About this notice

 

This privacy notice explains what information the GSC collects and what it is used for.

The GSC is a Data Controller for the purposes of the Data Protection Act 2018, the Data Protection (Application of GDPR) Order 2018 and the Data Protection (Application of LED) Order 2018, together with any regulations made under them (Manx Data Protection Legislation). We are registered with the Information Commissioner’s Office as a Data Controller. Our registration number is: R002347.

When you use a GSC service we may ask you to share personal information with us. When we collect your personal information we will:

  • Only collect what we need and no more;
  • Keep your information secure;
  • Tell you how we will use your information;
  • Delete your information when it is no longer needed; and 
  • Only process your information to the extent permitted by Manx Data Protection legislation.

This Privacy Notice defines what happens when you give personal information to the GSC and will explain:

  • What information is collected and why;
  • Who is collecting it;
  • How it is collected;
  • Why it is being collected;
  • How it will be used;
  • How long it will be kept;
  • Who it will be shared with;
  • How your information will be kept secure; and
  • Your rights, including how to access your information.

If you have any questions or comments on this Privacy Notice please email the GSC Data Protection Officer using the details at the bottom of this page.

 

Who we are and what we do

 

The GSC is regulatory body and statutory board as defined in in Section 1(1) of Schedule 1 of the Statutory Boards Act 1987. The GSC was appointed as the regulator for the medicinal cannabis sector on the Isle of Man, overseeing the licensing and supervision of cannabis cultivation, production, manufacturing, importation and exportation of industrial materials and products for medical use under the Transfer of Functions (Cannabis) Order 2020.

The GSC comprises of the Inspectorate (a team of Inspectors who manage a portfolio of licence holders) and the Commission, who sit once a month to consider regulatory matters and licence applications.

The GSC’s objectives means that a sophisticated framework must be used when assessing and managing risks, and supervising licensed activities to ensure that all stakeholders are competent, crime free and capable of contributing to a safe, trusted and efficient sector.

For this reason, the GSC aims to utilise information collected and created in the most efficient and secure manner possible in order to meet its objectives reliably and effectively.

 

What we use your data for

 

What we do:

  • Co-operating with cannabis regulatory authorities to prevent the misuse of drugs
  • Issuing licences for cannabis or hemp-related activities
  • Monitoring adherence to licence terms and conditions
  • Making provisions to prevent the misuse of cannabis
  • Conducting cannabis/hemp site visits and inspections
  • Serving notices on the occupier of licensees’ premises
  • Modifying or revoking licences
  • Staff administration
  • Accounts and records
  • Reporting and dealing with personal data breaches
  • Making enquiries or undertaking investigations in accordance with statutory functions and duties
  • General correspondence.

 

 

We collect and process information to provide efficient and effective services and meet our objectives:

  • To ensure that the licensed production and export of cannabis is conducted in a lawful and safe manner;
  • Protecting children and other vulnerable persons form being harmed or exploited by any of the activities carried out by licensees; and
  • Preventing licensees’ activities from being a source of crime, to be associated with crime or disorder and/or used to support crime.

 

The GSC exercises the above functions in order to meet its regulatory objective of preventing the misuse of cannabis under Section 5 (2A) of the Gambling Supervision Act 2010.

 

Our legal basis for processing your information

 

We will only process your personal information if there is a legal reason for us to do so. We may rely on:

  • Your consent – if we rely on your consent to process your information for a certain purpose you may withdraw your consent at any time by contacting the Data Protection Officer;
  • The need to meet a legal obligation in carrying out statutory government functions;
  • The need to meet a request you have made for information or a service;
  • The fact that processing is necessary for us to comply with the law;
  • The necessity to perform a contract we have with you or your organisation, or because you have asked us to take specific steps before entering into a contract;
  • To carry out our functions as a law enforcement body or 'competent authority', including for the prevention, detection and investigation of suspected or actual violations of law;
  • The need to retain information for historical or archiving purposes by the Public Record Office under the Public Records Act 1999 – more information on retention is available from the Public Record Office.

 

Why we process data

Legislation

Preventing the misuse of cannabinol, cannabinol derivatives, cannabis or cannabis resin.

Section 5 (2A) of the Gambling Supervision Act 2010.

Entering into an agreement with a cannabis regulatory authority to prevent the misuse of drugs.

Section 6 (1A) of the Gambling Supervision Act 2010.

Issuing a licence to disapply the prohibition on the exportation of cannabinol, cannabinol derivatives, cannabis or cannabis resin.

Section 3 (2)(b) of the Misuse of Drugs Act 1976.

Making provisions to make it lawful for persons to do things which would be unlawful under Sections 4(1), 5(1) and 6(1) of the 1976 Act, if done in accordance with licence terms and conditions.

Section 7 (1)(b) and (2) of the Misuse of Drugs Act 1976.

Making provisions to prevent the misuse of controlled drugs.

Section 10 (1) of the Misuse of Drugs Act 1976.

