Contact Us

Email: dataprotection@gov.je

Tel: +44 (1534) 441064
Fax: +44 (1534) 441065

Data Protection> How to Complain

How to Complain

This section deals with both complaints against the Commissioner or her staff, as well as complaints against Data Controllers or processors of personal data. Please also refer to our section on Policy Statements under the General Information link for a downloadable version of the Policy Statement and Guidance on Complaint Handling.

Complaints against the Commissioner or her staff

Introduction

The complaints procedure set out below applies to actions of the Commissioner and her staff which do not amount to regulatory decisions but where the complainant believes the Commissioner or her staff has acted unreasonably.

The laws that the Commission acts under provide for appeals, within strict time limits, against regulatory decisions of the Commission. Persons dissatisfied with a regulatory decision of the Commission should use the right of appeal set out in law.

The Office of the Data Protection Commissioner is an independent regulatory body, and is accountable to the Chief Ministers Department of the States of Jersey.

Procedure

Any person who is dissatisfied with the actions of the Commissioner may complain to the Chief Minister.

Any person who is dissatisfied with the actions of any of the Commissioner’s staff may complain to the Commissioner.

All complaints must be made in writing or by e-mail and should be accompanied by a copy of all relevant documentation and correspondence. Complaints should be made within twelve months of the date on which the complainant first became aware of the circumstances of the complaint.

The Commissioner will investigate all complaints received about her staff. If necessary the Commissioner will be assisted by a senior member of the Commissioner's staff who has not been involved in the matter complained about.

All complaints will be acknowledged within five working days of receipt and will be investigated as quickly as possible. If an investigation is not completed within four weeks the complainant will be contacted by the Commissioner and given a likely completion date. The Commissioner aims to complete an investigation within eight weeks.

If a complaint is upheld the Commissioner will write to the complainant to advise what steps will be taken to remedy the matters complained about. This may include, for example, a suitable apology or a decision to change department Policy. If a complaint is rejected the Commissioner will write to the complainant giving the reasons why.

A complainant who is dissatisfied with the decision of the Commissioner may refer the matter in writing or by e-mail to the Chief Minister, who will undertake a review of the decision. A complainant who is dissatisfied with the decision of the Chief Minister may wish to consider taking legal advice on what alternative remedies may be open to him/her.

Complaints against Data Controllers and Processors of Personal Data


Scope

This Policy Statement and Guidance Document applies to all persons and businesses (“Data Controllers”), whether notified with the Commissioner or not, who collect and process personal data, which fall within the scope of the Data Protection (Jersey) Law 2005 and associated subordinate legislation.

Structure

Part I introduces the paper. It seeks to explain why such a paper is considered necessary and provides a basic overview of the policy.

Part II is the Commissioner’s stated policy on complaint handling. The policy is divided into the following described sections:

1.      Lodge your complaint with the  Data Controller first
2.      When to make your complaint to the Commissioner
3.      How to make a complaint to the Commissioner
4.      The nature of the Commissioner’s role in complaint handling
5.      How the Commissioner will handle your complaint
6.      Action the Commissioner can take and remedies available
7.      Alternative solutions

Part I: Introduction

The Office of the Data Protection Commissioner (“the Commissioner”) is responsible for the supervision of all persons and businesses with regard to promoting the observance of the data protection principles and ensuring compliance with the provisions of the Data Protection (Jersey) Law 2005 (“the Law”).

The Law requires that any person who holds personal data relating to an individual must notify the Commissioner, unless an exemption to notification can be granted. The notification entry must detail what type of information they hold, the purpose for which it is held, and to or from whom the data may be sourced or disclosed. Failure to notify these details in accordance with the Law is an offence, unless an exemption to the Law applies.

The purpose of this policy statement is to give guidance to individuals and Data Controllers with regard to the Commissioner’s handling of complaints. The policy statement covers what is expected of the individual in the first instance, before addressing the circumstances in which the Commissioner will investigate complaints against a person or Data Controller. This policy statement also details what action the Commissioner can take with regard to an individual’s complaint.

