Support Centre

You have out of 5 free articles left for the month

Signup for a trial to access unlimited content.

Start Trial

Continue reading on DataGuidance with:

Free Member

Limited Articles

Create an account to continue accessing select articles, resources, and guidance notes.

Free Trial

Unlimited Access

Start your free trial to access unlimited articles, resources, guidance notes, and workspaces.

Guernsey: ODPA issues guidance on data sharing, ESG, and DSAR responses

On January 8, 2024, the Office of the Data Protection Authority (ODPA) published guidance covering data sharing (the Data Sharing Guidance), handling data subject access requests (DSARs) (the DSARs Guidance), as well as environmental, social, and governance (ESG) reporting (the ESG Guidance).

Data sharing

The Data Sharing Guidance provides information on how to share information about people in an appropriate and lawful way and highlights key points to note when sharing data including:

  • that there must be a valid reason for the sharing of data;
  • if you are relying on consent as the legal basis for sharing personal data, ensure that you have obtained specific, informed, and freely given consent from the individual(s) concerned; and
  • data sharing must be done as securely as appropriate for the data involved.


The DSARs Guidance confirms that it applies when it is necessary to respond to an individual's DSAR in the circumstances where the requested information includes information about other people. Specifically, the DSARs Guidance details that all decisions must be documented, as companies may be asked to justify how they arrived at the decisions about what information they included, or excluded from, a DSAR response. The DSARs Guidance also contains a flow chart designed to help companies consider all the relevant steps when applying to DSARs.


The ESG Guidance outlines three aspects to consider at the outset regarding ESG reporting: data collection, risk to individuals, and public disclosure of data. Regarding best practices, among others, the ESG Guidance notes that companies should consider whether it is necessary to conduct a Data Protection Impact Assessment (DPIA) to identify and mitigate potential risks to individual rights when processing personal data for ESG reporting.

You can read the press release and the guidance here.