Getting Ready to Meet Data Protection Standards

Data has become an increasingly sensitive and protected resource in the rapidly expanding digital world of the Information Age. The European Union’s General Data Protection Regulation (GDPR), which came into force on May 25, 2018, is one highly visible manifestation of the international movement towards protecting data.

GDPR has in the past year caught the attention of many Jamaican businesses, as they seek to determine whether they fall within its express extra-territorial application and, if so, what obligations they must comply with to avoid significant financial penalties. However, the move towards enforced standards of data protection is also being locally manifested in the form of a bill tabled in Parliament in October 2017, which if passed would become the Data Protection Act, 2017 (the Bill). Accordingly, data protection standards will inevitably become a concern for Jamaican businesses, even where GDPR does not apply.

The Bill, since being tabled in the House of Representatives, has not progressed beyond the stage of being considered by a Joint Select Committee of Parliament (which last met on March 27, 2018). However, as indicated in the Bill’s Memorandum of Objects and Reasons, Jamaica’s treaty obligations (as part of CARIFORUM) under the Economic Partnership Agreement entered with the EU in 2008 (the EPA), require it to “establish appropriate legal and regulatory regimes, in line with high international standards, with a view to ensuring an adequate level of protection of individuals with regard to the processing of personal data”. Accordingly, irrespective of the ultimate length of its legislative gestation, the passage of this Bill into law is simply a matter of time.

Local enterprises would therefore be well advised to ascertain whether the Bill, if passed, would impact their businesses, and if so to begin the process of preparing to meet the data protection standards that are likely to be imposed. Whereas there are likely to be several changes to the Bill in its current form before it is passed into law, general guidance can be gleaned from the Bill’s Standards for Processing Personal Data as to the data protection standards that will need to be met by any firms to which the legislation will apply.

These standards are not likely to be changed significantly, as they are seemingly based on EU data protection standards (e.g. all 7 of the EU’s GDPR data protection standards / principles are included amongst the 8 Standards for Processing Personal Data prescribed in the Bill), presumably to comply with the requirement under the EPA for Jamaica to implement legal and regulatory data protection regimes “in line with high international standards”. As such, local entities can confidently begin to prepare for the eventual promulgation of the data protection legislation by seeking to meet these standards.

The Bill applies to the processing of personal data, defined as data relating to a living individual who can be identified from the data, or from the data and other information in the possession or likely to come into the possession of a data controller. A data controller is the person (natural or legal, including public authorities) who, alone or in conjunction with others, determines the purposes for which and the way any personal data are, or are to be, processed. The Bill defines processing as obtaining, recording or storing information or data, or carrying out any operation or set of operations on the information or data. It is apparent from these brief definitions that the Bill will apply to many types of business operations when it comes into law.

The Bill seeks to impose the following eight data protection standards for processing personal data.

  1. Personal data must be processed fairly and lawfully (sections 22-24), which essentially amounts to ensuring that the consent of the data subject (i.e. the person to whom the personal data relates) is obtained prior to processing the data or that there is a legitimate basis for the processing.
  2. Personal data is only to be obtained for specified purposes and is not to be processed for any other purposes (section 25).
  3. Personal data is to be adequate, relevant, and not excessive in relation to the purpose for which it is to be processed (section 26), essentially preventing data controllers from obtaining more information from data subjects than is necessary for the intended processing purposes.
  4. Personal data must be accurate, and, where necessary, kept up to date.
  5. Personal data must not be kept for longer than is necessary to satisfy the intended processing purposes and must be disposed of in accordance with regulations to be promulgated under the legislation.
  6. Personal data must be processed in accordance with the rights of data subjects under the legislation.
  7. Personal data is to be protected by taking the appropriate technical and organizational measures and by prompt notification of security breaches to an Information Commissioner to be established under the legislation.
  8. Personal data must not be transferred outside Jamaica to another state without adequate levels of data protection for Jamaican data subjects.

Breach of certain provisions of the legislation will constitute criminal offences attracting penalties both for corporations and individual corporate officers. The Bill includes a transitional provision (section 77) by which data controllers are required to take all necessary measures to ensure full compliance with the legislation, especially the data protection standards, within a year after the commencement of the legislation (the transitional period).

However, this provision stipulates that no proceedings may be taken against a data controller in respect of any data processing done in good faith during the transitional period. Notwithstanding the transitional provision, Jamaican businesses which handle personal data would be well advised to begin adopting and implementing the above listed data protection standards now, in order to satisfy international best practices for the protection of data as well as to be ready to comply with the Data Protection Act, 2017 when it eventually comes into force.

This article is intended to provide general information only and is not to be relied on in place of legal advice.

Mr. Courtney Bailey is an Attorney-at-Law in the Kingston office of the law firm DunnCox, located at 48 Duke Street, Kingston. You may contact him at courtney.bailey@dunncox.com
