Privacy Statement

What this Statement covers

This Privacy Statement (the Statement) sets out the privacy practices relevant to the Office of the Comptroller and Auditor General. For the purposes of this Statement, the Office of the Comptroller and Auditor General is referred to as the Jersey Audit Office (JAO).  This Statement explains what information we collect, how information is collected, how it is used, your rights and what controls you have. In particular:

• What information the JAO collects about you and when
• How the JAO uses your information
• How the JAO protects your information; and
• Your rights regarding the information you provide.

It applies to information the JAO collects about you in the course of our statutory audit work, when we deal with any complaints, correspondence and enquiries, and when you use the JAO website (the Website) including when you sign up for any of our events. The JAO also has X (formally Twitter) and LinkedIn accounts.

 

Identity of the Data Controller

The Office of the Comptroller and Auditor General was established by Article 2 of the Comptroller and Auditor General (Jersey) Law 2014 (the C&AG(J)L 2014) and is the relevant data controller in respect of the personal information it holds about you.   The C&AG(J)L 2014 requires the C&AG to provide the States with independent assurance that the public finances of Jersey are being regulated, controlled, supervised and accounted for in accordance with the Law.

You can contact us by phone, email, in person, via social media and by post.

Our contact details are:

Jersey Audit Office, de Carteret House, 7 Castle Street, St Helier Jersey, JE2 3BT

1. (+44) 1534 716800
   E. [email protected]
   W. www.jerseyauditoffice.je

The Data Protection Officer (DPO)

To contact the JAO’s DPO, please email [email protected] or call the JAO office on +44 1534 716800.

 

The Data Protection Law

We comply with the Data Protection (Jersey) Law 2018 (the 2018 Law).

 

What kinds of data may we access or hold about you?

Personal data, or personal information, means any information about an individual from which that person can be identified directly or indirectly. It does not include data where the identity has been removed (anonymous data).

We process data where we have a clear legal basis for doing so and where it is proportionate and necessary in pursuance of our role and responsibilities. In practice, this means that we may potentially collect, use, store and transfer different kinds of personal data about you which we have grouped together as follows:

• Identity Data includes names, marital status, title, date of birth, nationality and gender.
• Contact Data includes address, email address and telephone numbers.
• Work Data includes details about your work for an organisation that we audit or examine or a related organisation or for an international organisation. This could include details of your role at the organisation, projects you have worked on, your personnel file, information about your performance, and correspondence between you and colleagues at that organisation or between you and people who interact with that organisation.
• Financial Data includes bank account details, remuneration information and records of payments to and from you.
• Service Data includes details about your use of services provided by organisations we audit or examine or related organisations or by an international organisation. This can include details about actions those organisations have taken relating to you, including case files and other records the organisation keeps about you and correspondence between you and those organisations.
• Technical Data includes internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access our website.
• Usage Data includes information about how you use our website.
• Communications Preferences includes your preferences in receiving information from us such as updates about our work and events and our other public engagement activities, and the mode of communication you choose.
• Event Photographs and Videos includes group or individual photographs or videos taken at conferences or other events we host.

Work data, financial data and service data sometimes includes Special Category Data, which means data about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health and genetic and biometric data. For example, if a financial examination includes payroll information it might include details of trade union subscriptions you have asked your employer to deduct from your pay.

We may also sometimes include data about criminal convictions and offences (Criminal Data). This is rare but does sometimes happen. For example, where we examine the effectiveness of organisations that provide services relating to the criminal justice system we might access Criminal data in the course of our examination.

 

How do we collect your personal data?

We collect your data in different ways. Most of the data we hold about you is data you have provided directly or is data provided to us by organisations that we audit or examine or related organisations.

In this Statement we use the phrases ‘audit’ and ‘examine’ to refer to the work we carry out for our main statutory functions:

• ‘Audit’ refers to the financial audits where we are required to appoint auditors under the C&AG(J)L 2014.
• ‘Examine’ refers to the value for money studies and investigations that we carry out using our legal powers.

