THE DATA PROTECTION ACT (ACT 7 OF 2020)
PART I—Preliminary
PART II—Rights of Data Subjects and Others
PART III—Requirements for Data Controllers
PART IV—Standards for Processing Personal Data
PART V—Exemptions to Data Protection Standards or to Disclosure to Data Subject Requirements
PART VI—Enforcement
PART VII—Miscellaneous and General
12/1/2023 BCI - Data Protection Act Compliance 2
PRIVACY AND PROTECTION OF PII
Personally Identifiable Information (PII) in Privacy Law
1. PII and similar terms exist in the legislation of many countries and territories: In the
United States, the National Institute of Standards and Technology (NIST)’s Guide
to Protecting the Confidentiality of Personally Identifiable Information defines
“personally identifiable” as information like name, social security number, and
biometric records, which can be used to distinguish or trace an individual’s identity.
2. In the European Union, directive 95/46/EC defines “personal data” as information
which can identify a person via an ID number, or factors specific to physical,
physiological, mental, economic, cultural or social identity.
3. Jamaica passed its Data Protection Act (DPA) in June 2020 and, on December 1,
2021, appointed Celia Barclay as the first Information Commissioner. With that, the
process to implement a system to ensure compliance of data controllers with data
protection standards commenced. Data controllers have a transition period of two
years, from December 1, 2021, to November 30, 2023, to ensure full compliance
with the requirements under the Act.
OFFICE OF THE INFORMATION COMMISSIONER (OIC)
The Information Commissioner ('the Commissioner') is the main regulator
under Part I, s. 4 of the DPA. The main powers, duties, and responsibilities
of the Commissioner include:
• monitoring compliance with the Act and any regulations made under the Act;
• providing advice to the relevant minister on any matter relating to the operation of the Act
or otherwise for the protection of personal data;
• promoting the observance of the requirements under the Act and the following of good
practice by data controllers;
• disseminating information to the public about the operation of the Act, about good practice,
and advising persons about any of those matters;
• preparing and disseminating guidelines under the Act; and
• intervening as a party in any proceedings before a court, in respect of any matter
concerning the processing of personal data or the enforcement of any provision of the
Act, other than proceedings for the prosecution of an offence.
PRIVACY DEFINED UNDER THE DPA
Personal data is ‘information (however stored) relating to a living individual, or
an individual who has been deceased for less than 30 years, who can be
identified from that information alone or from that information and other
information in the possession of, or likely to come into the possession of, the
data controller, and which includes any expression of opinion about that
individual and any indication of the intentions of the data controller or any other
person in respect of that individual.’
Sensitive personal data is personal data consisting of any of the following
information in respect of a data subject:
• genetic data or biometric data;
• filiation, racial, or ethnic origin;
• political opinions, philosophical beliefs, religious beliefs or other beliefs of a similar
nature;
• membership in any trade union;
• physical or mental health or condition;
• sex life; or
• the alleged commission of any offence by the data subject or any proceedings for any
offence alleged to have been committed by the data subject.
Personal data may be processed where necessary for the administration of justice, for the
exercise of any functions conferred by or under any enactment, or for the exercise of any
other functions of a public nature exercised in the public interest; these are conditions for
processing personal data in accordance with the first standard (Article 23(e) of the Act).
DATA CONTROLLER & DATA PROCESSOR
A data controller is defined under the Act as 'any person or public authority, who, either
alone or jointly or in common with other persons determines the purposes for which and the
manner in which any personal data are, or are to be, processed, and where personal data is
processed only for purposes for which they are required under any enactment to be
processed, the person on whom the obligation to process the personal data is imposed by or
under that enactment is for the purposes of this Act a data controller'.
A data processor is defined under the Act as 'any person, other than an employee of the
data controller, who processes the data on behalf of the data controller'.
THE DATA PROTECTION OFFICER
Prior to processing personal data, all data controllers must pay a prescribed fee and
register certain 'registration particulars' with the Commissioner.
Additionally, certain categories of data controllers are required to appoint a data
protection officer ('DPO') under the Act. These categories include:
• data controllers who are public authorities;
• data controllers who process or intend to process sensitive personal data or data
relating to criminal convictions;
• data controllers who process personal data on a large scale; and
• data controllers that are designated by the Commissioner as requiring a DPO.
