Julian Robinson | Aggressive public education campaign needed for Data Protection Act

The Government is being urged to implement an aggressive public education campaign to inform persons of their rights under the Data Protection Act.

The call was made by Member of Parliament for South Eastern St Andrew Julian Robinson in his contribution to the debate on the Act in Parliament on Tuesday.

Following is the full text of the presentation by Robinson, who is also Opposition spokesman on science and technology.

We on this side of the aisle support and commend the passage of the Data Protection Act. This legislation is critical in defining the rights of data owners, who and how their data can be accessed and utilised, and penalties and fines for the abuse and misuse of their data.

Data Protection within the context of the Government’s CARE programme

Since the advent of COVID-19, the Government of Jamaica has launched a programme to assist individuals and businesses who have been adversely affected as a result of the downturn in our economy. Close to 500,000 Jamaicans have applied to the Government for assistance under the CARE Programme. In completing their applications, they have submitted personal information, such as name, address, occupation, telephone number, email address, place of work.

Under the data protection legislation, this data is owned by the person who submitted it and can only be used for the purpose for which it was collected.

Section 25 – (1) The second standard is that personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with those purposes.

It would be an offence under the Data Protection Act, to share this data with a third party without the consent of the data subject and for the data to be used for any other purpose other than the one which it was collected under.

Section 24D (iv) does not involve disclosure of the personal data to a third party without the consent of the data subject.

Section 24K (6) – For the avoidance of doubt, a data subject may at any time withdraw consent to the processing of any sensitive personal data in respect of that data subject.

The Information Commissioner

A critical new feature of this legislation is the establishment of an oversight committee which will hold the information commissioner accountable. The information commissioner will have enormous powers, and it is important that there is a body that oversees its work. While the information commissioner will report to Parliament, many of the parliamentary oversight committees have not been effective in holding these office holders accountable. It is hoped that this hybrid model will be effective.

The commissioner shall be subject to the oversight of the Data Protection Oversight Committee, in accordance with Part II of the First Schedule.

Data Protection Oversight Committee

(1) There is hereby established a Data Protection Oversight Committee (in this Act referred to as the ‘Committee’).

2) The objective of the committee shall be to hold the information commissioner accountable to the public in the performance of the commissioner’s functions under this Act.

(3) The committee shall consist of the following persons appointed as members by the governor general, upon the recommendation of the prime minister after consultation with the leader of the Opposition –

(a) A retired judge of the Supreme Court;

(b) An attorney-at-law having expertise in the area of data protection or privacy rights;

(c) A person representing the interests of data subjects;

(d) A person representing the interests of data controllers; and

(e) Three other persons having expertise in any one or more of the following areas:

(i) information communications technology; (ii) finance; (iii) governance and public administration.

Another new feature of the legislation is the seven-year appointment of the information commissioner, which ensures the appointment is not tied to, or subjected to, a single political term of office of five years. This should give the information commissioner a greater sense of independence from the political directorate.

2. (1) Subject to the provisions of this paragraph, the Commissioner shall hold office for such term not exceeding seven years as may be specified at the time of the commissioner’s appointment, and shall, subject to sub-paragraph (3), be eligible for re-appointment on the expiration of that term.

Consent for directing marketing (Opting in vs opting out)

A feature of the Data Protection Act is the requirement that an individual has to explicitly consent to become the recipient of direct marketing programmes. In other words, even if you have provided your personal information to a company for access to free Wi-Fi, for example, or having used the product or service of a company, you would still need to explicitly state you are willing to receive directing marketing.

10. (1) A data controller shall not process personal data of a data subject for the purpose of direct marketing unless the data subject – (a) consents to the processing for that purpose; or (b) is, subject to subsection (4), a customer of the data controller.

(4) A data controller may, pursuant to Subsection (1)(b), only process the personal data of a data subject who is a customer of that data controller:

(a) if the data controller has obtained the contact details of the data subject in the context of the sale of any goods or services;

(b) for the purpose of direct marketing of the data controller’s own similar goods or services; and

Consent required for direct marketing.

(c) if the data subject has been given a reasonable opportunity to object, free of charge and in a manner free of unnecessary formality, to such use of that data subject’s personal data – (i) at the time the personal data was collected; and (ii) on the occasion of each communication with the data subject for the purpose of direct marketing if the data subject has not refused such use.

Data Protection legislation and NIDS

One of the issues that arose in the Supreme Court ruling on NIDS was the absence of data-protection legislation. While it was not explicitly stated, the promulgation of data-protection legislation is an important prerequisite to the passing of a new NIDS.

As we contemplate a new NIDS, we must be guided by provisions in our new Data Protection Act. One is Section 26.

Section 26. The third standard is that personal data shall be adequate, relevant, and limited to what is necessary for the purposes for which they are processed.

One of the most effective ways to ensure that the Data Protection Act is implemented well is for all citizens to know what their rights are under the Act. I am therefore calling on the Government to implement an aggressive public education campaign to inform persons of their rights. Concurrently, institutions need to be aware of their obligations and requirements under the Act.

I wish to commend the current minister, Fayval Williams, for her dedication and commitment to getting the work of the committee done. I also wish to commend the technical team led by Wahkeen Murray and Kaydian Smith from MSTEM, the chief parliamentary counsel, the solicitor general and team from the AG’s Department, the Legal Reform Department, and the other civil servants who worked on this groundbreaking legislation.

I would also like to thank the many stakeholder groups who took the time to read and make comments on the bill.

The parliamentary process of utilising joint select committees ensures broad-based consultation and participation in the development of legislation. I expect the same process will be utilised when the new NIDS Bill is brought to Parliament.