How the Act Applies to Jamaican Citizens’ Data
Since the introduction of the General Data Protection Regulation (GDPR) in the EU, other nations have rushed to create data protection regulations to safeguard their citizens, and the Caribbean is no exception. Across the region there has been a burst of activity in data privacy and protection, with many countries either tabling data protection bills or passing them into law.
First drafted in June 2020 and passed on December 1, 2021, the Jamaica Data Protection Act (modeled on the GDPR) governs all aspects of data processing, including collection, storage, transmission, disclosure, and erasure. Its foundation rests on “data protection principles spanning fairness and transparency to integrity and accountability and acts to protect the personal data and sensitive personal data of data subjects.”
The Act came into full effect on December 1, 2023, and provides greater safeguards for the handling of Jamaicans’ personal information, whether held in physical or electronic form. This article provides a high-level overview of the Act.
Who does the Jamaica Data Protection Act Apply To?
In terms of who is covered, the Act applies to public and private sector organizations as data controllers, and protects identifiable natural persons, including individuals who have been deceased for less than 30 years. The 30-year limit recognizes that data about deceased individuals can remain sensitive and therefore warrants protection for a considerable period after death.
Territorially, the Act applies to a data controller that is established in Jamaica, or in any place where Jamaican law applies by virtue of public international law, and that processes personal data in the context of that establishment. A data controller that is not established in Jamaica is still subject to the Act if it:
- Uses equipment in Jamaica for processing personal data, other than for transit through Jamaica; or
- Processes personal data of a data subject in Jamaica, where the processing relates to:
- Offering products or services to data subjects in Jamaica, whether or not payment is required; or
- Monitoring the behavior of data subjects, insofar as that behavior takes place within Jamaica.
For clarification, the following are considered as being established in Jamaica:
- Any individual who usually resides in Jamaica
- A legal body or entity under Jamaican laws
- A partnership or other unincorporated association established under Jamaican laws.
- Any person not covered by the above categories but who maintains in Jamaica:
- An office, branch, or agency for conducting activities.
- A regular business practice.
Processing is a wide concept under the Act. It is defined as obtaining, recording, or storing information or data, or carrying out any operation on that information or data, including:
- Organization, adaptation, or alteration of information or data.
- Retrieving, consulting, or using information or data.
- Disclosing information or data through transmission, dissemination, or other means of availability.
- Aligning, combining, blocking, erasing, or destroying information or data, or making data anonymous.
Note that personal data processed solely for the purpose of transit through Jamaica is exempt from the Act.
What, then, must those who fall under the Act comply with?
What are the principles of the act?
All data controllers must comply with the following eight data protection standards set out in the Act:
Fairness and Lawfulness
Personal data must be processed fairly and lawfully, and must not be obtained by deception or through misleading information. The data subject must give explicit consent for their data to be processed, and that consent must be informed, freely given, specific, and unambiguous.
The data subject must be provided with all the relevant information regarding their data processing, enabling the data subject to make an informed decision. Note, however, that consent is not deemed ‘freely given’ if the data subject is required.
Accuracy
The personal data collected must be accurate and kept up to date. If the data subject or a third party provides inaccurate data, the company is not automatically considered to be in breach of this standard. It is up to the entity.
However, companies that process private and personal data must adopt reasonable measures to confirm and uphold the accuracy of the data. These measures include implementing processes to routinely review and update data, especially when changes are communicated by the data subject or identified through other means.
Data Minimization
Data collected must be adequate, relevant, and limited to what is necessary for the purpose for which it is processed. Companies must ensure that the data they collect is relevant to the specific purpose for which it was collected and does not extend beyond what that purpose requires. Accumulating excess data may infringe individuals’ privacy rights, which is why processing must be restricted to what is essential for the intended purpose.
Purpose Limitation
Personal data should be collected only for a distinct, clear, and lawful purpose, and its processing should be consistent with that purpose. Furthermore, the data must not be obtained for any illegal or immoral purpose.
Companies must explicitly state the purpose for which they collect data. Any use of the data that deviates from the previously established purposes is strictly prohibited without first informing and, where necessary, receiving the data subject’s consent.
For example, suppose a company collects customer data like emails and phone numbers for a stated purpose. In that case, disclosing or selling this data to third-party companies for marketing without informing the data subjects is not permitted.
Storage limitation
Personal Data should not be retained longer than is needed and must be appropriately disposed of in compliance and accordance with any regulations under the Act. While the Act does not specify a definitive standard for an appropriate retention period, companies are required to communicate the anticipated duration of retaining personal data to the data subject. This information should be explicitly outlined in a privacy notice, providing transparency and clarity regarding the handling of their personal information.
Cross-border Transfer
It is prohibited to transfer personal data to a state or territory outside Jamaica unless that state or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of their personal data. In assessing whether protection is adequate, the Act lists the following factors to take into account:
- the nature of the data;
- the State or territory of the final destination;
- the laws of the State or Territory;
- the international obligations of the State or Territory;
- the security measures taken in the State or territory.
The Act does, however, provide exceptions to this standard: for example, where the data subject has given explicit consent to the transfer, where the transfer is necessary for reasons of substantial public interest, or where it is necessary for the performance of a contract.
Rights of Data Subject
The processing of personal data must respect the rights granted to the data subject under the Act. These include the right to access their data and the right to prevent processing of their data in the specific circumstances set out in the relevant provisions.
Implementation of Technical and Organizational Measures
Suitable technical and organizational measures must be employed to protect personal data against unauthorized or unlawful processing and against accidental loss, destruction, or damage. Such measures include:
- conducting security audits;
- implementing data protection policies and privacy notices;
- proper training of employees on the handling, storage, and disclosure of personal data;
- pseudonymisation and encryption of the data;
- limiting employees’ access to the data;
- ensuring that any data-processing software and antivirus software used by the company are effectively maintained and up-to-date;
- selecting data processors who sufficiently guarantee that they have adequate security measures in place and will report security breaches;
- the ability to restore the availability of and access to, personal data promptly in the event of a physical or technical incident.
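As an added illustration of the pseudonymisation measure listed above, and of the difference between pseudonymised and anonymised data noted under the definition of processing, the following Python example is not code from the Act or from this article: it replaces a direct identifier with a keyed HMAC-SHA256 token so that downstream processing (here, a per-subject purchase count) never handles the raw identifier. The field names, sample records, and the choice of HMAC are assumptions made for the example. What makes the output pseudonymous rather than anonymous is that the key and the re-identification table can reverse the tokens, so both must be stored and access-controlled separately from the tokenised dataset.

```python
"""Keyed pseudonymisation of a direct identifier before downstream processing.

Added example (not from the Data Protection Act or the original article).
Pseudonymisation replaces identifiers with tokens that only the key holder
can re-link to a person; the key and the re-identification table must live
in a separate store from the tokenised data.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed sample records for the example; all values are fictional.
CUSTOMERS = [
    {"email": "a.brown@example.com", "parish": "Kingston", "purchases": 3},
    {"email": "b.campbell@example.com", "parish": "St. Andrew", "purchases": 1},
    {"email": "a.brown@example.com", "parish": "Kingston", "purchases": 2},
]

# Fields treated as direct identifiers (assumed for this example).
DIRECT_IDENTIFIERS = ("email",)


def pseudonym(value: str, key: bytes) -> str:
    """Deterministic keyed token: same value + same key -> same token.

    HMAC rather than a bare hash, so an attacker holding a list of likely
    inputs (e.g. known e-mail addresses) cannot recompute tokens without
    the key. Input is normalised so trivially different spellings of the
    same identifier map to one token.
    """
    normalised = value.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()[:32]


def pseudonymise(records: Iterable[dict], key: bytes,
                 fields: Tuple[str, ...] = DIRECT_IDENTIFIERS
                 ) -> Tuple[List[dict], Dict[str, str]]:
    """Return (tokenised records, re-identification table).

    The table maps token -> original value. It is returned separately
    because it must be kept apart from the tokenised dataset; handing both
    to the same downstream consumer would defeat the purpose.
    """
    lookup: Dict[str, str] = {}
    tokenised: List[dict] = []
    for rec in records:
        rec = dict(rec)  # do not mutate the caller's record
        for field in fields:
            token = pseudonym(rec[field], key)
            lookup[token] = rec[field]
            rec[field] = token
        tokenised.append(rec)
    return tokenised, lookup


def per_subject_totals(tokenised: Iterable[dict]) -> Dict[str, int]:
    """Example downstream processing that works on tokens only."""
    totals: Dict[str, int] = {}
    for rec in tokenised:
        totals[rec["email"]] = totals.get(rec["email"], 0) + rec["purchases"]
    return totals


def reidentify(token: str, lookup: Dict[str, str]) -> Optional[str]:
    """Only the holder of the re-identification table can reverse a token."""
    return lookup.get(token)


if __name__ == "__main__":
    # A fresh random key per deployment; in practice it lives in a KMS/HSM.
    key = secrets.token_bytes(32)
    tokenised, table = pseudonymise(CUSTOMERS, key)
    for rec in tokenised:
        print(rec)
    print("totals by token:", per_subject_totals(tokenised))
    print("re-identified:", reidentify(tokenised[0]["email"], table))
```

Two properties worth checking in practice: the same identifier under the same key always yields the same token (so joins and aggregates still work), while a different key yields unrelated tokens (so a dataset tokenised for one purpose cannot be linked to another without both keys).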
Controller and Processor Obligations
This section expands on the data controller’s obligations. Before processing personal data, every data controller must register prescribed details, known as ‘registration particulars,’ with the Commissioner and pay the prescribed fee. Controllers must also submit a Data Protection Impact Assessment (‘DPIA’) concerning all data in their possession to the Commissioner.
Data Processing Notifications
Under the Act, all data controllers must register specific details, known as ‘registration particulars,’ with the Commissioner before processing personal data. These particulars include:
- Data controller’s contact information.
- Contact details of any appointed data controller representative and Data Protection Officer (DPO).
- Description of the personal data and related data subjects.
- Purpose(s) for processing personal data.
- Description of intended recipients of personal data.
- Information on states or territories for data transfers.
- Statement if the data controller is a public authority.
- Prescribed information about the data controller as per regulations.
Additionally, the data controller must describe measures to comply with technical and organizational standards. It must be stated if processing is based on an order specifying activities unlikely to harm data subjects’ rights.
Data controllers pay an annual fee for maintaining these particulars in the register. If the fee is unpaid, entries are not retained beyond 12 months.
Exemptions exist only for processing that is unlikely to prejudice data subjects’ rights, as specified by the Minister by order published in the Gazette.
Data Transfer
The Act imposes a general obligation on data controllers to obtain explicit consent before transferring personal data to third parties. Those third parties should themselves be subject to equivalent data protection obligations so that the personal data remains protected against security breaches.
Data Protection Impact Assessment
Unless exempted, data controllers must submit a DPIA to the Commissioner annually. The Commissioner may specify, having regard to the risk that the processing poses to data subjects’ rights and freedoms, which classes of personal data or data controllers are subject to, or exempt from, the DPIA requirement.
After a DPIA is submitted, the Commissioner issues directives to the data controller, recommending adjustments to its systems or activities to ensure compliance with the Act.
Where the Minister issues an order to that effect, the Commissioner may conduct a prior consultation to evaluate specific processing operations likely to have a significant impact on data subjects’ rights and freedoms. Within 30 days of receiving the relevant information, the Commissioner notifies the data controller of the degree to which the processing complies; if necessary, the Commissioner may extend this period by up to 14 days.
If not exempt, the submission is due within 90 days after the end of each calendar year and must include:
- A detailed description of the planned processing of personal data, specifying the purposes and the legitimate interests pursued by the data controller.
- An evaluation of the risks to the rights and freedoms of data subjects.
- An assessment of the necessity and proportionality of the processing operations in relation to those purposes.
- The measures envisaged to address the risks, including safeguards, security measures, and mechanisms to protect personal data and demonstrate compliance with the Act, taking into account the rights and interests of data subjects and other persons concerned.
Data Protection Officer Appointment
The data controller must appoint a qualified individual as its Data Protection Officer (DPO), responsible for independently monitoring the data controller’s compliance with the Act. The data controller must then notify the Commissioner of the DPO’s name, address, and other relevant contact information, and of any subsequent changes to those details (Section 20(4) of the Act).
A person is not qualified to be appointed as DPO if there is, or is likely to be, a conflict of interest between that person’s duties as DPO and any other duties they hold.
The DPO’s Role and Functions
The DPO’s functions include:
- Ensuring that the controller’s processing of data complies with the data protection standards and best practices.
- Seeking guidance from the Commissioner to address any uncertainties regarding the application of the provisions of the Data Protection Act.
- Ensuring that any violation of the data protection standards is addressed in accordance with Section 20(5).
- Providing support to data subjects in exercising their rights.
Data Breach Notification
The data controller must report any security breach affecting its operations that affects or may affect personal data to the Commissioner within 72 hours of becoming aware of the breach. The report must include:
- the facts surrounding the security breach;
- a description of the nature of the security breach, including the categories, number of data subjects concerned, and the type and number of personal data concerned;
- the measures taken or proposed to be taken to mitigate or address the possible adverse effects of the breach;
- the consequences of the breach; and
- the name, address, and other relevant contact information of its DPO.
A data controller is also obligated to promptly inform each data subject affected by a security breach, following the prescribed timeline. This notification must include:
- The nature of the security breach.
- Measures taken or planned to mitigate or address potential adverse effects of the breach.
- The DPO’s name, address, and other pertinent contact details.
Separately, under the Banking Services Act, employees and agents of financial institutions owe a general duty of confidentiality regarding customer information. Unlawful disclosure of customer account information by any employee or agent is a criminal offense under that Act, carrying a possible fine of up to JMD 7.5 million (approximately USD 48,395), or imprisonment for up to five years.
Data Retention
The act does not specify a defined period for the appropriate retention of personal data. It does, however, mandate that personal data should not be stored longer than necessary. Data controllers are also obligated to inform data subjects about the expected retention duration of their data. This information must be provided to the data subject at the earliest of either the initial processing by the data controller or the request for personal data.
Children’s Data
The act stipulates that if personal data belongs to a minor, the rights granted to a data subject can be exercised by the minor’s parent or legal guardian, or by the minor if recognized by the law. In cases requiring consent for processing, the consent for minors must be given by a parent or legal guardian unless the law acknowledges the minor’s capacity to give consent independently.
Special categories of personal data
Regarding sensitive personal data, including information about race, ethnic origin, sex life, and criminal convictions, the Act outlines conditions for lawful processing. These conditions include obtaining written consent from the data subject, processing for legal obligations, protection of vital interests, actions by non-profit organizations, public disclosure by the data subject, and processing for specific legal purposes.
Controller and Processor Contracts
The legislation mandates that when a data processor handles personal data on behalf of a data controller, the data controller must:
- Ensure processing occurs under a written contract specifying the data processor’s obligation to act solely on the data controller’s instructions and to comply with obligations equivalent to those of the data controller.
- Select a data processor providing sufficient guarantees regarding technical and organizational security measures, including reporting security breaches to the data controller.
- Take reasonable steps to ensure compliance with these measures.
Data Subject Rights
Please note that the data subject’s rights under the Act are subject to certain exemptions, such as where the personal data is processed in the interests of national security or for journalistic purposes. The rights are:
- The right to be informed whether their personal data is being processed by or on behalf of the data controller.
- The right to request that the data controller rectify any inaccuracy in any personal data in its possession or control. For the Act, the term ‘rectify’ means to amend, block, erase, or destroy and the term ‘inaccuracy’ includes any error or omission.
- The right to opt out or object.
- The right to prevent processing where:
- the processing is likely to cause substantial damage or substantial distress to the data subject or another person, and that damage or distress is, or would be, unwarranted;
- the data is incomplete or irrelevant;
- the processing is prohibited by law;
- the data has been retained by the data controller for a period longer than required by law; or
- the processing is for the purposes of direct marketing.
- The right to require that the data controller not make any decision that significantly affects them based solely on the results of automated processing; such decisions include those evaluating the data subject’s work performance, creditworthiness, reliability, or conduct.
Penalties
When a corporate entity violates the provisions of the Act, it may face a fine not exceeding 4% of its annual gross worldwide turnover for the preceding year, as determined under the Income Tax Act.
Individual accountability extends to directors, managers, secretaries, or similar officers of the corporation, or anyone purporting to act in such a capacity, who may be held personally liable.
Individuals found guilty of offenses under the Act may also face substantial fines, up to a maximum of JMD 5 million (approximately USD 32,260), and/or imprisonment for up to ten years.
Additionally, an individual who can demonstrate that they have suffered damage as a result of a data controller’s breach of its obligations under the Act may be entitled to compensation from the data controller for that damage.
It is therefore imperative for companies to start implementing the technical, administrative, and organizational measures needed to operate in compliance with the Act.
Definition of Key Terms
- Data controller: A data controller is defined under the Act as ‘any person or public authority, who, either alone or jointly or in common with other persons determines the purposes for which and how any personal data are, or are to be, processed, and where personal data is processed only for purposes for which they are required under any enactment to be processed, the person on whom the obligation to process the personal data is imposed by or under that enactment is for this Act a data controller’.
- Data processor: A data processor is defined under the Act as ‘any person, other than an employee of the data controller, who processes the data on behalf of the data controller’.
- Personal data: Personal data is defined under the Act as ‘information (however stored) relating to a living individual, or an individual who has been deceased for less than 30 years, who can be identified from that information alone or from that information and other information in the possession of, or likely to come into the possession of, the data controller, and which includes any expression of opinion about that individual and any indication of the intentions of the data controller or any other person in respect of that individual’.
- Sensitive data: Sensitive personal data is defined under the Act as personal data consisting of any of the following information in respect of a data subject:
- genetic data or biometric data;
- filiation, racial, or ethnic origin;
- political opinions, philosophical beliefs, religious beliefs, or other beliefs of a similar nature;
- membership in any trade union;
- physical or mental health or condition;
- sex life; or
- the alleged commission of any offense by the data subject or any proceedings for any offense alleged to have been committed by the data subject.
- Health data: A ‘health record’ is defined under the Act as any record which:
- is in the custody or control of a health professional in connection with the care of an individual; and
- consists of information relating to:
- the past or present physical or mental health, or condition, of an individual, for example:
- clinical information about diagnosis and treatment;
- genetic data;
- information about the testing of any body part or bodily substance, or the donation of a body part or bodily substance, or
- biometric data;
- the registration of an individual for the provision of health services and any number, symbol, or code assigned to identify the individual for those services uniquely;
- the name of the individual’s health care provider; or
- payments made by, or the eligibility of, the individual for the provision of health services, or any other health-related information about the individual that is collected during the provision of health services to that individual.
- Biometric data: Biometric data is defined as any information relating to the physical, physiological, or behavioral characteristics of that individual, which allows for the unique identification of the individual, and includes:
- physical characteristics such as the photograph or other facial image, fingerprint, palm print, toe print, footprint, iris scan, retina scan, blood type, height, vein pattern, or eye color, of the individual, or such other biological attribute of the individual as may be prescribed; and
- behavioral characteristics such as a person’s gait, signature, keystrokes, or voice.
- Direct Marketing: The Act defines ‘direct marketing’ as ‘approaching a data subject in person or by any means of communication (electronic or otherwise) for the direct or indirect purpose of promoting or offering to supply any goods or services’.