Recently, I had the honour of participating in TechCon, tTech Limited’s fifth annual technology and business conference in Kingston, Jamaica, under the theme ‘INSPIRE: Accelerating Your Digital Maturity’.
For the last five years, TechCon has been cementing itself among the region’s top technology conferences, bringing together a wide array of experts, an abundance of research, and participants with a series of robust discussions. This year was no different as discussions on ‘accelerating our digital maturity’ were inspirational and added a wealth of knowledge to the space.
I had the opportunity to talk a little bit about the new paradigm of data protection and privacy that the Government has embarked on and how our National Identification System (NIDS) is built on the core principles of data protection, privacy, and solid independent oversight.
PROTECTING OUR DATA
The Data Protection Act passed in 2020 is a significant step in reframing the concept of data protection, and will revolutionise Jamaica’s data protection and privacy landscape. The Data Protection Act codifies our right as data subjects, it also imposes myriad responsibilities on those who have access to and control our data.
Critically, the fundamental concept that data should be processed fairly and lawfully is enshrined. This is in addition to seven other standards that data controllers must adhere to under our Data Protection Act (DPA) when processing personal data, which include:
• that personal data shall be obtained only for specified and lawful purposes
• that the collection of personal data shall be adequate, relevant, and limited to what is necessary for the specific purpose
• that any personal data collected shall be accurate and, where necessary, kept up to date
There is no doubt that these standards add a level of accountability and privacy, which are critical to our digital transformation journey. A journey that must also consider the need to accurately identify individuals with their consent via a secure National Identification System . We must stress that the NIDS will exist in a complementary fashion to our data protection legislation and firmly established information security policies.
THE NEW NATIONAL ID
Having the benefit of being developed after the DPA, this new NIDS is significantly different from other forms of IDs as the core of its legislative frameworks are hinged on privacy and data security by design. Therefore, the NIDS legislative framework is explicitly designed to facilitate a consent-based identity verification process on behalf of the data subject (the holders of a national ID) to third parties. This arrangement is entrenched in law, and the only other route for disclosure is via the courts.
The National Identification and Registration Authority (NIRA) is the entity that will be established to manage the NIDS, and by law, its officers are not given the privilege of discretion. The “requests for information or for the authentication and verification services” framework is clearly defined under section 25 of the National Identification and Registration Act. The verification of identity is at the individual’s request or an accredited third party with that individual’s consent. In addition, under section 24, Disclosure of Identity Information, the law makes provision for three specific ways in which identity information may be disclosed:
“24.—(1) The Authority shall not disclose identity information stored in the national identification databases about an individual, except— (a) in accordance with the request of the individual concerned, subject to such fee as may be prescribed; (b) in accordance with an order of a judge, made pursuant to subsection (3) or (c) as may otherwise be provided by this Act or any other law.”
NIRA must register as a data controller under the DPA, and as such, NIRA and its officers are accountable under the DPA and must comply with data privacy and security.
NIDS and NIRA have a built-in double oversight mechanism. Under the DPA, the information commissioner, who was appointed in late 2021, will provide practical monitoring of NIDS relating to data protection and privacy. An independent oversight body, to be called the National Identification and Registration Inspectorate, will be mandated to monitor the authority’s compliance with the NIDS law and report its findings directly to the Parliament of Jamaica.
The inspectorate will also be empowered to take action independently or bring to the attention of the appropriate regulatory/disciplinary body where it is found that the authority or its employees have violated the enabling legislation.
Additionally, outside of the legislative framework, steps are being taken to ensure that the system design is given the highest priority. The audit trails of the system will be protected using blockchain technology to hold the operators of NIDS accountable. In other words, it will be difficult for the operators of NIDS to circumvent the audit trails. This will undoubtedly discourage people from going outside of the legal framework, and if anyone goes outside of the legal framework the penalties under the law will apply. Therefore, the privacy and accountability built into the system are a significant deterrence as people will be notified whenever their identity information is disclosed or verified.
This is the first time we have had such a robust oversight and governance framework for an ID system in Jamaica.
THE NEW FUTURE
A secure National Identification System for Jamaica has the potential to positively transform the efficiency and transparency of interactions between the Government, the public, and the private sector. Importantly, it will provide an avenue for greater security and privacy of personal information when carrying out electronic and paper-based transactions.
Let us reshape the present and create a new future for our children and our country.
Floyd Green is Member of Parliament for St Elizabeth South Western and an attorney-at-law.