Technology in Focus | Protecting personal data in Jamaica

Lost in the controversy surrounding the National Identification System and the legal challenge to the act on which it was pinned was another critical piece of legislation, the Data Protection Bill. Arguably just as important for everyday life in Jamaica, the bill was designed to protect personal data and help govern how it is used.

Many Jamaicans have suffered from some form of data theft, including the stealing of credit card details, and the country has also developed an unenviable reputation for fraud internationally because of the lottery scam.

Meanwhile, a global scandal about data misuse has damaged the reputation of a company which many Jamaicans spend hours daily interacting with – Facebook, which also owns Instagram and WhatsApp.

Data protection legislation is already in place in several countries and regions in which Jamaican companies do business, including the European Union (EU). In the EU, citizens’ data are protected by the General Data Protection Regulation, under which large companies such as British Airways and Marriott were recently fined US$230 million and US$123 million, respectively, for breaches.

EVERYONE IS AFFECTED

These events add to the significance of the local Data Protection Bill, which was tabled in Parliament in 2017 and is being reviewed by a reconstituted joint select committee of Parliament. The bill provides new rights of protection for citizens, such as the right of consent for your data to be collected; the right to know and choose when an organisation is processing data about you; and the right to prevent your data being processed for direct marketing purposes.

“Everyone needs to care about this bill. Now, more than ever before, our participation in society is managed digitally,” said executive director for Jamaicans for Justice, Rodje Malcolm. “Our personal data is used to identify us, determine what services we receive, what products are marketed to us and even how we are monitored, [including] who we communicate with.

“Increasingly, we hear about data breaches, misuse of personal data, and the selling of people’s personal information for commercial purposes. Without laws to protect our personal data and give people autonomy about how and when their data is used or shared, Jamaicans will continue to be at serious risk in an increasingly digital world,” he said.

“This bill is everybody’s business,” Malcolm insisted.

While the Data Protection Bill had generated some debate months ago, not all relevant sectors made submissions to Parliament in response. Media interests have, perhaps, been the most vocal, expressing concern over provisions that could hobble the Fourth Estate in pursuing and bringing certain issues to light in the nation’s interest.

 

Collin Burgess, IT infrastructure manager at MC Systems, believes many Jamaican businesses and citizens are not yet seeing data protection as a priority. And they could eventually open their eyes too late, he warned.

Burgess said that under the legislation, companies could be fined for data leaks or abuse of customers’ personal data.

“All of us, as Jamaicans, can benefit from a culture whereby personal data is not viewed as a limitless resource to be exploited. Regardless of legislation, it is good business practice to be respectful of the data we hold. That means, we should consider this each and every time we decide to contact our customer database, because abuse of data and [lack of] consent means that Jamaicans sometimes feel unduly spammed, whether by direct marketing or from following an entity which ‘over-posts’ on social media,” he added.

In finalising the bill, legislators should consider keeping up with changes in technology, while balancing the objective of protecting the individual’s right to data protection, without placing unreasonable restrictions on businesses.

The bill defines ‘individuals’ as ‘data subjects’, and ‘organisations’ as ‘data controllers’, for which it would need to register and file annual returns with the information commissioner in a similar manner that it would originally have been done with the Companies Office of Jamaica.

 

 

Name: Ricardo Brown, farmer

Scenario: Wanting to expand his farming business, Ricardo applies for a loan from a credit union, which pulls his farmer registration information from the Rural Agricultural Development Authority (RADA) to make its decision. However, Ricardo knows that he has not spoken to RADA in four years and his data are outdated.

 

How Ricardo will be affected

• Ricardo can request that his credit union tell him whether they have made a decision based solely on automated processing of data from RADA. After being notified, Ricardo has 21 days to require that they reconsider and make a new decision on another basis.

• Ricardo can request that his credit union not make a decision solely based on automatically processing his data from RADA and instead allow him to provide his updated data.

 

Name: Collette Simpson, entrepreneur

Scenario: Collette is an entrepreneur who previously ran a business selling designer sandals. She is now looking to start a new business to provide catering services and wants to market to her previous customer base.

 

How Collette will be affected

• Collette will need to update her registration information with the information commissioner, indicating what data she will collect and how she will use it.

• She will also need to get consent from her customers before she can start marketing her catering service to them.

• If a former customer indicates that he or she does not want to receive information about her new business, she cannot send marketing information to them.

 

Name: James Johnson, former drug addict

Scenario: James received services from a local non-governmental organisation (NGO), which helped him overcome a drug addiction. Now trying to move on with his life, he is worried that the information he shared with the NGO could resurface elsewhere and affect his job prospects.

 

How James will be affected

• He can request that the NGO disclose what personal data it holds about him, how the data will be used, and with whom it has been shared.

• He can also request a copy of this data.

• In addition, he can reject any previous consent he may have given to the NGO to use his data internally or share his data with other entities.

 

Name: Tarik Johnson, tech star

Scenario: Tarik wants to launch a new online dating service and wants to test his product prototype with Jamaican consumers.

 

How Tarik will be affected

• Before he can collect personal data, Tarik must register with the information commissioner. In doing so, he must provide, among other details, specific information about what data he will collect and appoint a data protection officer.

• When signing up new customers, he must communicate to them why the data are being collected and how they will be used.

• In storing data in the cloud, he must select hosting services in jurisdictions that have equivalent data protection to Jamaica. He cannot share their data to jurisdictions that lack similar protections without first obtaining the consent of his users.

• If his service gets hacked or the data are compromised, Tarik must notify the information commissioner and, potentially, all his users.

Information provided by SlashRoots Foundation, a civic tech organisation.