Data Protection Regulations
In force
Data Protection Law, 2017 (Law 33 of 2017)
THE DATA PROTECTION REGULATIONS, 2018
(SL 17 of 2019)
The Cabinet, in exercise of the powers conferred by section 61 of the Data Protection Law, 2017, makes the following Regulations —
1. Citation
(1) These Regulations may be cited as the Data Protection Regulations, 2018.
(2) These Regulations come into force immediately after the Data Protection Law, 2017 comes into force.
2. Definitions
In these Regulations, —
“child” means a person under the age of eighteen years;
“educational record” means a record of information that —
(a) is processed by or on behalf of the proprietor or a teacher at a school;
(b) relates to a person who is or has been a pupil at the school; and
(c) originated from or was supplied by or on behalf of any of the following persons —
(i) a teacher or other employee at the school;
(ii) a person who is engaged by the proprietor of the school under a contract for the provision of educational services;
(iii) the pupil to whom the record relates; or
(iv) a parent of that pupil; and
“parent” in relation to a pupil, includes a guardian and any person who has custody of the pupil.
3. Fees for requests
(1) Personal data and information pursuant to a request under section 8 shall be provided free of charge, except that where the request from a data subject is determined to be manifestly unfounded or excessive because the request —
(a) is repetitive;
(b) is fraudulent in nature; or
(c) would divert the resources of the data controller unreasonably,
the data controller may charge such fee as covers the cost of providing the requested data and information or may refuse to act on the request and provide the reasons for doing so.
(2) The burden of proving that the request was “manifestly unfounded” or “excessive” is on the data controller.
(3) Where personal data are —
(a) open to access by the public pursuant to any other enactment as part of a public register or otherwise; or
(b) available for purchase by the public in accordance with administrative procedures established for that purpose,
access to that data shall be obtained in accordance with the provisions of that enactment or those administrative procedures.
(4) Where a data controller charges a fee pursuant to paragraph (1), the fee shall be reasonable taking into account the administrative cost of providing the personal data or information requested.
4. Extension of time for response
(1) A data controller may extend the time for responding to a subject access request under section 8 by up to thirty days where one or more of the following conditions apply —
(a) a large amount of data is requested or is required to be searched and meeting the timelines would unreasonably interfere with the operations of the data controller;
(b) more time is required to consult with a third party or other data controller before the data controller is able to decide whether or not to give the data subject access to the requested data; or
(c) the data subject has given consent to the extension.
(2) With the permission of the Ombudsman, the data controller may extend the time for responding to a subject access request under section 8 —
(a) for a period longer than thirty days, where one or more of the circumstances described in paragraphs (1)(a) to (c) apply; and
(b) where the Ombudsman otherwise considers that it is appropriate to do so.
(3) Where the time for responding to a request is extended under this regulation, the data controller shall inform the data subject of the reason for the extension and when a final response will be given.
5. Data controller’s duty to inform data subject of right to complain
Where a request under section 8 is received from a data subject, the data controller shall inform the data subject of the right to complain to the Ombudsman under section 43 of the Law.
6. Circumstances when data controller not obliged to comply
(1) Without limiting sections 10(2)(a) to (c) of the Law, a data controller shall comply with a request under section 10(1) unless the data controller has applied to the Ombudsman within twenty-one days of the date of the request by the data subject and has received approval from the Ombudsman to not comply with the data subject’s request to cease processing.
(2) The data controller shall inform the data subject of any application made to the Ombudsman under paragraph (1).
7. Health exemption
(1) Personal data, the release of which could reasonably cause mental or physical harm to the data subject or any other person, shall be exempt from the subject information provisions.
(2) A data controller who is not a health professional shall not, on the ground of the exemption under paragraph (1), refuse a request for information under this regulation unless —
(a) after receiving the request, the data controller consults the appropriate health professional on the question of whether the exemption applies and obtains in writing from the health professional an opinion that the exemption applies to the information; or
(b) the following conditions are satisfied —
(i) the data controller consulted a health professional before receiving the request;
(ii) the health professional was the person who would have been the appropriate health professional, if the data controller had carried out the consultation under subparagraph (a); and
(iii) the data controller obtained from the health professional an opinion in writing that the exemption applied to all of the information.
