Data Protection Officer (FOI)

Request

Under the Target Operating Model for Data Protection the Government of Jersey (GOJ) has decided to have the Data Protection Officer (DPO) as a managed service from a third party supplier.

Can you please advise how this decision was taken; what other options were considered and why dismissed In favour of this model; what the procurement process was to make this award?

Given the extremely sensitive nature of the role, typically done by a specialist, plus the need for a named DPO to be readily accessible both to all SOJ staff, as well as to the population / citizenship of Jersey, please advise which Chief Officer and which Minister approved this decision?

Response

The decision was taken by the Group Director, Modernisation and Digital in conjunction with the Chief Operating Officer and colleagues in Modernisation and Digital, following consideration of the options available, the ‘as is’ position, and in recognition of the constraints relating to the impact of Covid-19.

Five options were considered:

1. continue with the use of contractors

2. appoint someone internally

3. recruit someone externally

4. pilot a Managed Service for 1 year

5. enter into a multi-year contract for a Managed Service

Option four was chosen on the basis of cost, ease of implementation (particularly during Covid-19 restrictions), speed of implementation and the level of professional resilience provided.

The procurement was undertaken under an exemption to competitive tender exercise as set out in the Public Finance Manual

The decision was approved by the Chief Operating Officer.