THE DATA PROTECTION ACT, 2020

(Act of 2020)

ARRANGEMENT OF SECTIONS

PART I - Preliminary

  1. Short title and commencement.

  2. Interpretation and objects.

  3. Application of Act.

  4. Information Commissioner.

PART II - Rights of Data Subjects and Others

  1. Interpretation for Part II.

  2. Right of access to personal data.

  3. Manner and extent to which information shall be supplied under section 6.

  4. Grounds limiting compliance with request for access.

  5. Consent to processing.

  6. Consent required for direct marketing.

  7. Right to prevent processing.

  8. Rights in relation to automated decision-taking.

  9. Rectification of inaccuracies, etc.

PART III - Requirements for Data Controllers

  1. Interpretation for Part III.

  2. Prohibition on processing without registration.

  3. Provision of registration particulars.

  4. Register.

  5. Offences.

  6. Assessment by Commissioner required for specified processing.

  7. Appointment of data protection officers.

PART IV - Standards for Processing Personal Data

  1. Duty of data controller to comply with standards.

  2. The first standard.

  3. Conditions for processing personal data in accordance with the first standard.

  4. Conditions for processing sensitive personal data in accordance with the first standard.

  5. The second standard.

  6. The third standard.

  7. The fourth standard.

  8. The fifth standard.

  9. The sixth standard.

  10. The seventh standard.

  11. The eighth standard.

PART V - Exemptions to Data Protection Standards or to Disclosure to Data Subject Requirements

  1. Interpretation for Part V.

  2. National security.

  3. Law enforcement, taxation, statutory functions, etc.

  4. Regulatory activity.

  5. Journalism, literature and art.

  6. Research, history and statistics.

  7. Information available to the public by or under any enactment.

  8. Disclosures required by law or made in connection with legal proceedings, etc.

  9. Parliamentary privilege.

  10. Domestic purposes.

  11. Miscellaneous exemptions.

  12. Power to make further exemptions by order.

PART VI - Enforcement

  1. Enforcement notice.

  2. Data protection impact assessment.

  3. Requests for assessment.

  4. Assessment notices.

  5. Limitations on assessment notices.

  6. Information notices.

  7. Determination by Commissioner as to the special purposes.

  8. Restriction on enforcement in case of processing for the special purposes.

  9. Failure to comply with notice.

  10. Rights of appeal.

  11. Determination of appeals.

  12. Powers of entry and inspection.

PART VII - Miscellaneous and General

  1. Reports and guidelines to be laid before Parliament.

  2. Data-sharing code.

  3. Effect of data-sharing code.

  4. Assistance by Commissioner in cases involving processing for the special purposes.

  5. International co-operation.

  6. Unlawfully obtaining, disclosing, etc., personal data.

  7. Power of Commissioner to impose fixed penalty.

  8. Prohibition of requirements as to production of certain records.

  9. Avoidance of certain contractual terms relating to health records.

  10. Disclosure of information.

  11. Confidentiality of information.

  12. Prosecutions and penalties.

  13. Liability of body corporate, directors, etc.

  14. Liability for damage.

  15. Appeals.

  16. Service of notices.

  17. Application to Crown.

  18. Application to Parliament.

  19. Regulations.

  20. Amendment of monetary and fixed penalties.

  21. Transitional.

  22. Review of Act.

SCHEDULES.

A BILL

ENTITLED

AN ACT to Protect the privacy of certain data and for connected matters.

[]

BE IT ENACTED by the Queen’s Most Excellent Majesty, by and with the advice and consent of the Senate and House of Representatives of Jamaica, and by the authority of the same, as follows:

PART 1 - Preliminary

1. Short title and commencement.

  1. (1) This Act may be cited as the Data Protection Act, 2020, and shall come into operation on a day appointed by the Minister by notice published in the Gazette, and different days may be appointed in respect of different provisions of this Act.

(2) For the purposes of subsection (1), the Minister may specify different dates for bringing this Act into operation as regardsdifferent types of personal data specified in a notice made under that subsection.

