Standards for Processing Personal Data
The Data Protection Act, 2020 (the “Act”) was recently passed by the Government of Jamaica (“GOJ”) but has not yet been enacted. The Act will not come into operation, until the GOJ has publicly appointed a date that the Act will take effect. Once the Act takes effect, it will no doubt have an impact on the manner in which personal data is processed i.e. collected, stored, used, disclosed and destroyed by companies. Companies that process personal data will be required to ensure that the data is being processed in compliance with the eight (8) Data Protection Standards specified in the Act. These Standards are discussed below.
Personal data must be processed fairly and lawfully and must not be obtained by deception or any misleading information. The person who is the subject of the personal data i.e. the data subject, must expressly consent to the processing of his/her data and such consent must be informed, freely given, specific and unambiguous. The data subject must be provided with all the relevant information regarding the processing of his/her personal data which will enable the data subject to make an informed decision. Note, however, that consent is not deemed to be “freely given” if the data subject is required, as a condition for the provision of goods or services, to consent to the collection, use or disclosure of his/her personal data beyond what is reasonable for the provision of those goods/services.
Personal data must only be obtained for a specific and lawful purpose and must not be processed in any manner incompatible with those purposes. Prior to collecting personal data, companies will be required to specify the purpose for obtaining the data and will not be permitted to use the data for any other purpose without first informing and, where necessary, receiving the consent of the data subject. For example, where a company collects the personal data of its customers such as a telephone number or email address to provide a specific service, the company will not be allowed to sell the data to a third party for direct marketing purposes without first obtaining the customer’s consent. Additionally, personal data must not be obtained for any illegal or immoral purpose.
Personal data must be adequate, relevant and must be limited to the purpose for which it is being processed. The data collected must be relevant to the specified purpose it was collected for and must not be more than what is reasonably required.
Personal data must be accurate and, where necessary, kept up to date. A company would not be in breach of this standard if the inaccurate data was provided by the data subject. However, companies who process personal data will be required to take reasonable steps to ensure the accuracy of the data.
Personal data must not be kept for longer than is necessary and must be disposed of in accordance with any regulations under the Act. This is, however, subject to any applicable retention periods prescribed by law.
Personal data must be processed in accordance with the rights of the data subjects under the Act. Some of these rights include the right to access the data and the right to prevent processing for direct marketing purposes.
Personal data must be protected using appropriate technical and organizational measures to prevent unauthorized or unlawful processing as well as any accidental loss, destruction of, or damage to the data. Some of these technical and organizational measures include the pseudonymization and encryption of personal data as well as the ability to restore access to personal data in a timely manner in the event of a security breach. The measures that would be deemed appropriate for a given company will depend on the potential harm that could result from a security breach as well as the nature of the data to be protected.
Where the company engages a third-party to process personal data on its behalf i.e. a data processor, the company must ensure that the processing is carried out under a written contract which requires the data processor to act only on the company’s instructions. The contract must also require the data processor to comply with obligations equivalent to those imposed upon the company under the Act.
Personal data must not be transferred to a state or territory outside of Jamaica unless that state or territory ensures an adequate level of protection for the rights of data subjects in relation to the processing of data. This would have a significant impact on companies who outsource the processing of personal data to foreign entities.
It should be noted that there are exceptions to this Standard such as where the data subject has consented to the transfer or where the transfer is necessary for reasons of a substantial public interest or for the performance of a contract.
Where a company is in breach of any of the Standards outlined above, the company will be required to report such breach to the relevant authority within 72 hours of becoming aware of such breach. The company will also be required to notify the data subject of any security breach affecting his/her personal data within such time as prescribed.
The processing of personal data by a company in contravention of any of the Standards outlined above may result in the company being liable to a fine not exceeding four percent (4%) of its annual gross worldwide turnover. A director, manager, secretary or similar officer of the company may also be held personally liable for the breach. The Act does provide for a two year transition period for companies to become compliant, however, given the severity of the fines and penalties, it is important that preparatory steps are taken so as to avoid and/or minimize the risk of a security breach.
Samantha Moore is an Associate at Myers, Fletcher & Gordon and is a member of the firm's Commercial Department. Samantha may be contacted via firstname.lastname@example.org or www.myersfletcher.com. This article is for general information purposes only and does not constitute legal advice.