JCSC Privacy Policy
This privacy policy covers the Jersey Cyber Security Centre (“JCSC”) which sits within the Department for the Economy.
The JCSC is registered as a ‘Controller’ under the Data Protection (Jersey) Law 2018 (the “Data Protection Law”), as we collect and process personal information about you. We process and hold your information in order to provide public services and meet our statutory obligations. This notice explains how we use and share your information.
We will review and update this privacy notice to reflect changes in our services and feedback from service users, as well as to comply with changes in the law.
Beginning section How we collect information about you
How we collect information about you
Information about you will, in most cases, be collected directly from you. This may be done by you completing a paper or online form, by telephone, email, or by a member of our staff.
In some cases, we may collect information about you from another Government of Jersey department or from third parties we interact with in order to deliver our duties.
Third party organisations with whom JCSC will interact include national security agencies, law enforcement and crime prevention agencies, Cyber Emergency Response Teams (CERTs) and other national or international cyber authorities.
Email
If you email us, we may keep a record of your email address and a copy of the email for record keeping purposes in accordance with our retention schedule.
We suggest that you keep the amount of confidential information you send to us via email to a minimum.
Telephones
We may record or monitor any telephone calls you make to us using recording equipment. If you leave a message on our voicemail systems your message will be kept until we are able to return your call or make a note of your message.
File notes of when and why you called may be taken for record keeping purposes, in accordance with our retention schedule. We will not pass on the content of your telephone calls, unless is it necessary for us to do so, either to fulfil your request for a service, to comply with a legal obligation, or where permitted under other legislation.
Beginning section Types of information we collect
Types of information we collect
The types of personal data collected will vary depending on what information you volunteer and the information we need in each circumstance. However, we have listed below the most common categories of information we may collect about you.
- Contact Details: for example name, address, phone number, mobile phone number, email address.
- Organisation Details: for example the name of your organisation, your job title or role, your responsibilities within your organisation.
- Incident Details: for example victim information, data on alleged or confirmed criminal activity, information on cyber security vulnerabilities, computer and network forensic information.
- Cyber Risk Data: for example information shared by other national cyber authorities or Cyber Emergency Response Teams (CERTs) including the security and law enforcement services, including highly classified information, personal information and sensitive information relating to cyber incidents and reports.
- Technical Metadata: for example, IP addresses, usage data on software, systems and the internet.
- Publicly available information: for example information collated from public reports and data feeds, which may include information on individuals.
- Preferences: for example dietary requirements, opinions or views.
- Voluntary Information: for example unsolicited information you may provide to us when you engage with us.
Cookies and the JCSC Website
JCSC does not track individual website visitors using cookies or any other method. We do not set cookies on our website or retain any data collected using cookies.
However cookies may be set for essential purposes by our web application firewall provider or web hosting provider, and by third party companies providing services connected with our website such as Microsoft and Google.
Cookies may also be set within external content embedded within our website. This includes externally hosted videos and maps.
Beginning section How we will use the information about you
How we will use the information about you
We need to collect and hold information about you, in order to carry out the public functions of the JCSC. Our legal basis for processing personal data in most cases is that it is necessary for the exercise of JCSC’s function as a public authority or as conferred upon JCSC under an enactment.
We have set out in further detail below why we use your personal data in each instance.
Data Collected: | Used to: | Legal Basis: |
Contact Details Organisation Incident Details Cyber Risk Data Technical Metadata Publicly Available Information Voluntary Information |
Identify the risk of, respond to, and Allow the statistical analysis of data so |
Public functions: The processing is necessary for the exercise of any function of Crown, the States or any public authority (Data Protection (Jersey) Law 2018, Schedule 2, paragraph 4b). |
Contact Details Organisation Details Incident Details Voluntary Information |
Carry out the service you have requested, and to monitor and improve our performance in responding to your service requests |
Public functions: The processing is necessary for the exercise of any function of Crown, the States or any public authority (Data Protection (Jersey) Law 2018, Schedule 2, paragraph 4b). |
Contact Details Incident Details Cyber Risk Data Technical Metadata Publicly Available Information Voluntary Information |
For crime prevention and national security purposes. |
Public functions: The processing is necessary for the exercise of any function of Crown, the States or any public authority (Data Protection (Jersey) Law 2018, Schedule 2, paragraph 4b). |
Contact Details Incident Details Cyber Risk Data Technical Metadata Publicly Available Information Voluntary Information |
Maintain awareness of cyber threats, and to share and communicate this information with other national cyber bodies, CERTs, law enforcement and the security services and to maintain an understanding of the Island’s ability to prevent, detect, respond to and recover from cyber security incidents.Assist us in fulfilling our safeguarding obligations and protect individuals from harm or injury. |
Public functions: The processing is necessary for the exercise of any function of Crown, the States or any public authority (Data Protection (Jersey) Law 2018, Schedule 2, paragraph 4b). |
Contact Details Preferences |
Tailor events to meet your dietary requirements. |
|
Contact Details Organisation Details Preferences |
Keep you informed about developments in cyber security, our services and events, and where appropriate information on third party events. |
Consent |
Beginning section Data sharing
Data sharing
We may need to pass your information to other Government of Jersey departments or other organisations (for example, law enforcement agencies, national security bodies, and cyber response teams) for the purposes stated above.
