Jamaica's Data Protection Act: Compliance required from the business community

Compliance with the Jamaican Data Protection Act, 2020, enforcement of which commences on 1 December 2023.

JAMAICA'S DATA PROTECTION ACT
Compliance required from the business community
THE DATA PROTECTION ACT (ACT 7 OF 2020)
PART I—Preliminary
PART II—Rights of Data Subjects and Others
PART III—Requirements for Data Controllers
PART IV—Standards for Processing Personal Data
PART V—Exemptions to Data Protection Standards or to Disclosure to Data Subject Requirements
PART VI—Enforcement
PART VII—Miscellaneous and General
12/1/2023 BCI - Data Protection Act Compliance 2
PRIVACY AND PROTECTION OF PIIS
Personally Identifiable Information (PII) in Privacy Law
1. PII and similar terms exist in the legislation of many countries and territories: In the
United States, the National Institute of Standards and Technology (NIST)’s Guide
to Protecting the Confidentiality of Personally Identifiable Information defines
“personally identifiable” as information like name, social security number, and
biometric records, which can be used to distinguish or trace an individual’s identity.
2. In the European Union, Directive 95/46/EC defines “personal data” as information
which can identify a person via an ID number, or factors specific to physical,
physiological, mental, economic, cultural or social identity.
3. Jamaica passed its Data Protection Act (DPA) in June 2020 and, on December 1,
2021, appointed Celia Barclay as the first Information Commissioner. With that, the
process to implement a system to ensure compliance of data controllers with data
protection standards commenced. Data controllers have a transition period of two
years, from December 1, 2021, to November 30, 2023, to ensure full compliance
with the requirements under the Act.
OFFICE OF THE INFORMATION COMMISSIONER (OIC)
The Information Commissioner ('the Commissioner') is the main regulator
under Part I, s. 4 of the DPA. The main powers, duties, and responsibilities
of the Commissioner include:
• monitoring compliance with the Act and any regulations made under the Act;
• providing advice to the relevant minister on any matter relating to the operation of the Act
or otherwise for the protection of personal data;
• promoting the observance of the requirements under the Act and the following of good
practice by data controllers;
• disseminating information to the public about the operation of the Act, about good practice,
and advising persons about any of those matters;
• preparing and disseminating guidelines under the Act; and
• the Commissioner may intervene as a party in any proceedings before a court, in respect
of any matter concerning the processing of personal data or the enforcement of any
provision of the Act, other than proceedings for the prosecution of an offence.
PRIVACY DEFINED UNDER THE DPA
Personal data is ‘information (however stored) relating to a living individual, or
an individual who has been deceased for less than 30 years, who can be
identified from that information alone or from that information and other
information in the possession of, or likely to come into the possession of, the
data controller, and which includes any expression of opinion about that
individual and any indication of the intentions of the data controller or any other
person in respect of that individual.’
Sensitive personal data is personal data consisting of any of the following
information in respect of a data subject:
• genetic data or biometric data;
• filiation, racial, or ethnic origin;
• political opinions, philosophical beliefs, religious beliefs or other beliefs of a similar
nature;
• membership in any trade union;
• physical or mental health or condition;
• sex life; or
• the alleged commission of any offence by the data subject or any proceedings for any
offence alleged to have been committed by the data subject.
Personal data can be processed where necessary for the administration of justice,
exercise of any functions conferred by or under any enactment, or conditions for
processing personal data in accordance with the first standard, and for the exercise of any
other functions of a public nature exercised in the public interest (Article 23(e) of the
Act).
Ad

Recommended

Data Privacy - Rights of the Data Subject
Data Privacy - Rights of the Data SubjectData Privacy - Rights of the Data Subject
Data Privacy - Rights of the Data SubjectJDP Consulting
 
Legal obligations and responsibilities of data processors and controllers und...
Legal obligations and responsibilities of data processors and controllers und...Legal obligations and responsibilities of data processors and controllers und...
Legal obligations and responsibilities of data processors and controllers und...IT Governance Ltd
 
Introduction to data protection
Introduction to data protectionIntroduction to data protection
Introduction to data protectionRachel Aldighieri
 
CIPPE_SampleQuestions_v6.0.pdf
CIPPE_SampleQuestions_v6.0.pdfCIPPE_SampleQuestions_v6.0.pdf
CIPPE_SampleQuestions_v6.0.pdfDusanPavlovic12
 
General Data Protection Regulation (GDPR) Compliance
General Data Protection Regulation (GDPR) ComplianceGeneral Data Protection Regulation (GDPR) Compliance
General Data Protection Regulation (GDPR) Complianceaccenture
 
California Consumer Privacy Act (CCPA): Countdown to Compliance
California Consumer Privacy Act (CCPA): Countdown to ComplianceCalifornia Consumer Privacy Act (CCPA): Countdown to Compliance
California Consumer Privacy Act (CCPA): Countdown to ComplianceTinuiti
 

More Related Content

What's hot

Data protection ppt
Data protection pptData protection ppt
Data protection pptgrahamwell
 