2. Interpretation and objects.

(1) In this Act -

“biometric data”, in relation to an individual, means any information relating to the physical, physiological or behavioural characteristics of that individual, which allows for the unique identification of the individual, and includes -

  1. physical characteristics such as the photograph or other facial image, finger print, palm print, toe print, foot print, iris scan, retina scan, blood type, height, vein pattern, or eye colour, of the individual, or such other biological attribute of the individual as may be prescribed; and
  2. behavioural characteristics such as a person’s gait, signature, keystrokes or voice;

“Commissioner” means the office of Information Commissioner established by section 4;

“Court” means the Supreme Court;

“data controller” means any -

  1. person; or
  2. public authority,

who, either alone or jointly or in common with other persons determines the purposes for which and the manner in which any personal data are, or are to be, processed, and where personal data are processed only for purposes for which they are required under any enactment to be processed, the person on whom the obligation to process the personal data is imposed by or under that enactment is for the purposes of this Act a data controller;

“data controller representative” means a person or other entity appointed for the purposes of section 3(2);

“data processor”, in relation to personal data, means any person, other than an employee of the data controller,who processes the data on behalf of the data controller;

“data protection standards” means the data protection standards as set out in sections 22 to 31, and reference to any of those standards by number means the standard as numbered in any of those sections;

“data subject” means a named or otherwise identifiable individual who is the subject of personal data, and in determining whether an individual is identifiable account shall be taken of all means used or reasonably likely to be used by the data controller or any other person to identify the individual, such as reference to an identification number or other identifying characteristics (whether physical, social or otherwise) which are reasonably likely to lead to the identification of the individual;

“disclosure to data subject requirements” means -

  1. the information mentioned in section 22(6) required to be given to a data subject under section 22(4); and
  2. the provisions of section 6;

“genetic data” means DNA as defined by the DNA Evidence Act, 2016;

“good practice” means such practice as appears to the Commissioner to be desirable having regard to the interests of data subjects and others, and includes (but is not limited to) compliance with the requirements of this Act;

“health professional” means any of the following -

  1. a medical practitioner registered under the Medical Act;
  2. a person registered as a dentist under the Dental Act;
  3. a person entitled to practice optometry under the Opticians Act;
  4. a person registered as a pharmacist or pharmacy owner under the Pharmacy Act;
  5. a person registered as a nurse or midwife, or enrolled as an assistant nurse, under the Nurses and Midwives Act;
  6. a person registered as a member of a “specified profession” within the meaning of section 2 of the Professions Supplementary to Medicine Act;
  7. a regional hospital or public health facility, within the meaning of section 2 of the National Health Services Act;
  8. a private hospital or private health facility;
  9. the National Health Fund;
  10. a provider of ambulance services;
  11. the Hospital established pursuant to the University Hospital Act;

“health record” means any record which -

  1. is in the custody or control of a health professional in connection with the care of an individual; and
  2. consists of information relating to –
    1. the past or present physical or mental health, or condition, of an individual, for example -
      1. clinical information about diagnosis and treatment;
      2. genetic data;
      3. information about the testing of any body part orbodily substance, or the donation of a body part or bodily substance;
      4. biometric data;
    2. the registration of an individual for the provision of health services and any number, symbol or code assigned to uniquely identify the individual for those services;
    3. the name of the individual’s health care provider; or
    4. payments made by, or the eligibility of, the individual for the provision of health services,or any other health related information about the individual that is collected in the course of the provision of health services to that individual;

“minor” in relation to an individual means an individual under the age of eighteen years;

“personal data” -

  1. means information (however stored) relating to -
    1. a living individual; or
    2. an individual who has been deceased for less than thirty years,

who can be identified from that information alone or from that information and other information in the possession of, or likely to come into the possession of, the data controller; and

  1. includes any expression of opinion about that individual and any indication of the intentions of the data controller or any other person in respect of that individual;

