Sponsored Content
Data protection
By Paul Byrne, of PropelFwd
Data protection has become a cornerstone of modern business practice, especially as awareness grows of the obligations businesses have to safeguard personal information.
Under the Data Protection (Jersey) Law 2018 (DPJL), one of the fundamental principles is the concept of “purpose”. Organisations must be transparent about why they are collecting personal data and how it will be used. This article explores the significance of purpose, focusing on data collection, restrictions on its use and data retention in line with Jersey’s legal framework.
Data collection and purpose
Purpose limitation is a key principle in data protection. Under the DPJL, when an organisation collects personal data, it must do so for a clear, specific and legitimate purpose. This means that organisations cannot simply gather data without a defined objective.
For example, if a company collects customer information to process transactions, or, as most of us would have experienced, asks for our email address for a receipt to be provided, it cannot later decide to use that information for unsolicited marketing campaigns without the individual’s explicit consent or another legal basis for using it in this way.
The law requires transparency and accountability, making it essential for businesses to inform individuals about why their data is being collected, what it will be used for and who will have access to it. This concept ensures that individuals are aware of how their data is handled and reduces the risk of misuse or exploitation.
Data retention and the statute of limitations
Under the DPJL, data should be retained only for as long as it is required for the purpose for which it was collected. In some instances, however, other legal obligations come into play, such as the anti-money laundering laws, tax laws and the statute of limitations.
Using the statute of limitations as an example, an individual has up to ten years to bring civil litigation against an organisation for breach of contract. In these circumstances, organisations may need to retain specific information to defend potential claims. This is why ten years is the usual maximum time frame for retaining specific data.
Balancing these legal requirements with data protection obligations is essential. While businesses must be cautious not to retain data indefinitely, they should also ensure compliance with relevant legal retention periods.
Data disposal
Data disposal refers to the process of securely deleting or destroying personal and sensitive information that is no longer needed, to prevent unauthorised access or misuse. It is a critical component of data protection practices and compliance with laws like the DPJL and GDPR. Proper disposal methods depend on the format of the data. For digital data, secure deletion software ensures that files cannot be recovered, and hardware should be degaussed or shredded using specialist equipment. Physical data, such as paper documents, must be shredded or incinerated.
Failing to dispose of data properly can result in data breaches, leading to financial penalties and reputational damage. Organisations should have clear policies in place for regular data audits and disposal, ensuring they only keep information for as long as necessary. Proper data disposal protects individuals’ privacy, safeguards against identity theft and demonstrates compliance with relevant legal requirements.