You can find out more about our work here: Jersey Audit Office

Data collected for audits or examinations. When we audit or examine an organisation we collect information from that organisation, and sometimes from its contractors, grant recipients, or other related organisations. The information we collect from them may contain your Identity Data, Contact Data, Work Data, Financial Data, Technical Data or Service Data. Sometimes that information is provided to us voluntarily, but generally we obtain it through using our legal powers to access information.

Data collected in our international work. We work with international organisations to share knowledge. Those organisations may provide personal data to us.

Direct interactions. You give us your data by filling in forms or by corresponding with us by post, phone, email or otherwise. This also includes personal data you provide when you:

• subscribe for email updates
• take part in a survey
• give us feedback
• apply for a role with us
• connect with us on social media; or
• attend an event we host.

Correspondence or publicly available sources. We may receive personal data about you from people who write to or telephone us or from publicly available sources.

Automated technologies or interactions.  As you interact with our website, we automatically collect Technical Data about your equipment browsing actions and patterns. We collect this personal data by using cookies, server logs and other similar technologies.

Photography or video recordings at our events. If you attend events hosted by us, you may be invited to appear in an individual or group photograph or video used to record or publicise the event.

 

How do we use your information?

We will only use your personal data when the law allows us to do so. Most commonly, we will use your personal data in the following circumstances:

• Where it is necessary in order for us to carry out our statutory functions in the public interest or, in the case of special categories of personal data, for reasons of substantial public interest. Our appointment of auditors and undertaking of examinations help the States Assembly to scrutinise public spending, hold government to account, and drive improvement in public services. This work serves a substantial public interest.
• Where it is necessary for us to comply with a legal or regulatory obligation.
• With your consent, but only in the case of sending you email updates. You have the right to withdraw consent at any time by contacting us.

We have set out below, in a table format, a description of all the ways we use your personal data, and which of the legal bases we rely on to do so.

Note that we may process your personal data for more than one lawful basis depending on the specific purpose for which we are using your data. Please contact us if you need details about the specific legal lawful basis we are relying on to process your personal data where more than one lawful basis has been set out in the table below.

 

Purpose	Type of data	Lawful basis for processing
a) To appoint an auditor where the Law requires us to do so, or b) to conduct statutory examinations of the economy, efficiency and effectiveness of the States of Jersey, which we do by carrying out value for money studies, investigations and briefing the States Assembly/Public Accounts Committee	Identity Contact Work Financial Services Technical (These types of data may include Special Category Data or Criminal Data)	The processing is necessary for us to carry out our statutory functions in the public interest. Where we process Special Category Data or Criminal Data we do so because it is necessary for carrying out statutory functions, which serve as prevention of unlawful acts.
To carry out quality assurance for our audit work, and to enable the Institute of Chartered Accountants in England and Wales (ICAEW) to review audit work.	Identity Contact Work Financial Services Technical (These types of data may include Special Category Data or Criminal Data)	The processing is necessary for us to carry out our statutory functions in the public interest. Where we process Special Category Data or Criminal Data we do so because it is necessary for carrying out statutory functions, which serve as prevention of unlawful acts.
To contact you to ask you to participate in surveys relevant to our value for money studies, investigations and briefing the States Assembly/Public Accounts Committee	Identity Contact	The processing is necessary for us to carry out our statutory functions in the public interest.
For recruitment purposes	Identity Contact Work Technical (These types of data may include Special Category Data or Criminal Data)	Necessary for entering into a contract between the data subject and data controller.
To send you JAO publications, email updates and manage event invitations you have accepted.	Identity Contact Communications Preferences	Your consent. Processing is necessary in the public interest.
To respond to correspondence from you.	Any data you include in the correspondence Technical	The processing is necessary for us to carry out our statutory functions in the public interest.
To administer and protect our business and our website (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data).	Identity Contact Technical Usage	The processing is necessary for us to carry out our statutory functions in the public interest. Processing is necessary to comply with other legal obligations.
For fulfilling our legal obligations to provide information to third parties.	Any of the categories of data we hold (These types of data may include Special Category Data or Criminal Data)	Processing is necessary for compliance with our legal obligations. In the case of Special Category Data or Criminal Data processing is necessary for reasons of prevention of unlawful acts, or is necessary for the establishment, exercise or defence of legal proceedings.
To take legal advice and to make and defend legal claims.	Any of the categories of data we hold. (These types of data may include Special Category Data or Criminal Data)	Processing is necessary in the public interest. In the case of Special Category Data or Criminal Data processing is necessary for the establishment, exercise or defence of legal proceedings.
To record or publicise the events we host.	Event photographs or video.	Your consent.