“process” in relation to information or personal data means obtaining, recording or storing the information or personal data, or carrying out any operation or set of operations (whether or not by automated means) on the information or data, including -

  1. organisation, adaptation or alteration of the information or data;
  2. retrieving, consulting or using the information or data;
  3. disclosing the information or data by transmitting, disseminating or otherwise making it available; or
  4. aligning, combining, blocking, erasing or destroying the information or data, or rendering the data anonymous;

“public authority” means -

  1. a Ministry, department, Executive Agency or other agency of Government;
  2. a statutory body or authority, being a body corporate established by an Act of Parliament and over which the Government or an agency of the Government exercises control;
  3. the council of a Local Authority, within the meaning of the Local Governance Act;
  4. any company registered under the Companies Act, being a company in which the Government or an agency of the Government is in a position to direct the policy of that company;
  5. a commission of Parliament; or
  6. any other body or organization which provides services of a public nature which are essential to the welfare of Jamaican society, or such aspects of their operations, as may be specified by the Minister by order published in the Gazette;

“sensitive personal data” means personal data consisting of any of the following information in respect of a data subject -

  1. genetic data or biometric data;
  2. filiation, or racial or ethnic origin;
  3. political opinions, philosophical beliefs, religious beliefs or other beliefs of a similar nature;
  4. membership in any trade union;
  5. physical or mental health or condition;
  6. sex life;
  7. the alleged commission of any offence by the data subject or any proceedings for any offence alleged to have been committed by the data subject;

“the non-disclosure provisions” means the following provisions, to the extent to which they prohibit the disclosure in question -

  1. the first data protection standard, except to the extent to which disclosure is required for compliance with the conditions set out in sections 23 and 24;
  2. the second, third, fourth and fifth data protection standards; and
  3. sections 11 and 13(3) and (4);

“the special purposes” means any one or more of the following -

  1. the purposes of journalism;
  2. artistic purposes;
  3. literary purposes;

trade association” includes any body representing data controllers.

(2) For the purposes of this Act -

  1. “obtaining” or “recording”, in relation to personal data, includes obtaining or recording the information to be contained in the personal data; and
  2. “using” or “disclosing”, in relation to personal data, includes using or disclosing the information contained in the personal data.

(3) The objects of this Act are to -

  1. define the general principles for the treatment of personal data relating to an individual; and
  2. provide for transparent oversight therefor, that will enable the public and private sectors to strengthen the protection of personal data.

3. Application of Act.

(1) Except as otherwise provided for in section 60, this Act applies to a data controller in respect of any personal data only if the data controller –

  1. is established in Jamaica or in any place where Jamaican law applies by virtue of international public law, and the personal data are processed in the context of that establishment; or
  2. though not established in Jamaica -
    1. uses equipment in Jamaica for processing the personal data otherwise than for the purpose of transit through Jamaica; or
    2. processes personal data, of a data subject who is in Jamaica, and the processing activities are related to -
      1. the offering of products or services to data subjects in Jamaica, irrespectiveof whether a payment of the data subject is required; or
      2. the monitoring of the behaviour of data subjects as far as their behaviour takes place within Jamaica.

(2) A data controller falling within subsection (1)(b) shall appoint for the purposes of this Act a representative established in Jamaica.

(3) For the purposes of subsections (1) and (2), each of the following shall be treated as established in Jamaica -

  1. an individual who is ordinarily resident in Jamaica;
  2. a body incorporated under the laws of Jamaica;
  3. a partnership or other unincorporated association formed under the laws of Jamaica;
  4. any person who does not fall within paragraph (a), (b) or (c) but who maintains in Jamaica -
    1. an office, branch or agency through which the person carries on any activity; or
    2. a regular practice

4. Information Commissioner.

(1) There is hereby established for the purposes of this Act an office to be known as the Information Commissioner, which shall be a body corporate to which the provisions of section 28 of the Interpretation Act applies.

First Schedule, Part I.