Acknowledgement of receipt
Acknowledgement of receiptAcknowledgement of receipt
Acknowledgement of receiptAnneth Bun-as
 
GDPR Basics - General Data Protection Regulation
GDPR Basics - General Data Protection RegulationGDPR Basics - General Data Protection Regulation
GDPR Basics - General Data Protection RegulationVicky Dallas
 
General Data Protection Regulations (GDPR): Do you understand it and are you ...
General Data Protection Regulations (GDPR): Do you understand it and are you ...General Data Protection Regulations (GDPR): Do you understand it and are you ...
General Data Protection Regulations (GDPR): Do you understand it and are you ...Cvent
 
Data Privacy Act of 2012 (R.A. 10173) Briefing 2017
Data Privacy Act of 2012 (R.A. 10173) Briefing 2017Data Privacy Act of 2012 (R.A. 10173) Briefing 2017
Data Privacy Act of 2012 (R.A. 10173) Briefing 2017Jay Castillo
 
Introduction to Consideration
Introduction to ConsiderationIntroduction to Consideration
Introduction to ConsiderationPreeti Sikder
 
General Data Protection Regulation (GDPR) - Cross-Border Data Transfers
General Data Protection Regulation (GDPR) - Cross-Border Data TransfersGeneral Data Protection Regulation (GDPR) - Cross-Border Data Transfers
General Data Protection Regulation (GDPR) - Cross-Border Data Transferspi
 
An overview of the Indian Data Privacy Bill
An overview of the Indian Data Privacy Bill An overview of the Indian Data Privacy Bill
An overview of the Indian Data Privacy Bill Komal Gadia
 
Privacy and Data Security
Privacy and Data SecurityPrivacy and Data Security
Privacy and Data SecurityWilmerHale
 
Presentation on GDPR
Presentation on GDPRPresentation on GDPR
Presentation on GDPRDipanjanDey12
 
FSM integration with SAP
FSM integration with SAPFSM integration with SAP
FSM integration with SAPCapgemini
 
Privacy and Data Protection Act 2014 (VIC)
Privacy and Data Protection Act 2014 (VIC)Privacy and Data Protection Act 2014 (VIC)
Privacy and Data Protection Act 2014 (VIC)Russell_Kennedy
 
So Many States, So Many Privacy Laws: US State Privacy Law Update
So Many States, So Many Privacy Laws: US State Privacy Law UpdateSo Many States, So Many Privacy Laws: US State Privacy Law Update
So Many States, So Many Privacy Laws: US State Privacy Law UpdateTrustArc
 
Data Privacy Act in the Philippines
Data Privacy Act in the PhilippinesData Privacy Act in the Philippines
Data Privacy Act in the PhilippinesShirley Ingles-Cruz
 
Privacy right under it act, 2000 and under other law
Privacy right under it act, 2000 and under other lawPrivacy right under it act, 2000 and under other law
Privacy right under it act, 2000 and under other lawNitya Nand Pandey
 

What's hot (19)

Data protection ppt
Data protection pptData protection ppt
Data protection ppt
 
Acknowledgement of receipt
Acknowledgement of receiptAcknowledgement of receipt
Acknowledgement of receipt
 
GDPR Basics - General Data Protection Regulation
GDPR Basics - General Data Protection RegulationGDPR Basics - General Data Protection Regulation
GDPR Basics - General Data Protection Regulation
 
General Data Protection Regulations (GDPR): Do you understand it and are you ...
General Data Protection Regulations (GDPR): Do you understand it and are you ...General Data Protection Regulations (GDPR): Do you understand it and are you ...
General Data Protection Regulations (GDPR): Do you understand it and are you ...
 
General Data Protection Regulation (GDPR)
General Data Protection Regulation (GDPR)General Data Protection Regulation (GDPR)
General Data Protection Regulation (GDPR)
 
Data Privacy Act of 2012 (R.A. 10173) Briefing 2017
Data Privacy Act of 2012 (R.A. 10173) Briefing 2017Data Privacy Act of 2012 (R.A. 10173) Briefing 2017
Data Privacy Act of 2012 (R.A. 10173) Briefing 2017
 
Introduction to Consideration
Introduction to ConsiderationIntroduction to Consideration
Introduction to Consideration
 
General Data Protection Regulation (GDPR) - Cross-Border Data Transfers
General Data Protection Regulation (GDPR) - Cross-Border Data TransfersGeneral Data Protection Regulation (GDPR) - Cross-Border Data Transfers
General Data Protection Regulation (GDPR) - Cross-Border Data Transfers
 
An Overview of GDPR
An Overview of GDPR An Overview of GDPR
An Overview of GDPR
 
An overview of the Indian Data Privacy Bill
An overview of the Indian Data Privacy Bill An overview of the Indian Data Privacy Bill
An overview of the Indian Data Privacy Bill
 
Privacy and Data Security
Privacy and Data SecurityPrivacy and Data Security
Privacy and Data Security
 
Presentation on GDPR
Presentation on GDPRPresentation on GDPR
Presentation on GDPR
 
FSM integration with SAP
FSM integration with SAPFSM integration with SAP
FSM integration with SAP
 
