(2)      In sub-paragraph (1) "the registration period", in relation to a person, means- 
 
(a)      where there is a single entry in respect of that person as a data user, the period at the end of which, if section 7 of the 1986 Law had remained in force, that entry would have fallen to be removed unless renewed; and
 
(b)      where there are two or more entries in respect of that person as a data user, the period at the end of which, if that section had remained in force, the last of those entries to expire would have fallen to be removed unless renewed.
 
(3)      Any application for registration as a data user under Part II of the 1986 Law which is received by the Commissioner before the commencement of Part III of this Law (including any appeal against a refusal of registration) shall be determined in accordance with the old principles and the provisions of the 1986 Law. 
 
(4)      If a person falling within paragraph (b) of sub-paragraph (1) receives a notification under section 6(1) of the 1986 Law of the refusal of his application, sub-paragraph (1) shall cease to apply to him- 
 
(a)      if no appeal is brought, at the end of the period within which an appeal can be brought against the refusal; or
 
(b)      on the withdrawal or dismissal of the appeal.
 
(5)      If a data controller gives a notification under section 18(1) at a time when he is exempt from section 17(1) by virtue of sub-paragraph (1), he shall cease to be so exempt. 
 
(6)      The Commissioner shall include in the register maintained under section 19 an entry in respect of each person who is exempt from section 17(1) by virtue of sub-paragraph (1); and each entry shall consist of the particulars which, immediately before the commencement of Part III of this Law, were included (or treated as included) in respect of that person in the register maintained under section 3 of the 1986 Law. 
 
          (7)       Notification regulations under Part III of this Law may make provision modifying the duty referred to in section 20(1) in its application to any person in respect of whom an entry in the register maintained under section 19 has been made under sub-paragraph (6). 
 
          (8)       Notification regulations under Part III of this Law may make further transitional provision in connection with the substitution of Part III of this Law for Part II of the 1986 law (registration), including provision modifying the application of provisions of Part III in transitional cases. 
Rights of data subjects
 
3.      (1)       The repeal of section 19 of the 1986 Law (right of access to personal data) does not affect the application of that section in any case in which the request (together with the information referred to in paragraph (a) of subsection (4) of that section and, in a case where it is required, the consent referred to in paragraph (b) of that subsection) was received before the day on which the repeal comes into force. 
 
          (2)       Sub-paragraph (1) does not apply where the request is made by reference to this Law. 
 
          (3)       Any fee paid for the purposes of section 19 of the 1986 Law before the commencement of section 7 in a case not falling within sub-paragraph (1) shall be taken to have been paid for the purposes of section 7. 
 
4.      The repeal of section 20 of the 1986 Law (compensation for inaccuracy) and the repeal of section 21 of that Law (compensation for loss or unauthorised disclosure) do not affect the application of those sections in relation to damage or distress suffered at any time by reason of anything done or omitted to be done before the commencement of the repeals. 
 
5.       The repeal of section 22 of the 1986 Law (rectification and erasure) does not affect any case in which the application to the court was made before the day on which the repeal comes into force. 
 
6.       Section 14(3)(b) does not apply where the rectification, blocking, erasure or destruction occurred before the commencement of that section. 
Enforcement and transfer prohibition notices served under Part V of 1986 Law
 
7.      (1)      If, immediately before the commencement of section 40- 
 
(a)       an enforcement notice under section 9 of the 1986 Law has effect; and
 
(b)      either the time for appealing against the notice has expired or any appeal has been determined;
 
then, after that commencement, to the extent mentioned in sub-paragraph (3), the notice shall have effect for the purposes of sections 41 and 47 as if it were an enforcement notice under section 40. 
 
          (2)       Where an enforcement notice has been served under section 9 of the 1986 Law before the commencement of section 40 and immediately before that commencement either- 
 
(a)      the time for appealing against the notice has not expired; or
 
(b)      an appeal has not been determined;
 
the appeal shall be determined in accordance with the provisions of the 1986 Law and the old principles and, unless the notice is quashed on appeal, to the extent mentioned in sub-paragraph (3) the notice shall have effect for the purposes of sections 41 and 47 as if it were an enforcement notice under section 40. 
 
          (3)      An enforcement notice under section 9 of the 1986 Law has the effect described in sub-paragraph (1) or (2) only to the extent that the steps specified in the notice for complying with the old principle or principles in question are steps which the data controller could be required by an enforcement notice under section 40 to take for complying with the new principles or any of them. 
 
 8.      (1)       If, immediately before the commencement of section 40- 
 
(a)      a transfer prohibition notice under section 11 of the 1986 Law has effect; and
 
(b)      either the time for appealing against the notice has expired or any appeal has been determined;
 
then, on and after that commencement, to the extent specified in sub-paragraph (3), the notice shall have effect for the purposes of sections 41 and 47 as if it were an enforcement notice under section 40. 
 
(2)       Where a transfer prohibition notice has been served under section 11 of the 1986 Law and immediately before the commencement of section 40 either- 
 
(a)      the time for appealing against the notice has not expired; or
 
(b)      an appeal has not been determined;
 
the appeal shall be determined in accordance with the provisions of the 1986 Law and the old principles and, unless the notice is quashed on appeal, to the extent mentioned in sub-paragraph (3) the notice shall have effect for the purposes of sections 41 and 47 as if it were an enforcement notice under section 40. 
 
