GUIDANCE FOR CHARITIES (Non-profit making organisations)

Transcription

1 DATA PROTECTION (JERSEY) LAW 2005 GUIDANCE FOR CHARITIES (Non-profit making organisations) GD17 1

2 2

3 Introduction The new Data Protection (Jersey) Law 2005 came into force on 1 December The intention to upgrade the current Law follows moves across Europe, via a 1995 European Directive to strengthen the rights for individuals in the face of advancing information technologies. As a result of this Directive the various EEA countries have revised their domestic legislation to increase the rights of individuals. The United Kingdom enacted its upgrade in the form of the Data Protection Act Jersey is closely modelling its new Law on the UK Act as Jersey wishes to see its own citizens with rights similar to those enjoyed in Europe and to safeguard its trading position within the EEA. The new Law contains familiar elements from the previous 1987 legislation including: the Data Protection Principles of good practice covering such things as accurate records, retention periods for data and appropriate security safeguards; a registration system; an independent supervisory authority to oversee data protection matters; and the data subject s right to have access to his or her personal data, held by his/her employer or bank and to have it corrected it where it is inaccurate. New areas covered include certain manually held records, sensitive data rules, adequate protection for overseas transfers outside of Jersey and (as mentioned above) additional rights for individuals, which include:- enhanced access rights the right to prevent processing for direct marketing purposes rights in relation to automated decision-making the right to compensation rights in relation to the rectification, blocking and destruction of personal data the right to ask the Commissioner to assess whether the Law has been contravened by an organisation A new exemption from the need to notify with the Commissioner s office covers many non-profit making organisations. This exemption, explained later in this Guidance, should assist some charities, although compliance with the Principles will still be required. The new Law provides a period of transitional relief during which data controllers can bring their existing systems into compliance with the new provisions. Organisations already complying with the 1987 Law should be well placed to meet the requirements of the revised legislation. 3

4 GUIDANCE ON THE EXEMPTION FROM NOTIFICATION FOR NON-PROFIT MAKING ORGANISATIONS What is a non-profit making organisation? The exemption can only apply to processing carried out by a data controller which is a body or association which is not established for profit. An accounting dictionary defines a non-profit making organisation as one which exists for a purpose (e.g. charitable or social) other than making a commercial profit. It can be further defined as an organisation operating under rules which require all income to be applied to future activities of the same type (usually charitable). Such an organisation may make profits for its own purposes but not in order to enrich others. Therefore, an organisation may raise funds from events or functions where the monies raised exceed the expenses as long as the money raised is devoted to the organisation s activities. Any organisation which is not sure whether or not it is a non profit-making organisation should seek appropriate advice, either from their accountant or legal adviser. The exemption applies to processing which is for the purposes of establishing or maintaining membership of or support for the body or association, or providing or administering activities for individuals who are either members of the body or association or have regular contact with it. As a non-profit making organisation, is all of your processing covered by the following descriptions? Your Processing is only: for the purposes of establishing or maintaining membership or support for a body or association not established or conducted for profit, or providing or administering activities for individuals who are either members of the body or association or have regular contact with it. This exempt purpose is intended for small clubs, voluntary organisations, church administration and some charities. Your data subjects are restricted to: any person the processing of whose personal data is necessary for this exempt purpose, e.g. past, existing or prospective members or those who have regular contact with the organisation. 4

5 Your data classes are restricted to: data which are necessary for this exempt purpose, e.g. names, addresses, identifiers or eligibility for membership. Your disclosures other than those made with the consent of the data subjects are restricted to: those third parties who are necessary for this exempt purpose. Retention of the data The personal data are not kept after the relationship between you and the data subject ends, unless and for so long as it is necessary to do so for the exempt purpose. It is important to note that a data controller will still have to adhere to the Law even if exempt from Notification. (See the 8 Data Protection Principles below). In addition a general description of processing will have to be supplied without charge by the exempt data controller to any member of the public upon request. It might therefore be beneficial to make a voluntary notification and have processing details added to the register thus avoiding the need to respond to requests. THE DATA PROTECTION PRINCIPLES There are eight Principles under the Law. In summary they require that data shall be: 1. fairly and lawfully processed; 2. processed for limited purposes; 3. adequate, relevant and not excessive; 4. accurate; 5. not kept longer than necessary; 6. processed in accordance with the data subject s rights; 5

6 7. kept secure; 8. not transferred to countries outside of Jersey or EEA without adequate protection. Please Note: If you are registered under the Data Protection (Jersey) Law 1987, and have, or in future, receive an Invitation to Notify from the Commissioner under the Data Protection (Jersey) Law 2005, you may select to claim the non-profit making organisation exemption detailed above. In this event, please advise the Commissioner s office in writing, quoting your 1987 Registration Number, Name and Renewal Date. 6

7 CONTACT THE COMMISSIONER: Enquiries and Publication Requests: T: F: gov.je W: Office of the Data Protection Commissioner Morier House Halkett Place St.Helier Jersey JE11DD 7