About this notice

 

This privacy notice explains what information the GSC collects and what it is used for.

The GSC is a Data Controller for the purposes of the Data Protection Act 2018, the Data Protection (Application of GDPR) Order 2018 and the Data Protection (Application of LED) Order 2018, together with any regulations made under them (Isle of Man Data Protection Legislation). We are registered with the Information Commissioner’s Office as a Data Controller. Our registration number is: R002347.

When you use a GSC service we may ask you to share personal information with us. When we collect your personal information we will:

  • Only collect what we need and no more;
  • Keep your information secure;
  • Tell you how we will use your information;
  • Delete your information when it is no longer needed; and 
  • Only process your information to the extent permitted by Isle of Man Data Protection legislation.

This Privacy Notice defines what happens when you give personal information to the GSC and will explain:

  • What information is collected and why;
  • Who is collecting it;
  • How it is collected;
  • Why it is being collected;
  • How it will be used;
  • How long it will be kept;
  • Who it will be shared with;
  • How your information will be kept secure; and
  • Your rights, including how to access your information.

If you have any questions or comments on this Privacy Notice please email the GSC Data Protection Officer using the details at the bottom of this page.

 

Who we are and what we do

 

The GSC is regulatory body and statutory board as defined in in Section 1(1) of Schedule 1 of the Statutory Boards Act 1987. The GSC was appointed as the regulator for the medicinal cannabis sector on the Isle of Man, overseeing the licensing and supervision of cannabis cultivation, production, manufacturing, importation and exportation of industrial materials and products for medical use under the Transfer of Functions (Cannabis) Order 2020.

The GSC comprises of the Inspectorate (a team of Inspectors who manage a portfolio of licence holders) and the Commission, who sit once a month to consider regulatory matters and licence applications.

The GSC’s objectives means that a sophisticated framework must be used when assessing and managing risks, and supervising licensed activities to ensure that all stakeholders are competent, crime free and capable of contributing to a safe, trusted and efficient sector.

For this reason, the GSC aims to utilise information collected and created in the most efficient and secure manner possible in order to meet its objectives reliably and effectively.

 

What we use your data for

 

What we do:

  • Co-operating with cannabis regulatory authorities to prevent the misuse of drugs
  • Issuing licences for cannabis or hemp-related activities
  • Monitoring adherence to licence terms and conditions
  • Making provisions to prevent the misuse of cannabis
  • Conducting cannabis/hemp site visits and inspections
  • Serving notices on the occupier of licensees’ premises
  • Modifying or revoking licences
  • Staff administration
  • Accounts and records
  • Reporting and dealing with personal data breaches
  • Making enquiries or undertaking investigations in accordance with statutory functions and duties
  • General correspondence.
  • Ongoing monitoring of persons in controlling roles for fitness and integrity purposes 

 

Further information can be obtained by contacting the cannabis licensing team – canna@gov.im or the Data Protection Officer - DPO-GSC@gov.im

 

We collect and process information to provide efficient and effective services and meet our objectives:

  • To ensure that the licensed production and export of cannabis is conducted in a lawful and safe manner;
  • Protecting children and other vulnerable persons form being harmed or exploited by any of the activities carried out by licensees; and
  • Preventing licensees’ activities from being a source of crime, to be associated with crime or disorder and/or used to support crime.

 

The GSC exercises the above functions in order to meet its regulatory objective of preventing the misuse of cannabis under Section 5 (2A) of the Gambling Supervision Act 2010.

 

Our legal basis for processing your information

 

We will only process your personal information if there is a legal reason for us to do so. We may rely on:

  • The need to meet a legal obligation in carrying out statutory government functions;
  • The need to meet a request you have made for information or a service;
  • The fact that processing is necessary for us to comply with the law;
  • The necessity to perform a contract we have with you or your organisation, or because you have asked us to take specific steps before entering into a contract;
  • To carry out our functions as a law enforcement body or 'competent authority', including for the prevention, detection and investigation of suspected or actual violations of law;
  • The need to retain information for historical or archiving purposes by the Public Record Office under the Public Records Act 1999 – more information on retention is available from the Public Record Office.
  • Your consent – if we rely on your consent to process your information for a certain purpose you may withdraw your consent at any time by contacting the Data Protection Officer;

 

Why we process data
Legislation

Preventing the misuse of cannabinol, cannabinol derivatives, cannabis or cannabis resin.

