MonaLaw Blogs

Doing Business in Jamaica in the New Data Protection Era

Author: Litrow Hickson, Attorney-at-Law & MonaLaw Alumnus
litrowhickson705@gmail.com

The Data Protection Bill was passed in the Jamaican Senate on Friday, June 12, 2020 to pave the way for greater data protection rights in Jamaica. There will be a two-year transitional period to allow time for data controllers to ensure full compliance with the provisions of the Act. The race to full compliance has now begun.

The Act underscores the right to privacy contained in Jamaica’s Charter of Fundamental Rights and Freedoms, 2011 and seeks to ensure Jamaica’s compliance with the Economic Partnership Agreement (EPA) between CARIFORUM and the European Union. By the EPA, states recognized “the importance of maintaining effective data protection regimes as a means of protecting the interests of consumers, stimulating investor confidence and of facilitating transborder flows of personal data”.

The Memorandum of Objects and Reasons to the Act stipulates that it is intended to “establish appropriate legal and regulatory regimes, in line with high international standards, with a view to ensuring an adequate level of protection of individuals with regard to the processing of personal data”. The Act is therefore styled “an Act to protect the privacy of certain data and for connected matters”. 

Changes in the way we do business resulting from the Covid19 pandemic are undeniable. E-commerce is now at the forefront of everyone’s mind. As public authorities, companies and businesses migrate the provision of their products and services to online platforms during the Covid19 era, and for the foreseeable future, there is every indication that data protection will be of even greater concern. Companies and businesses will have an on-going duty to ensure their digital platforms are not only operational but legally compliant to the extent data protection issues arise.

Imagine the instance of an application which facilitates food delivery service or an application which allows access to medical services online. In providing these services, the company may require customers/patients to provide names, addresses, phone numbers, email addresses, credit card data, and other personal information. Having received this information, the recipient will have a multifaceted duty regarding the processing of that information. The recipient of the information, under the Act, will be known as a “data controller”, while the named or identifiable individual to whom the data relates will be the “data subject”.

The Act also covers “sensitive personal data” which includes genetic or biometric data, data regarding sex life, racial or ethnic origin, physical or mental health or condition, political opinions, philosophical and religious beliefs, trade union membership, or the alleged commission of any offence. Any person (whether natural or juristic) or public authority which will require this type of information for execution of its functions will therefore have obligations under the Act.

Some of the duties which will be applicable under the Act are set out below.

A data controller will not be able to process personal data without first being registered under the Act. To the extent a company or business will process personal data, it must now take steps to be compliant with the Act to facilitate this registration. Processing is widely defined under the Act as, among other things, obtaining, recording, retrieving, disclosing, organizing or erasing the data or information. 

The data subject will have a right to be informed free of charge, upon making a written request to the data controller, whether his personal data is being processed by the data controller. If yes, the data controller must provide a description of the data, purpose for processing, and the recipients to whom it will be disclosed.

The Act also contains data protection “standards” for the processing of personal data, including that the data must be:

  1. processed fairly and lawfully; where data is being processed it must be done with the prior consent of the data subject or be “necessary” for one of the reasons set out in the Act;
  2. obtained only for one or more specified and lawful purposes, and not be further processed in any manner incompatible with those purposes;
  3. adequate, relevant, and not excessive, in relation to the purpose for which it is processed;
  4. accurate and, where necessary, kept up to date;
  5. kept for no longer than is necessary for the purpose, and be disposed of in accordance with the regulations;
  6. processed in accordance with the rights of data subjects under the Act;
  7. protected by use of appropriate technical and organizational measures; and,
  8. transferred only to a State or territory outside of Jamaica which ensures an adequate level of protection for the rights and freedoms of data subjects.

There are criminal sanctions applicable where a data controller processes personal data in contravention of these data protection standards. It is therefore prudent for all entities to use the two-year transitional period to ensure full compliance with the data protection standards and the Act generally. This process may involve creation of data protection policies, training programs for staff and internal audits.

A data subject will also be entitled to give notice, either orally or in writing, to the data controller to cease from, or not to begin, processing any of his personal data for direct marketing purposes. Direct marketing is defined to mean communication geared at advertising or marketing, directed at individuals, by whatever means. So, for example, unwarranted emails or text messages may be curtailed where individuals invoke this provision. The way companies and businesses market their products and services may therefore be impacted.

The data subject may also request rectification of inaccuracies in data relating to them occurring by error or omission. Rectification includes destruction, erasure or amendments. There is a right of appeal to the Information Commissioner (established as a body corporate under the Act) where the request for rectification is denied by the data controller.

Compliance with the Act will mean, for many companies operating in Jamaica, increased operational costs to implement technical and institutional support to ensure protection of personal data within their custody or control. For example, the Act includes an obligation to appoint a data protection officer who is appropriately qualified to independently monitor compliance with the Act.

The duty will, no doubt, be more complicated in light of increased cyber security concerns. Now more than ever, businesses may have to consider the commercial aspects of implementing measures for increased data security. The Act acknowledges, however, that the level of security required may vary from entity to entity depending on the nature of the data to be protected and the harm likely to result from unlawful or unauthorized processing, loss or destruction.

The data controller will have a duty to report to the Commissioner, without undue delay, any contravention of the data protection standards or any security breach in respect of the data controller’s operations which affects, or may affect, personal data.

Under the Act, data must not be transferred to a State or territory outside of Jamaica, unless that State or territory ensures an adequate level of protection of the rights and freedoms of the individual from whom the data has been collected. Entities which have operations in multiple jurisdictions which require processing of data outside of the jurisdiction will need to be more vigilant in this respect.

Data protection ought to be an item on the agenda for every company, business or public authority within the coming months. The sooner processes are initiated to ensure full compliance with the Act, the better.

Please note that this article is for general information purposes only and does not constitute legal advice. Independent legal advice should be sought on the subject matter.

For questions or comments related to the blog content, please contact Mr Litrow Hickson directly at litrowhickson705@gmail.com.
 
