Privacy Rights & Data Protection
What do I need to know about data protection and privacy?
I manage a lot of data.
Why Does Data Protection Matter?
As the volume of data exchanged online increases, so does the demand for data protection and security. Since data may contain sensitive intel like health data and more, ensuring it is managed and provided adequate and appropriate security is essential.
The Data Protection Act
In June 2020 the Data Protection Act was passed and on December 1, 2021, the two-year transition period for data controllers to take all necessary measures to ensure full compliance with the Act began.
The Data Protection Act of Jamaica is largely modeled on the General Data Protection Regulation (GDPR) and governs all aspects of data processing, including collection, storage transmission disclosure and erasure. Like the GDPR, the Data Protection Act is based on the data protection principles spanning fairness and transparency to integrity and accountability and acts to protect the personal data and sensitive personal data of data subjects.
What is Personal Data and Sensitive Personal Data
Personal data is ‘information (however stored) relating to a living individual, or an individual who has been deceased for less than 30 years, who can be identified from that information alone or from that information and other information in the possession of, or likely to come into the possession of, the data controller, and which includes any expression of opinion about that individual and any indication of the intentions of the data controller or any other person in respect of that individual.’
Sensitive personal data is personal data consisting of any of the following information in respect of a data subject:
- genetic data or biometric data;
- filiation, racial, or ethnic origin;
- political opinions, philosophical beliefs, religious beliefs or other beliefs of a similar nature;
- membership in any trade union;
- physical or mental health or condition;
- sex life; or
- the alleged commission of any offence by the data subject or any proceedings for any offence alleged to have been committed by the data subject.
Aplicability of the act
Any person or public authority, who, either alone or jointly or in common with other persons determines the purposes for which and the manner in which any personal data are, or are to be, processed, and where personal data is processed only for purposes for which they are required under any enactment to be processed, the person on whom the obligation to process the personal data is imposed by or under that enactment is for the purposes of this Act a data controller.’
The Act does not just apply to data controllers in Jamaica but also those who use equipment in Jamaica for processing of personal data otherwise than for the purpose of transit through Jamaica; or processes personal data, of a data subject who is in Jamaica, and the processing activities are related to the offering of products or services to data subjects in Jamaica, irrespective of whether a payment of the data subject is required or the monitoring of the behaviour of data subjects as far as their behaviour takes place within Jamaica.
Duties of the Data Controller
The Act imposes various duties on the data controller including registration with the Information Commissioner’s Office, notification to the data subjects and the Information Commissioner in the event of a data breach and compliance with the data protection standards including processing personal data in accordance with the rights of the data subject.