(2) The provisions of Part I of the First Schedule shall have effect as regards the constitution of the office of Information Commissioner.

(3) The Commissioner shall perform the functions -

  1. conferred on the Commissioner under this Act; and
  2. such other functions as may be conferred on the Commissioner by the Access to Information Act.

(4) For the purposes of this Act, the Commissioner shall act independently in the discharge of the functions of the Commissionerand shall not be subject to the direction or control of any person or other entity, except as provided in subsection (10).

(5) It shall be the duty of the Commissioner to -

  1. monitor compliance with this Act and any regulations made under this Act;
  2. give to the Minister such advice as the Commissioner considers appropriate, or as may be requested by the Minister, on any matter relating to the operation of this Act or otherwise for the protection of personal data;
  3. promote the observance of the requirements of this Act and the following of good practice by data controllers;
  4. arrange for the dissemination, in such form and manner as the Commissioner considers appropriate, of such information as it may appear to the Commissioner expedient to give to the public about the operation of this Act, about good practice, and about other matters within the scope of the Commissioner’s functions under this Act, and the Commissioner may give advice to any person about any of those matters;
  5. prepare and disseminate, or direct the preparation and dissemination of, to such persons or other entities as the Commissioner considers appropriate, guidelines to be adhered to as good practice -
    1. where the Commissioner considers it appropriate; and
    2. after such consultation with trade associations or persons representing data controllers, data subjects, or persons representing data subjects, or such other entities having an interest in the matter, as appears to the Commissioner to be appropriate;
  6. where the Commissioner considers it appropriate to do so -
    1. encourage trade associations to prepare, and to disseminate to their members, self-initiated guidelines; and
    2. where any trade association submits self-initiated guidelines for the Commissioner’s consideration, consider the guidelines and, after such consultation with data subjects or persons representing data subjects, as appears to the Commissioner to be appropriate, notify the trade association whether in the Commissioner’s opinion the guidelines promote the following of good practice.

(6) A direction under subsection (5)(e) shall -

  1. describe the personal data or processing to which the guidelines are to relate, and may also describe the persons or classes of persons to whom the guidelines are to relate;
  2. be directed to the appropriate regulatory authority having responsibility for the subject matter concerned; and
  3. limit the time within which the draft guidelines shall be submitted to the Commissioner for approval.

(7) In determining the action required to discharge the duties imposed by subsection (5), the Commissioner may take account of any action taken to discharge the duty imposed by section 57 (data sharing code).

(8) The Commissioner may, at the written request of the data controller concerned, assess any processing of personal data as to the following of good practice and shall inform the data controller of the results of the assessment.

(9) The Commissioner may charge such fees as may be prescribed for any services provided by the Commissioner under subsection (8).

First Schedule, Part II.

(10) The Commissioner shall be subject to the oversight of the Data Protection Oversight Committee in accordance with Part II of the First Schedule.

(11) Without prejudice to section 67, the Commissioner may intervene as a party in any proceedings before a court, in respect of any matter concerning the processing of personal data or the enforcement of any provision of this Act, other than proceedings for the prosecution of an offence.

PART II - Rights of Data Subjects and Others

5. Interpretation for Part II.

For the purposes of this Part -

  1. in the case of an individual who -
    1. is a minor, the rights conferred by this Part may be exercised by a parent or legal guardian of the minor, or by the minor in any case where the law recognises the capacity of the minor to act in the matter to which the personal data relates; or
    2. by reason of any mental impairment is unable to act, the rights conferred by this Part may be exercised by the person’s nearest relative, within the meaning of section 3(3) of the Mental Health Act, so, however, that -
      1. such a relative need not be ordinarily resident in Jamaica; and
      2. the Court may, where it considers it appropriate in the circumstances, on an application made to it by a relative of the data subject, determine the nearest relative suitable to exercise the rights notwithstanding the order of precedence referred to in section 3(3) of the Mental Health Act;
  2. in the case of any other individual, the rights conferred by this Part may be exercised by -
    1. the legal personal representative of that individual; or
    2. another individual to whom the first mentioned individual delegates in writing, in such form and manner as may be prescribed, the exercise of the rights.