(3)      A transfer prohibition notice under section 11 of the 1986 Law has the effect described in sub-paragraph (1) or (2) only to the extent that the prohibition imposed by the notice is one which could be imposed by an enforcement notice under section 40 for complying with the new principles or any of them. 
Notices under new law relating to matters in relation to which 1986 Law had effect
 
9.      The Commissioner may serve an enforcement notice under section 40 on or after the day on which that section comes into force if he is satisfied that, before that day, the data controller contravened the old principles by reason of any act or omission which would also have constituted a contravention of the new principles if they had applied before that day. 
 
10.      Section 40(5)(b) does not apply where the rectification, blocking, erasure or destruction occurred before the commencement of that section. 
 
11.      The Commissioner may serve an information notice under section 43 on or after the day on which that section comes into force if he has reasonable grounds for suspecting that, before that day, the data controller contravened the old principles by reason of any act or omission which would also have constituted a contravention of the new principles if they had applied before that day. 
 
12.      Where by virtue of paragraph 11 an information notice is served on the basis of anything done or omitted to be done before the day on which section 43 comes into force, subsection (2)(b) of that section shall have effect as if the reference to the data controller having complied, or complying, with the new principles were a reference to the data controller having contravened the old principles by reason of any such act or omission as is mentioned in paragraph 11. 
Self-incrimination, etc.
 
13.      (1)      In section 43(8), section 44(9) and paragraph 11 of Schedule 6, any reference to an offence under this Law includes a reference to an offence under the 1986 Law. 
 
(2)      In section 32(8) of the 1986 Law, any reference to an offence under that Law includes a reference to an offence under this Law.
 
Warrants issued under 1986 Law
 
14.      The repeal of Schedule 2 to the 1986 Law does not affect the application of that Schedule in any case where a warrant was issued under that Schedule before the commencement of the repeal.  
Complaints under section 34(2) of 1986 Law and requests for assessment under section 42
 
15.      The repeal of section 34(2) of the 1986 Law does not affect the application of that provision in any case where the complaint was received by the Commissioner before the commencement of the repeal. 
 
16.      In dealing with a complaint under section 34(2) of the 1986 Law or a request for an assessment under section 42 of this Law, the Commissioner shall have regard to the provisions from time to time applicable to the processing, and accordingly- 
 
(a)      in section 34(2) of the 1986 Law, the reference to the old principles and the provisions of that Law includes, in relation to any time when the new principles and the provisions of this Law have effect, those principles and provisions; and
 
(b)      in section 42 of this Law, the reference to the provisions of this Law includes, in relation to any time when the old principles and the provisions of the 1986 Law had effect, those principles and provisions. 
 
 
 
 
Section 72
SCHEDULE 12
 
REPEALS AND REVOCATIONS
 
PART I
REPEAL OF LAW
 
1.      The Data Protection (Bailiwick of Guernsey) Law, 1986 is repealed.
PART II
REPEAL OF ORDINANCES
 
2.      The Data Protection (Subject Access Exemptions and Modifications) Ordinance, 1987[n] is revoked.
 
3.      The Data Protection (Subject Access Exemptions and Modifications) (Amendment) Ordinance, 1988[o] is revoked.
 
4.      The Data Protection (Functions of Designated Authority) Ordinance, 1993[p] is revoked.
 
5.      The Data Protection (Office of Commissioner) Ordinance, 2000[q] is revoked.
 
PART III
REVOCATION OF REGULATIONS
 
6.      The Data Protection (Fees) Regulation, 1989[r] are revoked.
 
7.      The Data Protection (Fees) (Amendment) Regulations, 1992[s] are revoked.
 
 

[a]

Article II of Billet d'État No. XVIII of 2000.

[b]

Ordres en Conseil Vol. XXIX, p. 426; and Ordinance No. V of 2000.

[c]

Ordres en Conseil Vol. XIV, p. 159; Vol. XVII, p. 234; Vol. XIX, p. 214; and No. 1 of 1999.

[d]

Ordres en Conseil Vol. XXVI, p. 292; Vol. XXVII, pp. 238, 307 and 392; Vol. XXIX, pp. 24, 148 and 422; Vol. XXXII, p. 59; No. XII of 1993; Ordinance No. XIV of 1993 (Tome XXVI, p. 177); No. V of 1994; Nos. VI and XIII of 1995; No. 1 of 1998; No. VI of 1999; and No. X of 2000.

[e]

Ordres en Conseil Vol. XIII, p. 355.

[f]

Ordres en Conseil Vol. XVIII, p. 315.

[g]

Ordres en Conseil Vol. XVI, p. 103; Vol.XVII, p. 218; Vol. XXVII, p. 170; Vol. XXVIII, pp. 5 and 385; Vol. XXX, p. 224; Vol. XXXI, p.278; No. III of 1992 and No. IX of 1996.

[h]

Ordres en Conseil Vol. XXII, p. 318; Vol. XXVII, p. 347; Vol. XXVIII, p. 181; Vol. XXX, p. 179; Vol. XXXI, p. 168; and Vol. XXXII, p. 144.

[i]

Order in Council No. XXI of 1991.

[j]

Order in Council No. XXIII of 1997.

[k]

United Kingdom S.I. 1995 No. 3275.

[l]

Ordres en Conseil Vol. XXX, pp. 281 and 243; Orders in Council XIII of 1994 and II of 1997; Ordinance XX of 1998.

[m]

An Act of Parliament (1986 c. 60).

[n]

Recueil d'Ordonnances Tome XXIV, p. 233.

[o]

Recueil d'Ordonnances Tome XXIV, p. 270.

[p]

Recueil d'Ordonnances Tome XXVI, p. 163.

[q]

Ordinance No. V of 2000.

[r]

GSI 1989 No. 21.

[s]

GSI 1992 No. 29.