Click here to print page

Ja's Data Protection Act gives citizens more control over their personal data

Shaista Peart

Sunday, December 16, 2018

We are now living in the digital age which is grossly powered by information. Through technological advancements it is becoming easier for us to share information about ourselves to conduct everyday tasks and to interact with others. Evidently, the sharing of personal data provides many benefits for us; however, it is not devoid of numerous risks.

A quick Google search will display the various data breaches that have occurred over the years as criminals see cybercrime as a lucrative business. In response, organisations and institutions need to implement measures to responsibly secure as well as lawfully process personal data. In light of these existing and growing concerns, Jamaica is currently drafting data protection legislation to protect the personal data of the Jamaican people. This piece of legislation is quite extensive, with the first copy of the Bill totalling 114 pages. It covers a multiplicity of topics, such as data protection standards, the information commissioner, individual's rights, fines and penalties. After a quick scan of the Bill, it can be agreed that reading the document in its entirety can be seen as daunting, as there is quite a bit to digest along with understanding the legal vernacular.

Essentially, the legislation aims to protect the personal data of individuals and to provide them with certain rights in an effort to offer them greater control over their personal data. These rights are stated below:

1) Right of access to personal data: Under the Data Protection Act individuals will have the right to request access to personal data about them held by an organisation (data controller). This is commonly called a 'subject access request'. This request must be submitted in writing to the organisation for it to be a valid request. An individual can request confirmation as to whether or not personal data is being processed by the organisation; description of the personal data being processed, the purposes for processing and who the personal data are being or to be shared with; and obtain a copy of their personal data and details of the source of the data.

It should be noted that the Bill states there will be a prescribed fee for requesting copies of the personal data held about you. Additionally, the organisation has a total of 30 days to comply with the subject access request. If an individual is dissatisfied with the way the organisation has dealt with their request, or if they have been unsuccessful in receiving a response after 30 days, then the issue can be reported to the information commissioner.

There might be instances where the personal information requested cannot be released, for example where the release of the information would reveal the personal data of another person and there is no way of preventing such a contravention.


2) Right to prevent processing likely to cause damage or distress: An individual has the right to object to the processing of their personal data if such processing causes, or is likely to cause, substantial unwarranted damage or distress to them.

Additionally, processing can be prevented if the data is incomplete or irrelevant in relation to the purpose for processing, the processing of the data is illegal and the data has been retained for longer than it should. For this request to be valid it must be submitted to the organisation in writing. Once the organisation receives the written request it must respond within 21 days stating their decision. If the individual is unhappy with the outcome provided to them, he/she can report the matter to the information commissioner.


3) Right to prevent processing for the purposes of direct marketing: Individuals are given the right to prevent their personal data being processed for the purpose of direct marketing. The data protection Bill defines direct marketing as any means of communication of any advertising or marketing material that is directed at particular individuals. Once an organisation receives such a request it must comply as soon as possible and cease processing for this purpose.

For example, you purchase products from a furniture store using hire purchase, as such you have to provide various categories of personal data, such as your living address, e-mail address, and phone number. Some time later you receive multiple e-mail and text messages from the store advertising other products as well as unrelated marketing material. You have the right to contact the store and ask that they stop sending these marketing materials to you. They should comply. If the store fails to comply with your request you have the right to inform the information commissioner of the issue.


4) Rights in relation to automated processing: This right states that individuals can require, in writing, that organisations refrain from making any decisions based solely by automatic means which could adversely affect them. If an automated decision has been taken, and will significantly affect the individual, the organisation should inform the individual that a decision has been made using this option as soon as reasonably possible. Additionally, within 21 days after being informed the individual is entitled to ask the organisation to review the decision and/or take a new decision on a different basis. The organisation subsequently has 30 days to respond and provide an outcome of their review.


5) Right to rectify inaccuracies: Individuals have the right to request that an organisation rectify any inaccurate personal data held on them. Rectify means to amend, block or destroy personal data if they are deemed inaccurate. The organisation has 30 days to comply with the request for rectification. The individual may report to the information commissioner if they are dissatisfied with the response received by the organisation.


6) Right to claim compensation: If an individual suffers damage because the organisation has breached any aspect of the Act, he/she is entitled to compensation. The word 'damage' is not defined to give context but mainly relates to financial loss of some kind. An individual can also claim compensation for distress if the breach relates to processing for special purposes, ie journalistic, artistic or literary.


The people of Jamaica should see this move as a positive one to give them more control over their personal data in an age where information is a prized commodity.


Shaista Peart is a data protection professional. Send comments to the Observer or