6. Right of access to personal data.

(1) The rights conferred by this section are subject to the exemptions set out in Part V, to the extent indicated in that Part, and a data controller shall determine in each case whether compliance with a request lawfully made under this section can be achieved without compromising the confidentiality of the exempt data, by severing the exempt data from any information required to be disclosed under this section.

(2) Subject to the provisions of this section and sections 7 and 8, an individual is entitled, upon making a written request to a data controller -

  1. to be informed by the data controller, free of charge, whether personal data of which that individual is the data subject are being processed by or on behalf of that data controller;
  2. if personal data are being processed as described in paragraph (a), to be given by the data controller, free of charge, a description of -
    1. the personal data of which that individual is the data subject;
    2. the purposes for which the personal data are being, or are to be, processed; and
    3. the recipients or classes of recipients to whom they are, or may be, disclosed;
  3. upon payment of the prescribed fee -
    1. to have communicated to that individual in an intelligible form -
      1. the information constituting any personal data of which the individual is the data subject; and
      2. any information available to the data controller as to the source of those personal data; or
    2. where technically feasible, to have transmitted -
      1. to another data controller specified in the request; and
      2. in a structured, commonly used and machine-readable format,

the personal data of that data subject, which the data subject has provided to the first mentioned data controller; and

  1. where the processing, by automatic means, of personal data of which that individual is the data subject -
    1. is for the purpose of evaluating matters relating to that individual (such as, for example, the individual’s performance at work, creditworthiness, reliability, or conduct); and
    2. has constituted or is likely to constitute the sole basis for any decision significantly affecting the individual,

to be informed by the data controller, upon payment of the prescribed fee, of the logic involved in that decision-taking.

(3) An individual making a request under this section may, in such cases as may be prescribed, specify that his request is limited to personal data of any prescribed description.

(4) Subject to section 8(1), a data controller shall comply with a request under this section promptly and, in any event, before the end of the period of thirty days, or such longer maximum period as may be prescribed, beginning on the day on which the data controller has both the request and, where applicable, the payment referred to in subsection (2).

(5) For the purposes of -

  1. subsection (2)(c) and (d), different amounts may be prescribed for different circumstances;
  2. subsection (4), different periods may be prescribed for different circumstances.

(6) If the Commissioner is satisfied, on the written application of any individual who has made a request under this section, that -

  1. the data controller in question has, in contravention of this section, failed to comply with the request the Commissioner may order the data controller to comply with the request; or
  2. the data controller has complied with the provisions of this section in dealing with the request, the Commissioner may dismiss the application.

(7) For the purposes of determining any question whether an applicant under subsection (6) is entitled to information under this section (including any question whether any relevant personal data are exempt from this section by virtue of Part V), the Commissioner -

  1. may require the information constituting any personal data processed by or on behalf of the data controller in question and any information as to the logic for any decision as mentioned in subsection (2)(d) to be made available for the Commissioner’s inspection; and
  2. shall not, pending the determination of the question in the applicant’s favour, require the information to be disclosed to the applicant or the applicant’s representatives.

(8) The Commissioner may appoint a duly qualified mediator to consider any matter to be determined or inspected by the Commissioner under subsection (6) or (7) and make such recommendations to the Commissioner as the mediator thinks fit for the settlement of the matter, and the Commissioner may act on those recommendations.

7. Manner and extent to which information shall be supplied under section 6.

(1) The obligation imposed by section 6(2)(c)(i) shall be complied with by supplying the data subject with a copy of the information in permanent form unless -

  1. the supply of such a copy is not possible or would involve disproportionate effort; or
  2. the data subject agrees otherwise,and where any of the information referred to in section 6(2)(c)(i) is expressed in terms which are not intelligible without explanation, the copy shall be accompanied by an explanation of those terms.

