Reinventing Data Protection
Newsletter - Vol. 30, Issue 1, March 2018
The data protection landscape in Jamaica may be reinvented by the passing of the Data Protection Bill. Since the advent of the internet, which has revolutionized the way information is created, captured, shared and stored, the law has struggled to regulate and provide adequate protection for personal data. The Bill aims to govern the collection, regulation, processing, storage, use and disclosure of certain information, while providing individuals with an additional level of security in relation to how institutions handle their personal information. It is therefore imperative for all to understand the Bill and how it proposes to protect data.
Currently, data protection is not specifically regulated by statute in Jamaica, and as such there are no specific statutory restrictions on the transfer, storage or display of personal data outside of Jamaica. For many years, Jamaicans had to rely on the common law principles of confidentiality, which protect information that is confidential in nature and was communicated under an obligation of confidence. The lack of a unified piece of legislation, the various hacking and data manipulation concerns, and the general ease of doing business online are among the several reasons which led to the drafting of the Bill tabled in Parliament on October 3, 2017.
Features of the Data Protection Bill
The Bill imposes an obligation on “data controllers” in possession of any individual’s personal data to deal with that information in such a manner that offers that person a level of protection and confidence.
How can your information be used?
1. Who data controllers are
“Data controllers” are defined as any person or public authority who, either alone or jointly or in common with others, determines the purposes and manner in which personal data are to be processed. Individuals, organisations, and companies that are either 'controllers' or 'processors' of personal data will be covered by the Bill.
2. Jurisdiction of data controller: local and extra-territorial
The Bill applies to data controllers established in Jamaica or in any place where Jamaican law applies by virtue of international public law. It also applies to data controllers not established in Jamaica who use equipment in the country for processing data, so long as the equipment is not used merely for transit purposes.
3. Data controllers must register with the Information Commissioner
Data controllers are required under the Bill to be registered and shall furnish information such as their names, addresses and other relevant contact information to the Information Commissioner. Failure to do so would result in the data controllers being prohibited from processing personal data. The Information Commissioner is appointed under the Bill and is responsible for monitoring data controllers' compliance with the provisions of the Bill.
4. Must appoint a Data Protection Officer
In addition, data controllers would be required to appoint a data protection officer (‘DPO’), an ‘appropriately qualified’ person who is responsible for monitoring in an independent manner the data controller’s compliance with the Bill. Some of the functions of the DPO include assisting data subjects in the exercise of their rights and notifying the data controller if the DPO believes the data controller has contravened any of the provisions under the Bill.
5. Data Controller must have consent to disclose personal information
The Bill requires data controllers to comply with a series of data protection standards when processing personal information. These standards impose a number of restrictions on data controllers which include preventing the disclosure of personal information to third parties without the informed consent of the individual concerned or prohibiting the transfer of data outside of Jamaica unless the recipient country has an adequate level of protection against the unauthorised or unlawful processing of data.
6. Data Controllers must maintain effective data management systems
The Bill also imposes an obligation on local entities which currently collect and store personal data to maintain effective data management systems so as to ensure the integrity of personal data. Entities are required to implement appropriate technical and organizational measures to protect against the unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to personal data.
Failure to comply with the standards could result in the data controller being subjected to fines or imprisonment of up to seven years.
Rights to your data!
The Bill affords certain rights and obligations, which include, for example, (1) the right to confirm whether or not personal information or data is being processed by an organisation and (2) the right to access information in the custody or control of an organisation, subject to certain exceptions, such as legal privileges.
- the “right to be forgotten” which empowers individuals to request to be removed from search results (such as Google), on the basis that the information is outdated or irrelevant. The Bill proposal instead requires the information be inaccurate and/or cause significant distress in order for a case for the removal to be established; and
- the “right to innocence” which empowers the public to request social networks delete anything they posted before the age of 18.
Please Note: This article is for general information purposes only and does not constitute legal advice.