DATA PROTECTION OVERVIEW
The Data Protection Act 2018 (Act) is the principal piece of primary legislation addressing data protection in the Isle of Man. The Act allows for the EU General Data Protection Regulation (GDPR) and the EU Law Enforcement Directive (LED) to be applied to the Island by way of order and regulations. This Guide does not consider the implementation of the LED.
The Data Protection (Application of GDPR) Order 2018 implemented GDPR into domestic Isle of Man law (Order) and is supplemented by the GDPR and LED Implementing Regulations 2018 (Implementing Regulations). Together the Act, the Order, the Implementing Regulations and supplementary secondary legislation compose the Island’s data protection law.
The Order provides that the GDPR applies as part of the law of the Island, subject to certain modifications as set out in Schedule 1 of the Order. The GDPR and the modifications are referred to in the Order as the “Applied GDPR” (i.e. the GDPR as amended and as it applies to the Isle of Man) the term that we will use in this Guide.
The Isle of Man is not part of the European Union (EU) but in 2004, the European Commission formally recognised that the Isle of Man’s data protection legislation offered an equivalent level of protection (a so called “adequacy finding”).
Certain definitions are set out in Article 4 of the Applied GDPR:
“controller”
is defined as the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data;
“data subject”
is defined as an identified or identifiable natural person;
“personal data”
is defined as any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or with reference to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
“filing system”
is defined as any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis;
“special categories of personal data”
are personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.
Under Article 5 of the Applied GDPR, the following data processing principles apply. Personal data:
- shall be processed fairly, lawfully and in a transparent manner;
- shall only be obtained for a specified, explicit and legitimate purpose and not further processed in any manner incompatible with that purpose;
- shall be relevant, adequate and limited to what is necessary in relation to the purposes for which they are processed;
- shall be accurate and kept up to date, with every reasonable step taken to ensure that inaccurate data is erased or rectified without delay;
- shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; and
- shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
The controller is responsible for, and must be able to demonstrate compliance with, the above principles.
PERSONAL INFORMATION
The Applied GDPR covers the processing of personal data (see definitions above) that is processed:
- wholly or partly by automated means; or
- in a non-automated manner that forms part of, or is intended to form part of, a filing system.
The definition of “processing” under Article 4 is is defined very widely as “any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.”
The Applied GDPR does not apply to the processing of personal data: (i) by a natural person in the course of a purely personal or household activity; or (ii) by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including safeguarding against the prevention of threats to public safety.
The Applied GDPR extends to personal data and special category data. When processing special category data, additional conditions will apply.
Article 4(5) of the Applied GDPR introduces a concept of pseudonymisation, which involves processing personal data in such a manner that it can no longer be attributed to a specific individual without the use of additional information that is kept separately and is subject to technical and organisational measures to safeguard its use; for example, replacing names or other obvious identifiers with reference numbers. Pseudonymised data is considered personal data and is within the scope of the Applied GDPR.
Anonymised information is not within scope of the Applied GDPR. For information to be anonymous, the individual must not or no longer be identifiable (Recital 26, Applied GDPR). If there are reasonably available means to re-identify individuals, then the information will not have been effectively anonymised and will still constitute personal data.
In addition, under regulation 9(4) of the Implementing Regulations, personal data must not be processed unless the data controller is registered with the Isle of Man Information Commissioner (IC). Every controller and processor, to which the Applied GDPR applies must comply with the registration requirements set out in Schedule 7 of the Implementing Regulations. It is an offence to fail to register.
There are exceptions to the notification requirements set out in Part 3 of Schedule 7 of the Implementing Regulations. These exemptions are limited, but include processing for staff administration purposes, keeping accounts (this does not apply to bookkeeping or accountancy services) and for non-profit organisations. Even where exemption from registration can be claimed, the controller or processor must still comply with the remaining provisions of the legislation.
Collecting personal information
Article 13 of the Applied GDPR states that the data controller has an obligation at the time when the data is collected from the data subject, to provide the following information:
- the identity and the contact details of the controller and, where applicable, of the controller’s representative;
- the contact details of the data protection officer, where applicable;
- the purposes of the processing for which the personal data are collected, as well as the legal basis for the processing;
- where the processing is based on the legitimate interests pursued by the controller or by a third party, details of these interests;
- the recipients or categories of recipients of the personal data, if any;
- where applicable, the fact that the controller intends to transfer personal data outside of the Isle of Man and/or the EEA.