(2) For the purposes of section 6(2)(c) “intelligible form”, in the case of a person with a disability (as defined by the Disabilities Act), means a form that would render the information readily accessible by the person, having regard to the special needs of the person, and regulations may prescribe circumstances in which the requirements of subsection (2)(c) shall be taken to have been met.

(3) The information to be supplied pursuant to a request under section 6 shall be supplied by reference to the personal data in question at the time when the request is received, except that it may take account of any amendment or deletion made between that time and the time when the information is supplied, being an amendment or deletion that would have been made regardless of the receipt of the request.

8. Grounds limiting compliance with request for access

(1) Where a data controller -

  1. reasonably requires further information in order to satisfy himself as to the identity of an individual who makes a request under section 6 and to locate the information which that individual seeks; and
  2. has informed the individual of that requirement, the data controller is not obliged to comply with the request unless the further information is supplied to the data controller.

(2) Where a data controller cannot comply with a request under section 6 without disclosing information relating to another individual who can be identified from that information, the data controller is not obliged to comply with the request unless -

  1. the other individual consents to the disclosure of the information; or
  2. it is reasonable in all the circumstances to comply with the request without the consent of the other individual and the data controller has notified that other individual of the data controller’s intention to comply with the request.

(3) In subsection (2), the reference to information relating to another individual includes a reference to information identifying that individual as the source of the information sought by the request, and that subsection shall not be construed as excusing a data controller from communicating only so much of the information sought by the request as can be communicated without disclosing the identity of the other individual concerned, whether by the omission of names or other identifying particulars or otherwise.

(4) For the purposes of subsections (2) and (3), another individual can be identified from the information being disclosed if that other individual can be identified from that information alone or from that information and other information which, in the reasonable belief of the data controller, is likely to be in, or come into, the possession of the data subject making the request.

(5) In determining for the purposes of subsection (2)(b) whether it is reasonable in all the circumstances to comply with the request without the consent of the other individual concerned, regard shall be had, in particular, to -

  1. any duty of confidentiality owed to the other individual;
  2. any steps taken by the data controller with a view to seeking the consent of the other individual;
  3. whether the other individual is capable of giving consent; and
  4. any express refusal of consent by the other individual.

(6) Where a data controller has previously complied with a request made under section 6 by an individual, the data controller is not obliged to comply with a subsequent identical or similar request under that section by the individual unless a reasonable interval has elapsed between compliance with the previous request and the making of the subsequent request.

(7) In determining for the purposes of subsection (6) whether requests under section 6 are made at reasonable intervals, regard shall be had to the nature of the personal data, the purpose for which thepersonal data are processed and the frequency with which the personal data are altered.

(8) Section 6(2)(d) shall not be regarded as requiring the provision of information as to the logic for any decision if, and to the extent that, the information constitutes a trade secret.

(9) Where personal data requested under section 6 -

  1. is not in the custody or control of the data controller, the data controller shall in writing so inform the individual making the request; or
  2. are personal data which the data controller is entitled to refuse to disclose to the data subject by virtue of any provision of this Act, the data controller shall in writing inform the individual making the request that the disclosure is refused and identify the relevant provision relied on for the refusal,

within thirty days after receiving the request.

9. Consent to Processing.

(1) Any consent required to be given, by a data subject, to the processing of personal data -

  1. means any informed, specific, unequivocal, freely given, expression of will by which the data subject agrees to the processing of that data subject’s personal data;
  2. includes any such expression of consent given by -
    1. the legal personal representative of the data subject;
    2. any individual to whom the data subject delegates, in writing in such form and manner as may be prescribed, the right to give or withhold consent to the processing;
    3. in the case of a minor, (subject to section 5(a)(i)), a parent or legal guardian of the minor; or
    4. in the case of an individual who by reason of any mental impairment is unable to act, the person

entitled to act for that individual under section 5(a)(ii); and

  1. may be withdrawn in the same manner in which it may be given under paragraph (a).

