Courtney Bailey | Understanding data protection standards
The Data Protection Act 2020 (the DPA) was recently passed by Jamaica’s Parliament, but is yet to be enacted.
Its primary obligations are imposed on data controllers, whom the DPA defines as any person or public authority who, either alone or with others, determines the purposes for, and manner of, processing personal data.
In the DPA, personal data means information relating to individuals who are either alive or have died less than 30 years earlier, and who can be identified solely from the personal data in question, or in combination with other information in the data controller’s present or likely future possession.
Process, in relation to personal data, is defined as obtaining, recording or storing the information or personal data, or carrying out any operation or set of operations on the information or data.
Given the scope of these definitions, many business operators and public authorities will be considered data controllers and, therefore, will be subject to the obligations imposed by the DPA. Such persons should therefore begin familiarising themselves with the provisions of the act.
In fact, the DPA requires data controllers to take all necessary measures to ensure full compliance with its provisions, especially the data protection standards, within two years from when it comes into operation. Additionally, it imposes a duty on data controllers to comply with data protection standards in relation to all personal data for which they are data controllers. Contravention of any of the data protection standards will be an offence punishable by significant fines or imprisonment.
Given these provisions, data controllers may wish to begin familiarising themselves with the data protection standards in the DPA, of which there are eight.
The first standard is that personal data must be processed fairly and lawfully.
In the context of the DPA, ‘fairly’ means that the personal data is legitimately obtained, and the individual who is the subject of the personal data – the ‘data subject’ – is informed about its processing. In determining whether personal data is processed fairly, the method by which the data is obtained must be considered, including whether the person from whom the data is obtained was deceived or misled as to the purpose for processing.
The DPA also provides that personal data is not to be treated as processed fairly unless obtained from the data subject directly or from a person authorised in writing to provide it, and the data controller ensures the data subject is provided with specific information.
This information includes the identity of the data controller, the purpose of the processing, the expected period of retention of the personal data, and the identity of any third party the data controller contemplates disclosing the data to. The information must be provided at the time when the data controller first processes or seeks the personal data – whichever is first – and, in any case, before making disclosure to a third party.
The second element of the first data protection standard, ‘lawfully’, means that there must be a legal basis for the processing. Section 23(1) of the DPA sets out the different legal bases on which personal data may be processed. Any processing of personal data must satisfy at least one of the following conditions to be lawful:
• The data subject consents to the processing;
• The processing is necessary:
  – for the performance of a contract to which the data subject is a party or for the taking of steps with a view to entering into a contract;
  – for compliance with any legal obligation to which the data controller is subject;
  – in order to protect the vital interests of the data subject;
  – for the administration of justice, the exercise of any functions conferred by or under any enactment, or for the exercise of any other functions of a public nature exercised in the public interest;
  – for the purposes of legitimate interests pursued by the data controller or by any third party to whom the personal data are disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interest of the data subject; and
• The data subject has published the personal data concerned.
Section 22(1)(a) of the DPA provides that personal data shall not be processed unless one of the conditions listed above is met. Accordingly, if a data controller is unable to identify a lawful basis for the processing of personal data from the list above, the processing would be illegal.
It should also be noted that at least one of a different list of conditions must be met for the lawful processing of sensitive personal data, which includes information about the data subject’s race, political opinions, religious beliefs, health and sex life, and their biometric and genetic data.
This is the first of a three-part series on the Data Protection Act.
Courtney Bailey is an attorney at the law firm DunnCox in Kingston. firstname.lastname@example.org