Gdpr presentation
Gdpr presentationGdpr presentation
Gdpr presentation
 
Privacy and Data Protection Act 2014 (VIC)
Privacy and Data Protection Act 2014 (VIC)Privacy and Data Protection Act 2014 (VIC)
Privacy and Data Protection Act 2014 (VIC)
 
So Many States, So Many Privacy Laws: US State Privacy Law Update
So Many States, So Many Privacy Laws: US State Privacy Law UpdateSo Many States, So Many Privacy Laws: US State Privacy Law Update
So Many States, So Many Privacy Laws: US State Privacy Law Update
 
GDPR Overview
GDPR OverviewGDPR Overview
GDPR Overview
 
Data Privacy Act in the Philippines
Data Privacy Act in the PhilippinesData Privacy Act in the Philippines
Data Privacy Act in the Philippines
 
Privacy right under it act, 2000 and under other law
Privacy right under it act, 2000 and under other lawPrivacy right under it act, 2000 and under other law
Privacy right under it act, 2000 and under other law
 

Similar to Jamaica's Data Protection Act: Compliance required from the business community

Indonesian Legislatives Passes Personal Data Protection Bill.pdf
Indonesian Legislatives Passes Personal Data Protection Bill.pdfIndonesian Legislatives Passes Personal Data Protection Bill.pdf
Indonesian Legislatives Passes Personal Data Protection Bill.pdfAHRP Law Firm
 
All_you_need_to Know_About_the_Data_Privacy_Act.pdf
All_you_need_to Know_About_the_Data_Privacy_Act.pdfAll_you_need_to Know_About_the_Data_Privacy_Act.pdf
All_you_need_to Know_About_the_Data_Privacy_Act.pdfJakeAldrinDegala1
 
PERSONAL-DATA-PROTECTION-BILL-2018.pptx
PERSONAL-DATA-PROTECTION-BILL-2018.pptxPERSONAL-DATA-PROTECTION-BILL-2018.pptx
PERSONAL-DATA-PROTECTION-BILL-2018.pptxssuser36d167
 
UAE-Personal-Data-Protection-Law.pdf
UAE-Personal-Data-Protection-Law.pdfUAE-Personal-Data-Protection-Law.pdf
UAE-Personal-Data-Protection-Law.pdfDaviesParker
 
Bahrain-Personal-Data-Protection-Law.pdf
Bahrain-Personal-Data-Protection-Law.pdfBahrain-Personal-Data-Protection-Law.pdf
Bahrain-Personal-Data-Protection-Law.pdfDaviesParker
 
Hexagon presentation light.pptx
Hexagon presentation light.pptxHexagon presentation light.pptx
Hexagon presentation light.pptxPabRonaldCalanoc1
 
General Data Protection Regulation or GDPR
General Data Protection Regulation or GDPRGeneral Data Protection Regulation or GDPR
General Data Protection Regulation or GDPRNupur Samaddar
 
NEW DECREE ON PERSONAL DATA PROTECTION AND CROSS-BORDER PROVISION OF DATA THE...
NEW DECREE ON PERSONAL DATA PROTECTION AND CROSS-BORDER PROVISION OF DATA THE...NEW DECREE ON PERSONAL DATA PROTECTION AND CROSS-BORDER PROVISION OF DATA THE...
NEW DECREE ON PERSONAL DATA PROTECTION AND CROSS-BORDER PROVISION OF DATA THE...Dr. Oliver Massmann
 
Examples of international privacy legislation
Examples of international privacy legislationExamples of international privacy legislation
Examples of international privacy legislationUlf Mattsson
 
Personal data protection bill
Personal data protection bill Personal data protection bill
Personal data protection bill Mathew Chacko
 
Draft Bill on the Protection of Personal Data
Draft Bill on the Protection of Personal DataDraft Bill on the Protection of Personal Data
Draft Bill on the Protection of Personal DataRenato Monteiro
 
GDPR - The new era of data protection
GDPR - The new era of data protectionGDPR - The new era of data protection
GDPR - The new era of data protectionInterlogica
 
General Data Protection Regulation (GDPR) | Privacy Law in India |
General Data Protection Regulation (GDPR) | Privacy Law in India |General Data Protection Regulation (GDPR) | Privacy Law in India |
General Data Protection Regulation (GDPR) | Privacy Law in India |Bivas Chatterjee
 
Digital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOsDigital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOsPriyanka Aash
 
KSA PDPL - Personal Data Protection Law.pdf
KSA PDPL - Personal Data Protection Law.pdfKSA PDPL - Personal Data Protection Law.pdf
KSA PDPL - Personal Data Protection Law.pdfDaviesParker
 
Development & GDPR (v2)
Development & GDPR (v2)Development & GDPR (v2)
Development & GDPR (v2)Andrea Tino
 
GDPR Enforcement is here. Are you ready?
GDPR Enforcement is here. Are you ready? GDPR Enforcement is here. Are you ready?
GDPR Enforcement is here. Are you ready? SecurityScorecard
 
