Reinventing Data Protection
In a few months, the data protection landscape in Jamaica may be transformed by the implementation of the Data Protection Act. The proposed provisions of the Act are outlined in the Data Protection Bill (“the Bill”). The Internet has revolutionised the way information is created, captured, shared and stored, however the law has struggled to regulate and provide adequate protection for personal data. The Bill seeks to change how businesses and public sector organisations handle customers’ information and how individuals view their personal data and become more interested in protecting such data. It is therefore important for all players to understand what the Data Protection Bill is about and how personal data will be protected.
The purpose of the Data Protection legislation
Currently, data protection is not specifically regulated by statute in Jamaica and consequently there are no statutory restrictions on the transfer, storage or display of personal data outside of Jamaica. For many years, Jamaicans relied on the common law principles of confidentiality to protect information communicated in circumstances suggesting an obligation of confidence.The lack legislation coupled with various hacking and data manipulation concerns as well as the general ease of doing business online, led to the drafting of the Data Protection Bill which was tabled in Parliament on October 3, 2017.
The Bill aims to govern the collection, regulation, processing, storage, use and disclosure of certain information, while providing individuals with an additional level of security in relation to how institutions handle their personal information.
Features of the Data Protection Bill
One of the most important features of the Bill is that it imposes an obligation on “data controllers” in possession of an individual’s personal data to deal with that information in such a manner that offers that person a level of protection and confidence. “Data controllers” are defined as any person or public authority, who either alone or jointly or in common with other persons determine the purposes for and the manner in which any personal data are, or are to be processed. The Bill applies to data controllers established in Jamaica or in any place where Jamaican law applies by virtue of international public law, and to data controllers not established in Jamaica but who use equipment in the country for processing data, so long as not merely for transit purposes.
How personal data can be used
Consent is required to disclose personal data
The Bill requires data controllers to comply with a series of data protection standards when processing personal information. These standards impose a number of restrictions on data controllers which include preventing the disclosure of personal information to third parties without the informed consent of the individual concerned or prohibiting the transfer of data outside of Jamaica unless the recipient country has an adequate level of protection against the unauthorised or unlawful processing of data. Failure to comply with the standards could result in the data controller being subjected to fines or imprisonment of up to seven years.
Effective data management systems must be maintained
The Bill also imposes an obligation on local entities which currently collect and store personal data to maintain effective data management systems so as to ensure the integrity of personal data. Entities are required to implement appropriate technical and organizational measures to protect against the unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to personal data.
Data controllers must register with the Information Commissioner
Data Controllers are required under the Bill to be registered and shall furnish information such as their name, address and other relevant contact information to the Information Commissioner. Failure to do so could result in the data controllers being prohibited from processing personal data. The Information Commissioner is appointed under the Bill and is responsible for monitoring compliance of data controllers.
Data Controllers must appoint a Data Protection Officer
Data controllers are required to appoint a Data Protection Officer (‘DPO’), which is defined as an independent ‘appropriately qualified’ person with responsibility for monitoring the data controller’s compliance with the Act.
Rights to your data!
Individuals are conferred with the right to enquire whether personal information or data is being processed by an organisation, and the right to access information in the custody or control of an organisation, subject to certain exceptions, such as legal privilege.
The Bill is definitely a step in the right direction. However, the concept of data protection is one which experts describe as evolutionary and not revolutionary. This means it will continue to change as the global digital landscape continues to change. It is for this reason that the Bill fails to address these additional protections more suitable for the digital era and that have been recently introduced in the European General Data Protection Regulation (“GDPR”) which will come into force in May 2018, such as:
- the "right to be forgotten" which empowers individuals to request to be removed from search results (such as Google), on the basis that the information is outdated or irrelevant. The Bill proposal instead requires the information to be inaccurate and/ or cause significant distress in order for a case for the removal to be established; and
- the “right to innocence” which empowers individuals to request social networks to delete anything posted before the age of 18.
A high level of data protection is essential to foster people’s trust in online services and in the digital economy in general. Privacy concerns are among the top reasons for people to refrain from buying goods and services online. Individual trust in both off-line and online services is vital for stimulating economic growth in Jamaica. With the increasing globalisation of data flows, and the growth of cloud computing, there is a risk of people losing control of their data. The Bill gives persons greater control of their personal data, and helps to foster trust in social media and communication in general.
Samantha Moore and Danielle Stiebel-Johnson are Associates at Myers, Fletcher & Gordon, and are members of the firm’s Commercial Department. They may be contacted via firstname.lastname@example.org, email@example.com or www.myersfletcher.com. This article is for general information purposes only and does not constitute legal advice.