Part II: Policy Statement and Guidance on Complaints

From time to time, the Commissioner receives complaints about the way Data Controllers have handled information personal to the individual. This document explains the Commissioner’s policy towards such complaints, and how they will be dealt with.

1. Lodge your complaint with the Data Controller first

1.1. If you have a complaint about the way a Data Controller has handled information personal to you, we would recommend that you first try and resolve the complaint directly with the Data Controller. Many businesses have a Data Protection Officer who is an employee of the company and seeks to ensure that the business remains compliant with the data protection principles and the Law. However, complaints should be addressed in the first instance to the senior management of the company concerned. Complaining first to the Data Controller allows the business an opportunity to put things right at an early stage.

1.2. If lodging your complaint with the institution first is either impractical or inappropriate, the Commissioner will be happy to listen to your complaint.

2. When to make your complaint to the Commissioner

2.1. If you are not happy with the way in which the institution has dealt with your complaint, or if you have not received a response within 14 days after making your complaint, you may wish to seek the assistance of the Commissioner.

2.2. We will check to ensure that the institution has complied with the data protection principles with regard to the processing of personal data relating to you, as well as making sure that the institution has handled your complaint in a proper manner.

3. How to make your complaint to the Commissioner

3.1. You should put your complaint in writing, with full details of the nature of your complaint, your name, and how we may contact you. You should also include copies of any relevant correspondence that may assist us in our investigations.

3.2. We do not normally deal with verbal or anonymous complaints; however, if your complaint relates to the generic processes of an institution as opposed to a specific complaint in relation to you, we may consider investigation. Please contact us by telephone if you have any individual difficulties which might prevent you from making a written complaint.

3.3. Alternatively, download the Complaint Submission form.

3.4. In order to progress your complaint, we will often need to disclose details of your complaint to the institution concerned. We will therefore also need your written consent for us to disclose details of your complaint to the institution. The form referred to in paragraph 3.3 above includes a section on customer consent.

3.5. If you do not wish to use the website form to make your complaint, you may write to us at the following address:

Office of the Data Protection Commissioner
Morier House
Halkett Place
St.Helier
Jersey JE1 1DD

Tel: (+44) 1534 441064

Fax: (+44) 1534 441065

E-Mail: dataprotection@gov.je

4. The nature of the Commissioner’s role in complaint handling

4.1. Whilst the Commissioner does not have an explicit statutory responsibility for consumer protection, the Commissioner’s primary duty is to promote the observance of the data protection principles by Data Controllers to ensure that personal data relating to individuals us afforded a high level of protection.

4.2. It is the role of the Attorney General to instigate prosecution proceedings where offences have been committed under this Law, upon referral by the Commissioner. Where a person is convicted of an offence under this Law, they shall be liable to a fine, and in some cases the Court may order that the data be forfeited, erased or destroyed.

4.3. We do however expect Data Controllers to have satisfactory systems and controls in place to enable them to deal with customer complaints in a thorough and prompt manner.

4.4. We will therefore try to ensure that the Data Controller handles your complaint properly. It is important to note however that we do not have the power to order an institution to pay you compensation. Only the Court is able to grant payments of compensation, and then only in certain circumstances as prescribed by Law.

5. How will the Commissioner handle your complaint?

5.1. All complaints will be treated in strict confidence, although as already previously stated, and with your prior consent, we may need to disclose details of your complaint to the institution concerned.

5.2. Upon receipt of a written complaint, we will issue an acknowledgement to you, normally within two working days.

5.3. Provided you are content for us to contact the institution concerned, we will write to the institution to obtain any further documentary evidence that will assist the investigation and will seek their comments and/or explanation as to the circumstances surrounding the complaint. Alternatively, we may meet with representatives of the institution to discuss the complaint and attempt to broker a mutually acceptable solution.

