The Data Protection Act, 2020 (the DPA) was recently passed by Jamaica’s Parliament. After it receives the Royal Assent, it will come into operation on a day to be appointed by the Minister of Science, Energy and Technology by notice published in the Gazette.
The Act’s primary obligations are imposed on data controllers. A data controller (as defined in the DPA) is any person or public authority who, either alone or with others, determines the purposes for and manner of processing personal data. In the DPA, personal data means information relating to individuals who are either alive or have died less than thirty years earlier, and who can be identified solely from the personal data in question, or in combination with other information in the data controller’s present or likely future possession. “Process”, in relation to personal data, is defined in the DPA as obtaining, recording or storing the information or personal data, or carrying out any operation or set of operations on the information or data.
Given the scope of these definitions, many business operators and public authorities will be considered data controllers and therefore will be subject to the obligations imposed by the DPA. Such persons should therefore begin familiarizing themselves with the provisions of the DPA.
In fact, the Act requires data controllers to take all necessary measures to ensure full compliance with its provisions, especially the data protection standards, within two years from when it comes into operation. Additionally, the DPA imposes a duty on data controllers to comply with the Act’s data protection standards in relation to all personal data for which they are data controllers. Contravention of any of the data protection standards will be an offence punishable by significant fines or imprisonment.
Given these provisions, data controllers may wish to begin familiarizing themselves with their obligations under the DPA by understanding the data protection standards. This article is the first in a series which seeks to provide a rudimentary explanation of the 8 data protection standards established by the DPA, and begins by considering the first standard.
The first data protection standard is that personal data must be processed fairly and lawfully.
In the context of the DPA, “fairly” means that the personal data is legitimately obtained, and the individual who is the subject of the personal data (the “data subject”) is informed about the processing. In determining whether personal data are processed fairly, the method by which the data are obtained must be considered, including whether the person from whom the data are obtained is deceived or misled as to the purpose for processing.
The Act also provides that personal data are not to be treated as processed fairly unless obtained from the data subject directly or from a person authorized in writing to provide it, and the data controller ensures the data subject is provided with specific information. This information includes the identity of the data controller, the purpose of the processing, the expected period of retention of the personal data and the identity of any third party that the data controller contemplates disclosing the data to. This information must be provided at the time when the data controller first processes or seeks the personal data (whichever is first), and in any case before making disclosure to a third party.
The second element of the first data protection standard, “lawfully”, means that there must be a legal basis for the processing. Section 23(1) of the DPA sets out the different legal bases on which personal data may be processed. Any processing of personal data must satisfy at least one of the following 7 conditions to be lawful:
- the data subject consents to the processing;
- the processing is necessary:
  - for the performance of a contract to which the data subject is a party or for the taking of steps with a view to entering into a contract;
  - for compliance with any legal obligation to which the data controller is subject;
  - in order to protect the vital interests of the data subject;
  - for the administration of justice, the exercise of any functions conferred by or under any enactment, or for the exercise of any other functions of a public nature exercised in the public interest;
  - for the purposes of legitimate interests pursued by the data controller or by any third party to whom the personal data are disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject;
- the data subject has published the personal data concerned.
Section 22(1)(a) of the DPA provides that personal data shall not be processed unless one of the 7 conditions listed above is met. Accordingly, if a data controller is unable to identify a lawful basis for the processing of personal data from the list above, the processing would be illegal.
It should also be noted that at least one of a different list of conditions must be met for the lawful processing of sensitive personal data, which includes information about the data subject’s race, political opinions, religious beliefs, health and sex life, and their biometric and genetic data.
Business operators who are data controllers under the DPA should seek legal advice as to the lawful basis on which they are processing personal data in order to avoid contravention.
This article is intended to provide general information only and is not to be relied on in place of legal advice.
Mr. Courtney Bailey is an Attorney-at-Law in the Kingston office of the law firm DunnCox, located at 48 Duke Street, Kingston. You may contact him at Courtney.bailey@dunncox.com.