An Indian Outline on Database Protection
An Indian Outline on Database ProtectionAn Indian Outline on Database Protection
An Indian Outline on Database ProtectionSinghania2015
 

Similar to Jamaica's Data Protection Act: Compliance required from the business community (20)

Indonesian Legislatives Passes Personal Data Protection Bill.pdf
Indonesian Legislatives Passes Personal Data Protection Bill.pdfIndonesian Legislatives Passes Personal Data Protection Bill.pdf
Indonesian Legislatives Passes Personal Data Protection Bill.pdf
 
All_you_need_to Know_About_the_Data_Privacy_Act.pdf
All_you_need_to Know_About_the_Data_Privacy_Act.pdfAll_you_need_to Know_About_the_Data_Privacy_Act.pdf
All_you_need_to Know_About_the_Data_Privacy_Act.pdf
 
PERSONAL-DATA-PROTECTION-BILL-2018.pptx
PERSONAL-DATA-PROTECTION-BILL-2018.pptxPERSONAL-DATA-PROTECTION-BILL-2018.pptx
PERSONAL-DATA-PROTECTION-BILL-2018.pptx
 
UAE-Personal-Data-Protection-Law.pdf
UAE-Personal-Data-Protection-Law.pdfUAE-Personal-Data-Protection-Law.pdf
UAE-Personal-Data-Protection-Law.pdf
 
Bahrain-Personal-Data-Protection-Law.pdf
Bahrain-Personal-Data-Protection-Law.pdfBahrain-Personal-Data-Protection-Law.pdf
Bahrain-Personal-Data-Protection-Law.pdf
 
Hexagon presentation light.pptx
Hexagon presentation light.pptxHexagon presentation light.pptx
Hexagon presentation light.pptx
 
General Data Protection Regulation or GDPR
General Data Protection Regulation or GDPRGeneral Data Protection Regulation or GDPR
General Data Protection Regulation or GDPR
 
NEW DECREE ON PERSONAL DATA PROTECTION AND CROSS-BORDER PROVISION OF DATA THE...
NEW DECREE ON PERSONAL DATA PROTECTION AND CROSS-BORDER PROVISION OF DATA THE...NEW DECREE ON PERSONAL DATA PROTECTION AND CROSS-BORDER PROVISION OF DATA THE...
NEW DECREE ON PERSONAL DATA PROTECTION AND CROSS-BORDER PROVISION OF DATA THE...
 
Examples of international privacy legislation
Examples of international privacy legislationExamples of international privacy legislation
Examples of international privacy legislation
 
Personal data protection bill
Personal data protection bill Personal data protection bill
Personal data protection bill
 
China-PIPL.pdf
China-PIPL.pdfChina-PIPL.pdf
China-PIPL.pdf
 
Draft Bill on the Protection of Personal Data
Draft Bill on the Protection of Personal DataDraft Bill on the Protection of Personal Data
Draft Bill on the Protection of Personal Data
 
GDPR - The new era of data protection
GDPR - The new era of data protectionGDPR - The new era of data protection
GDPR - The new era of data protection
 
General Data Protection Regulation (GDPR) | Privacy Law in India |
General Data Protection Regulation (GDPR) | Privacy Law in India |General Data Protection Regulation (GDPR) | Privacy Law in India |
General Data Protection Regulation (GDPR) | Privacy Law in India |
 
Digital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOsDigital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOs
 
KSA PDPL - Personal Data Protection Law.pdf
KSA PDPL - Personal Data Protection Law.pdfKSA PDPL - Personal Data Protection Law.pdf
KSA PDPL - Personal Data Protection Law.pdf
 
Development & GDPR (v2)
Development & GDPR (v2)Development & GDPR (v2)
Development & GDPR (v2)
 
Personal Data Protection in Malaysia
Personal Data Protection in MalaysiaPersonal Data Protection in Malaysia
Personal Data Protection in Malaysia
 
GDPR Enforcement is here. Are you ready?
GDPR Enforcement is here. Are you ready? GDPR Enforcement is here. Are you ready?
GDPR Enforcement is here. Are you ready?
 
An Indian Outline on Database Protection
An Indian Outline on Database ProtectionAn Indian Outline on Database Protection
An Indian Outline on Database Protection
 

More from Emerson Bryan

Professional Certificate in Supervisory Management
Professional Certificate in Supervisory ManagementProfessional Certificate in Supervisory Management
Professional Certificate in Supervisory ManagementEmerson Bryan
 
RIM a filip to KM through the SECI Model
RIM a filip to KM through the SECI ModelRIM a filip to KM through the SECI Model
RIM a filip to KM through the SECI ModelEmerson Bryan
 
International Archives and Records and Information Management
International Archives and Records and Information ManagementInternational Archives and Records and Information Management
International Archives and Records and Information ManagementEmerson Bryan
 
Certified Archivist (CA)
Certified Archivist (CA)Certified Archivist (CA)
Certified Archivist (CA)Emerson Bryan
 
ACP Attestation - Emerson Bryan
ACP Attestation - Emerson Bryan ACP Attestation - Emerson Bryan
ACP Attestation - Emerson Bryan Emerson Bryan
 