5.4. We ask the institution to provide this initial response within 14 days of writing to them.

5.5. We will review the response provided in order to ensure that:

5.6. The Data Controller has handled your complaint properly and has followed its own complaint handling procedures; and

5.7. The Data Controller has complied with the data protection principles and its regulatory requirements as set out in the Law.

5.8. Upon the conclusion of our investigation, we will revert to you with the results of our investigation, together with any action we propose to take, if any.

6. Action we can take and remedies available

6.1. In the light of a complaint, or a series of complaints, the Commissioner may decide to take action against a Data Controller, for instance by requiring it to modify its procedures for the handling of personal data. These would include complaints that indicate that a Data Controller has breached the data protection principles or the Law.

6.2. In cases of regulatory concern, we will follow up with the institution to establish the facts and, if necessary, require remedial action to be taken. We will advise you of the results of our investigations and any action we decide to take. In the cases of complaints where more serious concerns are highlighted, the Commissioner is able to take the following action:

Enforcement Notices:

The Commissioner has a power under Article 40 of the Law to issue Enforcement Notices in circumstances where the Commissioner is satisfied that a data controller has contravened or is contravening any of the data protection principles. The Commissioner may require the data controller to do one or both of the following, to ensure future compliance with those principles contravened:

a) To take specified steps within a specified time, or to refrain from taking specified steps after a specified time; or

b) To refrain from processing any personal data, or any personal data of a specified description, or to refrain from processing them for a specified purpose or in a specified manner, after a specified time.

Information Notices:

Article 43 of the Law gives the Commissioner the power to issue Information Notices, where the Commissioner:

a) Has received a request under Article 42 in respect of any processing of personal data; or

b) Reasonably requires any information for the purpose of determining whether a data controller has complied, or is complying, with the data protection principles.

The Commissioner may serve a notice on the relevant Data Controller (or on a Data Processor who processes data on behalf of the data controller, being data or processing relevant to the request or the determination, as the case may be), requiring the person served with the notice to furnish the Commissioner with specified information relating to the request or to compliance with the principles.

Special Information Notices:

Article 43 of the Law gives the Commissioner the power to issue Special Information Notices, where the Commissioner:

a) Has received a request under Article 42 in respect of any processing of personal data; or

b) has reasonable grounds for suspecting, in a case in which proceedings have been stayed under Article 32, that the personal data to which the proceedings relate:

    i. Are not being processed only for the special purposes, or

    ii. Are not being processed with a view to the publication by any person of any journalistic, literary or artistic material that has not previously been published by the data controller.

The Commissioner may serve a notice on the data processor concerned in the processing (or on the data controller on behalf of whom the processing is carried out) requiring the person served with the notice to furnish the Commissioner within a specified time and in a specified form (if any) with specified information for the purpose  of ascertaining:

a) Whether the personal data are being processed only for the special purposes; or

b) Whether they are being processed with a view to the publication by any person of any journalistic, literary or artistic material that has not previously been published by the data controller.

7.     Alternative solutions

7.1. There may be occasions where following our investigations and subsequent action, you are still not satisfied that your complaint has been resolved. Should this prove to be the case and we are unable to offer any further assistance, there are several alternative solutions you may wish to explore:

Independent legal advice:

You may wish to seek independent legal advice from your own lawyer should you wish to pursue a claim against the institution concerned. If you do not have your own lawyer, the Law Society of Jersey has a listing of all Jersey Law firms on their website at www.jerseylawsociety.je.

Jersey Citizens Advice Bureau:

The CAB service is independent and provides free, confidential and impartial advice to everybody, regardless of race, sex, disability or sexuality. Further details of the services they can provide can be found on their website at www.cab.org.je.

Channel Islands Association of Accredited Mediators:

CAAM is an alternative dispute resolution mechanism, which employs the services of local lawyers to mediate between disputing parties to broker a mutually acceptable conclusion. It is a non-profit making organisation and the final settlement agreed is legally binding on both parties. Further information can be found on their website at www.caam.je.