How to avoid a personal data

How to avoid a personal data

Legal Notes

With Samantha Moore

Wednesday, February 26, 2020

Print this page Email A Friend!

The recent inadvertent disclosure of personal data at some major financial institutions in Jamaica has signalled the need for organisations to take a very robust approach to the way in which they handle the personal data of customers. Organisations may face significant penalties and fines for failing to properly handle the personal data of its customers in a safe, secure, and confidential manner.

Under the Banking Services Act, there is a general duty of confidentiality or secrecy imposed upon employees and agents of financial institutions as it relates to customer information. Any employee or agent of a financial institution who unlawfully divulges or reveals any information regarding a customer account commits a criminal offence under the Act and may be liable to a fine of up to $7.5 million or to imprisonment for a term not exceeding five years.

Likewise, a personal data breach under the European Union's General Data Protection Regulation (GDPR) may result in a company being liable to a fine of up to €20 million or four per cent of its global annual turnover whichever is higher. Just recently, Marriott International was found to be in breach of the GDPR due to the negligent exposure of the personal records of approximately 339 million guests. Marriott International was fined a total sum of 99 million by the UK's data protection regulator.

What is distinct about the GDPR is that it is extraterritorial in scope, in that, it applies to any organisation which processes personal data of EU citizens by offering goods or services to EU citizens, irrespective of whether the organisation is located within or outside the EU. Financial institutions in Jamaica would therefore be caught by the GDPR once they provide financial services to an EU citizen and collect their personal data.

Organisations should also be mindful of the data protection obligations under the impending Data Protection Act, 2017 which is expected to be passed in Jamaica in a few months. Based on the provisions of the latest draft of the Act, a personal data breach under the Act can result in an organisation being liable to a fine of up to 10 per cent of its annual gross income. A director, manager, secretary, or other similar officer of the organisation may also be held personally liable for failing to comply with their data protection obligations under the impending Act. Additionally, any person who can prove that they have suffered some sort of damage from the breach would be entitled to compensation from the organisation under the Act.

In light of the severity of the fines and penalties which organisations may face, it is important that certain best practices be adopted in order to minimise the risks of a personal data breach. Having regard to the applicability of the GDPR to some organisations as well as the provisions under the Data Protection Act, 2017, the following best practices may be useful.


Organisations ought to conduct security audits to ensure that they are operating in accordance with both local and international data protection standards. These security audits may be conducted biannually or quarterly. The security audits will give organisations the opportunity to conduct an assessment of all the personal data collected by it and determine whether requiring such information is still required. Organisations will also have the opportunity to review existing contracts with employees, customers/clients and suppliers; security procedures and systems; and procedures regarding the retention and destruction of personal data.


Organisations must ensure that they obtain the express consent of their customers prior to collecting, storing, processing, using, and disclosing the customer's personal data. Consent must be freely given, specific, unambiguous and shown either by a statement or a clear affirmative action which signifies agreement to the processing. Customers must be provided with all the relevant information regarding the processing of their personal data which will enable them to make an informed decision.


Organisations must implement data protection policies, standards, and procedures which govern the way in which personal data is processed, stored, retained, and destroyed by the organisation. These policies are to be written in plain and clear language, and accessible to not only customers but employees as well. Ensure that both customers and employees agree to be bound by the terms of the policies.

The policies are to be reviewed and revised on an annual basis and all third-party service providers engaged by the organisation must be required to comply with said policies.


Employees' access to personal data must be based on a need-to-know basis and all employees who have access to personal data ought to be subject to confidentiality/non-disclosure agreements. Employees must also be properly trained in this area and must be required to report any actual or suspected security breach as soon as it occurs.


Organisations must implement certain technical and organisational security measures to prevent unauthorised or unlawful disclosure of customers' personal data. For example, all e-mail containing the personal data of customers ought to be encrypted. Personal data of customers stored on mobile or portable devices must also be password-protected and an organisation should be able to remotely erase customers' personal data in the event of theft of such device.

Organisations must also ensure that any data-processing software and antivirus software used are effectively maintained and up-to-date.

A personal data breach can result in the loss of existing and potential business for organisations as well as loss of clients and customers' trust. It is therefore prudent for all organisations to ensure that they are operating in accordance with their local and international data protection obligations. Every effort should be made to avoid the serious implications of a personal data breach.

Samantha Moore is an Associate at Myers, Fletcher & Gordon and is a member of the firm's Commercial Department. Samantha may be contacted via or This article is for general information purposes only and does not constitute legal advice.

Now you can read the Jamaica Observer ePaper anytime, anywhere. The Jamaica Observer ePaper is available to you at home or at work, and is the same edition as the printed copy available at




1. We welcome reader comments on the top stories of the day. Some comments may be republished on the website or in the newspaper � email addresses will not be published.

2. Please understand that comments are moderated and it is not always possible to publish all that have been submitted. We will, however, try to publish comments that are representative of all received.

3. We ask that comments are civil and free of libellous or hateful material. Also please stick to the topic under discussion.

4. Please do not write in block capitals since this makes your comment hard to read.

5. Please don't use the comments to advertise. However, our advertising department can be more than accommodating if emailed:

6. If readers wish to report offensive comments, suggest a correction or share a story then please email:

7. Lastly, read our Terms and Conditions and Privacy Policy

comments powered by Disqus



Today's Cartoon

Click image to view full size editorial cartoon