Lost in the controversy surrounding the National Identification System (NIDS) was another piece of legislation, the Data Protection Bill, which is arguably just as important for everyday life in Jamaica. It is designed to protect personal data and regulate how it is used, including under NIDS, which was struck down by the Supreme Court.
Many Jamaicans have suffered from some form of data theft, such as the stealing of their credit card details, and, unfortunately, the country has also developed an unwanted reputation for fraud due to the lottery scam.
Meanwhile, a global scandal about data misuse has damaged the reputation of a company which many Jamaicans spend hours daily interacting with – Facebook, which also owns Instagram and WhatsApp.
Legislation is already in place in other countries and regions where Jamaican companies do business, such as the European Union. In the EU, citizens’ data are protected by the General Data Protection Regulation (GDPR), under which large companies, such as British Airways and Marriott, were recently fined US$230 million and US$123 million, respectively, for breaches.
These events add to the significance of the local Data Protection Bill, which was tabled in Parliament in 2017 and is to be reviewed by a reconstituted Joint Select Committee of Parliament, which should have commenced sittings in July. The bill provides new rights of protection for citizens, such as: the right of consent for your data to be collected; the right to know and choose when an organisation is processing data about you; and the right to prevent your data being processed for direct marketing purposes.
“Everyone needs to care about this bill. Now more than ever before, our participation in society is managed digitally,” says Jamaicans for Justice (JFJ) executive director, Rodje Malcolm. “Our personal data is used to identify us, determine what services we receive, what products are marketed to us and even how we are monitored – what we buy, where we go, what services we use, who we communicate with, etc.”
“Increasingly we hear about data breaches, misuse of personal data and the selling of people’s personal information for commercial purposes. Without laws to protect our personal data and give people autonomy about how and when their data is used or shared, Jamaicans will continue to be at serious risk in an increasingly digital world,” he outlined.
“This bill is everybody’s business,” Mr Malcolm insists.
As with any new item of legislation, the bill did generate debate, but not every sector seems aware of it, or made a submission to Parliament in response. Media interests have perhaps been the most vocal in expressing their concerns that provisions under the bill could be used to limit investigative journalism.
Jamaicans not Treating Data Protection as a Priority
Collin Burgess, IT infrastructure manager at MC Systems, states that many Jamaicans, whether businesses or citizens, are not yet treating data protection as a priority, and they may wait until it is too late. He explained that, if the bill becomes law, a company responsible for a data leak that causes the personal data of individual persons to be abused will be fined.
“Consider, as an individual, who you give your personal data to and for what purpose. As organisations and businesses, we should also mirror that consideration by ensuring that the data we handle was acquired correctly, and that we use it only for the purposes for which we gained consent. Therefore, for instance, that mailing list you acquired as a favour from outside your organisation should be a red flag,” says Burgess.
“All of us, as Jamaicans, can benefit from a culture whereby personal data is not viewed as a limitless resource to be exploited. Regardless of legislation, it is good business practice to be respectful of the data we hold. That means we should consider this each and every time we decide to contact our customer database, because abuse of data and consent means that Jamaicans sometimes feel unduly spammed, whether by direct marketing or from following an entity which over-posts on social media.”
In finalising the bill, legislators should consider keeping up with changes in technology, while balancing the objective of protecting the individual’s right to data protection, without placing unreasonable restrictions on businesses.
The bill defines ‘individuals’ as ‘data subjects’ and ‘organisations’ as ‘data controllers’, which would need to register and file annual returns with the Information Commissioner, in a manner similar to what they would originally have done with the Companies Office of Jamaica.
The following controls/standards can prevent and minimise exposure of data.
- Implementing a security policy
- Conducting continuous risk assessments
- Devising suitable controls, both physical and technical
- Implementing and monitoring the effectiveness of controls
- Using cryptographic methods for confidentiality and integrity of data
- Education and training of staff
Standards to Protect Businesses:
- National Institute of Standards and Technology (NIST) publication 800-122, a guide to protecting the confidentiality of personal information
- ISO/IEC 27002 standard
- Payment Card Industry Data Security Standard (PCI DSS)
By Civic Tech Organisation Slash Roots Foundation: How four Jamaicans could be affected by the Data Protection Bill: a farmer, an entrepreneur, a former drug addict and a tech star.
Name: Ricardo Brown
Scenario: Wanting to expand his farming business, Ricardo applies for a loan from a Credit Union. The Credit Union pulls his farmer registration information from RADA to make its decision. However, Ricardo knows that he has not spoken to RADA in four years, and his data is outdated.
How Ricardo Will Be Affected:
- Ricardo can request that his Credit Union tell him whether they have made a decision based solely on automated processing of data from RADA. After being notified, Ricardo has 21 days to require that they reconsider and make a new decision on another basis.
- Ricardo can request that his Credit Union not make a decision solely based on automatically processing his data from RADA, and instead allow him to provide his updated data.
Name: Collette Simpson
Scenario: Collette is an entrepreneur who previously ran a business selling designer sandals. She is now looking to start a new business to provide catering services and wants to market to her previous customer base.
How Collette Will Be Affected:
- Collette will need to update her registration information with the Information Commissioner, indicating what data she will collect and how she will use it.
- She will also need to get consent from her customers before she can start marketing her catering service to them.
- If a former customer indicates that he or she does not want to receive information about her new business, then she cannot send marketing information to them.
Name: James Johnson
Scenario: James received services from a local NGO, which helped him overcome drug addiction. Now trying to move on with his life, he is worried that the information he shared with the NGO could resurface elsewhere and affect his job prospects.
How James Will Be Affected:
- He can request that the NGO disclose what personal data it holds about him; how the data will be used; and with whom it has been shared.
- He can also request a copy of this data.
- In addition, he can reject any previous consent he may have given to the NGO to use his data internally or share his data with other entities.
Name: Tarik Johnson
Scenario: Tarik wants to launch a new online dating service and wants to test his product prototype with Jamaican consumers.
How Tarik Will Be Affected:
- Before he can collect personal data, Tarik must register with the Information Commissioner. In doing so, he must provide, among other details, specific information about what data he will collect, and appoint a Data Protection Officer.
- When signing up new customers, he must communicate to them why the data is being collected and how it will be used.
- In storing data in the cloud, he must select hosting services in jurisdictions that have equivalent data protection to Jamaica. He cannot share their data with jurisdictions which lack this without first obtaining the consent of his users.
- If his service gets hacked or the data compromised, Tarik must notify the Information Commissioner and potentially all his users.