1. What is the Jamaica Data Protection Act 2020?

  • It is a law that provides individuals with a new set of rights relating to their personal data.
  • “Personal data” means information which relates to a living individual, or an individual who has been deceased for less than 30 years, who can be identified:
    • From that information, or
    • From other information which is in the possession of, or likely to come into the possession of the data controller.

2. Who is responsible for regulation?

  • The Information Commission will oversee and regulate compliance with the Data Protection Act 2020.

3. Who must comply with the act?

The Act applies to entities established both in and outside Jamaica, under the following conditions:

  • Entities established in Jamaica - data controllers who are established in Jamaica or any place where Jamaican law applies by virtue of international law, and personal data is processed in the context of that establishment.
  • Entities not established in Jamaica - data controllers who are not established in Jamaica but:
    • Use equipment in Jamaica for processing personal data otherwise than for the purpose of transit through Jamaica.
    • Process the personal data of a data subject who is in Jamaica and the processing of the personal data relates to:
      • Offering of products or goods to data subjects in Jamaica, regardless of whether payment is required.
      • The monitoring of behaviour of data subjects as far as their behaviour takes place in Jamaica.

4. What happens if an entity breaches Jamaica's Data Protection Act 2020?

  • There are fines and penalties for non-compliance with the Data Protection Act 2020.

    • Section 68 states that a body corporate that commits an offence under the Act shall be liable to a fine not exceeding 4% of its annual gross worldwide turnover.
    • Section 21 of the Act states that any controller who does not comply with the data protection standards or fails to report a data breach commits an offence and is liable, on summary conviction in a parish court, to imprisonment not exceeding 2 years or a fine not exceeding $2 million.
  • Businesses and other entities that process personal data must comply with the Jamaica Data Protection Act 2020.

5. What are the standards under the Jamaica Data Protection Act?

There are eight (8) Data Protection Standards under the Act.

  1. Standard 1 – Fair and lawful processing - Personal data must be processed in a fair, lawful and transparent manner. It should not be processed unless one of the legal requirements under section 23 is met and, in the case of sensitive personal data, at least one of the requirements under section 24 is also met.
  2. Standard 2 – Purpose limitation - Personal data should only be obtained for one or more specified lawful purpose(s) and should not be further processed in a manner that is incompatible with the initial purpose(s).
  3. Standard 3 – Data Minimisation - Personal data collected should be adequate, relevant and limited to what is necessary for the purpose of processing.
  4. Standard 4 – Data Accuracy - Personal data processed must be accurate and kept up to date where necessary.
  5. Standard 5 – Data Retention - Personal data collected should not be kept for longer than necessary for that purpose. The disposal of personal data should be in accordance with the regulations under section 74 of the Act. (Code).
  6. Standard 6 – Consideration of data subjects’ rights - Personal data should be processed in accordance with the rights afforded to data subjects under this Act.
  7. Standard 7 – Data Security - Data controllers should implement technical and organisational measures to prevent:
    • Unauthorised or unlawful processing of personal data.
    • Accidental loss, destruction and damage of personal data.
  8. Standard 8 – International transfers - Personal data should not be transferred to a territory outside of Jamaica unless that territory has an adequate level of protection for the rights and freedom of data subjects in relation to processing personal data.

6. What rights do persons have?

Jamaica's Data Protection Act gives persons numerous rights. These rights are:

  • Right of access
  • Right to prevent processing
  • Rights in relation to automated decision making
  • Consent required for direct marketing
  • Rectifications of inaccuracies

7. Is a Data Protection Officer required?

Yes. Data controllers who meet the requirements must appoint an appropriately qualified Data Protection Officer (DPO) to independently monitor the data controller’s compliance with the Act. A person should not be appointed if the appointment is likely to cause a conflict of interest between the role of data protection officer and any other role carried out by that person.

A Data Protection Officer must be appointed where the organisation:

  • is a public authority;
  • processes or intends to process sensitive personal data or data relating to criminal convictions;
  • processes personal data on a large scale; or
  • falls within a class prescribed by the Commissioner by notice published in the Gazette as being a class of data controllers to whom subsection (1) applies.

The functions of the data protection officer are:

  • ensuring that the data controller processes personal data in compliance with the data protection standards and in compliance with this Act and good practice;
  • consulting with the Commissioner to resolve any doubt about how the provisions of this Act and any regulations made under this Act are to be applied;
  • ensuring that any contravention of the data protection standards or any provisions of this Act by the data controller is dealt with in accordance with subsection (5); and
  • assisting data subjects in the exercise of their rights under this Act, in relation to the data controller concerned.

8. What are the key terms everyone should know?

  • “Personal data” means information which relates to a living individual, or an individual who has been deceased for less than 30 years, who can be identified:
    • From that information, or
    • From other information which is in the possession of, or likely to come into the possession of the data controller.
  • “Sensitive personal data” means personal data consisting of the following:
    • genetic data or biometric data;
    • filiation, or racial or ethnic origin;
    • political opinions, philosophical beliefs, religious beliefs or other beliefs of a similar nature;
    • membership in any trade union;
    • physical or mental health or condition;
    • sex life;
    • the alleged commission of any offence by the data subject or any proceedings for any offence alleged to have been committed by the data subject.
  • “Process or processing” means any operation(s) carried out on personal data, which includes the following:
    • Obtaining, recording or holding information or data;
    • Organising, adaptation or alteration of the information or data;
    • Retrieval, consultation or use of the information or data;
    • Disclosure of the information by transmission, dissemination or making it available;
    • Alignment, combination, blocking, erasure or destruction.
  • “Data Controller” means a person or public authority who, alone or jointly with others, determines the purpose(s) and manner in which personal data should be processed.
  • “Data Processor” means any person, other than an employee of the data controller, who processes personal data on behalf of the controller.
  • “Data subject” means a named or identifiable individual to whom the personal data relates.