Section 5 (2A) of the Gambling Supervision Act 2010.

Entering into an agreement with a cannabis regulatory authority to prevent the misuse of drugs.

Section 6 (1A) of the Gambling Supervision Act 2010.

Schedule 2 - issues the circumstances under which information can be shared/disclosed

Schedule 2 of the Gambling Supervision Act 2010

Issuing a licence to override the prohibition on the exportation of cannabinol, cannabinol derivatives, cannabis or cannabis resin.

Section 3 (2)(b) of the Misuse of Drugs Act 1976.

Making provisions to make it lawful for persons to do things which would be unlawful under Sections 4(1), 5(1) and 6(1) of the 1976 Act, if done in accordance with licence terms and conditions.

Section 7 (1)(b) and (2) of the Misuse of Drugs Act 1976.

Making provisions to prevent the misuse of controlled drugs.

Section 10 (1) of the Misuse of Drugs Act 1976.

Serving notice on the occupier of any premises on which controlled drugs (cannabis, etc.) are (or are proposed to be) kept, to give directions as to precautions for the safe custody of any controlled drugs.

Section 11 (1) of the Misuse of Drugs Act 1976.

Authorising a person other than a Constable to enter the premises of a person carrying on business as a producer or supplier of any controlled drugs, and to demand the production of, and to inspect, any books or documents relating to dealings in cannabis etc., and to inspect the stock.

Section 23 (1) and (3A) of the Misuse of Drugs Act 1976.

Specifying the terms and conditions under which a licence or other authority may be issued, and modifying or revoking a licence.

Section 30 of the Misuse of Drugs Act 1976.

Allows the movement of a Medicinal product within member states.

Article 4 of the Single Convention on Narcotic Drugs 1961

Provides provision for the movement of Opioids and cultivation the same.

Article 23 of the Single Convention on Narcotic Drugs 1961

Allows for control on the production of cannabis.

Article 28 of the Single Convention on Narcotic Drugs 1961

Outlines the control of manufacture of drugs and specifically in respect of poppy (Opioid).

Article 29 of the Single Convention on Narcotic Drugs 1961

Outlines that gives rise to permission for possession.

Article 33 of the Single Convention on Narcotic Drugs 1961

Allows for supervision and inspection in line with the legislation.

Article 34 of the Single Convention on Narcotic Drugs 1961

Transfer the functions on the regulations to licence the production of such to the GSC.

Section 4 (1) and (2) of the Transfer of Functions Order 2020

Gives rise to the circumstances in which a licence may be granted.

Section 4, 5 and Schedule 1 of the Cannabis Regulations 2020

Statutory Board - Stands for the creation of the GSC as a regulatory body

Section 4 of the Gambling Supervision Act 2010 and Schedule 1 of the Statutory Board Act 1987

Law enforcement agency - Outlines that the GSC are a Law Enforcement Agency

Schedule 10 of the Financial Intelligence Unit Act

Allows for the consideration of those previous convictions which are normally considered "pent" into considerations to grant licenses

Schedule 1 part 3 of the Rehabilitation of Offenders Act (exemption) Order 2018

Official Authority - The inclusion that the GSC is an appropriate authority for the licencing and monitoring of the production of the medicinal cannabis

UK ICO Website

 

Types of personal information we collect

The GSC may collect and process different information based on your involvement with us. Below you will find an overview of the types of information we collect.

 

Information you provide to us directly

 

Category of information

Examples of that type of information

Personal details

Name, email address, telephone number, and address.

Employment details

Current employment details, employment history, income, and employment references.

Financial information

Financial and banking documentation in support of licence applications.

Source of wealth/funding.

Government identifiers

Copy of driving licence, passport, national ID, national insurance number or photo ID document.

Communication

Feedback, comments, complaints, and enquiries.

Personal identification information

Title, date of birth, nationality, and gender.

Education and training details

Academic and professional/industry-related qualifications.

Family, lifestyle and social circumstances

Dependents, marital status, and character references.

Criminal & Disclosure

Criminal convictions, offences and related criminal history.

Complainant Data

Customer-business history.

Supporting documents

Utility bills, proof of address documents and tax information.

 

 

We may also process certain special categories of information for specific and limited purposes such as detecting and preventing crime under our legislation, and modifying or revoking licences, for which the GSC is responsible. 

