MyGov is a designated portal to enable the public to securely interact with a variety of States of Guernsey services. This fair processing notice details how personal data will be processed in connection with the provision of the service. The controller of the personal data processed for this purpose is the Committee for Policy & Resources.
1. The Data Protection Law
The controller acknowledges its obligations as per the data protection law, which provides a number of requirements in terms of processing activities involving personal data. The controller further acknowledges the general principles of processing as well as the rights of a data subject and more information in relation to these provisions are provided within this fair processing notice.
2. The Principles of Processing
- Lawfulness, fairness and transparency
Personal data must be processed lawfully, fairly and in a transparent manner.
The controller acknowledges that all processing of personal data must be lawful, fair and undertaken with transparency. Appendix A (please see below) explains all of the processing which is being undertaken in connection with this public consultation. All of the personal data set out within Appendix A will only be collected directly from yourself, and not any other third party.
The controller will share personal data, where appropriate, with the Registrar of the Register of Contact Details ('the Registrar'), as may be requested by the Registrar in accordance with their powers under the Register of Contact Details (Guernsey and Alderney) Law, 2019. Furthermore, the Registrar has granted the controller with access to the personal data contained within the Register of Contact Details ('the Register') for the purpose of carrying out the relevant functions explained within this fair processing notice. The controller will only process the personal data contained within the Register where there is a legitimate and lawful basis for doing so and in accordance with both the Data Protection Law and the Register of Contact Details Law.
The States of Guernsey have a professional relationship with a third party supplier, Agilisys Guernsey Ltd., who provide support to and carry out maintenance on the IT infrastructure of the organisation. For Agilisys to carry out the function they are contracted to provide, there will be instances where they may have sight of your personal data. Shared Services will only provide Agilisys with access to your personal data where there is a legitimate and lawful purpose for this access to be given in line with Schedule 2 of the Data Protection (Bailiwick of Guernsey) Law, 2017 and our internal policies and directives.
Your personal data will also be shared with the Scrutiny Management Committee ('SMC') and the Internal Audit function of the States of Guernsey, as specifically requested by the relevant controller and only where absolutely necessary for the completion of their relevant functions. Furthermore, any personal data shared with SMC and Internal Audit will be limited and processed in accordance with Conditions 5 and 13(b) of Schedule 2 of the Law.
- Purpose limitation
Personal data must not be collected except for a specific, explicit and legitimate purpose and, once collected, must not be further processed in a manner incompatible with the purpose for which it was collected.
The controller acknowledges its responsibility with regards to this data protection principle and therefore the controller maintains that it will not further process that personal data in a way which is incompatible to its original reason for processing as specified in Appendix A, unless the controller is required to do so by law. The personal data will not be transferred to a recipient in an authorised or an unauthorised jurisdiction (as per the definition within data protection law).
Personal data processed must be adequate, relevant and limited to what is necessary in relation to the purpose for which it is processed.
The controller maintains that it will only process the personal data which is detailed in section 2a, and will not process any further personal data that is not necessary in relation to the original reason for processing personal data as specified in section 2a, unless the controller is required to do so by law.
Personal data processed must be accurate, kept up-to-date (where applicable) and reasonable steps must be taken to ensure that personal data that is inaccurate is erased or corrected without delay.
The controller will ensure that all personal data that it holds is accurate and kept up-to-date, and any personal data that is inaccurate will be erased or corrected without delay.
- Storage limitation
Personal data must not be kept in a form that permits identification of a data subject for any longer than is necessary for the purpose for which it is processed.
Personal and special category data will be kept in accordance with the States of Guernsey Records Management Policy and the relevant Retention and Disposal Policies. Data is stored on secure Guernsey data centers and only accessible by authorised staff or approved suppliers.
- Integrity and confidentiality
Personal data may be held in both electronic and hard copy formats. Electronic data is held on secure States of Guernsey data centers which are certified to ISO27001 standard.
Information Access - access to electronic is tightly controlled. Employees are vetted in a manner commensurate with the role that they are expected to undertake. Protocols are followed to ensure that employees only have access as required to undertake their role.
Information Security – The controller adopts the information security standards of the States of Guernsey.
The controller is responsible for, and must be able to demonstrate, compliance with the data protection principles.
3. Contact Details
The contact details of the controller are as follows:
The Policy and Resources Committee
Tel: 01481 227000
The contact details for the Data Protection Officer of Education, Sport and Culture are as follows:
Data Protection Officer, the Committee for Smart Guernsey
Tel: 01481 220012
|Personal data||Purpose for processing||Lawful basis for processing|
|Basic personal data
||Schedule 2, Part I, Condition 1:
The data subject has given explicit consent to the processing of the personal data for the purpose for which it is processed.
Schedule 2, Part I, Condition 4:
The processing is necessary for the purposes of the legitimate interests of the controller or a third party.
Schedule 2, Part II, Condition 8:
The processing is necessary for the controller to exercise any right or power, or perform of comply with any duty, conferred or imposed on the controller by an enactment.