Cyber Security Strategy – Consultation Response
Monday 3 April 11:36
The Office of the Information Commissioner (“the OIC”) welcomes the Cyber Security Strategy (“the strategy”) and its commitment to considering privacy and civil liberties, especially in light of the new standards imposed by the imminent arrival of the General Data Protection Regulation (GDPR) in May 2018.
With that in mind, there is significant overlap between the strategy objectives and the statutory requirements of GDPR (and associated local legislation) and the successful implementation of both the strategy and GDPR will serve to assist in the delivery of the strategy as well as ensuring Jersey continues to be seen as a well regulated jurisdiction in respect of data. Data is increasingly the lifeblood of business, government and citizens. As a jurisdiction we must strive towards the highest standards of data governance of which an essential element is data security.
In relation to the content of the strategy document itself, the Information Commissioner (“the Commissioner”) makes a number of comments/observations which are detailed in the numbered points below:
1. Page 5 – “Pillar 4: Legislation and international engagement” - In relation to legislation and international engagement, this is clearly critical in the context of GDPR compliance and implementation, and in maintaining the Island’s adequacy status with the European Commission in respect of data protection regulation.
2. Page 6 – “Why does it matter?” – It is important to recognise the GDPR compliance needs given its extra-territorial scope. The economic and political imperative to maintain adequacy has also been articulated by the States of Jersey and is relevant in the context of this strategy.
3. Page 7 – “1. Establish an information sharing, reporting and incident response capability” – The Commissioner would welcome additional consideration of the specific GDPR breach reporting requirements in this section of the strategy. Industry will potentially be faced with multiple reporting requirements in Jersey (JFSC, OIC) which is not business-friendly and is therefore not likely to be welcomed. Careful consideration should also be given to the management of incident response data and the commercially sensitive nature of these data. Clarity around how such data may be stored, disseminated and used is essential.
4. Page 7 – “7. Set minimum security requirements” – Consideration should be given here to the specific and statutory data security requirements imposed by the GDPR, including the principle of privacy by design and privacy by default. Advantage should be taken of the analogous nature of these objectives.
5. Page 8 – “8. Support law enforcement” - The GDPR provides for a number of criminal offences and as such it is important that, in the context of data security breaches, the Office of the Information Commissioner is appropriately empowered to enforce data security breaches. Consideration should be given to formal coordination between the law enforcement agencies tasked with oversight of this area to encourage a consistent approach and effective use of resources.
6. Page 9 – “3.1 Establish an information sharing, reporting and incident response capability” –Please see the Commissioner’s comments at point 3 above.
7. Page 10 – “Proposed next steps” – As per the Commissioner’s previous comments, careful consideration should be given to the management of incident response data and the obligations imposed by GDPR.
8. Page 10 – “Establish incident response capability” – A cooperative framework for breach reporting would be welcomed and the Commissioner, as a pan-Island regulatory authority, would support a pan-Island approach.
9. Page 14 – “Strengthen training and educational programs” – Education and awareness is a crucial element of successful delivery of this strategy and of the GDPR. The Commissioner is of the view that a strong education and skills programme for all data-related areas would be a significant benefit for the Island. Consideration should be given to how this goal could usefully interact with the requirement for a Data Protection Officer under GDPR. The Commissioner is of the view that there is opportunity to build on the financial services model of professional compliance officers to deliver high quality data governance to the Islands’ businesses.
10. Page 16 – “The States of Jersey Information Security Roadmap” - The Commissioner would be interested to know if the Roadmap has been revised since its approval by the Council of Ministers in 2015 to include compliance with GDPR. If not, it is suggested that a review of the Roadmap would be helpful to ensure GDPR is appropriately considered.
11. Page 19 – “Explore and set minimum security requirements” – The Commissioner encourages the offering of appropriate assistance for all businesses and would also work with Government and other bodies to provide such support and guidance.
12. Page 23 – “Strategic objectives: Establish incident reporting mechanism” - Please see the Commissioner’s comments at point 3 above. The Commissioner would welcome consideration of a cooperative model for incident response to alleviate the multiple reporting requirements facing business.
13. Page 24 – “Strategic objectives: Strengthen training and educational programs” – The OIC supports and encourages a robust educational programme. We consider that there is currently a skills gap in terms of data protection/data security (including cyber security) and considerable effort must be applied to this objective, particularly with the imminent arrival of GDPR. In the longer term, the Commissioner would encourage the development of a bespoke Jersey/Channel Island qualification in this area
In addition to the above, the Commissioner would encourage detailed consideration of both the current and proposed data security requirements in respect of the Data Protection (Jersey) Law 2005 and the GDPR. ‘Cyber security’ is inextricably linked to and part of ‘data security’ for which there are already legal obligations in place. The existing legal framework demands that personal information is kept secure and that appropriate measures are taken by companies to protect data, both organisationally and technically (Seventh principle, Data Protection (Jersey) Law 2005). The GDPR will develop this area further and will place additional obligations upon data controllers and data processors. The GDPR is also about harmonising standards across Europe, and in many cases beyond, and as such there is a strong rationale for a robust, but cooperative strategy framework that works both locally and internationally in a global digital environment.
The support of government together with other agencies and authorities through strategies such as this is very much welcomed by the Commissioner. We look forward to working with all stakeholders to ensure that high standards of compliance and awareness are delivered to the Island’s business community and its citizens alike.
For further information, please contact the Office of the Information Commissioner at firstname.lastname@example.org.