JFJ points to ‘limitation’ in Data Protection Act
Human rights group Jamaicans For Justice (JFJ) has pointed to a “significant limitation” in the Data Protection Act (DPA) that leaves the law powerless when disclosure of the HIV/AIDS health status of individuals is made by their friends or family.
According to JFJ, while the legislation primarily offers protections for personal data, including sensitive health information like HIV status, “within the context of unauthorised HIV disclosure, the most significant limitation of the Act is that its scope is largely confined to institutional or organisational contexts where data is collected, processed, or stored systematically — such as health-care facilities, employers, or private businesses”.
“It applies to data controllers who handle personal data in a structured manner, meaning it is most effective against unauthorised disclosures by entities like hospitals, clinics, or businesses that mishandle patient records. For instance, if a health-care provider shares a patient’s HIV status with family members without consent, the DPA could be invoked due to the institutional breach. In contrast, unauthorised disclosures within family or community settings, often by relatives or neighbours — where at least 70 per cent of such incidents occur based on complaints received by JFJ — typically fall outside the DPA’s purview,” JFJ said in its most recent report titled ‘Unauthorised HIV Disclosure and Privacy: A Legal Analysis’.
“These are private, informal acts not involving a data controller in an institutional sense, such as a family member revealing status during a dispute or a community member spreading it via gossip. The DPA does not extend to regulate personal, non-professional interactions unless the disclosure involves data originally obtained from a protected source [example, a leaked medical record shared by a family member]. Even then, liability would likely target the institutional source rather than the individual discloser,” JFJ said.
Under the Data Protection Act (2020), “physical or mental health or condition” is explicitly classified as sensitive personal data, which grants it enhanced protection. The Act outlines eight core data protection principles that data controllers must follow, including the requirement for lawful, fair, and transparent processing, meaning that any disclosure of HIV status without legal justification or informed consent constitutes a direct violation.
Additionally, the measure ensures that HIV status information can only be collected and processed for specific, legitimate purposes, such as health care, and not for improper uses like gossip or discrimination. It further restricts the collection and processing of HIV-related information to the minimum necessary, reducing the risk of misuse.
The Act’s storage limitation principle mandates that HIV status information should not be retained longer than necessary, thus reducing the risk of unauthorised access or disclosure over time.
In some cases, individuals can request the deletion of their HIV status data, such as when it is no longer necessary for the original purpose or if consent has been withdrawn. Moreover, individuals have the right to object to the processing of their HIV-related data if they believe it is being used unfairly or unlawfully, and they can also restrict how their data is processed, potentially preventing disclosure to unauthorised parties.
In terms of enforcement, the Act offers several mechanisms to protect individuals’ rights; it requires that any data breach, including unauthorised disclosure of HIV status, be reported to the information commissioner and affected individuals within 72 hours. This promotes transparency and ensures timely action in addressing breaches. Additionally, the information commissioner has the authority to issue enforcement notices, compelling data controllers to cease unlawful processing of HIV-related data.
A company that breaches the law can face fines up to a maximum of four per cent of its global annual gross revenue for the preceding tax year, as determined by the Income Tax Act. In addition to corporate liability, individuals within the organisation, such as directors, managers, secretaries, or anyone acting in similar capacities, may also be held personally accountable for violations.
In the meantime, individuals who commit offences under the Act can face substantial penalties, including fines of up to $10 million and/or imprisonment for up to 10 years. In addition to criminal remedies, any person who can demonstrate that they have suffered harm due to a data controller’s breach of their obligations under the Act may seek compensation.