UWI OC Letter of Attestation
UWI OC Letter of Attestation UWI OC Letter of Attestation
UWI OC Letter of Attestation Emerson Bryan
 
BNSI - Letter of Attestation
BNSI - Letter of AttestationBNSI - Letter of Attestation
BNSI - Letter of AttestationEmerson Bryan
 
Certified Records Analyst (CRA)
Certified Records Analyst (CRA)Certified Records Analyst (CRA)
Certified Records Analyst (CRA)Emerson Bryan
 
Certified Records Analyst (CRA) Qualification
Certified Records Analyst (CRA) QualificationCertified Records Analyst (CRA) Qualification
Certified Records Analyst (CRA) QualificationEmerson Bryan
 
MIND Policy Forum - December 2017
MIND Policy Forum - December 2017MIND Policy Forum - December 2017
MIND Policy Forum - December 2017Emerson Bryan
 
E. Bryan - Changing the Paradigm - Record and Information Management for Pub...
E. Bryan -  Changing the Paradigm - Record and Information Management for Pub...E. Bryan -  Changing the Paradigm - Record and Information Management for Pub...
E. Bryan - Changing the Paradigm - Record and Information Management for Pub...Emerson Bryan
 
Feith - Records Management Diploma
Feith - Records Management DiplomaFeith - Records Management Diploma
Feith - Records Management DiplomaEmerson Bryan
 
University Certificate: Museum Conservation Skills
University Certificate: Museum Conservation SkillsUniversity Certificate: Museum Conservation Skills
University Certificate: Museum Conservation SkillsEmerson Bryan
 
The CARIFESTA XIII Symposium - Schedule August 11-23, 2017
The CARIFESTA XIII Symposium - Schedule August 11-23, 2017The CARIFESTA XIII Symposium - Schedule August 11-23, 2017
The CARIFESTA XIII Symposium - Schedule August 11-23, 2017Emerson Bryan
 
E. Bryan Digital curation of digital cultural assets- Mutual interest of AL...
E. Bryan   Digital curation of digital cultural assets- Mutual interest of AL...E. Bryan   Digital curation of digital cultural assets- Mutual interest of AL...
E. Bryan Digital curation of digital cultural assets- Mutual interest of AL...Emerson Bryan
 
E. Bryan - Traditional Knowledge Digital Repository - Considerations for Domi...
E. Bryan - Traditional Knowledge Digital Repository - Considerations for Domi...E. Bryan - Traditional Knowledge Digital Repository - Considerations for Domi...
E. Bryan - Traditional Knowledge Digital Repository - Considerations for Domi...Emerson Bryan
 
IVCC - Certificate (Basico II)
IVCC - Certificate (Basico II)IVCC - Certificate (Basico II)
IVCC - Certificate (Basico II)Emerson Bryan
 
SLCC 2016 Presentation Schedule - Day 2
SLCC 2016 Presentation Schedule - Day 2SLCC 2016 Presentation Schedule - Day 2
SLCC 2016 Presentation Schedule - Day 2Emerson Bryan
 
SLCC 2016 Presentation Schedule - Day 2
SLCC 2016 Presentation Schedule - Day 2SLCC 2016 Presentation Schedule - Day 2
SLCC 2016 Presentation Schedule - Day 2Emerson Bryan
 

More from Emerson Bryan (20)

Professional Certificate in Supervisory Management
Professional Certificate in Supervisory ManagementProfessional Certificate in Supervisory Management
Professional Certificate in Supervisory Management
 
RIM a filip to KM through the SECI Model
RIM a filip to KM through the SECI ModelRIM a filip to KM through the SECI Model
RIM a filip to KM through the SECI Model
 
International Archives and Records and Information Management
International Archives and Records and Information ManagementInternational Archives and Records and Information Management
International Archives and Records and Information Management
 
Certified Archivist (CA)
Certified Archivist (CA)Certified Archivist (CA)
Certified Archivist (CA)
 
ACP Attestation - Emerson Bryan
ACP Attestation - Emerson Bryan ACP Attestation - Emerson Bryan
ACP Attestation - Emerson Bryan
 
UWI OC Letter of Attestation
UWI OC Letter of Attestation UWI OC Letter of Attestation
UWI OC Letter of Attestation
 
BNSI - Letter of Attestation
BNSI - Letter of AttestationBNSI - Letter of Attestation
BNSI - Letter of Attestation
 
Certified Records Analyst (CRA)
Certified Records Analyst (CRA)Certified Records Analyst (CRA)
Certified Records Analyst (CRA)
 
ICRM Email - CRA
ICRM Email - CRAICRM Email - CRA
ICRM Email - CRA
 
Certified Records Analyst (CRA) Qualification
Certified Records Analyst (CRA) QualificationCertified Records Analyst (CRA) Qualification
Certified Records Analyst (CRA) Qualification
 
MIND Policy Forum - December 2017
MIND Policy Forum - December 2017MIND Policy Forum - December 2017
MIND Policy Forum - December 2017
 
E. Bryan - Changing the Paradigm - Record and Information Management for Pub...
E. Bryan -  Changing the Paradigm - Record and Information Management for Pub...E. Bryan -  Changing the Paradigm - Record and Information Management for Pub...
E. Bryan - Changing the Paradigm - Record and Information Management for Pub...
 