Further to this, the controller shall inform the data subject as to:
- the period for which the personal data will be stored or if that is not possible, the criteria used to determine the retention period;
- the existence of the rights to access, rectification or erasure, or restriction of processing and the right to data portability;
- the right to withdraw consent at any time;
- the right to lodge a complaint with a Supervisory Authority;
- whether the provision of personal data is a contractual or statutory requirement;
- the existence of automated decision-making, including profiling.
Where the controller intends to process personal data for a purpose other than that for which it was collated, the controller has to provide the data subject with information regarding that further purpose.
Article 14 deals with the information that has to be provided where personal data have not been obtained from the data subject.
What constitutes valid consent?
Article 6(1)(a) of the Applied GDPR states that consent to processing shall be one of the lawful conditions for processing. Article 9 of the Applied GDPR deals with the processing of special category personal data and requires “explicit consent.” to be in place.
Article 7 of the Applied GDPR sets out the conditions for valid consent:
- where processing is based on consent, the controller must be able to demonstrate that the data subject has consented to processing of his or her personal data;
- if the consent is given in writing which also concerns other matters, the consent must be presented in a way that distinguishes it from the other matters and in an intelligible and easily accessible form and using clear and plain language;
- the data subject has the right to withdraw the consent at any time; and
- when assessing whether consent is freely given, utmost account will be taken of whether or not consent has been made a condition of the performance of a contract or service.
In the context of processing childrens’ data for information society services, a child is defined by reference to the age of 13, rather than 16 (regulation 11 of the Implementing Regulations).
The IC would expect Isle of Man controllers to take recognition of the guidelines issued by the European Data Protection Board.
Processing and retention of personal data
Alongside consent, Article 6 of the Applied GDPR provides the lawful bases for processing, namely where it is necessary:
- for the performance of a contract, to which the data subject is party, or in order to take steps at the request of the data subject prior to entering into a contract;
- for compliance with any legal obligation to which the data controller is subject;
- in order to protect the vital interests of the data subject or of another natural person;
- for the performance of tasks carried out in the public interest or in the exercise of official authority vested in the controller. This includes data processing necessary for (a) the administration of justice; (b) the exercise of any function of Tynwald (the Manx parliament) or its branches; (c) the exercise of a function conferred on a person by an enactment; or, (d) the exercise of a function of the Crown, a department of the Isle of Man Government or an Isle of Man statutory body. Substantial public interest conditions are also set out in Part 2 of Schedule 2 of the Implementing Regulations regarding processing special category data and that related to criminal convictions;
- for the purposes of legitimate interest pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection, in particular where the data subject is a child. This condition is not applicable to processing carried out by a public authority.
In addition, the Council of Ministers may by order specify particular circumstances in which the foregoing is taken to be satisfied.
Decisions of the Court of Justice of the European Union regarding the interpretation of the term “necessary” would be persuasive in an Isle of Man court and the IC would require the term to be interpreted narrowly by controllers.
Accessing Personal Information
Individuals are entitled to be informed whether their personal data is being processed by or on behalf of a data controller. If so, the individual is entitled to a description of:
(i) the personal data,
(ii) the purposes for which it is being or is to be processed, and
(iii) the recipients or classes of recipient to whom the data may be disclosed.
The individual is also entitled to a copy of their data. The right is subject to certain limitations (such as the rights of third parties whose personal data is “mixed” with that of the data subject). The individual must send a data subject access request to the data controller, who must respond within one month. Data subjects can also request that their data is corrected where it is not accurate, or that it be erased (in limited circumstances).
Controllers are expressly required to bring the right of access to the attention of data subjects and to take steps to facilitate the exercise of that right.
Law Enforcement
The LED deals solely with personal data being processed for the purposes of the prevention, detection or prosecution of criminal offences, including the safeguarding against and the prevention of threats to public security.
Are there any other exemptions?
The main exemptions relate to processing for specific purposes and are not a blanket exclusion of the Applied GDPR’s rights and obligations. The purposes for processing personal data determine the provisions from which an organisation can claim exemption. Data controllers should only depart from the Implementing Regulations to the extent necessary to protect the purposes for which the exemption is claimed.
Regulation 8 of the Implementing Regulations provides further details on the jurisdictional scope of the regulations.
The main exemptions include:
- manual unstructured data held by Freedom of Information (FOI) public authorities;
- manual unstructured data used in longstanding historical research;
- insurance;
- legal proceedings;
- protection of the rights of others;
- national security;
- crime and taxation;
- legal professional privilege;
- trusts;
- health, education and social work;
- regulatory activity;
- journalism, literature and academic purposes;
- research, history and statistics;
- Tynwald privilege; and
- domestic purposes.
