Garth Rattray | Clock is ticking on Data Protection Act
The Data Protection Act is due to come into effect on December 1. The vast majority of individuals and businesses are either ignorant of how the act functions or frightened and dismayed by the new, complex and stringent rules, regulations, and penalties. Many are fretting about the additional expenses of doing business in Jamaica. Many businesses are fragile and struggling to remain afloat.
The National Identification System (NIDS) is being put into place by the Government of Jamaica (GOJ). The NIDS has made it necessary for the country to adopt a robust data protection system. In order to achieve that, the Data Protection Act has been designed to protect the privacy of all individuals. It will regulate how data is collected, received, disclosed, viewed, used, processed, stored, shared, retrieved, and destroyed.
Jamaica has chosen to pattern its Data Protection Act on the European data protection system. This system is “primarily regulated by the General Data Protection Regulation (GDPR). The GDPR is a set of regulations that govern the protection and processing of personal data within the European Union (EU) and European Economic Area (EEA).” The obvious advantage of doing this is to earn the trust of, and easily do business with, our EU and EEA business partners. We will also be demonstrating our willingness and resolve to adopt international data protection standards.
DATA CONTROLLERS
The Data Protection Act was passed in the House of Representatives in mid-2020. Among many other things, the act outlines: the rights of data subjects and others, the right of access to personal data, requirements for Data Controllers (individuals or businesses that possess personal data), the appointment of Data Protection Officers (individuals who ensure that the Data Controller is complying with the act), standards for processing personal data, data transfer, exemptions from data protection standards or from disclosure to data subject requirements, and enforcement.
The Data Protection Act will impact a wide range of businesses that collect and/or store our personal data. It will impact all private companies that collect and process personal data. It will severely impact government agencies, public bodies, all financial institutions, including banks, small loan companies, insurance companies, credit unions, and a plethora of other institutions.
The entire range of ‘healthcare providers’ will be significantly affected. Obviously, legal institutions and lawyers’ offices will be affected. Telecommunications companies, utility companies, cable providers, digital support services, e-commerce entities, and website managers will fall under the act. All educational institutions, marketing and advertising companies, market research companies, and labour unions will also be required to comply. Most businesses that generate receipts will likely come under the act.
The goal of the act is to protect the privacy of our citizens. It is designed to protect any aspect of our personal data including, but not limited to, genetic, biometric and ethnic data, detailed personal and characteristic features of individuals, signature, voice, political opinions/affiliation, and even Internet browsing preferences. This extends to individuals who have been deceased for less than 30 years. To that end, the Office of the Information Commissioner will be established to oversee, monitor, regulate and enforce compliance with the act.
In order to handle personal data in a safe, secure and confidential manner, data controllers must comply with the following: informed and uncoerced consent before data is collected, outlining the purpose of the collection, stringent limitations on the amount of data collected and its use, data security, the rights of individuals to access their personal data, the transferring of data to third parties (locally or globally), and the reporting of data breaches.
LEGAL FRAMEWORK
The legal framework of the act calls upon said Office of the Information Commissioner to oversee all aspects of compliance. Data controllers must [officially] appoint a Data Protection Officer (DPO) – a person or public authority, acting alone or in common with others, to ensure that individuals and organisations (data controllers) understand and comply with data protection laws and regulations. This individual must be knowledgeable and free from any conflict of interest and/or fear of repercussions when executing his/her duty. Consequently, some entities may require an external DPO, which will be expensive for businesses that are already under financial pressure.
Because of the seriousness of the Data Protection Act and the penalties for breaching it, there is rapidly mounting apprehension and confusion. The GOJ has been minimally forthcoming in explaining what is expected from citizens come December 1; therefore, the information gap is being filled by entrepreneurs. Unfortunately, some are opportunistic and are quoting exorbitant fees for assisting in compliance with the act. Although the deadline is rapidly approaching, at this juncture, the GOJ is not yet ready for the implementation of the act.
We need to be reliably and officially informed by the Government. Time is running out; serious public sensitisation should have begun in 2020. I urge the GOJ to put in place public education broadcasts, podcasts, town hall meetings, and easily accessible [online] information to guide us [step by step] in matters concerning the act. No one has said what kind of annual fees must be paid to the Office of the Information Commissioner. Will the fees be the same for individuals, micro, mini, and macro entities? Will there be a grace period?
Something so monumental demands extensive and intensive public education. Otherwise, there will be chaos.
- Garth A. Rattray is a medical doctor with a family practice. Send feedback to columns@gleanerjm.com and garthrattray@gmail.com