Feith - Records Management Diploma
Feith - Records Management DiplomaFeith - Records Management Diploma
Feith - Records Management Diploma
 
University Certificate: Museum Conservation Skills
University Certificate: Museum Conservation SkillsUniversity Certificate: Museum Conservation Skills
University Certificate: Museum Conservation Skills
 
The CARIFESTA XIII Symposium - Schedule August 11-23, 2017
The CARIFESTA XIII Symposium - Schedule August 11-23, 2017The CARIFESTA XIII Symposium - Schedule August 11-23, 2017
The CARIFESTA XIII Symposium - Schedule August 11-23, 2017
 
E. Bryan Digital curation of digital cultural assets- Mutual interest of AL...
E. Bryan   Digital curation of digital cultural assets- Mutual interest of AL...E. Bryan   Digital curation of digital cultural assets- Mutual interest of AL...
E. Bryan Digital curation of digital cultural assets- Mutual interest of AL...
 
E. Bryan - Traditional Knowledge Digital Repository - Considerations for Domi...
E. Bryan - Traditional Knowledge Digital Repository - Considerations for Domi...E. Bryan - Traditional Knowledge Digital Repository - Considerations for Domi...
E. Bryan - Traditional Knowledge Digital Repository - Considerations for Domi...
 
IVCC - Certificate (Basico II)
IVCC - Certificate (Basico II)IVCC - Certificate (Basico II)
IVCC - Certificate (Basico II)
 
SLCC 2016 Presentation Schedule - Day 2
SLCC 2016 Presentation Schedule - Day 2SLCC 2016 Presentation Schedule - Day 2
SLCC 2016 Presentation Schedule - Day 2
 
SLCC 2016 Presentation Schedule - Day 2
SLCC 2016 Presentation Schedule - Day 2SLCC 2016 Presentation Schedule - Day 2
SLCC 2016 Presentation Schedule - Day 2
 

Recently uploaded

SYNOPSIS ON THE COMPANIES REGULATIONS, 2024 .pdf
SYNOPSIS ON THE COMPANIES REGULATIONS, 2024 .pdfSYNOPSIS ON THE COMPANIES REGULATIONS, 2024 .pdf
SYNOPSIS ON THE COMPANIES REGULATIONS, 2024 .pdfSyed Muhammad Humza Hussain
 
The Services of Our Criminal Solicitors in Manchester
The Services of Our Criminal Solicitors in ManchesterThe Services of Our Criminal Solicitors in Manchester
The Services of Our Criminal Solicitors in ManchesterBridgeWest.eu
 
AI and Arbitration - Ethical considerations
AI and Arbitration - Ethical considerationsAI and Arbitration - Ethical considerations
AI and Arbitration - Ethical considerationsNino Sievi
 
The Transfer pricing agreements in the Cooperative Compliance Environment
The Transfer pricing agreements in the Cooperative Compliance EnvironmentThe Transfer pricing agreements in the Cooperative Compliance Environment
The Transfer pricing agreements in the Cooperative Compliance EnvironmentUniversity of Ferrara
 
POSH Act 2013 Awareness And Training Module
POSH Act 2013 Awareness And Training ModulePOSH Act 2013 Awareness And Training Module
POSH Act 2013 Awareness And Training Modulestudyneur
 
2024-02-16 Building Soul Force- Changing to Stay Stable in Challenging Times.pdf
2024-02-16 Building Soul Force- Changing to Stay Stable in Challenging Times.pdf2024-02-16 Building Soul Force- Changing to Stay Stable in Challenging Times.pdf
2024-02-16 Building Soul Force- Changing to Stay Stable in Challenging Times.pdfJack Pringle
 
Australia Skilled Occupation list 2024 Updated
Australia Skilled Occupation list 2024 UpdatedAustralia Skilled Occupation list 2024 Updated
Australia Skilled Occupation list 2024 Updatedkashishsharma321339
 
How is Personal Injury Compensation Calculated?
How is Personal Injury Compensation Calculated?How is Personal Injury Compensation Calculated?
How is Personal Injury Compensation Calculated?BridgeWest.eu
 

Recently uploaded (9)

SYNOPSIS ON THE COMPANIES REGULATIONS, 2024 .pdf
SYNOPSIS ON THE COMPANIES REGULATIONS, 2024 .pdfSYNOPSIS ON THE COMPANIES REGULATIONS, 2024 .pdf
SYNOPSIS ON THE COMPANIES REGULATIONS, 2024 .pdf
 
Turn premiums into profit - MIJS 5726_04.pdf
Turn premiums into profit - MIJS 5726_04.pdfTurn premiums into profit - MIJS 5726_04.pdf
Turn premiums into profit - MIJS 5726_04.pdf
 
The Services of Our Criminal Solicitors in Manchester
The Services of Our Criminal Solicitors in ManchesterThe Services of Our Criminal Solicitors in Manchester
The Services of Our Criminal Solicitors in Manchester
 