Schedule 9 also contains miscellaneous exemptions in relation to the following: confidential references given by the data controller; armed forces; immigration control; judicial appointments and honours; crown employment and appointments; management forecasts; corporate finance; negotiations; examination marks and scripts; legal matters and self- incrimination.
International transfers of personal information
Part 5 of the Implementing Regulations deals with transfers of personal data to third countries. Regulation 68 states that a controller or processor must not transfer personal data for processing to a third country or an international organisation unless that country or organisation ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data. The level of protection is adequate if:
- the European Commission has made an adequacy decision under Article 45 of the GDPR;
- there are safeguards in place that meet the requirements of Article 46 of the Applied GDPR (see further below);
- the transfer falls within the exceptions set out in Schedule 10 of the Implementing Regulations.
Schedule 10 of the Implementing Regulations provides exceptions to the adequacy requirements and these are as follows:
- the transfer is specifically required by an order or judgment of a court or tribunal having the force of law in the Isle of Man or having force of law in the Isle of Man based on an international agreement or obligation on the Isle of Man or a decision of a public authority on the Island that is based on such an international agreement (paragraph 1 of Schedule 10);
- the data subject has explicitly consented to the transfer after being informed of the possible risk of the transfer (paragraph 2 of Schedule 10);
- the transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of pre-contractual measures taken at the data subject’s request (paragraph 3 of Schedule 10);
- the transfer is necessary for the conclusion or performance of a contract between the controller and a person other than the data subject (paragraph 4 of Schedule 10);
- the transfer is necessary for reasons of substantial public interest which only applies in certain circumstances (paragraph 5 of Schedule 10);
- the transfer is necessary (a) for the purposes of, or in connection with, any legal proceedings (including prospective legal proceedings); (b) for the purposes of obtaining legal advice; or (c) is otherwise necessary for the purposes of establishing, exercising or defending legal rights (paragraph 6 of Schedule 10);
- the transfer is necessary in order to protect the vital interests of the data subject or other persons where (a) the data subject is physically or legally incapable of giving consent; (b) the data subject has unreasonably withheld consent; or (c) the controller or processor cannot reasonably be expected to obtain the explicit consent of the data subject (paragraph 7 of Schedule 10);
- the transfer is made from a public register in certain circumstances (paragraph 8 of Schedule 10).
Paragraph 9 of Schedule 10 provides that where a transfer cannot be based on any other provision of the Implementing Regulations, a transfer to a third country or international organisation can only take place if:
- the transfer is not repetitive;
- the transfer concerns only a limited number of data subjects;
- the transfer is necessary for the purposes of the compelling legitimate interests of the controller (which are not overridden by the interests of rights and freedoms of the data subject); and,
- the controller has assessed all the circumstances and/or the basis of such provided suitable safeguards.
If a transfer is to take place under paragraph 9, the controller must inform the IC and the data subjects of the transfer as soon as practicable and confirm the compelling legitimate interest being pursued. In addition, the controller or processor must document the assessment and safeguards it is putting in place.
Paragraphs 2, 3, 4 and 9 of Schedule 10 do not apply to the activities carried out by public authorities in the exercise of their public powers.
Under regulation 69 of the Implementing Regulations, transfers can be undertaken subject to other appropriate safeguards, but these are subject to approval by the IC.
The safeguards specified in Article 46(2) of the Applied GDPR are as follows:
- legally binding and enforceable instrument between public authorities or bodies;
- adoption of the Commission’s standard data protection clauses (or those of an EU Supervisory Authority);
- an approved code of conduct or certification, together with binding and enforceable commitments to apply those safeguards, including the rights, is followed.
Note that binding corporate rules in accordance with Article 47 of the GDPR are not part of the Isle of Man law as the Isle of Man is not part of the EU.
The EU has approved standard contractual clauses for the transfer of personal data to data controllers and data processors in countries outside of the EEA which do not have an adequacy decision from the European Commission.
Data transfer agreements are sufficient to legitimise transfers, however, the transfer must also meet the requirements of the Applied GDPR and the Implementing Regulations.
How is direct marketing regulated?
Article 21 of the Applied GDPR gives an individual the right to prevent their personal data being processed for direct marketing, irrespective of the medium being used to send the marketing materials.
The Unsolicited Communications Regulations 2005 (2005 Regulations), restrict the making of unsolicited marketing communications to individuals by telephone calls, fax messages, email communications and automated calling systems.