We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose.

If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.

Please note that we may process your personal data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.

 

Who do we share your information with?

We may have to share your personal data with the following parties for the purposes set out in the table above:

• States Assembly/Public Accounts Committee, if the personal data is included in a report that we are required to lay before them.
• The Institute of Chartered Accountants in England and Wales (ICAEW) where the ICAEW reviews audit work for quality assurance.
• Third parties that are legally entitled to receive the data.
• Our service providers who process the data on our behalf in order to provide IT and administration services.
• Our service providers who process the data on our behalf to conduct surveys or to distribute other communications.
• Our professional advisers including lawyers and auditors who provide professional services to us.

We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.

How do we keep your data secure?

We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those individuals in the Jersey Audit Office, contractors and other third parties who have a business need to know. They will only process your personal data on the instructions of the Jersey Audit Office, and they are subject to a duty of confidentiality.

We have put in place procedures to deal with any suspected personal data breach and will notify you and the Jersey Office of the Information Commissioner of a breach where we are legally required to do so.

 

How long do we keep your data?

We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including the purpose of satisfying any legal, accounting or reporting requirements.

To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.

Details of retention periods for different aspects of your personal data are available in our Retention Policy which you will find on our website https://www.jerseyauditoffice.je/wp-content/uploads/2025/10/JAO-Retention-Schedule-October-2025.pdf

 

What are your data protection rights?

Data protection legislation provides data subjects with a number of rights. These include:

1. The right to know what type of personal data we hold about you, to be given details about how we use it and to be provided with a copy of the personal data held
2. The right to have any errors or omissions corrected
3. In certain circumstances, the right to request erasure of all your personal data that we hold
4. The right to request we restrict the processing of your personal data
5. The right to object to the further processing of your personal data, including the right to object to direct marketing
6. The right to withdraw consent if you had previously given us consent to process your data
7. The right to request that personal data that you have given to us be moved to a third party; and
8. The right to lodge a complaint.

Please note that Schedule 1 of the Data Protection (Jersey) Law 2018 sets out that certain of the rights referred to above may be restricted in certain circumstances, including where it is necessary to avoid obstructing official or legal inquiries, investigation or procedures or to avoid prejudicing the prevention, detection, investigation or prosecution of a criminal offence.

If you wish to exercise any of these rights, please email our DPO at [email protected]. In your request, please make clear (a) what personal information is concerned, and (b) which of the above rights you would like to enforce. For your protection, we only implement requests with respect to the personal information associated with the particular email address that you use to send us your request, and we will need to verify your identity before implementing your request.

You can also write to our DPO at Jersey Audit Office, de Carteret House, 7 Castle Street, St Helier Jersey, JE2 3BT.

We will comply with your request as soon as reasonably practicable.

When you make a request, we will consider any lawful exemptions that may apply and that prevent us from responding to your request in the manner you may wish. It is possible that there is something that will prevent us from responding to your request in the way you would like. If that is the case, we will explain this to you in writing when we respond to your request.

 

Your right to complain

We aim to meet the highest standards when processing personal data.

If at any stage you became dissatisfied with the manner in which we collect, hold or process your personal data or if you have any questions, please contact us in the first instance.

If you remain dissatisfied with our response, you have the right to raise your concern with the Information Commissioner at the address below.

The Jersey Data Protection Authority

5 Castle Street. St Helier. Jersey JE2 3BT

1. +44 (0)1534 716530
2. [email protected]