Data Protection
A reputation for quality and excellence is a hard-won resource. The Administration enacts appropriate measures to prevent unscrupulous operators from using the island as a haven for avoiding internationally accepted legislation. It protects the reputation of local businesses and the Isle of Man as a business centre throughout the global economy.
The body of Isle of Man legislation is outlined here.
e business - Data Protection
Consumer confidence, particularly in the areas of confidentiality and security, is an important aspect of any business and is essential to the development of e business. It is Government's belief that consumer confidence is enhanced by the existence of adequate data protection laws, that require businesses to take certain steps to safeguard a person’s privacy and provide remedies including compensation if breaches occur.
Data Protection
In the Isle of Man, the Data Protection Act 2002 (the Act) makes provisions for the regulation of the processing of information relating to individuals.
The Act is based upon the UK’s Data Protection Act 1998 and gives effect in the Island to Directive 95/46/EC of the European Parliament. This relates to the protection of individuals with regard to the processing of personal data and on the free movement of such data. In addition, Council of Europe Convention 108 also applies to the Island.
The Act applies to data processed automatically, structured manual records and certain health, education and housing records.
The Office of the Data Protection Supervisor
The Office of the Data Protection Supervisor (ODPS), which is independent of Government, is responsible for administering the Act in the Island. The ODPS policy is to actively assist businesses (data controllers) who process personal data to comply with the Act by providing training, assistance and guidance in the provisions and interpretation of the Act and thereby protect an individual’s privacy by preventing breaches from occurring.
The ODPS also actively promotes awareness of an individual’s rights and the sanctions and remedies available when these rights are contravened. Under the Act, the ODPS has powers to ensure compliance either through enforcement or if necessary through prosecution.
Further detailed information on the Act can be found on the ODPS web site.
Eight Data Protection Principles
The Act sets out eight data protection principles to be followed by data controllers when processing personal data. In summary these are:
Personal Data must be
- Fairly and lawfully processed
- Used for specific purposes
- Adequate, relevant and not excessive
- Accurate and where necessary kept up to date
- Kept for no longer than necessary
- Used in accordance with the rights of individuals under the Act
- Kept secure
- NOT transferred to another country outside the EEA without adequate protection
International Standards
The Island’s data protection legislation meets the following standards:
European Data Protection Directive 95/46/EC
On the 28th April 2004, the European Commission adopted a decision on the adequate protection of personal data in the Isle of Man. Article 1 of this decision states:
“For the purposes of Article 25(2) of Directive 95/46/EC, the Isle of Man is considered as providing an adequate level of protection for personal data transferred from the community”
This decision permits personal data to be transferred between European Economic Area member states and the Isle of Man without the need for additional safeguards.
The full text of the decision can be found at:
Council Of Europe Convention 108
Council of Europe Convention 108 for the Protection of Individuals with regard to automatic processing of personal data ("Convention 108") was opened for signature in 1981 and has its roots in a concern for the right to private life. It sets out minimum standards that should be in place in national law before a country may sign the Convention.
The UK ratified Convention 108 on 26 August 1987 and it has applied to the Isle of Man since 21 January 1993.
Further information on Convention 108 and Data Protection within the Council Of Europe can be found at:
Additional protocol to Convention 108 regarding supervisory authorities and transborder data flows (ETS No. 181)
The Island has also requested that the additional protocol to Convention 108 should be extended to the Island.
APPLICATION OF THE ACT TO E BUSINESS
2.1 Introduction
The definition of data in the Act includes information processed by equipment operating automatically in response to instructions given for that purpose. Therefore, information processed on a computer, as well as on other equipment capable of automatic processing such as audio and video systems and document image processing systems, falls under the definition of data.
2.3 Internet
Data protection legislation applies to personal data in an internet context.
The Article 29 Working Party (a working party established under Directive 95/46/EC and comprising the heads of the EU member states' data protection regulators) has published several opinions with regard to processing on the internet. These opinions can be found at:
In addition, the Council of Europe has issued Recommendation No. R(99) 5 for the protection of privacy on the Internet (23 February 1999).
This recommendation can be found at:
2.5 E-mail
It is accepted that where an e-mail address constitutes the name of an individual, it is likely to be personal data as an individual can be identified from that information. This does not necessarily apply to an e-mail address which does not contain the name of an individual such as abc@aol.com. However, in the possession of the relevant ISP for example, even this e-mail address may constitute personal data as it is possible that the individual could be identified from other information in the ISP's possession.
Information gathered via the use of e-mail clearly can be personal data, for example when an individual sends their name and address by way of e-mail. It is important to remember that the definition of personal data includes opinions about an individual, therefore such opinions transmitted by email are also personal data.
The Unsolicited Communications Regulations 2005, which are based on the UK regulations and the EU Privacy and Electronic Communications Directive, make provisions for the transmission of marketing e-mails to individuals.
A business wishing to send marketing e-mails to an individual must have prior consent or have obtained the e-mail address of the individual in relation to a transaction for a similar product or service. Any e-mails transmitted must also provide a free of charge method for the individual to prevent further marketing e-mails.
2.6 Websites
The use of personal data on a website is no different to the use of personal data anywhere else. The Act applies to the obtaining of information over the internet where this constitutes personal data, for example via an on-line application or registration form.
Websites need to comply with the Act and the data protection principles. Of particular importance in an internet context are the fair processing requirement and security issues.
2.7 Cookies
The use of cookies or other covert software, such as web bugs, to collect information about visitors to a website amounts to collecting personal information and is therefore covered by the Act. Individuals should therefore be told of such collection.
Further useful information can be found at:
2.8 Privacy Statements
It is always good practice for a website to contain a statement of privacy policy; individuals are then reassured when they visit a site that adequate safeguards are in place for their personal information.
The OECD provides a privacy statement generator, which can be found at:
2.9 Security Measures
The seventh principle, on measures against misuse and loss of data, states:
“Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.”
The interpretation of the principle further states:
“Having regard to the state of technological development and the cost of implementing any measures, the measures must ensure a level of security appropriate to-
a) the harm that might result from such unauthorised or unlawful processing or accidental loss, destruction or damage as are mentioned in the seventh principle, and
b) the nature of the data to be protected.”
and
“The data controller must take reasonable steps to ensure the reliability of any employees of his who have access to the personal data.”
The nature of the data concerned / risk analysis
Clearly, the more sensitive the data the greater the harm that may result.
The level of security taken by the local newsagent to protect his list of clients on the paper round is not going to match that of a bank with online client access. For example, what amount of harm (damage or distress) would be caused by the accidental disclosure of the paper round list, compared with the unauthorised disclosure of a client's bank account details? One may cause some minor embarrassment when the neighbours learn that the Vicar reads the Sunday Sport, while the other could lead to financial loss if a claim for damages were successful.
Once you have established the type of data you hold, and the potential harm that could be caused by its errant use or loss, you should then look at how best to remove or reduce that risk. There are three main areas that should be considered when assessing security with regard to personal data.
- System security
- Policy and procedures
- Staff training
System security
Looking particularly at security measures that apply to the Internet and computer systems, your IT department will have, or should have, looked at measures such as:-
- Firewalls
- Encryption
- Audit trails
- User access authority
- Password controls
- Anti-virus software
- Backups
- The place where personal data are stored:-
  - Consider the physical location of your data, including the location of everything from file servers to the PC on the receptionist's desk.
  - Could data be accessed or removed by unauthorised personnel or visitors?
  - Could someone take your backup tapes?
Policies and procedures
Measures taken for ensuring the reliability of staff having access to the data:-
- Not all of your staff should have access to all personal data. For example, an accounts clerk in an insurance company has no need to access the results or notes of a data subject's health report. Health reports should only be accessible by the company's designated Medical Officer or possibly the insurer's underwriter.
- There should be a corporate policy and procedure on how staff will handle and use personal data.
- All employees who have access to personal data must be made aware of the data protection principles and their responsibilities and obligations under the Data Protection Act.
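One way to put the insurance-company rule above into practice is a default-deny, role-based access check that writes every decision to an audit trail (the page lists user access authority and audit trails among the system security measures). This is an added illustration, not code from the guidance or the ODPS; the role names, record categories and log fields are assumptions.

```python
"""Role-based access check with an audit trail for the scenario in the text:
an accounts clerk must not read a data subject's health report, while the
designated Medical Officer (or underwriter) may. Added example; roles,
categories and the log format are assumed, not taken from the Act."""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Assumed policy: record categories each role is permitted to read.
# Any role not listed here gets nothing (default deny).
POLICY = {
    "accounts_clerk": {"billing", "contact"},
    "medical_officer": {"health", "contact"},
    "underwriter": {"health", "billing", "contact"},
}


@dataclass
class AuditTrail:
    """In-memory audit log; a real deployment would write to append-only storage."""
    entries: list = field(default_factory=list)

    def record(self, user, role, subject_id, category, allowed):
        self.entries.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "user": user, "role": role, "subject": subject_id,
            "category": category, "outcome": "ALLOW" if allowed else "DENY",
        })


def access_record(trail, user, role, subject_id, category):
    """Return True if `role` may read `category` for `subject_id`; log either way."""
    allowed = category in POLICY.get(role, set())  # unknown role -> deny
    trail.record(user, role, subject_id, category, allowed)
    return allowed


def denied_attempts(trail, user=None):
    """Count DENY entries, optionally for one user: a simple review hook so that
    repeated attempts to reach data outside someone's role are noticed."""
    return sum(1 for e in trail.entries
               if e["outcome"] == "DENY" and (user is None or e["user"] == user))


if __name__ == "__main__":
    log = AuditTrail()
    access_record(log, "clerk01", "accounts_clerk", "DS-001", "billing")  # allowed
    access_record(log, "clerk01", "accounts_clerk", "DS-001", "health")   # denied
    access_record(log, "mo01", "medical_officer", "DS-001", "health")     # allowed
    for entry in log.entries:
        print(entry["outcome"], entry["user"], entry["category"])
```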
Good practice dictates that:-
- Every business should have an internet and e-mail policy informing staff of the rules concerning the use of e-mail or the Internet for personal use, what usage is acceptable and what is not, and including any policy concerning the interception of e-mails together with penalties for misuse.
Staff training
Compliance officers should ensure:-
- IT managers are aware of the implications of the Act
- Employees are made aware of their responsibilities before they access or handle personal data. If you wait three weeks before sending staff on an induction course, much damage could already have been done by then.