With the Data Protection Act (2020) taking full effect on December 1, 2023, the #1 question you, as a business owner, should be asking yourself is: am I ready / am I compliant? Spoiler alert: if you haven’t thought about this question yet, the answer is probably no. Anyone who collects any personally identifiable information (PII) like names, addresses, contact information, etc. from persons in Jamaica will be regulated by the Data Protection Act as of December 1, 2023. Of course, medical practitioners, attorneys, pharmacies, schools, financial institutions and others who collect sensitive personal information will have higher compliance requirements, but the way the Act is written, even if you are an artist or a boutique shop and you collect email addresses for your mailing list, you are required to register with the Information Commissioner. Failure to do so could result in civil and/or criminal liability.
Your readiness and compliance will be dependent on a few factors. As we briefly explore the Act, you will get a better sense of who you are, as a business owner, in relation to the Act. This is not a comprehensive breakdown of the Act, but rather an introduction to the concepts of the Act. We recommend that our clients and prospective clients seek legal advice as it pertains to their business and their state of readiness.
- Personal Data as defined in the Act is, “information (however stored) relating to a living individual or an individual who has been deceased for less than thirty years, who can be identified from that information alone or from that information and other information in the possession of, or likely to come into the possession of, the data controller; and includes any expression of opinion about that individual and any indication of the intentions of the data controller or any other persons in respect of that individual.” This would include, for example, names, addresses (mailing, email and IP), telephone/fax numbers, Social Security numbers, Tax Registration Number (TRN), NIS number, passport number, driver’s licence number, credit card information/numbers, bank account number/information, etc.
- Sensitive Personal Data defined in the Act is, “Personal data consisting of any of the following information in respect of a data subject, [that being] genetic data or biometric data; filiation, or racial or ethnic origin; political opinions, philosophical beliefs, religious beliefs or other beliefs of a similar nature; membership in any trade union; physical or mental health or condition; sex life; the alleged commission of any offence by the data subject or any proceedings for any offence alleged to have been committed by the data subject.” This would include, for example, fingerprints, facial recognition, eye/iris scans and voiceprints, mouth/tongue swabs, DNA, ancestry, health records, etc.
- Data Subject defined in the Act is, “a named or otherwise identifiable individual who is the subject of personal data, and in determining whether an individual is identifiable account shall be taken of all means used or reasonably likely to be used by the data controller or any other person, to identify the individual, such as reference to an identification number or other identifying characteristics (whether physical, social or otherwise) which are reasonably likely to lead to the identification of the individual.” In other words, if you give your Personal Data to someone else, you are a Data Subject.
- Process defined in the Act is, “in relation to information or personal data means obtaining, recording or storing the information or personal data, or carrying out any operation or set of operations (whether or not by automated means) on the information or data, including organisation, adaption or alteration of the information or data; retrieving, consulting or using the information or data; disclosing the information or data by transmitting, disseminating or otherwise making it available; or aligning, combining, blocking, erasing or destroying the information or data, or rendering the data anonymous.” If you collect Personal Data and store it (for example, on a mailing list), you are processing Personal Data under the Act.
- Data Controller defined in the Act is, “any person or public authority, who, either alone or jointly or in common with other persons determines the purposes for which and the manner in which any personal data are, or are to be, processed, and where personal data are processed only for purposes for which they are required under any enactment to be processed, the person on whom the obligation to process the personal data is imposed by or under that enactment is for the purposes of this Act a Data Controller.”
- Data Processor defined in the Act is, “in relation to personal data, means any person, other than an employee of the data controller, who processes the data on behalf of the data controller.”
Having looked at these key definitions, you should be closer to having an idea of who you are in relation to the Act, and how it might apply to you. If you are a business owner, you are mostly going to be either a Data Controller or a Data Processor, and in some cases you will also be a Data Subject. The distinguishing feature between a controller and a processor is that the Controller determines the purpose and manner in which the personal data or sensitive personal data will be processed, as opposed to the Processor, who follows the instruction of the Controller as to the processing of the Personal Data.
The customers/clients/patients/persons that you, as a business owner, provide goods and/or services to would be considered Data Subjects under the law because you have in your possession personal data and/or sensitive personal data that identifies who they are. It should also be noted that your employees are also Data Subjects because of the personal data that you have in your possession that identifies them (e.g., their HR/Personnel File).
HOW DOES THE DATA PROTECTION ACT APPLY TO ME?
Having identified who you are under the Act, it should be highlighted that there are many limbs to compliance, starting with the requirements of Data Controllers. If you are a Data Controller – in other words, if you collect or process information of a Data Subject whether living, or dead within the last thirty years, then you are required by the Act to register with the Information Commissioner, and pay the applicable fee. Many – if not most – businesses in Jamaica will fall into this category. In addition, if you are a Data Controller that collects or processes Sensitive Personal Data – like health information, biometric data like fingerprints (including for attendance – like sometimes used in time clocks or to access secure areas), information on criminal records or religious or political beliefs – or if you collect or process Personal Data on a large scale (this is not defined in the Act), you are required to appoint a Data Protection Officer. A Data Protection Officer is an “appropriately qualified person,” who independently monitors your compliance with the Act, and reports periodically to the
You will also need to have a plan in place, including appropriate security measures (technical and organisational) with respect to collecting and processing of Personal Data, as well as a plan for what to do when and if a breach occurs, not just to assess the damage, but also to report the breach to the Information Commissioner within 72 hours of the breach. This includes but is not limited to a Data Protection Impact Assessment, Privacy by design practices and Data Protection Breach Response Plan.
Data Controllers are required to adhere to certain standards governing the collection and maintenance of Personal Data.
- You can only collect or process personal data for one or more specified and lawful purpose, where the Data Subject has consented (and in circumstances of Sensitive Personal Data, the consent should be in writing) and has not withdrawn their consent.
- The Personal Data you collect or process should be adequate, relevant, and limited to what is necessary for the purposes for which they are processed – in other words, don’t collect more information than you need.
- You should ensure that the Personal Data collected or processed is accurate, and kept up to date, and it should not be kept longer than is necessary.
- You should ensure that you use appropriate technological and organizational measures (e.g., limit the number of people who have access to the data, and make sure they are trained on how to protect data – have you ever accidentally bcc’d?) to protect against unauthorized or unlawful processing or a security breach.
- You must ensure that you don’t transfer Personal Data to a territory/state/country outside of Jamaica UNLESS that country/territory/state has adequate protection for the rights and freedoms of Data Subjects (this is particularly important when you store information in the cloud – make sure you know the physical location of the servers on which your data is stored!).
- And last, but definitely not least, you must make sure that the collecting and processing of Personal Data is done in accordance with the rights of Data Subjects (and collecting or processing Personal Data for the purposes of direct marketing without the consent of the Data Subject is NOT considered to comply – it is a breach of the Act).
For most – if not all – businesses in Jamaica, your preparedness for December 1, 2023 will require an operational and administrative shift if your business has not had Data Protection as a priority before now. A start, however, would be to ask yourself the following questions:
- How would my business be classified under the Act?
- What information do we collect?
- What information do we NEED to collect?
- Where do we store the information, and who has access to it? Is it secure enough?
- Have we gotten explicit consent from persons to collect or process their data?
- Are we required by the Act to appoint a Data Protection Officer?
For more information, or to schedule a free 15 minute consultation about how the Data Protection Act might apply to you, please contact us at email@example.com or (876) 855-6676 and mention code ROCKDPA.