Understanding data protection standards – Part 3
OP-ED CONTRIBUTION: DATA LAW
The first two parts of this article looked at five of the data protection standards established by the recently passed Data Protection Act 2020, the DPA. In this final instalment we will briefly explore the remaining three standards.
“The sixth standard is that personal data shall be processed in accordance with the rights of data subjects under,” says Section 29 of the DPA.
This means that data controllers will need to process personal data in keeping with the rights conferred on data subjects under the legislation.
Section 29(2) specifies that a person will be regarded as contravening this standard only if they:
• Fail to supply information in response to a request from an individual under Section 6 – which includes requests to be informed whether that individual’s personal data is being processed by or for that data controller, for descriptions of such personal data, the purposes for which it is being processed and the persons to whom it is disclosed, and to be provided with the information and its source;
• Process personal data for direct marketing purposes without obtaining the consent required under Section 10(1);
• Fail to comply with a notice issued by an individual under Section 11(1) requiring the data controller not to process personal data in relation to that individual;
• Fail to comply with notices issued by individuals under Section 12 in relation to automated decision-making.
In effect, this standard gives teeth to the data subject rights conferred by Sections 6 and 10 to 12, by making the breach of these rights an offence liable to punishment by fines and imprisonment pursuant to Section 21.
The seventh standard requires, firstly, that appropriate technical and organisational measures are to be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data. Secondly, it imposes a duty on data controllers to ensure that the Information Commissioner is immediately notified of any breach of the data controller’s security measures affecting any personal data.
Additionally, the data controller shall take reasonable steps to ensure that its agents and employees who have access to the personal data are aware of, and comply with, the relevant security measures.
Section 30(2) of the DPA stipulates that having regard to the state of technological development and the cost of implementation, the required technical and organisational measures should ensure a level of security appropriate to: the harm that might result from unauthorised or unlawful processing or accidental loss, destruction or damage to personal data; and the nature of the data to be protected.
This standard therefore requires business operators to identify the available technology to protect personal data in their possession against security breaches, and to utilise the most appropriate technology having regard to cost, risk and the nature of the data being protected.
Section 30(6) of the DPA provides that the technical and organisational measures to be taken by data controllers in order to comply with the seventh standard include: pseudonymisation and encryption of personal data; systems to safeguard the ongoing confidentiality, integrity, availability and resilience of processing systems and services; backup and restoration systems; a system for testing and evaluating the effectiveness of existing technical and organisational measures; and whatever measures are necessary to ensure adherence to the technical and organisational requirements specified in the DPA.
Earlier this year, two Jamaican financial institutions suffered data security breaches in which client information was leaked or stolen. If similar events were to occur after the DPA comes into operation this could amount to a contravention of the seventh standard, if the data breaches in question could be traced to a failure to implement available technical and organisational measures appropriate to the nature of the data compromised.
It should also be noted that where a data controller outsources the processing of personal data to third-party data processors, this will not relieve it of its obligation to meet the seventh standard.
To comply with the seventh standard in such circumstances, the data controller must choose a data processor who provides sufficient guarantees in respect of the technical and organisational security measures governing the processing to be carried out and the reporting of security breaches to the data controller. And even after doing so, the data controller must still take reasonable steps to ensure compliance with those measures.
Additionally, the data controller must ensure that the processing is carried out under a written contract by which the data processor is to act only on instructions from the data controller.
The eighth and final standard is that personal data shall not be transferred to a State or territory outside of Jamaica unless that State or territory ensures an adequate level of protection for the rights of data subjects in relation to the processing of personal data. This provision will be significant to business operators who conduct some of their data processing overseas, either because of outsourcing to foreign entities or because this function is carried out in head offices or centralised IT departments located overseas.
Entities that find themselves in this position will need to seek legal advice to determine whether the data protection standards of the relevant state provide an adequate level of protection to data subjects based on factors outlined in Section 31(2).
Alternatively, they could seek advice as to whether they could bring themselves within the exemptions provided under Section 31(4), which include the consent of the data subject to the transfer of the data.
Courtney Bailey is an attorney in the Kingston office of law firm DunnCox.