Manx data protection guardian is not made of chocolate


How refreshing to see a data protection supervisor who is not made of chocolate! Take a bow, Mr Iain McDonald from the Isle of Man. Perhaps he could educate his Scottish counterpart and namesake who is tasked with upholding the same UK-wide legislation to protect children and families from state snoopers? Let's hope the Tynwald and Manx population reject this sinister Scottish import that has already caused chaos in policing and other 'single entity' services, but is being shamelessly touted as a success by the cheerleader-in-chief Sir John Elvidge of Enabling State fame (but only if you follow your state-dictated outcomes).

Manx Independent letters, October 23, 2014

Effects of single legal entity

The Manx Independent, dated October 16, published an open letter addressed to the Data Protection Supervisor from Mr Alan Croll concerning a proposal to establish Isle of Man Government as a single legal entity.

Mr Croll posed three questions to me and I have attempted to answer those questions below.

My responses are limited to matters relating to the Data Protection Act 2002 (‘the Act’).

1. Would creating the Isle of Man Government as a single legal entity remove the legal barriers to Government sharing our personal data?

No, establishing Isle of Man Government as a single legal entity will not change how personal data is processed or shared by government.

Personal data must be processed for a specified and lawful purpose or purposes.

The proposed ‘Isle of Man Government’ must, as a public body, have the relevant statutory powers to process personal data including powers to share data.

If the power does not currently exist for a department to do so, then it will not exist for ‘Isle of Man Government’.

In addition to compliance with the Act, there are other compliance issues to consider before any data sharing could occur.

These include: any statutory provision that expressly restricts the use of data (such as those contained in the Income Tax Act for example), compliance with the European Convention on Human Rights, the common law duty of confidentiality and other confidentiality obligations such as those set out in the Caldicott Principles for health and social care data and professional codes of conduct.

2. What other legal consequences would there be if the Isle of Man Government became a single entity?

At present every Department is a separate data controller and each has an entry in the Register of Data Controllers. If a single entity was established then Government would become one data controller.

This also means that if an individual exercised any of the rights set out in Part 2 of the Act, such as the right of access to their personal data, this request would apply to the whole of the ‘Isle of Man Government’.

Similarly if enforcement was necessary, the requirements of any notice would apply to the whole of the ‘Isle of Man Government.’

3. If the Isle of Man Government were to be found sharing personal data illegally would there be any consequences?

Unlike the UK Information Commissioner, the Supervisor does not have mandatory powers of audit, nor the power to impose a monetary penalty.

If the Supervisor received a complaint and, as a result, found that ‘Isle of Man Government’ processed personal data in contravention of the Act then an Enforcement Notice could be issued using existing powers. Failure to comply with an Enforcement Notice is an offence.

Iain McDonald, Data Protection Supervisor.