(2) For the purposes of subsection (1) -

  1. “informed” with reference to the giving of consent means that at the time in question the data subject is informed about how the personal data will be processed, including the purpose for which the data will be used and the class of persons to whom the personal data may be transferred; and
  2. consent is not freely given if the data subject is required, as a condition for the provision of any goods or services to the data subject, to consent to the collection, use or disclosure of the data subject’s personal data beyond what is reasonable for the provision of those goods or services.

10. Consent required for direct marketing.

(1) A data controller shall not process personal data of a data subject for the purpose of direct marketing unless the data subject -

  1. consents to the processing for that purpose; or
  2. is subject to subsection (4), a customer of the data controller.

(2) A data controller shall not approach a data subject, whose consent is required in terms of subsection (1)(a), more than once in order to request that consent.

(3) A request for consent in terms of subsection (1)(a) shall be made in the prescribed form and manner.

(4) A data controller may, pursuant to subsection (1)(b), only process the personal data of a data subject who is a customer of that data controller -

  1. if the data controller has obtained the contact details of the data subject in the context of the sale of any goods or services;
  2. for the purpose of direct marketing of the data controller’s own similar goods or services; and
  3. if the data subject has been given a reasonable opportunity to object, free of charge and in a manner free of unnecessary formality, to such use of that data subject’s personal data -
    1. at the time the personal data was collected; and
    2. on the occasion of each communication with the data subject for the purpose of direct marketing if the data subject has not refused such use

(5) Any communication to a data subject for the purpose of direct marketing shall contain -

  1. the details of the identity of the sender or the person on whose behalf the communication has been sent; and
  2. an address or other contact details to which the recipient may send a request that such communication cease.

(6) In this Act, “direct marketing” means to approach a data subject in person or by any means of communication (whether electronic or otherwise) for the direct or indirect purpose of -

  1. promoting or offering to supply, in the ordinary course of business, any goods or services; or
  2. requesting a donation of any kind for any reason.

11. Right to prevent processing.

(1) Subject to subsection (3), on any of the grounds set out in subsection (2) an individual is entitled at any time, by notice in writing to the data controller, to require the data controller -

  1. within a period which is reasonable in the circumstances, to cease; or
  2. not to begin,

processing, or processing for a specified purpose or in a specified manner, any personal data in respect of which the individual is the data subject.

(2) The grounds referred to in subsection (1) are that, for reasons which shall be specified in the notice under subsection (1) -

  1. the processing of the personal data, or the processing of the personal data for that purpose or in that manner, is causingor is likely to cause, substantial damage or substantial distress to the data subject or to another, and that the damage or distress caused or likely to be caused (as the case may be) is unwarranted;
  2. the personal data is incomplete, or irrelevant, having regard to the purpose of the processing;
  3. the processing of the personal data, or the processing of the personal data for that purpose or in that manner, is prohibited under any law; or
  4. the personal data has been retained by the data controller for longer than the period of time for which it may be retained by the data controller under any law.

(3) Subsection (1) does not apply -

  1. in a case where any of the conditions set out in section 23(1) is met; or
  2. in such other cases as the Minister may specify by order in accordance with section 74(3)(b).

(4) A data controller who receives a notice under subsection (1) shall, within twenty-one days after receiving the notice, give the individual who gave the notice a written statement -

  1. that the data controller has complied or intends to comply with the notice; or
  2. of the data controller’s reasons for regarding the notice as, to any extent, unjustified and the extent (if any) to which the data controller has complied or intends to comply with the notice.

(5) If the Commissioner is satisfied, on the written application of any individual who has given a notice under subsection (1) which appears to the Commissioner to be justified, or to be justified to any extent, that the data controller in question has failed to comply with the notice, the Commissioner may order the data controller to take such steps for complying with the notice (or complying with the notice to such extent) as the Commissioner thinks fit.

