Are HR practitioners paying


Are HR practitioners paying


Wednesday, October 21, 2020

Print this page Email A Friend!

In a recent poll of some 400 individuals which was conducted during a live broadcast of the Private Sector Organisation of Jamaica's (PSOJ's) CovidCastJa Live that discussed the Data Protection Act, the majority of the viewers, impressively, were aware of its passage. Anecdotally, however, the majority of business operators, while they may be aware of the Act, have formed the view that if they don't have a business-to-consumer business, where they treat with customer personal data, the legislation may not necessarily impact them. This view is incorrect, as employees — for the purposes of the Data Protection Act — are also data subjects.

This is not unusual as emphasis has often been placed on the privacy rights of consumers. A closer reading of the definition of the data subjects, as set out the Data Protection Act, coupled with the example of the recent monetary penalty of €35,258,707.95 issued by the German Commission of Data Protection against retail clothing juggernaut H&M on October 1, 2020, should quickly adjust this incorrect perception.

The Data Protection Act defines a data subject as a named or otherwise identifiable individual who is the subject of personal data. This wide definition includes customers, suppliers, members, employees, and all citizens of Jamaica whose personal data is processed by a data controller (an employer). It follows that if you operate a factory that sells to other businesses or any other business-to-business operation and have employees, and collect any form of personal data relating to the employee, you are subject to the Data Protection Act. As a data controller you are expected to respect the privacy rights of your employees in the same manner that you are to respect the privacy rights of your customers.

In the H&M decision it was a situation in which some of the employees were subject to extensive recording of their private life circumstances. For example, after vacation and sick leave, the senior staff conducted a so-called “Welcome Back Talk” with the employees. In this way, information on symptoms and diagnoses of illness were obtained and stored. In some cases, these recordings were very detailed, updated on an ongoing basis, and enriched with other known information about employees' private lives; for example, regarding known family problems or religious beliefs. These notes were accessible to other managers throughout the company. Among other things, the data was used to obtain a profile of the employees for decisions in the employment relationship.

The European General Data Protection Act, which is very similar to our Data Protection Act, states that personal data shall be processed lawfully, fairly, and in a transparent manner, and shall be lawful only if:

(a) the data subject has given consent to the processing of his personal data;

(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.

The commissioner found that the combination of collecting details about their private lives and the recording of their activities led to a serious encroachment on employees' civil rights. In light of the foregoing, the commissioner issued a penalty in the sum of €35,258,707.95. We take a deeper look at this decision in our weekly podcast Design Privacy Weekly.

This decision brings into sharp focus the type of personal data that is collected by human resource departments and the risks companies are exposed to by virtue of the processing of this data. The personal data collected by HR is often sensitive personal data; for example, information about a potential employees or employees' health status and criminal antecedents. The processing of sensitive personal data requires that additional steps be taken to protect the privacy of data subjects. On the flip side, as demonstrated by the H&M case, a breach of a data processing standard that involves sensitive personal data would attract higher monetary penalties.

Companies must now address their minds to what they do with, either solicited or unsolicited, resumes that they receive. Is your business in a position to account for all the resumes that have been received? Would you be able to account to an applicant who submitted an unsolicited resume in which you had no interest, if he were to exercise his first data subject right and request information about all the information that you are processing about him. Would you be able to provide him a copy of the resume he submitted. If you are interested in hiring an applicant and you decide to do background checks, or because you are a regulated entity you specifically required to do background checks, how do you go about this exercise? What information do you collect and, once collected, what do you do with it?

There are a multitude of issues that now arise as a result of the passage of the Data Protection Act that now have to be addressed by companies that have employees. In general, as a first step, personal data collected must be clearly defined, assessed, and evaluated in the light of rights and freedoms of the data subjects. Based on that, the process is drafted, defined, and adjusted beginning with data minimisation and purpose limitation, and then with fairness and lawfulness (before applying the rest of principles).

Chukwuemeka Cameron, LLM, is a podcaster and an attorney-at-law with a master's in information technology. He is also founder of Design Privacy, a consulting firm that helps you comply with privacy laws and build trust with your customers. Send comments to the Jamaica Observer or

Now you can read the Jamaica Observer ePaper anytime, anywhere. The Jamaica Observer ePaper is available to you at home or at work, and is the same edition as the printed copy available at




1. We welcome reader comments on the top stories of the day. Some comments may be republished on the website or in the newspaper � email addresses will not be published.

2. Please understand that comments are moderated and it is not always possible to publish all that have been submitted. We will, however, try to publish comments that are representative of all received.

3. We ask that comments are civil and free of libellous or hateful material. Also please stick to the topic under discussion.

4. Please do not write in block capitals since this makes your comment hard to read.

5. Please don't use the comments to advertise. However, our advertising department can be more than accommodating if emailed:

6. If readers wish to report offensive comments, suggest a correction or share a story then please email:

7. Lastly, read our Terms and Conditions and Privacy Policy

comments powered by Disqus



Today's Cartoon

Click image to view full size editorial cartoon