AI and Arbitration - Ethical considerations
AI and Arbitration - Ethical considerationsAI and Arbitration - Ethical considerations
AI and Arbitration - Ethical considerations
 
The Transfer pricing agreements in the Cooperative Compliance Environment
The Transfer pricing agreements in the Cooperative Compliance EnvironmentThe Transfer pricing agreements in the Cooperative Compliance Environment
The Transfer pricing agreements in the Cooperative Compliance Environment
 
POSH Act 2013 Awareness And Training Module
POSH Act 2013 Awareness And Training ModulePOSH Act 2013 Awareness And Training Module
POSH Act 2013 Awareness And Training Module
 
2024-02-16 Building Soul Force- Changing to Stay Stable in Challenging Times.pdf
2024-02-16 Building Soul Force- Changing to Stay Stable in Challenging Times.pdf2024-02-16 Building Soul Force- Changing to Stay Stable in Challenging Times.pdf
2024-02-16 Building Soul Force- Changing to Stay Stable in Challenging Times.pdf
 
Australia Skilled Occupation list 2024 Updated
Australia Skilled Occupation list 2024 UpdatedAustralia Skilled Occupation list 2024 Updated
Australia Skilled Occupation list 2024 Updated
 
How is Personal Injury Compensation Calculated?
How is Personal Injury Compensation Calculated?How is Personal Injury Compensation Calculated?
How is Personal Injury Compensation Calculated?
 