We will only process special categories of information where we have obtained your explicit consent or are otherwise lawfully permitted to do so. We may process certain special categories of data as defined in the Applied GDPR. This may include:

  • Information about racial or ethnic origin;
  • Religious or philosophical;
  • Genetic data, biometric data;
  • Criminal proceedings, outcomes and sentences; and
  • Offences (including alleged offences).

The GSC endeavours to collect the minimum necessary amount of special category data required to fulfil a specified purpose. Where the GSC obtains special category data which is either superfluous or excessive in relation to the purpose for processing, it will endeavour to securely destroy such data in line with the Retention & Destruction Schedule.

 

Information provided to us by third parties

 

We may obtain data from third parties in order to confirm, verify or authenticate information supplied to us in the application process and/or for the purposes of suitability assessments.

 

Category of information

Examples of that type of information

Personal details

Name, email address, telephone number, and address.

Employment details

Current employment details, employment history, income, and employment references.

Financial information

Invoice number, amount, and financial and banking documentation in support of licence applications.

Source of wealth/funding.

 

Personal identification information

Title, date of birth, nationality, and gender.

Education and training details

Academic qualifications and memberships.

Family, lifestyle and social circumstances

Dependents, marital status, and character references.

Criminal & Disclosure

DBS Forms, criminal convictions, offences, and relevant criminal history.

Other

Utility bills, tax information.

 

 

 

Sharing your information

 

We may share your personal information with third parties to confirm, verify or authenticate information supplied to us in the application process and/or for the purpose of fitness and propriety assessments.

 

We share data with / collect it from …

In order to...

Your Nominated Corporate Service Provider (CSP)

 

 

Process an application you are involved in.

Obtain further information relating to your application(s).

Arrange and invite you to Commission Hearings.

Obtaining, maintaining, surrendering or revoking a licence.

Our licence holders, with your consent

Process and investigate a complaint you have made about the licence holder in question

Information Commissioner’s Office

Reporting a data breach.

Other Government Departments, Boards and Offices

Provide a service or information you have requested, where there are arrangements in place to do so.

The Courts

On production of a valid court order.

The Attorney General’s Chambers

In order to obtain legal opinions on relevant matters, statutory interpretation or criminal proceedings.

Regulatory Bodies

Administer complaints, and initiate proceedings where applicable

Your previous or current employer(s), with your consent or upon your request

Obtain references from previous employers, or provide a reference to current or prospective employers where you have been employed by us.

Open Source Platforms

To verify information provided by yourself as a part of an application.

The Department for Enterprise, with your consent

Respond to queries or feedback, where you have been signposted to us by the DfE or vice versa.

Law enforcement agencies on the Isle of Man

To prevent, detect and investigate crime in relation to our cannabis licensing and supervision activities.

 

Conduct fitness and propriety assessments on licence and job applicants.

Verify the authenticity of information provided in an application.

Law enforcement agencies in the United Kingdom

To prevent, detect and investigate crime in relation to our cannabis licensing and supervision activities.

Conduct fitness and propriety assessments on licence and job applicants, where applicable.

To co-operate with a Cannabis Regulatory Authority to prevent the misuse of drugs.

Law enforcement agencies outside the UK

To prevent, detect and investigate crime in relation to our cannabis licensing and supervision activities.

Conduct fitness and propriety assessments on licence and job applicants, where applicable.

To co-operate with a Cannabis Regulatory Authority to prevent the misuse of drugs.

 

How we keep your personal information

How long and how we keep your information

The GSC uses a Customer Relationship Management system called Atlas to store data relating to licence holders. All of the GSC’s data and information is held on the Isle of Man Governments secure network – further details can be obtained via the Data Protection Officer. 

We will only keep your information for the minimum time necessary, with exceptions of when longer retention can be justified for statutory, regulatory, legal or security reasons, or for their historical value.

This may be to:

  • Respond to an enquiry or complaint from you;
  • Continue to monitor licensees and ‘key persons’ throughout their involvement with the GSC;
  • Confirm the transfer of information to other regulatory bodies;
  • Meet Isle of Man Government Financial Regulations;
  • Meet statutory requirements;
  • To analyse the use and quality of our services and to make improvement;
  • Records are only retained for longer term periods if their retention can be justified for statutory, regulatory, and legal or security reasons or for their historic value.

