To safeguard the right to privacy and data protection when procuring various services, Information Commissioner Celia Barclay has urged data subjects to carefully review the fine print details of all documents they ratify.

The terms and conditions for services usually accompanying most applications, she said, sometimes bear clauses that may give data controllers the right to utilise the information collected for certain purposes.

In the wake of numerous outcries from customers who often complain about the unlawful sharing and use of some personal data by companies in third-party arrangements, Barclay called for the proper review of policies by data subjects who she believes, in many instances, do give consent to the use of their information without even knowing, when they fail to read and carefully examine the conditions of documents to which they agree and how their information will be stored or processed after it is logged.

"A lot of persons will say I did not give permission to do this, but really when they fill out certain forms which require information, there is a usually a part at the bottom which sometimes may very well appear in fine print, which many customers often just sign without taking the time to read and understand what it means for them and the use of their information," she said while speaking at a Jamaica Observer Business Forum held recently.

Citing the difficulties of convoluted language, lengthy paragraphs, fine print wording and the use of too many legal jargons, she said many subjects often also disregard the need to review the tenets of these documents, opting instead to quickly sign up and benefit from a service, a move which they sometimes later regret.

Referencing global data protection trends, Barclay said that newer practices have, however, began to see countries moving towards having clearer and more effective forms of information communication. The practices, she said, often result in the drafting of policies which ensure that communication is simple, done in a comprehensive manner, documents are easily read and understood and data subjects are made clear about what it is that they are agreeing to.

"The trend in data protection law is that organisations should move towards informed consent in its truest sense. Therefore, if the information is communicated in a manner which can't be reasonably understood or read through, then these organisations are not considered to have properly informed the subject," she told journalists during the forum.

She said that while the recently passed Data Protection Act (DPA) remains fairly new with its legislative framework undergoing constant build out, current provisions which aim to deal with various breaches of data protection will overtime see adjustments as steps are taken to address new issues including those concerning data sharing and securing informed consent.

"As we go forward these are some of the determinations that will be made with further directives issued," she said.

Barclay further said that while the Act was not designed to prevent the necessary processing of data as needed by some companies in their operations to fuel growth and drive commerce and development in the country, it is important that a balance be maintained and the customer's right to data protection in these transactions be protected.

"There are also some rights that organisations will have, so if it is that customers don't like the terms and conditions that are attached to some goods and services, they don't have to accept it, as there are other alternatives which they could use," she advised.

Asserting that liability under the legislation expected to take effect on December 1 will rest with companies for certain breaches, Barclay stressed the need for data controllers to seek the consent of subjects to whom they must also clearly communicate how the information collected will be used.

"Consent needs to be express and in writing — so either they [controllers] are going to be writing it out or the data subjects will need to write out what it is that they are giving consent for. Consent also needs to be unequivocal and unambiguous.

"The Act is very detailed in terms of what constitutes consent and it will tell you that consent is supposed to be informed, therefore the relevant data which will allow the data subject to make a decision should be clearly communicated to them," she said.

The DPA passed by the senate in 2020 is the chief legislation which seeks to protect the privacy and personal information of citizens. On completion of the upcoming two-year transitional period, data controllers in becoming compliant with the regulations are being encouraged to start engaging in the necessary activities that will support consumer privacy rights. This should see them ensuring that they categorise data and collate the legitimate reasons for collecting/using the information in their possession, review contracts with third-party vendors to ensure that policies adhere to the regulations, identify whether they have consent to collect and use personal information and also to determine if the necessary guidelines are being put in place to share, move or store information outside of Jamaica.

"The Act is very specific as to what constitutes proper and lawful consent under the law," Barclay noted.