Serving notice on the occupier of any premises on which controlled drugs (cannabis, etc.) are (or are proposed to be) kept, to give directions as to precautions for the safe custody of any controlled drugs.

Section 11 (1) of the Misuse of Drugs Act 1976..

Authorising a person other than a Constable to enter the premises of a person carrying on business as a producer or supplier of any controlled drugs, and to demand the production of, and to inspect, any books or documents relating to dealings in cannabis etc., and to inspect the stock.

Section 23 (1) and (3A) of the Misuse of Drugs Act 1976.

Specifying the terms and conditions under which a licence or other authority may be issued, and modifying or revoking a licence.

Section 30 of the Misuse of Drugs Act 1976.

 

Types of personal information we collect

The GSC may collect and process different information based on your involvement with us. Below you will find an overview of the types of information we collect.

 

Information you provide to us directly

 

Category of information

Examples of that type of information

Personal details

Name, email address, telephone number, and address.

Employment details

Current employment details, employment history, income, and employment references.

Financial information

Financial and banking documentation in support of licence applications.

Source of wealth/funding.

Government identifiers

Copy of driving licence, passport, national ID, national insurance number or photo ID document.

Communication

Feedback, comments, complaints, and enquiries.

Personal identification information

Title, date of birth, nationality, and gender.

Education and training details

Academic and professional/industry-related qualifications.

Family, lifestyle and social circumstances

Dependents, marital status, and character references.

Criminal & Disclosure

Criminal convictions, offences and related criminal history.

Complainant Data

Customer-business history.

Supporting documents

Utility bills, proof of address documents and tax information.

 

 

We may also process certain special categories of information for specific and limited purposes such as detecting and preventing crime under our legislation, and modifying or revoking licences, for which the GSC is responsible. 

We will only process special categories of information where we have obtained your explicit consent or are otherwise lawfully permitted to do so. We may process certain special categories of data as defined in the Applied GDPR. This may include:

  • Information about racial or ethnic origin;
  • Religious or philosophical;
  • Genetic data, biometric data;
  • Criminal proceedings, outcomes and sentences; and
  • Offences (including alleged offences).

The GSC endeavours to collect the minimum necessary amount of special category data required to fulfil a specified purpose. Where the GSC obtains special category data which is either superfluous or excessive in relation to the purpose for processing, it will endeavour to securely destroy such data in line with the Retention & Destruction Schedule.

 

Information provided to us by third parties

 

We may obtain data from third parties in order to confirm, verify or authenticate information supplied to us in the application process and/or for the purposes of suitability assessments.

 

Category of information

Examples of that type of information

Personal details

Name, email address, telephone number, and address.

Employment details

Current employment details, employment history, income, and employment references.

Financial information

Invoice number, amount, and financial and banking documentation in support of licence applications.

Source of wealth/funding.

 

Personal identification information

Title, date of birth, nationality, and gender.

Education and training details

Academic qualifications and memberships.

Family, lifestyle and social circumstances

Dependents, marital status, and character references.

Criminal & Disclosure

DBS Forms, criminal convictions, offences, and relevant criminal history.

Other

Utility bills, tax information.

 

 

 

Sharing your information

 

We may share your personal information with third parties to confirm, verify or authenticate information supplied to us in the application process and/or for the purpose of fitness and propriety assessments.

 

We share data with / collect it from …

In order to...

Your Nominated Corporate Service Provider (CSP)

 

 

Process an application you are involved in.

Obtain further information relating to your application(s).

Arrange and invite you to Commission Hearings.

Obtaining, maintaining, surrendering or revoking a licence.

Our licence holders, with your consent

Process and investigate a complaint you have made about the licence holder in question

Information Commissioner’s Office

Reporting a data breach.

Other Government Departments, Boards and Offices

Provide a service or information you have requested, where there are arrangements in place to do so.

The Courts

On production of a valid court order.

The Attorney General’s Chambers

In order to obtain legal opinions on relevant matters, statutory interpretation or criminal proceedings.

Regulatory Bodies

Administer complaints, and initiate proceedings where applicable

Your previous or current employer(s), with your consent or upon your request

Obtain references from previous employers, or provide a reference to current or prospective employers where you have been employed by us.

Open Source Platforms

To verify information provided by yourself as a part of an application.

The Department for Enterprise, with your consent

Respond to queries or feedback, where you have been signposted to us by the DfE or vice versa.

Law enforcement agencies on the Isle of Man

To prevent, detect and investigate crime in relation to our cannabis licensing and supervision activities.

 

Conduct fitness and propriety assessments on licence and job applicants.

Verify the authenticity of information provided in an application.

Law enforcement agencies in the United Kingdom

To prevent, detect and investigate crime in relation to our cannabis licensing and supervision activities.

Conduct fitness and propriety assessments on licence and job applicants, where applicable.

To co-operate with a Cannabis Regulatory Authority to prevent the misuse of drugs.

Law enforcement agencies outside the UK

To prevent, detect and investigate crime in relation to our cannabis licensing and supervision activities.