Under the 2005 Regulations, unsolicited electronic mail to an individual should only be sent with the recipient’s consent. There is however an exception where the sender has obtained the recipient’s details in the course of a sale (or negotiations for the sale) of a product or service the sender offered; the messages promote similar goods or services from the sender and the recipient is given a simple opportunity to opt-out of receiving such materials. Senders of electronic marketing messages must provide the recipient with the name of the organisation sending or authorising the materials and a valid contact address. It should be noted that different rules apply to marketing by telephone and facsimile.
Regulation 11 allows a person who suffers damage by reason of contravention of the 2005 Regulations to bring proceedings in the High Court in the Isle of Man for compensation. The Data Protection (Application of GDPR) (Amendment) Order 2019 granted the IC a range of investigatory and corrective powers against those breaching the 2005 Regulations in accordance with Articles 57 and 58 of the Applied GDPR.
What rules apply to the monitoring of employees in the workplace?
Article 88 of the Applied GDPR states that the Island may, by law or collective agreements, provide for more specific rules to ensure the protection of the rights and freedoms in respect of the processing of employees’ personal data in the context of employment. In particular, these rules may be provided for the purposes of:
- recruitment;
- performance of the employment contract (including discharge of obligations laid down by law or collective agreements);
- management, planning and organisation of work;
- equality and diversity in the workplace;
- health and safety at work;
- protection of an employer’s or customer’s property;
- exercise and enjoyment (on an individual basis) of rights and benefits related to employment; and
- termination of the employment relationship.
Such rules should include suitable and specific measures to safeguard the data subject’s human dignity, legitimate interests and fundamental rights, with particular regard to the transparency of processing, transfers of data within a group of undertakings or enterprises, and the use of monitoring systems in the workplace.
There are no specific restrictions on employee monitoring under the Applied GDPR, however the IC has issued guidance. Employers should carry out a Data Protection Impact Assessment and evaluate less intrusive approaches to achieving the monitoring objectives. Employers should explain the monitoring purposes and the personal information being collected. Employee data may often include special category data, so additional considerations around how such processing might lawfully be effected are required.
The employer has an important obligation to appropriately inform employees about what information about them can be processed at work, how the information will be processed, why this is necessary, and what rights the employees have to protect their privacy. This can be achieved through communication of an internal privacy statement or privacy policy. This policy must be announced in a clear way and should be easily accessible to employees. For example, distributing the policy to each new employee and including it within the employee portal, so that it can be accessed and downloaded at any time. When the policy is updated, it is also important that employees are informed and materials updated accordingly.
The policy must include at least:
- whether and when employee monitoring is applied;
- the purposes of data processing and means used for processing;
- an overview of the data that is kept, along with the corresponding retention period;
- who has access to what data, and in what circumstances;
- how data is protected; and
- the rights of the employee.
Covert monitoring can rarely be justified, unless for example, there are real grounds for believing that criminal activity or equivalent malpractice is occurring and that telling people about the monitoring would prejudice the effective detection of such wrongdoing.
Can telephone calls be recorded?
As personal information may be collected during the call, the caller needs to be notified at the start that the conversation may be recorded.
Best practice is that the caller should have the opportunity to review the organisation’s privacy policy before the call proceeds. This can best be achieved by recording a copy of the privacy policy and directing the caller to listen to the policy before the call is connected.
What rules apply to the recording of CCTV footage?
To the extent that CCTV may capture personal information, its use will be regulated by the Applied GDPR.
To ensure that any personal information collected via CCTV is not excessive and does not go beyond the purpose for which it was collected, consideration will need to be given to the cameras’ location and recording angles.
Particular care should also be taken if CCTV is used as part of any employee monitoring process. Any monitoring should generally be disclosed to the employees in advance.
enforcement
Article 31 of the Applied GDPR requires controllers and processors (and representatives if applicable) to cooperate with the IC in the performance of its tasks. The tasks of the IC are set out in Article 57 of the Applied GDPR and regulations 77 and 79 of the Implementing Regulations, and include:
- monitoring and enforcing the application of the Applied GDPR and the Implementing Regulations;
- promoting public awareness and understanding of the risks, rules, safeguards and rights in relation to processing;
- advising (in accordance with Isle of Man law) the Manx government and other institutions and bodies on legislative and administrative measures relating to data protection;
- promoting awareness of their obligations under the Applied GDPR to controllers and processors;
- providing information to any data subject concerning the exercise of their rights under the Applied GDPR and, if appropriate, co-operating with data protection authorities in the EU;
- handling and investigating complaints lodged by a data subject, or by a body, organisation or association in accordance with Article 80.
