The recent inadvertent disclosure of personal data at some major financial institutions in Jamaica have signaled the need for organizations to take a very robust approach to the way in which they handle the personal data of customers. Organizations may face significant penalties and fines for failing to properly handle the personal data of its customers in a safe, secure and confidential manner.
Under the Banking Services Act, there is a general duty of confidentiality or secrecy imposed upon employees and agents of financial institutions as it relates to customer information. Any employee or agent of a financial institution who unlawfully divulges or reveals any information regarding a customer account, commits a criminal offence under the Act and may be liable to a fine of up to J$7.5 million or to imprisonment for a term not exceeding 5 years.
Likewise, a personal data breach under the European Union’s General Data Protection Regulation (GDPR), may result in a company being liable to a fine of up to €20 million or, four percent of its global annual turnover whichever is higher. Just recently, Marriott International was found to be in breach of the GDPR due to the negligent exposure of the personal records of approximately 339 million guests. Marriott International was fined a total sum of £99 million by UK’s Data Protection Regulator. What is distinct about the GDPR is that it is extra-territorial in scope, in that, it applies to any organization which processes personal data of EU citizens by offering goods or services to EU citizens, irrespective of whether the organization is located within or outside the EU. Financial institutions in Jamaica would therefore be caught by the GDPR once they provide financial services to an EU citizen and collect their personal data.
Organizations should also be mindful of the data protection obligations under the impending Data Protection Act, 2017 which is expected to be passed in Jamaica in a few months. Based on the provisions of the latest draft of the Act circulated, a personal data breach under the Act can result in an organization being liable to a fine of up to 10 percent of its annual gross income. A director, manager, secretary or other similar officer of the organization may also be held personally liable for failing to comply with their data protection obligations under the impending Act. Additionally, any person who can prove that they have suffered some sort of damage from the breach would be entitled to compensation from the organization under the Act.
In light of the severity of the fines and penalties which organizations may face, it is important that certain best practices be adopted in order to minimize the risks of a personal data breach. Having regard to the applicability of the GDPR to some organizations as well as the provisions under the Data Protection Act, 2017, the following best practices may be useful.
Organizations ought to conduct security audits to ensure that they are operating in accordance with both local and international data protection standards. These security audits may be conducted bi-annually or quarterly. The security audits will give organizations the opportunity to do an assessment of all the personal data collected by it and determine whether such information is still required to be retained by it. Organizations will also have the opportunity to review existing contracts with employees, customers/clients and suppliers; review security procedures and systems in place; and review procedures regarding the retention and destruction of personal data.
Organizations must ensure that they obtain the express consent of their customers prior to collecting, storing, processing, using and disclosing the customer’s personal data. Consent must be freely given, specific, unambiguous and shown either by a statement or a clear affirmative action which signifies agreement to the processing. Customers must be provided with all the relevant information regarding the processing of their personal data which will enable them to make an informed decision.
Data Protection Policies
Organizations must implement data protection policies, standards and procedures which govern the way in which personal data is processed, stored, retained and destroyed by the organization. These policies are to be written in plain and clear language, and accessible to not only customers but employees as well. Ensure that both customers and employees agree to be bound by the terms of the policies.
The policies are to be reviewed and revised on an annual basis and all third-party service providers engaged by the organization must be required to comply with the said policies.
Employees access to Personal Data
Employees’ access to personal data must be based on a need-to-know basis and all employees who have access to personal data ought to be subject to confidentiality/non-disclosure agreements. Employees must also be properly trained in this area and must be required to report any actual or suspected security breach as soon as it occurs.
Technical and organizational security measures
Organizations must implement certain technical and organizational security measures to prevent unauthorized or unlawful disclosure of customers’ personal data. For example, all emails containing the personal data of customers ought to be encrypted. Personal data of customers stored on mobile or portable devices must also be password protected and an organization should be able to remotely erase customer’s personal data in the event of theft of such device.
Organizations must also ensure that any data processing software and anti-virus software used by it are effectively maintained and up to date.
A personal data breach can result in the loss of existing and potential business for organizations as well as loss of clients and customers’ trust. It is therefore prudent for all organizations to ensure that they are operating in accordance with their local and international data protection obligations. Every effort should be made to avoid the serious implications of a personal data breach.
Samantha Moore is an Associate at Myers, Fletcher & Gordon and is a member of the firm’s Commercial Department. Samantha may be contacted via firstname.lastname@example.org or www.myersfletcher.com This article is for general information purposes only and does not constitute legal advice.