
All data controllers are required to comply with the eight data protection standards set out under the Act. These data protection standards are as follows:


1. Fairness and lawfulness

Personal data must be processed fairly and lawfully and must not be obtained by deception or any misleading information. There must be a legitimate reason for processing the data. The data subject must expressly consent to the processing of their data, and such consent must be informed, freely given, specific, and unequivocal.

The data subject must be provided with all the relevant information regarding the processing of their personal data which would enable the data subject to make an informed decision. Note, however, that consent is not deemed to be 'freely given' if the data subject is required, as a condition for the provision of goods or services, to consent to the collection, use, or disclosure of their personal data beyond what is reasonable for the provision of those goods/services.


2. Purpose limitation

Personal data must only be obtained for a specific and lawful purpose and must not be processed in any manner incompatible with that purpose. Prior to collecting the personal data, companies would be required to specify the purpose for obtaining the data and would not be permitted to use the data for any other purpose without first informing, and where necessary obtaining the consent of, the data subject. For example, where a company collects the personal data of its customers, such as a telephone number or email address, to provide a specific service, the company is prohibited from disclosing and/or selling the data to a third party for direct marketing purposes without first obtaining the customer's consent.

The Act defines 'direct marketing' as 'approaching a data subject in person or by any means of communication (electronic or otherwise) for the direct or indirect purpose of promoting or offering to supply any goods or services'. Additionally, personal data must not be obtained for any illegal or immoral purpose.


3. Data minimization

Personal data must be adequate, relevant, and limited to what is necessary for the purpose for which it is being processed. The data collected by companies must be relevant to the specified purpose for which it was collected and must not be more than what is reasonably required. The processing of too much data may amount to an invasion of privacy.


4. Accuracy

Personal data must be accurate and, where necessary, kept up to date. A company would not be in breach of this standard if the inaccurate data was provided by the data subject or a third party. However, companies that process personal data would be required to take reasonable steps to verify the accuracy of the data.


5. Storage limitation

Personal data must not be kept for longer than is necessary and must be disposed of in accordance with any regulations (once passed) under the Act. This is, however, subject to any applicable retention periods prescribed by law. The Act does not speak to what would be considered an appropriate retention period for personal data. However, companies would be required to inform the data subject of the expected period of retention of their personal data, and this must be clearly set out in a privacy notice.


6. Rights of the data subject

Personal data must be processed in accordance with the rights of the data subject. Some of these rights include the right to access the data and the right to prevent processing of the data in certain specified circumstances.


7. Implementation of technical and organizational measures

Personal data must be protected using appropriate technical and organizational measures so as to prevent unauthorized or unlawful processing of the data as well as any accidental loss or destruction of, or damage to, the data. Some of these technical and organizational measures would include:

  • conducting security audits;
  • implementing data protection policies and privacy notices;
  • proper training of employees on the handling, storage, and disclosure of personal data;
  • pseudonymisation and encryption of the data;
  • limiting employees' access to the data;
  • ensuring that any data-processing software and antivirus software used by the company are effectively maintained and up-to-date;
  • selecting data processors who sufficiently guarantee that they have adequate security measures in place and will report security breaches; and
  • the ability to restore the availability of, and access to, personal data in a timely manner in the event of a physical or technical incident.


8. Cross-border transfers

Personal data shall not be transferred to a State or territory outside of Jamaica unless that State or territory ensures an adequate level of protection for the rights and freedoms of the data subjects in relation to the processing of personal data. In determining what is considered an 'adequate level of protection', the Commissioner would consider, among other things:

  • the nature of the data;
  • the State or territory of final destination;
  • the laws of the State or territory;
  • the international obligations of the State or territory; and
  • the security measures taken by the State or territory.

The Act, however, provides for certain exceptions to this standard, such as where the data subject has consented to the transfer, or where the transfer is necessary for reasons of a substantial public interest or for the performance of a contract.