Jamaica's Data Protection Act: Compliance required from the business community

  • 2. THE DATA PROTECTION ACT (ACT 7 OF 2020) PART I—Preliminary PART II—Rights of Data Subjects and Others PART III—Requirements for Data Controllers PART IV—Standards for Processing Personal Data PART V—Exemptions to Data Protection Standards or to Disclosure to Data Subject Requirements PART VI—Enforcement PART VII—Miscellaneous and General 12/1/2023 BCI - Data Protection Act Compliance 2
  • 3. PRIVACY AND PROTECTION OF PIIS 12/1/2023 BCI - Data Protection Act Compliance 3 Personally Identifiable Information (PII) in Privacy Law 1. PII and similar terms exist in the legislation of many countries and territories: In the United States, the National Institute of Standards and Technology (NIST)’s Guide to Protecting the Confidentiality of Personally Identifiable Information defines “personally identifiable” as information like name, social security number, and biometric records, which can be used to distinguish or trace an individual’s identity. 2. In the European Union, directive 95/46/EC defines “personal data” as information which can identify a person via an ID number, or factors specific to physical, physiological, mental, economic, cultural or social identity. 3. Jamaica passed its Data Protection Act (DPA) in June 2020 and, on December 1, 2021, appointed Celia Barclay as the first Information Commissioner. With that, the process to implement a system to ensure compliance of data controllers with data protection standards commenced. data controllers have a transition period of two years, from December 1, 2021, to November 30, 2023, to ensure full compliance with the requirements under the Act.
  • 4. OFFICE OF THE INFORMATION COMMISSIONER (OIC)
      The Information Commissioner ('the Commissioner') is the main regulator under Part I, s. 4 of the DPA. The main powers, duties, and responsibilities of the Commissioner include:
      • monitoring compliance with the Act and any regulations made under the Act;
      • providing advice to the relevant minister on any matter relating to the operation of the Act or otherwise for the protection of personal data;
      • promoting the observance of the requirements under the Act and the following of good practice by data controllers;
      • disseminating information to the public about the operation of the Act, about good practice, and advising persons about any of those matters;
      • preparing and disseminating guidelines under the Act; and
      • the Commissioner may intervene as a party in any proceedings before a court, in respect of any matter concerning the processing of personal data or the enforcement of any provision of the Act, other than proceedings for the prosecution of an offence.
  • 5. PRIVACY DEFINED UNDER THE DPA
      Personal data is ‘information (however stored) relating to a living individual, or an individual who has been deceased for less than 30 years, who can be identified from that information alone or from that information and other information in the possession of, or likely to come into the possession of, the data controller, and which includes any expression of opinion about that individual and any indication of the intentions of the data controller or any other person in respect of that individual.’
      Sensitive personal data is personal data consisting of any of the following information in respect of a data subject:
      • genetic data or biometric data;
      • filiation, racial, or ethnic origin;
      • political opinions, philosophical beliefs, religious beliefs or other beliefs of a similar nature;
      • membership in any trade union;
      • physical or mental health or condition;
      • sex life; or
      • the alleged commission of any offence by the data subject or any proceedings for any offence alleged to have been committed by the data subject.
  • 6. Personal data can be processed where necessary for the administration of justice, exercise of any functions conferred by or under any enactment, or conditions for processing personal data in accordance with the first standard, and for the exercise of any other functions of a public nature exercised in the public interest (Article 23(e) of the Act).
  • 7. DATA CONTROLLER & DATA PROCESSOR
      A data controller is defined under the Act as 'any person or public authority, who, either alone or jointly or in common with other persons determines the purposes for which and the manner in which any personal data are, or are to be, processed, and where personal data is processed only for purposes for which they are required under any enactment to be processed, the person on whom the obligation to process the personal data is imposed by or under that enactment is for the purposes of this Act a data controller'.
      A data processor is defined under the Act as 'any person, other than an employee of the data controller, who processes the data on behalf of the data controller'.
  • 8. THE DATA PROTECTION OFFICER
      Prior to processing personal data, all data controllers must pay a prescribed fee and register certain 'registration particulars' with the Commissioner. Additionally, certain categories of data controllers are required to appoint a data protection officer ('DPO') under the Act. These categories include:
      • data controllers who are public authorities;
      • data controllers who process or intend to process sensitive personal data or data relating to criminal convictions;
      • data controllers who process personal data on a large scale; and
      • data controllers that are designated by the Commissioner as requiring a DPO.
      Also, data controllers are required to submit annually to the Commissioner a Data Protection Impact Assessment ('DPIA') with respect to all data in their possession.
  • 9. THE 8 DATA RIGHTS PRINCIPLES
      1. Personal data must be processed fairly and lawfully (sections 22-24), which essentially amounts to ensuring that the consent of the data subject (i.e. the person who the personal data relates to) is obtained prior to processing the data or there is a legitimate basis for the processing.
      2. Personal data is only to be obtained for specified purposes and is not to be processed for any other purposes (section 25).
      3. Personal data is to be adequate, relevant, and not excessive in relation to the purpose for which it is to be processed (section 26), essentially preventing data controllers from obtaining more information from data subjects than is necessary for the intended processing purposes (minimalist approach).
      4. Personal data must be accurate, and, where necessary, kept up to date.
      5. Personal data must not be kept for longer than is necessary to satisfy the intended processing purposes and must be disposed of in accordance with regulations to be promulgated under the legislation.
      6. Personal data must be processed in accordance with the rights of data subjects under the legislation.
      7. Personal data is to be protected by taking the appropriate technical and organizational measures and by prompt notification of security breaches to an Information Commissioner to be established under the legislation.
      8. Personal data must not be transferred outside Jamaica to another state without adequate levels of data protection for Jamaican data subjects.
  • 10. DPA AND OTHER RELATED INITIATIVES
      Local laws and initiatives:
      • There are local initiatives such as NIDS, and Jamaica Eye;
      • As outlined in Clause 76 of the DPA Jamaica, there will be a transition period to allow for compliance and to facilitate administrative restructuring.
      DPA Penalties (local):
      • Breach of certain provisions of the legislation will constitute criminal offences attracting penalties both for corporations and individual corporate officers.
      • Corporate: fine not exceeding 4% of annual gross worldwide turnover for the preceding year of assessment in accordance with the Income Tax Act.
      • Individuals: JMD 5 million (approx. €32,050) and/or imprisonment up to a maximum of 10 years.
      GDPR Penalties (global):
      • Two levels of fines based on the GDPR:
        1. The first is up to €10 million or 2% of the company's global annual turnover of the previous financial year, whichever is higher.
        2. The second is up to €20 million or 4% of the company's global annual turnover of the previous financial year, whichever is higher.
  • 11. OVERALL DPA COMPLIANCE
      CLOSING THE GAP: 8 DATA PRINCIPLES
      1. Consent (sec. 22-24)
      2. Notification as to reason for collection (sec. 25)
      3. Minimalist approach to collection (sec. 26)
      4. Data must be accurate (sec. 27)
      5. Data retention must be for minimum period (sec. 11.(2)(d) & 28)
      6. Rights of data subjects respected (Part II & sec. 29)
      7. Personal data to be protected (sec. 30)
      8. Personal data restricted to Jamaican jurisdiction (sec. 31)
      TARGET AUDIENCE: All Visitors Vendors Staff Office of the Information Commissioner (OIC)
      COST SAVINGS:
      • Monitoring System on new platform (Reports to Internal Stakeholders)
      • Compliance under the DPA (Annual Reports to the OIC)
      • Cybersecurity & Risk Management
      EASY TO USE:
      • Data Protection Notice
      • Data Protection Policy/Procedures
      • Registration as a Data Controller with OIC
      • Data Protection Officer (DPO)
      • Data Protection Impact Assessment (DPIA)
      • Training and Awareness Programme
      • Data Incident Reporting Mechanism
      • Annual Reports

Editor's Notes

  1. RELATED DOCUMENTS
      • Enterprise Risk Management Reporting Calendar
      • GraceKennedy Risk Management Group Policy
      • GraceKennedy Risk Appetite Governance Standard
      • GraceKennedy Risk Assessment Guideline
      • GraceKennedy Risk Assessment Reporting Standard
      • GraceKennedy Business Continuity and Crisis Response Group Policy
      • GraceKennedy Delegation of Authority Policy
      • Information Security Management Policy
      • Privacy Policy
  2. Under sec. 24. (2) of the DPA, 2020, anti-fraud organization is accommodated, and this would be the window under which the Bank would be able to collect personal data using the AI for the purposes mentioned in the case. Closing the Gap using the Data Principles under Part IV of the DPA