(3) The conditions referred to in paragraph (2) are not satisfied if —
(a) the opinion was obtained before the start of the period of six months that ends on the day that the request is made; or
(b) the opinion was obtained within the period in paragraph (a) but it is reasonable in all the circumstances to consult the appropriate health professional again.
8. Education exemption
(1) Personal data that consist of information that constitutes an educational record are exempt from section 8 of the Law to the extent that the application of that section would be likely to cause serious harm to the physical or mental health or condition of the data subject or any other person.
(2) Where a parent, or someone who has been appointed by the court to manage the affairs of a person who is the data subject, is enabled to make a request under section 8 of the Law on behalf of a data subject and has made such a request, personal data that consist of information specified in paragraph (3) are exempt from the provisions in section 8 of the Law to the extent that the application of that section would not be in the interests of the data subject.
(3) For the purposes of paragraph (2), the personal data are data consisting of information constituting an educational record or information about whether the data subject, where the subject is a child, is or has been the subject of abuse or may be at risk of it.
(4) Personal data that may reveal a record of a question that is reasonably expected to be used on an examination or test within twelve months from the date of the request are exempt from the provisions under section 8.
(5) For the purposes of this regulation, “abuse” in respect of a person when that person is a child —
(a) includes physical injury to and physical neglect, emotional neglect, ill-treatment and sexual abuse of the person; and
(b) excludes accidental injury.
9. Social work exemption
(1) The personal data specified in paragraph (5) are exempt from the subject information provisions to the extent that the application of those provisions would be likely to prejudice the carrying out of social work by reason of the fact that serious harm to the physical or mental health or condition of the data subject or any other person would be likely.
(2) In a case where a defined person is enabled by or under any enactment or rule of law to make a request under section 8 of the Law on behalf of a data subject and has made such a request, personal data specified in paragraphs (5)(a) or (b) are exempt from the provisions under section 8 of the Law to the extent that the application of that section would result in the disclosure of information —
(a) provided by the data subject in the expectation that it would not be disclosed to the person making the request;
(b) obtained as a result of any examination or investigation to which the data subject consented in the expectation that the information would not be so disclosed; or
(c) that the data subject has expressly indicated should not be so disclosed.
(3) Paragraphs (2)(a) and (b) do not apply to the extent that the data subject has expressly indicated that the data subject no longer has the expectation that the information would not be disclosed.
(4) For the purposes of paragraph (2), a “defined person” is a person who —
(a) has parental responsibility for a child who is the data subject; or
(b) has been appointed by a court to manage the affairs of a person who is the data subject and incapable of managing his or her own affairs.
(5) The personal data referred to in paragraph (1) are —
(a) personal data processed by a public authority in relation to any of the following matters —
(i) the allocation of housing or other residential accommodation;
(ii) the provision of any benefit under the Health Insurance Law (2018 Revision) or the Poor Persons (Relief) Law (1997 Revision);
(iii) probation;
(iv) school attendance;
(v) ensuring that children receive suitable education whether by attendance at school or otherwise;
(vi) guardianship under the Grand Court Law (2015 Revision); or
(vii) any function under the Children Law (2012 Revision), Adoption of Children Law (2003 Revision), Mental Health Law, 2013, the Older Persons Law, 2017 or any other applicable law; or
(b) personal data processed by a court and consisting of information that —
(i) is supplied in a report to or other evidence given to the court in the course of proceedings relating to families or children; and
(ii) the court directs should be withheld from the data subject on the ground that it appears —
(A) to be impracticable to disclose the report or other evidence having regard to the data subject’s age and understanding; or
(B) to be undesirable to disclose the report or other evidence having regard to the serious harm that might be suffered by the data subject by the disclosure.
(6) For the purposes of this regulation, “proceedings relating to families or children” includes proceedings relating to adoption, matrimonial matters or guardianship.
10. Exceptions to the Eighth principle - international co-operation between intelligence and regulatory agencies
A transfer for the purposes of international cooperation between intelligence or regulatory agencies as set out in paragraph 10 of Schedule 4 of the Law is limited to a disclosure that is permitted or required under an enactment in force in the Islands or an order issued by the Grand Court.
Made in the Cabinet the 28th day of August, 2018.
Kim Bullings
Clerk of the Cabinet.