
Data Privacy & Protection law on its way

With technology increasingly pervading every aspect of our personal and business lives, the time has come for Jamaica to forge ahead with its promise to safeguard the privacy of individuals, by providing privacy and security protections over personal data that is managed by data controllers. Indeed, Jamaica is gearing to do so through the looming Data Protection Act (“the Act”). It was tabled in 2017 and positive strides have been made this year to move towards its enactment.

Under the Act, personal data relates to information on individuals who can be identified either from the data, or combination of the data and any other information in the possession of, or likely to come into the possession of, a data controller. Defined in the Act, a data controller is any person or public authority that either alone or jointly with other persons “determines the purposes for which and the manner in which any personal data are, or are to be, processed.”

The Act also specifically covers certain classes of sensitive personal data such as genetic or biometric data, and data regarding racial or ethnic origin, sex life, physical or mental health or condition, political opinions, philosophical and religious beliefs, trade union membership, or the commission or alleged commission of any offenses.

STANDARDS CRITERIA

There will be minimum data protection “standards” to comply with, including that such data:

be processed fairly and lawfully;
be obtained only for one or more specified and lawful purposes, and not be further processed in any manner incompatible with those purposes;
be adequate, relevant, and not excessive, in relation to the purpose for which it is processed;
be accurate and, where necessary, kept up to date;
not be kept for longer than is necessary for that purpose, and be disposed of in accordance with the regulations;
be processed in accordance with the rights of data subjects;
be protected using appropriate technical and organizational measures; and,
not be transferred to a State or territory outside of Jamaica, unless that State or territory ensures an adequate level of protection for the rights and freedoms of data subjects.

Additionally, data controllers will be required to:

register personal data processing activities with, and report promptly data breaches to, the Information Commissioner (“IC”);
be established and process personal data in Jamaica or where Jamaican law applies by virtue of international public law, or, if not established in Jamaica, use equipment in Jamaica for processing such data other than for purposes of transit through Jamaica;
appoint a data protection officer responsible for monitoring in an independent manner the data controller’s compliance with the Act;
conduct an annual privacy impact assessment and submit it to the IC; and
allow individuals to exercise choice concerning direct marketing and automated decision-making and rectify inaccuracies in personal data.

NEW INFORMATION COMMISSIONER AND ENFORCEMENT

Key to the change is the establishment of the IC and its office which is charged with the responsibility of overseeing the way personal data in the possession of private and government entities is handled.

For many companies, compliance with the Act will mean incurring costs to put into place the necessary technical and institutional support to ensure protection of personal data within their custody or control. Companies not complying with the Act and any codes issued by the IC may:

· be issued with enforcement notices;
· risk facing class actions, which up until now have not been a feature of civil litigation;
· be required to compensate individuals for damages suffered in contravention of the Act or relating to certain “special purposes”; and
· be subject to various levels of civil and criminal penalties and fines.

In extreme situations, the IC may have the power to bring a business to a grinding halt if its core business involves the processing of personal data and it is in contravention of the Act.

It would be imprudent for any business to think that it can evade the new regime. An investigation by the IC can be instigated by several persons. Firstly, the data protection officer is obliged to report any data breach where there is a risk to the privacy rights of data subjects. Disgruntled employees can also make a report of any inappropriate activities or lack of proper safeguards. Most significantly, customers or data subjects themselves can also lodge complaints with the supervisory authority which can then lead to an investigation.

TRANSITION PERIOD

The Act provides for a one-year transition period. During this transition period the administrative parts of the Act are slated to be rolled out, that is, the establishment and staffing of the Commission.

During this one-year period no proceedings under the Act will be taken against any data controller. This is logical because the IC and its office will require time to get its act together.

In the same spirit, it is common sense that companies too should be given a sufficient window to hire the right data protection experts, put processes in place and establish the technical safeguards needed to comply with the Act. Whilst a year may seem adequate, given the enormity of the impact the Act will have on day-to-day business operations, it may not be enough, and it would thus be wiser for companies to start well ahead.

EXAMPLES OF WHAT WOULD CONSTITUTE A BREACH

Drawing on examples of breaches in countries where data protection laws already exist, we understand that in general all countries would consider any one, or a combination, of the following as a data breach:

· where there is access to the data by an unauthorised third party;
· where there is deliberate or accidental action (or inaction) by a data controller or processor;
· where the data has been sent to an incorrect recipient;
· where the data is used for unsolicited marketing messages;
· where computing devices containing the data have been lost or stolen;
· where there is tampering/alteration of the data without permission; and
· where there is loss or deletion of the personal data.

A few examples illustrate its importance. In January 2020, a large retail outlet was fined £500,000 after a ‘point of sale’ computer system was compromised as a result of a cyber-attack, compromising the private data of at least 14 million people. In June 2019, telecoms company EE Limited was fined £100,000 for sending over 2.5 million direct marketing messages to its customers, without consent. However, it is not just large corporations that have been held accountable. Government bodies as well as small businesses have also taken a hit. In November 2018, UK’s Metropolitan Police Service was issued with enforcement notices for retaining and processing personal data for longer than was necessary for its stated purposes. It also failed to erase personal data which should have been erased and adopt consistent data retention policies. In August 2019, a small finance company was issued with an enforcement notice for failing to respond to a subject access request by a customer.

FIND OUT MORE ABOUT THE ACT

The Act, built on the framework of the European Union’s General Data Protection Regulation (GDPR), was introduced in the context of concerns raised over the increasing amount of personal data and other sensitive information entering the hands of companies and other entities.

Businesses must ensure that the requisite governance structures and technical solutions are in place to ensure the confidentiality, integrity, and availability of the personal data. We advise that companies record the steps they will actively take to comply and develop internal workflow and checklists so that the information is readily available should the IC ever come knocking. We also recommend business owners familiarize themselves with the Act and understand the implications for failing to abide by its tenets.

The information provided in this article does not, and is not intended to, constitute legal advice. If you have particular concerns regarding this or any other subject matter that you wish to have addressed, please contact an attorney so that your specific circumstances can be evaluated.
