Collection and use of personal data

Registration process

Many organisations are required to ‘register’ with the Commissioner. The information submitted includes some personal data, for example, the name and contact details of any designated Data Protection Officer (DPO) or, in the absence of a DPO, the name and contact details of the person to whom correspondence should be sent.  Where a business is required to register but is not established in the Island, the name and contact details of its representative in the Island will also be obtained.

The office will use this information for its own purposes, for example, to contact the business where we have a query about a registration or receive a complaint.

The Commissioner is required to include some of the information in a public register.  

The Commissioner will not put the name of the DPO or Representative in the public register but may include contact details, such as an email address, for the DPO or Representative in the public register.  Businesses should therefore consider submitting a generic email address for the DPO and/or Representative.

Where a DPO is not appointed, the contact details of the relevant member of staff provided to the Commissioner will not be included in the public register.

Personal data breach reports

We use the data collected to record the breach, to make decisions about the action we may take and, as relevant, in order to carry out those actions.  Any personal data obtained by the Commissioner as a result of a reported personal data breach will only be processed for as long as necessary to carry out the statutory functions and in line with our retention schedule.

We retain de-personalised information about organisations for as long as is necessary to help inform future actions, but no individuals are identifiable from that data.

Complaints and enquiries

People who make a complaint to us

When we receive a complaint from a person we record details of the complaint in a file. This normally contains the identity of the complainant and any other individuals involved in the complaint.

We will only use the personal data we collect to process the complaint and to check on the level of service we provide.

We do compile and publish statistics showing information like the number of complaints we receive, but not in a form which identifies anyone.

We usually have to disclose the complainant’s identity to whoever the complaint is about.  This is inevitable where, for example, the accuracy of a person’s record is in dispute.  If a complainant does not want information identifying them to be disclosed, we will try to respect that, particularly if the complaint has been made by a whistle-blower.  However, the nature of some complaints means it is not possible to investigate on an anonymous basis.

We will keep personal information contained in complaint files in line with our retention policy.  It will be retained in a secure environment and access to it will be restricted according to the ‘need to know’ principle.

Similarly, where enquiries are submitted to us we will only use the information supplied to us to deal with the enquiry and any subsequent issues and to check on the level of service we provide.

When we take enforcement action against someone, we may publish the identity of the controller or processor in our Annual Report or elsewhere.  Usually we do not identify complainants unless the details have already been made public, for example as a result of a prosecution.

People who make enquiries

The information you provide will only be used to respond to your query or deal with your complaint and will be retained in accordance with our retention policy.

We do not record telephone calls.

Any email sent to us, including any attachments, may be monitored for reasons of data security and compliance with office policy.  Email monitoring includes blocking software which may result in your email being blocked or deleted.