Courtney Bailey | Forget the transition. Start adopting data protection standards now
OP-ED CONTRIBUTION: DATA PROTECTION
Data has become an increasingly sensitive and protected resource in the rapidly expanding digital world of the information age.
The European Union’s General Data Protection Regulation, GDPR, which came into force on May 25, 2018, is one highly visible manifestation of the international movement towards protecting data.
GDPR has in the past year caught the attention of many Jamaican businesses, as they seek to determine whether they fall within its expressed extra-territorial application, and if so, what obligations they must comply with to avoid significant financial penalties.
However, the move towards enforced standards of data protection is also being locally manifested in the form of a bill tabled in Parliament in October 2017, which, if passed, would become the Data Protection Act 2017. Accordingly, data protection standards will inevitably become a concern for Jamaican businesses, even where GDPR does not apply.
The bill, since its tabling in the House of Representatives, has not progressed beyond the stage of being considered by a Joint Select Committee of Parliament, which last met on March 27, 2018.
However, as indicated in the bill’s Memorandum of Objects and Reasons, Jamaica’s treaty obligations as part of Cariforum under the Economic Partnership Agreement entered into with the EU in 2008 require it to “establish appropriate legal and regulatory regimes, in line with high international standards, with a view to ensuring an adequate level of protection of individuals with regard to the processing of personal data”.
Accordingly, irrespective of the ultimate length of its legislative gestation, the passage of this bill into law is simply a matter of time. Local enterprises would therefore be well advised to ascertain whether the bill, if passed, would impact their businesses, and if so to begin the process of preparing to meet the data protection standards that are likely to be imposed.
Whereas there are likely to be several changes to the bill in its current form before it is passed into law, general guidance can be gleaned from its provisions as to the data protection standards that firms will need to meet.
These standards are not likely to be changed significantly, as they are seemingly based on EU data protection standards – for example, all 7 of the EU’s GDPR data protection standards or principles are included in the eight Standards for Processing Personal Data prescribed in the Jamaican legislation, presumably to comply with the requirement under the EPA for Jamaica to implement legal and regulatory data protection regimes “in line with high international standards”.
As such, local entities can confidently begin to prepare for the eventual promulgation of the data protection legislation by seeking to meet these standards.
The bill applies to the processing of personal data, which is defined as data relating to a living individual who can be identified from the data, or from the data and other information in the possession or likely to come into the possession of a data controller.
A data controller is the person – natural or legal, including public authorities – who, alone or in conjunction with others, determines the purposes for which and the ways in which any personal data is to be processed.
The bill defines processing as obtaining, recording or storing information or data, or carrying out any operation or set of operations on the information or data. It is apparent from these brief definitions that the bill will apply to many types of business operations when it comes into law.
The eight standards in the Jamaican bill stipulate that personal data:
● Must be processed fairly and lawfully, which essentially amounts to ensuring that the consent of the data subject – that is, the person to whom the personal data relates – is obtained prior to processing the data or there is a legitimate basis for the processing;
● Is only to be obtained for specified purposes and is not to be processed for any other;
● Is to be adequate, relevant, and not excessive in relation to the purpose for which it is to be processed, essentially preventing data controllers from obtaining more information from data subjects than is necessary for the intended processing purposes;
● Must be accurate, and, where necessary, kept up to date;
● Must not be kept for longer than is necessary to satisfy the intended processing purposes and must be disposed of in accordance with regulations to be promulgated under the legislation;
● Must be processed in accordance with the rights of data subjects under the legislation;
● Is to be protected through appropriate technical and organisational measures and by prompt notification of security breaches to an Information Commissioner to be established under the legislation; and
● Must not be transferred outside Jamaica to another state without adequate levels of data protection for Jamaican data subjects.
Breaches of certain provisions of the legislation will constitute criminal offences attracting penalties both for corporations and individual corporate officers.
The bill includes a transitional provision of one year by which data controllers are required to take all necessary measures to ensure full compliance with the legislation, especially the data protection standards. The provision stipulates that no proceedings may be taken against a data controller in respect of any data processing done in good faith during the transitional period.
Notwithstanding the transitional provision, Jamaican businesses which handle personal data would be well advised to begin adopting and implementing the standards now.
Courtney Bailey is an attorney with the DunnCox law firm in Kingston.