JCC wants clarity on data protection bill, three-year implementation
Melanie Subratie, chair of the legislation and regulations committee of Jamaica Chamber of Commerce and CEO of Stanley Motta, accedes to the need for a data protection law, but says the powers of proposed commissioner needs to be clarified and a suitable time table set for implementation of the legislation once the bill is enacted.
The draft Data Protection Act is currently under review, and the JCC rep is suggesting at least three years for implementation once it passes into law.
“The JCC also wishes to participate in a consultation process on the codes of practice. We want to get this right. We want to ensure that Jamaica has the right laws in place that are proportionate to smaller companies which have five or six persons,” said Subratie on Thursday at a breakfast seminar on the bill hosted by the business group.
“So we are hoping for a period of consultation and that the government will help us in developing that,” she said.
The Data Protection Bill introduced in Parliament in October 2017 is based on the European Union General Data Protection Regulation, the GDPR, which itself took effect last Friday, May 25, after a gestation period of three years.
Andrea Kinach, a partner in the law firm Patterson Mair Hamilton, who made a special presentation on the Jamaican legislation at the seminar, said the bill embodies the need to protect individual right to privacy.
The law aims to create a new regime with a Commissioner of Information as overseer who will in turn report to the Ministry of Science, Energy & Technology. The Office of the Commissioner will produce a Data Controller Registry for individuals within companies who are responsible for processing information, such as for bank accounts, medical information and payment details.
The data collected also covers biometric data, racial and ethnic origin, religious and political affiliation, as well as the commission of any offence.
The bill extends to information collected through electronic processing.
“Any organisation that keep records, including medical or credit, are subject to the bill,” said Kinach.
The legislation defines a data controller as anyone involved in any kind of processing that results in the collection of information, either specific or anonymous. Specific information directly identifies an individual, while anonymous information may have sufficient characterisations to identify the individual.
The acquired data, said Kinach, should be solicited for lawful and fair purposes, and if obtained for one reason, should not be used for another.
“Data requests must be adequate, relevant and not excessive,” she said. Data should also be adequate and kept up to date, and the information should not be stored for longer than necessary.
Kinach said data collected cannot be transmitted outside of Jamaica, as proposed under the bill, unless it is being sent to a jurisdiction where an equivalent data protection law exists.
“Your trading partners,” she commented, “may start sending you waivers and indemnities."
Data controllers are expected to disclose where they are keeping and transmitting data. They will pay both a registration fee and an annual fee to the Commission. Failure to register will attract a fine of $2 million or imprisonment not exceeding five years.
Registered data controllers are expected to self report, disclosing to the Commission any breaches of the act and compensation to be awarded to persons affected. The bill provides protection for living persons only, not those who are deceased.
Breaches include unfairly obtaining and disclosing personal data.
Kinach said the draft code sets separate levels of civil and criminal penalties with fines ranging from $500,000 to 10 per cent of gross annual revenue
Companies are expected to have compliance systems, and need to nominate a compliance officer who is independent and not an employee, to avoid collusion, the lawyer said.
Regulated companies may lose their licence if found to be in breach of the data protection law, and will need to assign data protection officers to avoid that outcome, she said.
Subratie and Kinach both spoke of the need for a suitable time frame to implement the law.
“The EU took three years to get to this point. I think we should have at least a three-year implementation period for the Data Protection Act while we try to figure the right way to go about it,” said Subratie.
The Jamaica Chamber also wants clarifications on the exceptions to registration, as well as the powers the law will convey.
“Any individual who handles information, no matter how innocuous is subject to the draft bill. This relates to both companies operating for profit and nonprofits. All data controllers must register. For the purposes of small commercial companies, associations and clubs, some urgent clarity and maybe exemptions is desired,” Subratie noted.
“The Minister of National Security has the power to exempt personal data from the reach of the act. This appears to be based on state secrets and national security concerns. We require more clarification of the circumstances in which such a power would be exercised,” she said.
“Similarly we note that under the provisions of the draft bill, the Commissioner will have the power to access the data of individuals. The circumstances under which the power is to be exercised is required to be clarified where data security and fundamental rights are concerned.”