Skip to main content

Navigating trusts in a data-driven world: Data protection principles for trustees

Advisory
A sleek black pen with 'Walkers' branding lies atop a closed notebook, both featuring raised 'Walkers' logos.

key takeaways

  • Trustees need to understand their role as both controllers and processors of data.

  • Trustees need to ensure they have an adequate data management system in place.

  • A trustee's data management system needs to recognise when personal data is special category data and deal with it appropriately.

This is the first article in a three-part series by the Walkers Guernsey Regulatory & Risk Advisory team.

We explore what trustees need to be aware of when dealing with data and complying with their obligations under the Data Protection (Bailiwick of Guernsey) Law, 2017 and related legislation (the "DP Law"). 

For any business, charity or trust, data protection is one of the most challenging areas of risk management. The law is wide-ranging, operates at Guernsey, UK, EU and international levels, is in a constant state of flux, and is often subject to high-profile legal challenges.

This three-part series of articles focusses on why trustees always need to be mindful of data protection and the responsibilities and issues that come with it. 

Primarily there are three key reasons:

  1. Trustees need to know what their obligations are under the DP Law when handling personal data.

  2. A major attraction of trust structures is their ability to preserve the confidentiality of sensitive information. Concerns have been voiced that the transparency principles of the DP Law could risk the confidentiality of trust information, and so it’s important for trustees to know what information they can and cannot provide to others.

  3. Guernsey has a relatively new data protection framework whereby those that handle personal data need to register, file an annual return, and pay a levy. Trustees and entities within a trust structure are likely to be caught by the regulations and so need to ensure they take appropriate steps to comply. 

This article sets out the key terms and concepts to keep in mind when applying the DP Law in the context of trusts.

What is personal data?

Personal data is any data that allows a living individual to be identified, such as a name, contact details, bank account number, date of birth, social security number, photo ID, pictures, video or audio recording and an IP address. It can be factual information or simply someone’s opinion. 
In the context of private client work, personal data will include:

  1. the name, age and date of birth of beneficiaries;

  2. biographical and employment information about beneficiaries; and

  3. financial information relating to assets held in trust.

Examples of the sources of personal data in the context of private client work will likely include:

  1. a will;
  2. a letter of wishes;
  3. notes of calls and meetings;
  4. copies of correspondence;
  5. financial records; 
  6. client due diligence;
  7. beneficial ownership registers;
  8. registers of members/directors; and
  9. powers of attorney.

People and organisations can also be ‘sources’ of personal data, for example where a client provides a trustee with personal information about their family member.

Unhelpfully, no list is exhaustive and so trustees need to make an assessment as to whether any piece of information they hold could be personal data, either on its own, or when that piece of information is combined with other information to identify someone.

What is a special category data?

The law classifies some types of personal data as being more sensitive than others. These are known as ‘special categories of personal data’ including:

  • ethnic origin;
  • political opinions;
  • religious beliefs;
  • medical information; and
  • sexual orientation.

Special category data needs to be handled with particular care and it cannot be processed unless specific conditions apply. For example, special category data can be processed where doing so is necessary to fulfil legal obligations. But the justification being relied on must be identified before the data is processed, and reliance on the justification needs to be documented in some way, such as in a data protection policy or notice. 

In a trust context, a trustee may be able to process special category data on the basis that they are advising clients in the context of their estates. However, trustees need to be careful only to process personal data that is relevant to their work as trustee and for which there is a lawful basis. 

The following examples may assist:

  1. A trustee is advising a client on setting up a trust to provide for a disabled family member. The trustee needs to have information about the person's health to be able to establish the trust. The trustee is therefore processing health data for the purpose of establishing someone’s legal claims to a trust, which is a permitted reason to process the health data.

  2. In contrast, if a trustee meets with a longstanding client to discuss their trust arrangements, and the client mentions various details in passing about members of their family which is not relevant to the client's trust arrangements, then the trustee should think carefully as to whether those details are relevant to their services. If not, they should not record them in their file note.

Are trustees caught by the DP Law?

Most of the obligations set out in the DP Law apply to ‘controllers’, meaning the entity or person who is responsible for the decisions made about why and how personal data is used. 

A ‘processor’ is any entity or person that is tasked with processing personal data by a controller. Processors do not determine the nature or the means of the processing; they simply do what the controller tells them to do. 

The term ‘processing’ refers to pretty much anything a controller or processor does with personal data. It includes activities like collecting, storing, organising, using, altering, disclosing, erasing and destroying personal data. 

For trusts, each of the trustees, law firms, and other advisers are likely to be both controllers and processors, depending on the rationale for the processing.

Conclusion

It is important for trustees to understand their role as both controllers and processors. Trustees need to ensure they have an adequate data management system in place. Furthermore, that data management system needs to recognise where personal data is special category data and treat it appropriately. 

The next article in this series is titled "Data privacy notices and data subject access requests" and will consider what proactive steps a trustee needs to take in relation to the data it holds and how a trustee might best respond to data subject access requests. 

About Walkers' Channel Islands' Regulatory & Risk advisory team

Walkers’ Guernsey Regulatory & Risk Advisory team can advise on all aspects of Guernsey data protection, including data protection policies, procedures, privacy notices, data subject access requests, and data protection audits.

We have a dedicated team of regulatory experts spanning all practice areas who regularly advise on all aspects of Guernsey regulation, including financial services, AML, sanctions, data protection, consumer protection, competition, corporate tax (including Pillar 2), economic substance, FATCA, and the CRS. Our team can also provide training to staff on a broad range of topics.

Authors

Key contacts

Get in touch with our team

Get the latest insights and expertise in your inbox 

Fluid ink image
Sign up