Cyber Security Strategy – Consultation Response

Monday 3 April 11:36

The Office of the Information Commissioner (“the OIC”) welcomes the Cyber Security Strategy (“the strategy”) and its commitment to considering privacy and civil liberties, especially in light of the new standards imposed by the imminent arrival of the General Data Protection Regulation (GDPR) in May 2018.

With that in mind, there is significant overlap between the strategy objectives and the statutory requirements of GDPR (and associated local legislation), and the successful implementation of both the strategy and GDPR will serve to assist in the delivery of the strategy as well as ensuring Jersey continues to be seen as a well-regulated jurisdiction in respect of data. Data is increasingly the lifeblood of business, government and citizens. As a jurisdiction we must strive towards the highest standards of data governance, of which an essential element is data security.

 

In relation to the content of the strategy document itself, the Information Commissioner (“the Commissioner”) makes a number of comments/observations which are detailed in the numbered points below:

 

1. Page 5 – “Pillar 4: Legislation and international engagement” - In relation to legislation and international engagement, this is clearly critical in the context of GDPR compliance and implementation, and in maintaining the Island’s adequacy status with the European Commission in respect of data protection regulation.

 

2. Page 6 – “Why does it matter?” – It is important to recognise the GDPR compliance needs given its extra-territorial scope. The economic and political imperative to maintain adequacy has also been articulated by the States of Jersey and is relevant in the context of this strategy.

 

3. Page 7 – “1. Establish an information sharing, reporting and incident response capability” – The Commissioner would welcome additional consideration of the specific GDPR breach reporting requirements in this section of the strategy. Industry will potentially be faced with multiple reporting requirements in Jersey (JFSC, OIC) which is not business-friendly and is therefore not likely to be welcomed. Careful consideration should also be given to the management of incident response data and the commercially sensitive nature of these data. Clarity around how such data may be stored, disseminated and used is essential.

 

4. Page 7 – “7. Set minimum security requirements” – Consideration should be given here to the specific and statutory data security requirements imposed by the GDPR, including the principle of privacy by design and privacy by default. Advantage should be taken of the analogous nature of these objectives. 

5. Page 8 – “8. Support law enforcement” - The GDPR provides for a number of criminal offences and as such it is important that, in the context of data security breaches, the Office of the Information Commissioner is appropriately empowered to enforce data security breaches. Consideration should be given to formal coordination between the law enforcement agencies tasked with oversight of this area to encourage a consistent approach and effective use of resources.

6. Page 9 – “3.1 Establish an information sharing, reporting and incident response capability” – Please see the Commissioner’s comments at point 3 above.

7. Page 10 – “Proposed next steps” – As per the Commissioner’s previous comments, careful consideration should be given to the management of incident response data and the obligations imposed by GDPR.

8. Page 10 – “Establish incident response capability” – A cooperative framework for breach reporting would be welcomed and the Commissioner, as a pan-Island regulatory authority, would support a pan-Island approach.

9. Page 14 – “Strengthen training and educational programs” – Education and awareness is a crucial element of successful delivery of this strategy and of the GDPR. The Commissioner is of the view that a strong education and skills programme for all data-related areas would be a significant benefit for the Island. Consideration should be given to how this goal could usefully interact with the requirement for a Data Protection Officer under GDPR. The Commissioner is of the view that there is opportunity to build on the financial services model of professional compliance officers to deliver high quality data governance to the Islands’ businesses.

10. Page 16 – “The States of Jersey Information Security Roadmap” - The Commissioner would be interested to know if the Roadmap has been revised since its approval by the Council of Ministers in 2015 to include compliance with GDPR. If not, it is suggested that a review of the Roadmap would be helpful to ensure GDPR is appropriately considered.

11. Page 19 – “Explore and set minimum security requirements” – The Commissioner encourages the offering of appropriate assistance for all businesses and would also work with Government and other bodies to provide such support and guidance.

12. Page 23 – “Strategic objectives: Establish incident reporting mechanism” - Please see the Commissioner’s comments at point 3 above. The Commissioner would welcome consideration of a cooperative model for incident response to alleviate the multiple reporting requirements facing business.

13. Page 24 – “Strategic objectives: Strengthen training and educational programs” – The OIC supports and encourages a robust educational programme. We consider that there is currently a skills gap in terms of data protection/data security (including cyber security) and considerable effort must be applied to this objective, particularly with the imminent arrival of GDPR. In the longer term, the Commissioner would encourage the development of a bespoke Jersey/Channel Island qualification in this area.

General comments:

 

In addition to the above, the Commissioner would encourage detailed consideration of both the current and proposed data security requirements in respect of the Data Protection (Jersey) Law 2005 and the GDPR. ‘Cyber security’ is inextricably linked to and part of ‘data security’ for which there are already legal obligations in place. The existing legal framework demands that personal information is kept secure and that appropriate measures are taken by companies to protect data, both organisationally and technically (Seventh principle, Data Protection (Jersey) Law 2005). The GDPR will develop this area further and will place additional obligations upon data controllers and data processors. The GDPR is also about harmonising standards across Europe, and in many cases beyond, and as such there is a strong rationale for a robust, but cooperative strategy framework that works both locally and internationally in a global digital environment.

 

The support of government together with other agencies and authorities through strategies such as this is very much welcomed by the Commissioner. We look forward to working with all stakeholders to ensure that high standards of compliance and awareness are delivered to the Island’s business community and its citizens alike.

 

For further information, please contact the Office of the Information Commissioner at enquiries@dataci.org.
