Cygale Pennant | Data Protection Act – a practical perspective
The Data Protection Act came into force on December 31, 2023. It is still early days, and many people are unsure, and some apprehensive, about what this act entails.
The act broadly covers all, whether you are the private owner of a business or an organisation that processes, records, or stores the personal data of persons. This can be a pharmacy, a doctor’s office, a financial institution, a telecommunications company or a law office.
There has been talk about the Data Protection Act. People are aware that they are affected, but they may not understand how or why. A greater concern is that, by all indications, the advent of this legislation means that business owners will now be required to add another staff member (a data protection officer) to their payroll.
Daunting, it may seem. However, should people analytically assess what this legislation seeks to do, they will see that it is here to protect everyone.
In today’s technological landscape, and the niceties of operating in the “cloud”, we have unwittingly granted a large cross section of persons access to our personal data. It follows that there ought to be a mechanism in place that holds those with access to our personal data accountable, and this is what the Data Protection Act seeks to do.
Even the Government has not escaped accountability as it, too, is bound by the act’s provisions. The increase in the digitisation of certain social and economic infrastructure to enhance the delivery of public and welfare services – such as the National Health Fund Quick Prescript App and the move towards direct deposit of pensions – has resulted in the use of new digital technologies aimed at identity management. Although beneficial, this has nonetheless resulted in an increase in the flow of personal data in the digital landscape. The Government is therefore also mandated to ensure that robust standards of privacy are maintained.
Notably, in addition to securing the confidentiality of personal data in the possession of both public and private entities, one of the main catalysts that urged the implementation of the act is inseparably linked to the issue of trust and establishing Jamaica as a formidable partner for trade.
Jamaica is a part of the Caribbean Forum (CARIFORUM), a subgroup of the Organisation of African, Caribbean and Pacific States, and it serves as a base for economic dialogue with the European Union.
On October 15, 2008, Jamaica became a signatory to The CARIFORUM-European Union Agreement (EPA), a region-to-region trade and development agreement. The EPA provides for immediate duty-free access to the European Union market for specified goods.
Inextricably linked to the execution of this agreement is an increase in transborder flow of personal data. Therefore, signatories to the EPA are mandated to establish an appropriate legal and regulatory regime, conforming to existing international standards so as to ensure a vigorous standard of privacy around the world.
Articles 119, 197, and 198 explicitly outline some of the terms of the agreement:
– Article 119 - the parties agree that the development of electronic commerce must be fully compatible with the highest international standard of data protection in order to ensure the confidence of users of electronic commerce.
– Article 197 - the Parties and the Signatory CARIFORUM States recognise the importance of maintaining effective data-protection regimes as a means of protecting the interests of consumers, stimulating investor confidence, and facilitating transborder flow of personal data.
– Article 198 - Appropriate mechanisms shall be in place to ensure compliance with the rules, including a high degree of awareness among data controllers of their obligations, and among data subjects of their rights and the means of exercising them; the existence of effective and dissuasive sanctions, and systems of direct verification by authorities, auditors, or independent data-protection officials.
The Data Protection Act is an execution of Jamaica’s international obligations and secures Jamaica’s seat at the globalised trade table as a nation serious about the privacy rights of individuals both domestic and international. The benefits are that implementation of the act primarily results in the expansion of our markets and the granting of access to goods and services that may not be readily available. Ultimately, it will lead to more competitive pricing and cheaper goods to consumers, especially as we inch closer to Vision 2030.
BENEFITS
Despite the international considerations that catapulted the Data Protection Act, there are simultaneous benefits to us as private citizens and private entities.
1. It helps to build trust
In today’s world, we are increasingly aware of our right to privacy and the right to the protection of our personal data.
Mismanagement of personal data can quickly damage an organisation’s reputation and undermine the trust an individual may have. An organisation that demonstrates excellent compliance with the Data Protection Act is more likely to retain users or customers.
2. Data Protection as a brand
An organisation known for its services, as well as its diligent approach to data protection, is more likely to retain customers.
3. It prevents fraud and cybercrimes
Implementing strong data-protection measures protects not only an individual’s or a customer’s personal data, but also an organisation’s data. It thereby avoids considerable problems that may damage an organisation’s reputation or confidential information.
The increase in the reported cases of serious cyber breaches at some of our financial institutions cannot go unnoticed. We have been granted a direct view of the debilitating psychological and economic effects of cyber-attacks, and each report erodes confidence in our financial institutions.
4. It saves money
Dealing with the aftermath of a breach of personal data, such as a cyber-attack, is costly; as a business owner, you will be mandated to pay fines and damages to victims. To reduce the risk of being faced with this predicament, strict adherence to the Data Protection Act is key.
OBLIGATIONS
• Register the organisation or business with the Information Commissioner. A data controller that processes personal data without registration commits an offence and, if convicted, will be made to pay a fine of up to two million dollars or face imprisonment for six months.
• Nominate a Data Protection Officer, whose main functions include ensuring that the data controller processes personal data in compliance with the data protection standards. The legislation establishes eight standards outlined in Section 22 to Section 31.
• The Particulars of the Data Protection Officer must be given to the Information Commissioner.
• Annually submit a Data Privacy Impact Assessment for all personal data in the custody or control of the data controller.
• Implement a Data Breach Policy. As a Data Controller, any security breach that affects or may affect personal data must be reported to the Commissioner within 72 hours of becoming aware of the data breach.
FAILURE TO COMPLY
A Data Controller has a duty to comply with the Data Protection Standards and to report breaches to the Commissioner within 72 hours after becoming aware. Failure to do this amounts to an offence, and if convicted before a parish court, the data controller may have to pay a fine of up to $2 million or spend a maximum of two years in prison.
The punishment before the Circuit Court is even more severe, as the maximum term of imprisonment is seven years and the Circuit judge is empowered to administer any fine that he or she deems fit.
Be on the right side of the law. Data protection matters; data that falls into the wrong hands harms people, businesses and organisations.
Cygale Pennant is crown counsel at the Office of the Director of Public Prosecutions, Cyber Crimes Unit. Send feedback to columns@gleanerjm.com