Like most legislations, the Data Protection Act (the Act) recently passed in the Senate with little reaction from the public. The Act, however, has far-reaching consequences not only for organisations who handle the personal data of others, but also for the regular Joe, who can now make demands in respect of the use of his personal data. Grave concerns about aspects of the Act aside, this edition of Legal Scoop will strive to provide a simplified overview of the Act from the vantage points of both those who process personal data and those whose personal data are processed.
To begin with, the Act applies to personal data only as distinct from organisational data. The Act defines personal data as information about a living person or a deceased person – who has been dead for less than thirty years – from which the person can be identified.
To fall under the purview of the Act, the “personal data” must be “processed” by an individual whom the Act describes as a “data controller.” A data controller can be a living person or a public authority. The data controller is the person who, either alone or jointly with others, determines the purpose for which any personal data are to be processed. Thus, a data controller could be as small as the “banker” in a small “pardner” who collects and stores names, phone numbers, email addresses of the participants; or medium-sized, such as a store that collects the email addresses and phone numbers of customers who buy shoes from them; or as big as a mega financial institution that collects all kinds of personal data from customers.
Unless excluded by the minister, or otherwise, a data controller must be registered with the data commissioner to process personal data. A data controller who processes personal data without being registered commits an offence and is liable to a fine not exceeding two million dollars or to imprisonment for up to six months.
To fall within the tenets of the Act, a data controller must “process” the personal data. The definition of “processing” is quite wide and involves almost any conceivable use of the personal data, including obtaining, recording, storing, organising, consulting, or using the data.
It goes without saying that the Act applies to data controllers established in Jamaica. A data controller does not have to be established in Jamaica, however, for the Act to apply. For instance, the Act applies to a data controller who though not established in Jamaica, processes the personal data of someone in Jamaica for the purpose of offering that person goods or services. Given the definition mentioned before, an online company, such as Amazon.com, which processes the personal data of persons in Jamaica to the end of offering them products or services, but is established elsewhere, would presumably qualify as a data controller for the purposes of the Act.
The Act grants various rights to those persons whose personal data have been processed (data subjects). These rights are summarised below.
Right of Access – A data subject has the right to request that a data controller provide him with access to any personal data that the data controller may have for him in the data controller’s possession. The data subject even has the right to request the sources who provided the personal information. The Act provides various exemptions to this right, however, including exemptions for national security, law enforcement, taxation and journalistic purposes, amongst others. Unless there are justifiable grounds limiting compliance, a data controller must provide the information requested within 30 days or face serious penalties.
Right to prevent processing – A data subject also has the right to require a data controller to cease processing or not to begin to process his personal data. The request should be in writing and should state one of the grounds set out in the Act. The grounds include that the processing of the data would likely result in substantial damage or distress or is incomplete or irrelevant.
Right to request that errors be rectified – A data subject can also request that a data controller rectify an error in his/her personal data
The Act sets out seven standards that data controllers must observe in the processing of personal data. Failure to observe these standards expose the data controller to harsh penalties of up to seven years in prison and uncapped fines. The standards are summarised below
Personal data shall be:
1. Processed fairly and lawfully.
2. Obtained only for one or more specified and lawful purposes and shall not be further processed in any manner incompatible with those purposes.
Thus a telecoms provider who uses or sells your personal data to third parties who then annoys you with ads can now be called to book for such sharing of one’s personal data.
3. Adequate, relevant, and limited to what is necessary for the purposes for which they are processed.
4. Accurate, and where necessary, kept up to date.
5. Processed in accordance with the rights of data subjects under this Act.
6. Personal data processed for any purpose shall not be kept for longer than is necessary for that purpose; and
7. Appropriate technical and organisational measures shall be taken:
a. against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data;
b. to ensure that the Commissioner is notified, without any undue delay, of any breach of the data controller’s security measures which affect or may affect any personal data.
The seventh standard, above, has enormous implications for organisations, especially. Satisfactory systems should be put in place to ensure that personal data are accessed only by those authorised to and to prevent unauthorised sharing (such as accidental emailing).
The Data Protection Act must be taken seriously even if for no other reason than that the penalties under the Act are quite staggering. Where a company, for instance, commits an offence under the Act, that company, in addition to any other penalty, shall be liable to a fine not exceeding four per cent of the annual gross worldwide turnover of the company for the preceding year of assessment. Directors, secretaries, management personnel, and others found wanting, are also liable to be punished in addition to the offending Company.
- Shena Stubbs-Gibson is an attorney-at-law and a legal commentator. Send feedback to shena.stubbs@gleanerjm.com or follow her on Twitter: @shenastubbs. This column is printed every other week.