Also, data controllers are required to submit annually to the Commissioner a Data
Protection Impact Assessment ('DPIA') with respect to all data in their possession.
THE 8 DATA RIGHTS PRINCIPLES
1. Personal data must be processed fairly and lawfully (sections 22-24), which essentially amounts to
ensuring that the consent of the data subject (i.e. the person to whom the personal data relates) is
obtained prior to processing the data, or that there is a legitimate basis for the processing.
2. Personal data is only to be obtained for specified purposes and is not to be processed for any other
purposes (section 25).
3. Personal data is to be adequate, relevant, and not excessive in relation to the purpose for which it is to
be processed (section 26); this essentially prevents data controllers from obtaining more information from
data subjects than is necessary for the intended processing purposes (a minimalist approach).
4. Personal data must be accurate, and, where necessary, kept up to date.
5. Personal data must not be kept for longer than is necessary to satisfy the intended processing
purposes and must be disposed of in accordance with regulations to be promulgated under the
legislation.
6. Personal data must be processed in accordance with the rights of data subjects under the
legislation.
7. Personal data is to be protected by taking the appropriate technical and organizational measures and
by prompt notification of security breaches to an Information Commissioner to be established under the
legislation.
8. Personal data must not be transferred outside Jamaica to another state without adequate levels of
data protection for Jamaican data subjects.
DPA AND OTHER RELATED INITIATIVES
Local laws and initiatives:
• There are local initiatives such as NIDS and Jamaica Eye;
• As outlined in Clause 76 of the DPA Jamaica, there will be a transition period to
allow for compliance and to facilitate administrative restructuring.
DPA Penalties (local):
• Breach of certain provisions of the legislation will constitute criminal offences
attracting penalties both for corporations and individual corporate officers.
• Corporate: fine not exceeding 4% of annual gross worldwide turnover for the preceding
year of assessment in accordance with the Income Tax Act. Individuals: JMD 5 million
(approx. €32,050) and/or imprisonment up to a maximum of 10 years.
GDPR Penalties (global):
• Two levels of fines based on the GDPR:
1. The first is up to €10 million or 2% of the company's global annual turnover of the
previous financial year, whichever is higher.
2. The second is up to €20 million or 4% of the company's global annual turnover of
the previous financial year, whichever is higher.
OVERALL DPA COMPLIANCE
CLOSING THE GAP: 8 DATA PRINCIPLES
1. Consent (sec. 22-24)
2. Notification as to reason for collection (sec. 25)
3. Minimalist approach to collection (sec. 26)
4. Data must be accurate (sec. 27)
5. Data retention must be for minimum period (sec. 11(2)(d) & 28)
6. Rights of data subjects respected (Part II & sec. 29)
7. Personal data to be protected (sec. 30)
8. Personal data restricted to Jamaican jurisdiction (sec. 31)
TARGET AUDIENCE
• All Visitors
• Vendors
• Staff
• Office of the Information Commissioner (OIC)
COST SAVINGS
• Monitoring System on new platform (Reports to Internal Stakeholders)
• Compliance under the DPA (Annual Reports to the OIC)
• Cybersecurity & Risk Management
EASY TO USE
• Data Protection Notice
• Data Protection Policy/Procedures
• Registration as a Data Controller with OIC
• Data Protection Officer (DPO)
• Data Protection Impact Assessment (DPIA)
• Training and Awareness Programme
• Data Incident Reporting Mechanism
• Annual Reports
RELATED DOCUMENTS
Enterprise Risk Management Reporting Calendar
GraceKennedy Risk Management Group Policy
GraceKennedy Risk Appetite Governance Standard
GraceKennedy Risk Assessment Guideline
GraceKennedy Risk Assessment Reporting Standard
GraceKennedy Business Continuity and Crisis Response Group Policy
GraceKennedy Delegation of Authority Policy
Information Security Management Policy
Privacy Policy
Under sec. 24(2) of the DPA, 2020, processing by an anti-fraud organization is accommodated; this would be the window under which the Bank would be able to collect personal data using the AI for the purposes mentioned in the case.
Closing the Gap using the Data Principles under Part IV of the DPA