JCSC Privacy Policy

Beginning section Jersey Cyber Security Centre Privacy Policy

This privacy policy covers the Jersey Cyber Security Centre (“JCSC”) which sits within the Department for the Economy.

The JCSC is registered as a ‘Controller’ under the Data Protection (Jersey) Law 2018 (the “Data Protection Law”), as we collect and process personal information about you. We process and hold your information in order to provide public services and meet our statutory obligations. This notice explains how we use and share your information.

We will review and update this privacy notice to reflect changes in our services and feedback from service users, as well as to comply with changes in the law.


Beginning section How we collect information about you

How we collect information about you

Information about you will, in most cases, be collected directly from you. This may be done by you completing a paper or online form, by telephone, email, or by a member of our staff.

In some cases, we may collect information about you from another Government of Jersey department or from third parties we interact with in order to deliver our duties.

Third party organisations with whom JCSC will interact include national security agencies, law enforcement and crime prevention agencies, Cyber Emergency Response Teams (CERTs) and other national or international cyber authorities.

Email
If you email us, we may keep a record of your email address and a copy of the email for record keeping purposes in accordance with our retention schedule.

We suggest that you keep the amount of confidential information you send to us via email to a minimum.

Telephones

We may record or monitor any telephone calls you make to us using recording equipment. If you leave a message on our voicemail systems your message will be kept until we are able to return your call or make a note of your message.

File notes of when and why you called may be taken for record keeping purposes, in accordance with our retention schedule. We will not pass on the content of your telephone calls, unless is it necessary for us to do so, either to fulfil your request for a service, to comply with a legal obligation, or where permitted under other legislation.

 


Beginning section Types of information we collect

Types of information we collect

The types of personal data collected will vary depending on what information you volunteer and the information we need in each circumstance. However, we have listed below the most common categories of information we may collect about you.

  • Contact Details: for example name, address, phone number, mobile phone number, email address.
  • Organisation Details: for example the name of your organisation, your job title or role, your responsibilities within your organisation.
  • Incident Details: for example victim information, data on alleged or confirmed criminal activity, information on cyber security vulnerabilities, computer and network forensic information.
  • Cyber Risk Data: for example information shared by other national cyber authorities or Cyber Emergency Response Teams (CERTs) including the security and law enforcement services, including highly classified information, personal information and sensitive information relating to cyber incidents and reports.
  • Technical Metadata: for example, IP addresses, usage data on software, systems and the internet.
  • Publicly available information: for example information collated from public reports and data feeds, which may include information on individuals.
  • Preferences: for example dietary requirements, opinions or views.
  • Voluntary Information: for example unsolicited information you may provide to us when you engage with us.

 

Cookies and the JCSC Website

JCSC does not track individual website visitors using cookies or any other method. We do not set cookies on our website or retain any data collected using cookies.

However cookies may be set for essential purposes by our web application firewall provider or web hosting provider, and by third party companies providing services connected with our website such as Microsoft and Google.

Cookies may also be set within external content embedded within our website. This includes externally hosted videos and maps.


Beginning section How we will use the information about you

How we will use the information about you

We need to collect and hold information about you, in order to carry out the public functions of the JCSC. Our legal basis for processing personal data in most cases is that it is necessary for the exercise of JCSC’s function as a public authority or as conferred upon JCSC under an enactment.

We have set out in further detail below why we use your personal data in each instance.

Data Collected: Used to: Legal Basis:
Contact Details
Organisation
Incident Details
Cyber Risk Data
Technical Metadata
Publicly Available Information
Voluntary Information
 

Identify the risk of, respond to, and
remediate an actual or potential cyber
security vulnerability, event or
incident.

Allow the statistical analysis of data so
we can amend and adapt our policies
and procedures and plan the provision
of future services.

Public functions: The
processing is necessary for
the exercise of any function
of Crown, the States or any
public authority (Data
Protection (Jersey) Law
2018, Schedule 2,
paragraph 4b).
Contact Details
Organisation Details
Incident Details
Voluntary Information
Carry out the service you have
requested, and to monitor and
improve our performance in
responding to your service requests
Public functions: The
processing is necessary for
the exercise of any function
of Crown, the States or any
public authority (Data
Protection (Jersey) Law
2018, Schedule 2,  paragraph 4b).
Contact Details
Incident Details
Cyber Risk Data
Technical Metadata
Publicly Available Information
Voluntary Information
For crime prevention and national
security purposes.
Public functions: The
processing is necessary for
the exercise of any function
of Crown, the States or any
public authority (Data
Protection (Jersey) Law
2018, Schedule 2, paragraph 4b).
Contact Details
Incident Details
Cyber Risk Data
Technical Metadata
Publicly Available Information
Voluntary Information
Maintain awareness of cyber
threats, and to share and communicate
this information with other national
cyber bodies, CERTs, law enforcement
and the security services and to
maintain an understanding of the
Island’s ability to prevent, detect,
respond to and recover from cyber
security incidents.Assist us in fulfilling our safeguarding
obligations and protect individuals
from harm or injury.
Public functions: The
processing is necessary for
the exercise of any function
of Crown, the States or any
public authority (Data
Protection (Jersey) Law
2018, Schedule 2,
paragraph 4b).
Contact Details
Preferences
Tailor events to meet your dietary
requirements.
Contact Details
Organisation
Details
Preferences
Keep you informed about
developments in cyber security, our
services and events, and where
appropriate information on third party
events.
Consent

 


Beginning section Data sharing

Data sharing

We may need to pass your information to other Government of Jersey departments or other organisations (for example, law enforcement agencies, national security bodies, and cyber response teams) for the purposes stated above.

We have set out, in the table below, the organisations we most frequently need to share personal data with. We may disclose information to other public authorities where it is necessary, either to comply with a legal obligation, or where required under other legislation.

Examples of this include, but are not limited to:

  • where the disclosure is necessary for the purposes of the prevention and/or detection of crime
  • for national security purposes
  • for the purposes of meeting statutory obligations
  • to prevent risk of harm to an individual

We may need to share the information you provide to us with other public authorities in order to fulfil your request for a service. This information may contain personal data and – if it does – the legal basis for us processing the data will be, in most cases, for the public function in line with JCSC’s mission to prepare, protect and defend the Island against cyber threats. Further details on the legal basis we rely on is set out below.

In some instances, this data sharing may require us to transfer your personal data outside Jersey. However, we shall only do this with the necessary safeguards in place and where it is lawful because it is necessary and proportionate for the proper discharge of our statutory functions.

Purpose for use Data used Legal Basis
National Security Agencies All data collected and
mentioned above can be used
 1. Necessary for the exercise
of any function of JCSC as a
public authority
2. Necessary to protect the
vital interests of the data
subject
3. Carried out in the public
interest or is in the exercise
of official authority
Cyber Emergency Response
Teams and other National or
International Cyber Authorities

 

Your personal data may be processed on our behalf by certain third parties who provide services to us, so that they can provide those services. We have strict contracts in place with these service providers to ensure they process your data only on our instructions and with appropriate security in place. The categories of third parties who may receive your personal data in order to provide us with a service are:

  • email and data storage providers such as Microsoft;
  • IT support or security service providers such as SystemLabs;
  • email providers such as DotDigital;
  • online survey providers such as SmartSurvey.

At no time will your information be passed to organisations for marketing or sales purposes or for any commercial use without your prior express consent.