 

For further details about retention periods, or to see the GSC’s Retention and Destruction Schedule, please contact the GSC Data Protection Officer at DPO-GSC@gov.im.

Your personal data may be permanently retained for research use at the Isle of Man Public Record Office if the records containing your personal data are selected for permanent preservation under the Public Records Act 1999. The Isle of Man Public Record Office preserves records of Isle of Man public authorities that are of long-term historic and cultural value. To find out more, click here.

Access to and use of records at the Isle of Man Public Record Office is governed by legislation, in particular the Public Records Act 1999, the Public Records Order 2015 and the Freedom of Information Act 2015. Some records are made available to the public for research use, whilst others are covered by access restrictions to ensure sensitive information that should be confidential for a period of time is protected. Where your personal data is included in records transferred to the Record Office, an assessment will be made of whether the records should be covered by an access restriction based on this legislation. Access restrictions will be applied to records as appropriate under this legislation to prevent unlawful access to your personal data. Your personal data will not be used by the Isle of Man Public Record Office for any automated decision making.

 

The Isle of Man Public Record Office is part of the Department for Enterprise and can be contacted at: public.records@gov.im, or Unit 40A Spring Valley Industrial Estate, Braddan, Isle of Man, IM2 2QS. The Department for Enterprise Data Protection Officer can be contacted at DPO-DfE@gov.im.

 

How we keep your information secure

The security and confidentiality of your information is very important to us.

We will ensure that:

  • Safeguards are in place to make sure personal information is kept securely;
  • Only authorised staff are able to access your information;
  • We maintain security of the systems which hold personal information in line with Government Standards; and
  • We comply with the regulatory and compliance requirements of the Information Commissioner.

We may share your information as described under ‘Sharing Your Information’. Your personal information will not be disclosed to any third party without your prior consent, or where we are permitted or required to do so to exercise our functions as a law enforcement body.

 

We will not sell your personal information to other companies, organisations or individuals. The GSC may share your personal information with other companies, organisations or individuals where there is a legal requirement to do so or where their use will be consistent with our functions described above.

.

Your rights

To ask if we hold personal information about you

 

You can ask to see what information we hold about you by submitting a ‘Subject Access Request’ to the GSC Data Protection Officer.

You can review your personal information and ensure it is accurate

Where possible we will provide you with access to the information we hold about you so that you can view this information and provide a means for you to have this information changed if it is not accurate.

Alternatively you can ask for the information we hold about you to be changed by making a request to the GSC Data Protection Officer. See 'How to request your personal information' at the end of this notice.

.

To remove your personal information

In certain circumstances you can ask for your information to be deleted. Please note that as part of the GSC’s statutory functions, certain information may need to be retained.

You can request this by contacting the GSC Data Protection Officer.

.

To make a complaint

If you are unhappy with the way we deal with your personal information you can submit a complaint to the GSC Data Protection Officer who will work with you to resolve any issues.

The Isle of Man’s Information Commissioner is the independent supervisory body responsible for upholding the public's information rights and promoting and enforcing compliance with the Island's information rights legislation.

You have the right to request the Information Commissioner to undertake an assessment as to whether the processing of your personal data has been carried out in accordance with the provisions of the Isle of Man Data Protection Legislation. Further information regarding complaints to the ICO can be obtained through its website or by calling +44 1624 693260.

 

Will this notice change?

This Privacy Notice may change according to our legal obligations and operational requirements. We will not reduce your rights under this Privacy Notice without your consent. If any significant change is made to this Privacy Notice we will provide a prominent notice on this website so that you can review the updated Privacy Notice. 

This privacy notice was last updated on the 4th of  July 2024.

 

How to request your personal information

Under Article 15 of the Applied GDPR you have a right of access to your personal data and to check the accuracy of that data by making a Subject Access Request.

A subject access request is made by filling in our Subject Access Request Form, or by contacting the Data Protection Officer.

The Isle of Man Information Commissioner provides guidance on making subject access requests. Information can be found on their website

To make a request of the DPO for the GSC please contact:

GSC,
Ground Floor,
St. George’s Court,
Myrtle St.
Douglas,
Isle of Man,
IM1 1ED

Email: DPO-GSC@gov.im
Phone: +44 1624 694331