We have set out, in the table below, the organisations we most frequently need to share personal data with. We may disclose information to other public authorities where it is necessary, either to comply with a legal obligation, or where required under other legislation.
Examples of this include, but are not limited to:
- where the disclosure is necessary for the purposes of the prevention and/or detection of crime
- for national security purposes
- for the purposes of meeting statutory obligations
- to prevent risk of harm to an individual
We may need to share the information you provide to us with other public authorities in order to fulfil your request for a service. This information may contain personal data and – if it does – the legal basis for us processing the data will be, in most cases, for the public function in line with JCSC’s mission to prepare, protect and defend the Island against cyber threats. Further details on the legal basis we rely on is set out below.
In some instances, this data sharing may require us to transfer your personal data outside Jersey. However, we shall only do this with the necessary safeguards in place and where it is lawful because it is necessary and proportionate for the proper discharge of our statutory functions.
Purpose for use | Data used | Legal Basis |
National Security Agencies | All data collected and mentioned above can be used |
1. Necessary for the exercise of any function of JCSC as a public authority 2. Necessary to protect the vital interests of the data subject 3. Carried out in the public interest or is in the exercise of official authority |
Cyber Emergency Response Teams and other National or International Cyber Authorities |
Your personal data may be processed on our behalf by certain third parties who provide services to us, so that they can provide those services. We have strict contracts in place with these service providers to ensure they process your data only on our instructions and with appropriate security in place. The categories of third parties who may receive your personal data in order to provide us with a service are:
- email and data storage providers such as Microsoft;
- IT support or security service providers such as SystemLabs;
- email providers such as DotDigital;
- online survey providers such as SmartSurvey.
At no time will your information be passed to organisations for marketing or sales purposes or for any commercial use without your prior express consent.
Beginning section Publication of your information
Publication of your information
We may need to publish your information on our website for the following reasons:
- where we are required by law to publicise certain information (although we will keep any personal data published to a minimum and anonymise the data where possible)
- in the interests of demonstrating a fair and transparent decision-making process, although your data will be anonymised to protect your identity
- where we are required to provide statistical information about a group of people; although your data will be anonymised to protect your identity
- where you have responded to a consultation, although your comments will be anonymised to protect your identity where the contribution is made in a private capacity. If it is from a person on behalf of an organisation views and connection with the organisation may be attributed.
- where you have contributed content to the website
We will not publish any of your special category data unless there is a requirement for us to do so in order to carry out our statutory functions.
Beginning section How long do we store information about you?
How long do we store information about you?
We will keep your information accurate and up to date and not keep it for longer than is necessary. In some instances, legislation sets the length of time information has to be kept. Please ask to see our retention schedule for more detail about how long we retain your information.
Beginning section Cookies and the JCSC website
Cookies and the JCSC website
JCSC does not track individual website visitors using cookies or any other method. We do not set cookies on our website or retain any data collected using cookies. However, cookies may be set for essential purposes by our web application firewall provider or web hosting provider, and by third party companies providing services connected with our website such as Microsoft and Google.
You can choose whether or not to accept cookies when accessing our website.
Beginning section Your rights
Your rights
Please see the Government of Jersey website for details of your rights under the Data Protection Law and how to exercise them.
Beginning section Complaints
Complaints
If you have an enquiry or concern regarding JCSC processing your personal data you can contact the Central Data Protection Unit.
If you believe that JCSC has contravened the Data Protection (Jersey) Law 2018 and the contravention affects your data protection rights, you have the right to make a complaint at any time to the Jersey Office of the Information Commissioner (JOIC).
We would, however, appreciate the chance to deal with your concerns before you approach the JOIC, so please contact us in the first instance.
Beginning section Changes to this Policy
Changes to this Policy
We may, at any time, revise this privacy statement without notice. The most updated Privacy Notice will be available on Jersey Cyber Security Centre’s website or available upon request.