The powers given to the IC to fulfil the tasks are divided into “investigative powers” and “corrective powers” and are subject to safeguards.
The investigatory powers include the IC’s ability to:
- order the provision of information it requires for the performance of its tasks;
- carry out investigations in the form of data protection audits;
- carry out a review of certifications pursuant to Article 42(7);
- notify the controller or processor of an alleged infringement of the Applied GDPR;
- obtain, through the issue of a warrant, access to all personal data, information, premises and equipment, necessary for the performance of the tasks.
The IC’s corrective powers include the ability to:
- issue warnings to controllers or processors that intended processing operations are likely to infringe provisions of the Applied GDPR;
- issue reprimands to controllers or processors where processing operations have infringed provisions of the Applied GDPR;
- order controllers or processors to:
- comply with the data subject’s requests to exercise their rights under the Applied GDPR;
- bring processing operations into compliance with the Applied GDPR;
- rectify, erase, or restrict processing of, personal data and order notification of that action to recipients of that personal data where necessary;
- communicate a personal data breach to data subjects;
- impose an administrative fine (see below);
- withdraw certification, or order the certification body to withdraw certification;
- order the suspension of data flows to a recipient in a third country or international organisation.
The IC can issue penalty notices under regulation 112 of the Implementing Regulations. In relation to an infringement of a provision of the Applied GDPR, the maximum penalty is £1,000,000. This applies despite Article 83 of the Applied GDPR.
Appeals against the exercise of investigative and corrective powers can be made in some circumstances to the Data Protection Tribunal.
What are the penalties for non-compliance?
Sanctions
The Implementing Regulations detail the penalties for criminal offences (Regulation 141).
Offences carrying a fine of up to £10,000 and/or an imprisonment term of up to 2 years
- Regulation 103 – failure to comply with an information notice;
- Regulation 126 – unlawful obtaining of personal data;
- Regulation 127 – re-identification of de-identified personal data;
- Regulation 137 – prohibition of requirement to produce relevant records.
Offences carrying a fine of up to £10,000 and/or an imprisonment term of up to 6 months
- Regulation 82 – obstruction of a person exercising the power to inspect personal data to discharge an international obligation;
- Regulation 128 – alteration of personal data to prevent disclosure;
- Regulation 129 – record tampering;
- Paragraph 15 of Schedule 4 – various offences in relation to the execution of warrants and the making of false statements.
Offences carrying a fine of up to £10,000
- Paragraph 2(1) Schedule 7 – processing of personal data without a register entry;
- Paragraph 12(1) & (2) of Schedule 7 – duty to notify changes to a register entry.
Where an offence has been committed by a body corporate, and is proved to have been committed with the consent or connivance of, or can be attributable to, neglect by any director, manager, secretary or similar body corporate officer or person purporting to act in any such capacity, the individual can be found guilty of that offence and be proceeded against accordingly.
CYBERSECURITY
No separate cybersecurity legislation has been enacted. The Office of Cyber-Security & Information Assurance (OCSIA) acts as the focal point in developing the Island’s cyber resilience, working in partnership with private and third sector organisations across the Island alongside the wider population. OCSIA operates a Cyber Security Centre providing advice, guidance and practical support to Island residents and businesses. The Isle of Man Financial Services Authority has also issued its own guidance on cybersecurity to insurers, financial services licence holders and operators of retirement benefit schemes.
Under Article 5 of the Applied GDPR, appropriate technical and organisational measures must be taken by the data controller against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, the personal data. Where a third party is processing personal data on behalf of a data controller (i.e. a data processor), the data controller must ensure that it has a written contract with the data processor that includes contractual obligations to only process the relevant personal data on the instructions of the data controller and obliges the data processor to comply with obligations equivalent to those imposed on the data controller under Article 5.
Article 32 also requires that, in assessing the appropriate level of security, a controller or processor must not only take into account the risk to the individual posed by the intended processing, but also the risk posed by accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to the personal data transmitted, stored or otherwise processed.
Who needs to be notified in the event of a data breach?
All personal data breaches must be recorded by data controllers, however, only breaches that pose any risk to the rights and freedoms of individuals must be reported to the IC. This must be done within 72 hours of becoming aware of the breach.
In addition, if there is a high risk to the rights and freedoms of individuals, the controller must notify the individuals concerned without undue delay. Data processors are also under an obligation to notify the data controller without undue delay if they become aware of a data breach.
Other regulators, such as financial services regulators, may require as part of their licence conditions that licence holders also report security breaches to them.
reviewed for accuracy [MARCH 2023]