Published by melesia_sewell, 2024-06-18 12:39:51

Data Protection "What You Should Know"


A NEW ERA OF PROTECTING DATA

DATA PROTECTION: WHAT YOU SHOULD KNOW

A publication of the Organisational Records & Information Management (ORIM) Unit, May 2024


The Data Protection Act

The Jamaica Data Protection Act (JDPA) came into effect on December 1, 2023, providing greater protection for the handling of personal information of Jamaicans held in physical or electronic form. The legislation, which was passed in 2020, is poised to transform the way organisations manage personal data, including its collection, storage, use, disclosure, and disposal. Entities, particularly those that process personal information daily, are required to implement measures to ensure the safety, security, and confidentiality of the data they handle; failure to do so could result in harsh penalties, including hefty fines.

Why Does Data Protection Matter?

As the volume of data exchanged online increases, so does the demand for data protection and security. Since data may contain sensitive information such as health records, applying strong data protection measures protects not only individuals’ personal data but also the organisation’s own data. Data protection therefore safeguards confidential information, maintains compliance with laws and regulations, builds trust and reputation, and mitigates security risks.

Data Protection Benefits
• It is a fundamental right protected by law.
• It helps to build trust.
• It can be part of the organisation’s branding.
• It helps prevent fraud and cybercrime.
• It saves time and money.

HRM&D-ORIM-Data Protection - What You Should Know May 2024 1


What is Personal Data and Sensitive Personal Data? (Data Protection Act 2020, p.7)

Personal data is information (however stored) relating to a living individual, or an individual who has been deceased for less than 30 years, who can be identified from that information alone or from that information together with other information in the possession of, or likely to come into the possession of, the data controller. It includes any expression of opinion about that individual and any indication of the intentions of the data controller or any other person in respect of that individual.

Sensitive personal data is personal data consisting of any of the following information in respect of a data subject:
• genetic data or biometric data
• filiation, racial, or ethnic origin
• political opinions, philosophical beliefs, religious beliefs, or other beliefs of a similar nature
• membership in any trade union
• physical or mental health or condition
• sex life; or
• the alleged commission of any offence by the data subject, or any proceedings for any offence alleged to have been committed by the data subject.


The 8 Data Protection Standards (Data Protection Act 2020, p.34-47, s.22-31)

Fairness and Lawfulness

Personal data must be processed fairly and lawfully and must not be obtained by deception or by any misleading information. There must be a legitimate reason for processing the data. Where processing relies on the data subject’s consent, the data subject must expressly consent to the processing, and such consent must be informed, freely given, specific, and unequivocal. The data subject must be provided with all the relevant information regarding the processing of their personal data so that they can make an informed decision. Note, however, that consent is not deemed to be ‘freely given’ if the data subject is required, as a condition for the provision of goods or services, to consent to the collection, use, or disclosure of their personal data beyond what is reasonable for the provision of those goods or services.

Purpose Limitation

Personal data must only be obtained for a specific and lawful purpose and must not be processed in any manner incompatible with that purpose. Prior to collecting the personal data, companies are required to specify the purpose for obtaining the data and are not permitted to use the data for any other purpose without first informing, and where necessary, receiving the consent of, the data subject. For example, where a company collects the personal data of its customers, such as a telephone number or email address, to provide a specific service, the company is prohibited from disclosing and/or selling the data to a third party for direct marketing purposes without first obtaining the customer’s consent. The Act defines ‘direct marketing’ as ‘approaching a data subject in person or by any means of communication (electronic or otherwise) for the direct or indirect purpose of promoting or offering to supply any goods or services’. Additionally, personal data must not be obtained for any illegal or immoral purpose.


Data Minimisation

Personal data must be adequate, relevant, and limited to what is necessary for the purpose for which it is being processed. The data collected by companies must be relevant to the specified purpose for which it was collected and must not be more than what is reasonably required. Processing more data than is needed may amount to an invasion of privacy.

Accuracy

Personal data must be accurate and, where necessary, kept up to date. A company would not be in breach of this standard if the inaccurate data was provided by the data subject or a third party. However, companies that process personal data are required to take reasonable steps to verify the accuracy of the data.

Storage Limitation

Personal data must not be kept for longer than is necessary and must be disposed of in accordance with any regulations (once passed) under the Act. This is, however, subject to any applicable retention periods prescribed by law. The Act does not say what would be considered an appropriate retention period for personal data. However, companies are required to inform the data subject of the expected period of retention of their personal data, and this must be clearly set out in a privacy notice.

Rights of the Data Subject

Personal data must be processed in accordance with the rights of the data subject. These rights include the right to access the data and the right to prevent processing of the data in certain specified circumstances.

Implementation of Technical and Organisational Measures

Personal data must be protected using appropriate technical and organisational measures to prevent unauthorised or unlawful processing of the data, as well as any accidental loss or destruction of, or damage to, the data.

Some of these technical and organisational measures include:
• conducting security audits
• implementing data protection policies and privacy notices
• proper training of employees on the handling, storage, and disclosure of personal data
• pseudonymisation and encryption of the data
• limiting employees’ access to the data


• ensuring that any data-processing software and antivirus software used by the company are effectively maintained and kept up to date
• selecting data processors who sufficiently guarantee that they have adequate security measures in place and will report security breaches; and
• the ability to restore the availability of, and access to, personal data in a timely manner in the event of a physical or technical incident.

Cross-Border Transfers

Personal data shall not be transferred to a State or territory outside of Jamaica unless that State or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data. In determining what is considered an ‘adequate level of protection’, the Commissioner would consider, among other things:
• the nature of the data
• the State or territory of destination
• the laws of the State or territory
• the international obligations of the State or territory; and
• the security measures taken by the State or territory.

The Act, however, provides exceptions to this standard, such as where the data subject has consented to the transfer, or where the transfer is necessary for reasons of substantial public interest or for the performance of a contract.
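Two of the technical measures listed above, pseudonymisation and limiting the data held to what the purpose requires, are easy to get wrong in practice. The following is an added example written for this page; it is not code from the ORIM Unit, the Act, or the HEART/NSTA Trust. It assumes a record schema, a 9-digit national identifier format, and purpose labels that are illustrative only. It replaces the identifier with a keyed HMAC pseudonym (so records for one purpose stay linkable but cannot be joined with another purpose’s dataset), drops direct identifiers the purpose does not need, generalises the date of birth to a year, and shows why a plain unkeyed hash is not adequate pseudonymisation: an attacker holding a candidate list of identifiers can hash each candidate and recover the original.

```python
"""Keyed pseudonymisation of personal identifiers with data minimisation.

Added illustration; not code from the ORIM publication, the Data Protection
Act, or the HEART/NSTA Trust. Field names, the 9-digit identifier format and
the purpose labels are assumptions made for the example.
"""
import hashlib
import hmac
import secrets
from typing import Any, Callable, Dict, Iterable, Optional

# Constructed sample record (assumed schema, fictitious values).
SAMPLE_RECORD: Dict[str, Any] = {
    "national_id": "123456789",
    "name": "Jane Doe",
    "email": "jane.doe@example.com",
    "date_of_birth": "1987-03-14",
    "course": "Electrical Installation Level 2",
}

# Fields that identify a person directly and must not reach an analytics dataset.
DIRECT_IDENTIFIERS = ("national_id", "name", "email")

# Constructed candidate list an attacker might hold (e.g. every 9-digit ID in a
# leaked range); only ten here, which is enough to show the point.
CANDIDATE_IDS = [f"12345678{d}" for d in range(10)]


def derive_purpose_key(master_key: bytes, purpose: str) -> bytes:
    """Derive a per-purpose key so pseudonyms built for one purpose cannot be
    joined with those built for another (purpose limitation in the key space)."""
    return hmac.new(master_key, purpose.encode("utf-8"), hashlib.sha256).digest()


def pseudonymise(identifier: str, master_key: bytes, purpose: str) -> str:
    """HMAC-SHA256 of the identifier under the purpose-specific key.
    Same identifier + same key + same purpose -> same pseudonym (records stay
    linkable); without the key the pseudonym cannot be reversed by hashing guesses."""
    key = derive_purpose_key(master_key, purpose)
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()


def unkeyed_hash(identifier: str) -> str:
    """What pseudonymisation is often (wrongly) implemented as: a plain hash."""
    return hashlib.sha256(identifier.encode("utf-8")).hexdigest()


def dictionary_attack(pseudonym: str, candidates: Iterable[str],
                      hash_fn: Callable[[str], str]) -> Optional[str]:
    """Attacker's view: hash every candidate identifier with the function they
    believe was used and look for a match. Returns the recovered identifier or None."""
    for candidate in candidates:
        if hmac.compare_digest(hash_fn(candidate), pseudonym):
            return candidate
    return None


def pseudonymise_record(record: Dict[str, Any], master_key: bytes,
                        purpose: str) -> Dict[str, Any]:
    """Produce a minimised, pseudonymised copy of a record for the given purpose:
    the national ID becomes a keyed pseudonym, other direct identifiers are dropped,
    the date of birth is generalised to a year, everything else is passed through."""
    out: Dict[str, Any] = {}
    for field, value in record.items():
        if field == "national_id":
            out["subject_pseudonym"] = pseudonymise(value, master_key, purpose)
        elif field in DIRECT_IDENTIFIERS:
            continue  # name, email: not needed for this purpose, so not retained
        elif field == "date_of_birth":
            out["birth_year"] = value[:4]  # generalisation: adequate, not excessive
        else:
            out[field] = value
    return out


if __name__ == "__main__":
    master = secrets.token_bytes(32)  # keep in a KMS/HSM, never beside the dataset
    record = pseudonymise_record(SAMPLE_RECORD, master, "training-analytics")
    print(record)
    # Plain hash: the attacker recovers the ID from the candidate list.
    print(dictionary_attack(unkeyed_hash("123456789"), CANDIDATE_IDS, unkeyed_hash))
    # Keyed pseudonym: the same attack fails without the master key.
    print(dictionary_attack(record["subject_pseudonym"], CANDIDATE_IDS, unkeyed_hash))
```

The pseudonymised record is still personal data under the Act, because whoever holds the master key can link it back to the individual; the key therefore belongs with the organisation’s most tightly access-controlled secrets, which is what the ‘limiting employees’ access to the data’ measure means in practice.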


What is the role of a Data Protection Officer (DPO) and how do you choose one? (Data Protection Act 2020, p.30-32, s.20)

Not every data controller who processes personal data is required to appoint a DPO. However, the Data Protection Act (DPA) underscores the importance of organisations appointing one, and having a DPO can greatly assist in ensuring compliance with the DPA. Here are some of the key functions of a DPO.

• Advice: DPOs guide policy development and its implementation, promote staff awareness of data protection, and consult with the Information Commissioner on interpreting and applying DPA provisions.
• Data Protection Impact Assessments (DPIAs): DPOs lead the process of conducting DPIAs for high-risk data processing, assessing privacy impact and suggesting risk mitigation.
• Monitoring: DPOs regularly monitor the organisation’s data processing activities to assess their compliance with the data protection standards and recommend measures for remedying any non-compliance.
• Data Breach Management: DPOs investigate and manage data breaches, notify affected individuals, report to the Information Commissioner, minimise impact, and recommend preventive measures.

Here are some important considerations when selecting a DPO.

• Familiarity and Access: Deep knowledge of the organisation, its processes, and its sector, with unrestricted access to observe data processing activities in all areas.
• Legal Knowledge and/or Specialised Privacy Training: A deep understanding of data protection laws, regulations, and good practices to ensure compliance across all organisational levels.
• Audit or Compliance Experience: Skill in identifying data processing risks and analysing adherence to legal requirements and established protection procedures.
• Technical Skills and Independence: Understanding of IT and data security, and the freedom to report to the Information Commissioner any violations of the data protection standards.
• Excellent Communication Skills: Capability to foster a data privacy culture among employees and collaborate with stakeholders for a holistic, organisation-wide approach to data protection.


Obligations of Data Controllers under the Data Protection Act (DPA) (Data Protection Act 2020, p.32-33, s.21)

The Data Protection Act (DPA) of Jamaica is a critical framework for the responsible handling and protection of personal information. As stewards of personal data, data controllers play a pivotal role in safeguarding the privacy rights of individuals, ensuring compliance with legal standards, and fostering a culture of trust and transparency in Jamaica’s digital landscape.

• Data controllers who process personal data must register with the Information Commissioner; processing personal data without being registered is an offence.
• The DPA requires a data controller to have a DPO if it is a public authority, is directed to do so by a notice from the Commissioner, or processes sensitive personal data, personal data relating to convictions, or personal data on a large scale.
• A data controller must submit a DPIA covering all personal data in its control to the Information Commissioner within the first 90 days of each calendar year.
• Data controllers must comply with the 8 standards for processing personal data prescribed by the Act. These relate to fairness and lawfulness, purpose limitation, data minimisation, accuracy, technical and organisational measures, adequacy requirements for cross-border transfers, storage limitation, and respect for data subject rights in the processing of personal data.
• The DPA requires data controllers to report breaches or contraventions of the Act to the Information Commissioner within 72 hours of becoming aware of them, and to alert affected data subjects.


Who is a Large-Scale Data Processor? (https://oic.gov.jm/)

There are factors a data controller should consider to determine whether it qualifies as a large-scale processor and therefore needs to appoint a DPO.

• The volume (in terms of actual quantity) and/or variety (the range or number of different types) of personal data being processed. Example: insurance companies processing both health and financial information.
• The number of employees processing the personal data and/or the number of locations at which the data is processed. Example: Business Process Outsourcing (BPO) firms and financial institutions with hundreds of employees in branches island-wide.
• The geographical extent of processing, that is, whether local only or also regional or international. Example: airlines and travel agencies processing personal data of travellers in various countries.
• Whether the filing system is singular or complex, and/or the duration or permanence of the processing, including how long data is retained. Example: financial institutions storing customer data for several years to meet regulatory requirements and provide ongoing financial services.


What is Personal Data?

Personal data is any information relating to a person (a ‘data subject’) who can be identified, directly or indirectly, by reference to an identifier such as a name, an identification number, location data, or an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that person.

Who is a Data Subject?

A data subject is any individual who can be identified, directly or indirectly, via an identifier such as a name, an ID number, or location data, or via factors specific to the person’s physical, physiological, genetic, mental, economic, cultural, or social identity.

What is Considered Processing of Personal Data?

Processing of personal data means using personal data in any way, including collecting, storing, analysing, accessing, sharing, transmitting, and erasing it.

What is Consent?

Consent is any freely given, specific, informed, and unambiguous indication of a person’s wishes, by a statement or by a clear affirmative action, signifying agreement to the processing of their personal data.

Who is a Data Controller?

The data controller determines the purposes for which, and the manner in which, personal data is processed.


Stakeholders

A stakeholder is an individual or group that has an interest in any decision or activity of an organisation. Typical stakeholders include, but are not limited to, employees, contractors, trainees, regulators, and customers.

What is the role of the Data Protection Officer?

The Data Protection Officer (DPO) is responsible for, among other things, monitoring internal compliance with the Data Protection Act, informing and advising the organisation on its data protection obligations, providing advice regarding privacy assessments, and acting as a contact point for data subjects and the supervisory authority.

Does HEART share stakeholder information?

The HEART/NSTA Trust treats customers’ and members’ personal information as private and confidential and only shares this information where it is legally permitted to do so. The Organisation may disclose personal information to affiliated or non-affiliated third parties who provide services for employees, where this is necessary to meet contractual obligations or for the purposes of legitimate interests. The Trust will also disclose information, where necessary, to comply with any legal obligation to which the organisation is subject, e.g., disclosure to a regulatory body.

What are stakeholder rights under the JDPA?

The JDPA gives stakeholders five rights over their personal data, subject to certain conditions. These are the rights:
• of access to personal data
• to consent to processing
• to prevent processing
• in relation to automated decision-making
• to rectification

How long does the HEART/NSTA Trust keep stakeholders’ information?

The Trust will keep stakeholders’ information for as long as there is an active record with the organisation, and thereafter for the specified time required to satisfy any legal obligation to retain records.


The HEART/NSTA Trust is committed to protecting the privacy rights attached to personal information.

Excerpts were collated from:
• https://oic.gov.jm/
• https://www.jngroup.com/
• Data Protection Act of Jamaica
• HEART Records and Information Management Policy

This publication is endorsed by the University of the West Indies (UWI) Data Protection Office.