Conduct fitness and propriety assessments on licence and job applicants, where applicable.

To co-operate with a Cannabis Regulatory Authority to prevent the misuse of drugs.

 

How we keep your personal information

 

How long we keep your information

 

We will only keep your information for the minimum time necessary, with exceptions of when longer retention can be justified for statutory, regulatory, legal or security reasons, or for their historical value.

This may be to:

  • Respond to an enquiry or complaint from you;
  • Continue to monitor licensees and ‘key persons’ throughout their involvement with the GSC;
  • Confirm the transfer of information to other regulatory bodies;
  • Meet Isle of Man Government Financial Regulations;
  • Meet statutory requirements;
  • To analyse the use and quality of our services and to make improvement;
  • Records are only retained for longer term periods if their retention can be justified for statutory, regulatory, and legal or security reasons or for their historic value.

 

For further details about retention periods, or to see the GSC’s Retention and Destruction Schedule, please contact the GSC Data Protection Officer at DPO-GSC@gov.im.

Your personal data may be permanently retained for research use at the Isle of Man Public Record Office if the records containing your personal data are selected for permanent preservation under the Public Records Act 1999. The Isle of Man Public Record Office preserves records of Isle of Man public authorities that are of long-term historic and cultural value. To find out more, click here.

Access to and use of records at the Isle of Man Public Record Office is governed by legislation, in particular the Public Records Act 1999, the Public Records Order 2015 and the Freedom of Information Act 2015. Some records are made available to the public for research use, whilst others are covered by access restrictions to ensure sensitive information that should be confidential for a period of time is protected. Where your personal data is included in records transferred to the Record Office, an assessment will be made of whether the records should be covered by an access restriction based on this legislation. Access restrictions will be applied to records as appropriate under this legislation to prevent unlawful access to your personal data. Your personal data will not be used by the Isle of Man Public Record Office for any automated decision making.

 

The Isle of Man Public Record Office is part of the Department for Enterprise and can be contacted at: public.records@gov.im, or Unit 40A Spring Valley Industrial Estate, Braddan, Isle of Man, IM2 2QS. The Department for Enterprise Data Protection Officer can be contacted at DPO-DfE@gov.im.

 

How we keep your information secure

The security and confidentiality of your information is very important to us.

We will ensure that:

  • Safeguards are in place to make sure personal information is kept securely;
  • Only authorised staff are able to access your information;
  • We maintain security of the systems which hold personal information in line with Government Standards; and
  • We comply with the regulatory and compliance requirements of the Information Commissioner.

We may share your information as described under ‘Sharing Your Information’. Your personal information will not be disclosed to any third party without your prior consent, or where we are permitted or required to do so to exercise our functions as a law enforcement body.

 

We will not sell your personal information to other companies, organisations or individuals. The GSC may share your personal information with other companies, organisations or individuals where there is a legal requirement to do so or where their use will be consistent with our functions described above.

.

Your rights

To ask if we hold personal information about you

 

You can ask to see what information we hold about you by submitting a ‘Subject Access Request’ to the GSC Data Protection Officer.

You can review your personal information and ensure it is accurate

Where possible we will provide you with access to the information we hold about you so that you can view this information and provide a means for you to have this information changed if it is not accurate.

Alternatively you can ask for the information we hold about you to be changed by making a request to the GSC Data Protection Officer. See 'How to request your personal information' at the end of this notice.

.

To remove your personal information

In certain circumstances you can ask for your information to be deleted. Please note that as part of the GSC’s statutory functions, certain information may need to be retained.

You can request this by contacting the GSC Data Protection Officer.

.

To make a complaint

If you are unhappy with the way we deal with your personal information you can submit a complaint to the GSC Data Protection Officer who will work with you to resolve any issues.

The Isle of Man’s Information Commissioner is the independent supervisory body responsible for upholding the public's information rights and promoting and enforcing compliance with the Island's information rights legislation.

You have the right to request the Information Commissioner to undertake an assessment as to whether the processing of your personal data has been carried out in accordance with the provisions of the Manx Data Protection Legislation. Further information regarding complaints to the ICO can be obtained through its website or by calling +44 1624 693260.

 

Will this notice change?

This Privacy Notice may change according to our legal obligations and operational requirements. We will not reduce your rights under this Privacy Notice without your consent. If any significant change is made to this Privacy Notice we will provide a prominent notice on this website so that you can review the updated Privacy Notice. 

This privacy notice was last updated on the 19th of August 2021.

 

How to request your personal information

Under Article 15 of the Applied GDPR you have a right of access to your personal data and to check the accuracy of that data by making a Subject Access Request.

A subject access request is made by filling in our Subject Access Request Formor by contacting the Data Protection Officer.

We have a guidance sheet that gives you details on the process.

To make a request of the DPO for the GSC contact:

GSC,
Ground Floor,
St. George’s Court,
Myrtle St.
Douglas,
Isle of Man,
IM1 1ED

Email: DPO-GSC@gov.im
Phone: +44 1624 694331