In two previous articles we considered five of the data protection standards established by the recently passed Data Protection Act, 2020 (the DPA). In this final installment we will briefly explore the remaining three standards.
“The sixth standard is that personal data shall be processed in accordance with the rights of data subjects under” the Act (s. 29 DPA). This means that data controllers will need to process personal data in keeping with the rights conferred on data subjects in Part II (ss. 5-13) of the DPA.
Section 29(2) of the Act specifies that a person will be regarded as contravening this standard only if they:
- fail to supply information in response to a request from an individual under s. 6 (which includes requests to be informed whether that individual’s personal data is being processed by or for that data controller, for descriptions of such personal data, the purposes for which it is being processed and the persons to which it is disclosed, and to be provided with the information and its source);
- process personal data for direct marketing purposes without obtaining the consent required under s. 10(1);
- fail to comply with a notice issued by an individual under s. 11(1) requiring the data controller not to process personal data in relation to that individual;
- fail to comply with notices issued by individuals under s. 12 in relation to automated decision making.
In effect this standard gives teeth to the data subject rights conferred by ss. 6 and 10-12, by making the breach of these rights an offence liable to punishment by fines and imprisonment pursuant to s. 21.
The seventh standard requires, firstly, that appropriate technical and organizational measures be taken against unauthorized or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data. Secondly, it imposes a duty on data controllers to ensure that the Information Commissioner is immediately notified of any breach of the data controller’s security measures affecting any personal data. Additionally, the data controller shall take reasonable steps to ensure that its agents and employees who have access to the personal data are aware of, and comply with, the relevant security measures.
Section 30(2) of the DPA stipulates that having regard to the state of technological development and the cost of implementation, the required technical and organizational measures should ensure a level of security appropriate to (a) the harm that might result from unauthorized or unlawful processing or accidental loss, destruction or damage to personal data, and (b) the nature of the data to be protected.
This standard therefore requires business operators to identify the available technology to protect personal data in their possession against security breaches, and to utilize the most appropriate technology having regard to cost, risk and the nature of the data being protected.
Section 30(6) of the DPA provides that the technical and organizational measures to be taken by data controllers in order to comply with the seventh standard include: (a) pseudonymization and encryption of personal data; (b) systems to safeguard the ongoing confidentiality, integrity, availability and resilience of processing systems and services; (c) backup and restoration systems; (d) a system for testing and evaluating the effectiveness of existing technical and organizational measures; and (e) whatever measures are necessary to ensure adherence to the technical and organizational requirements specified in the DPA.
Earlier this year two Jamaican financial institutions suffered data security breaches in which client information was leaked or stolen. If similar events were to occur after the DPA comes into operation, this could amount to a contravention of the seventh standard if the data breaches in question could be traced to a failure to implement available technical and organizational measures appropriate to the nature of the data compromised.
It should also be noted that where a data controller outsources the processing of personal data to third-party data processors, this will not relieve it of its obligation to meet the seventh standard. To comply with the seventh standard in such circumstances, the data controller must choose a data processor who provides sufficient guarantees in respect of the technical and organizational security measures governing the processing to be carried out and the reporting of security breaches to the data controller. Even after doing so, the data controller must still take reasonable steps to ensure compliance with those measures. Additionally, the data controller must ensure that the processing is carried out under a written contract by which the data processor is to act only on instructions from the data controller.
The eighth and final standard is that personal data shall not be transferred to a State or territory outside of Jamaica unless that State or territory ensures an adequate level of protection for the rights of data subjects in relation to the processing of personal data. This provision will be significant to business operators who conduct some of their data processing overseas, either because of outsourcing to foreign entities or because this function is carried out in head offices or centralized I.T. departments located overseas.
Entities that find themselves in this position will need to seek legal advice to determine whether the data protection standards of the relevant state provide an adequate level of protection to data subjects based on factors outlined in s. 31(2). Alternatively, they could seek advice as to whether they could bring themselves within the exemptions provided under s. 31(4), which include the consent of the data subject to the transfer of the data.
This article is intended to provide general information only and is not to be relied on in place of legal advice.
Mr. Courtney Bailey is an Attorney-at-Law in the Kingston office of the law firm DunnCox, located at 48 Duke Street, Kingston. You may contact him at Courtney.bailey@dunncox.com.