(6) The failure by a data subject to exercise the rights conferred on that individual by subsection (1) or section 12(2) shall not be construed as affecting any other right conferred on the data subject by this Part.

12. Rights in relation to automated decisiontaking.

(1) This section applies to a decision, other than an exempt decision, taken by or on behalf of a data controller and which significantly affects a data subject.

(2) An individual is entitled at any time, by notice in writing to the data controller, to require the data controller to ensure that no decision to which this section applies is based solely on the processing, by automatic means, of personal data in respect of the data subject for the purpose of evaluating matters relating to the data subject (for example, the individual’s performance at work, creditworthiness, reliability, or conduct).

(3) In any case where a data controller who has not received a notice under subsection (2) in respect of an individual takes a decision to which this section applies -

  1. the data controller shall, as soon as is reasonably practicable, inform the individual that the decision was made on the basis described in subsection (2); and
  2. the individual is entitled to, within thirty days after receiving the information under paragraph (a), by notice in writing require the data controller to reconsider the decision or make a new decision otherwise than on that basis.

(4) A data controller who receives a notice under subsection (3)(b) shall, within thirty days after receiving the notice, give the individual in question a written statement specifying the steps that the data controller intends to take to comply with the notice.

(5) If the Commissioner is satisfied on the application of a data subject that a data controller has failed to comply with a notice under subsection (2) or (3)(b), the Commissioner may order the data controller to reconsider the decision, or to take a new decision, that is not based solely on such processing as is described in subsection (2).

(6) An order under subsection (5) shall not affect the rights of any person other than the data subject and the data controller.

(7) In this section “exempt decision” means any decision -

  1. in respect of which the conditions set out in subsection (8) are met; or
  2. made in such other circumstances as may be prescribed.

(8) The conditions are that -

  1. the decision -
    1. is authorised or required by or under any enactment; or
    2. is made in the course of steps taken -
      1. for the purpose of considering whether to enter into a contract with the data subject or with a view to entering into such a contract; or
      2. in the course of performing a contract entered into with the data subject; and
  2. (b) either -
    1. the effect of the decision is to grant a request of the data subject; or
    2. steps have been taken to safeguard the legitimate interest of the data subject (for example, by allowing the data subject to make representations).

13. Rectification of inaccuracies, etc.

(1) An individual may in writing to a data controller request that the data controller rectify any inaccuracy in any personal data -

  1. in the possession or control of the data controller; and
  2. of which the individual is the data subject.

(2) For the purposes of subsection (1) -

“inaccuracy” includes any error or omission;“rectify” means amend, block, erase or destroy, as may be required to correct the inaccuracy.

(3) Where a data controller receives a request under subsection (1), the data controller shall, within thirty days after receiving the request, determine whether a rectification is required and -

  1. if no rectification is required, include with the personal data concerned an annotation of the correction that was requested, and notify the individual making the request that no rectification was made; or
  2. if a rectification is required, make the rectification and give notice of the rectification to -
    1. the individual making the request; and
    2. so far as is reasonably practicable, every person, or other entity, to whom the personal data was disclosed at any time during the period of twelve months immediately before the date of the request.

(4) Upon receiving a notification under subsection (3)(b), the person, or other entity, to whom the personal data was disclosed during the period mentioned in that provision shall make a corresponding rectification of such of the personal data concerned as is in that person or entity’s possession or control.

(5) A data subject may appeal in writing to the Commissioner against any determination made by a data controller under subsection (3) and if the Commissioner is satisfied -

  1. as to the actions taken by the data controller under this section, the Commissioner shall dismiss the appeal; or
  2. that the data controller erred in making a determination that no rectification is required, or erred in the type of rectification required to be effected, the Commissioner shall order such rectification of the personal data as the Commissioner considers appropriate, and the data controller shall comply with the order.

(6) Where an appeal is made to the Commissioner under this section, the Commissioner may appoint a duly qualified mediator to enquire into the matter and make such recommendations to the Commissioner for the resolution of the matter as the mediator considers appropriate, and the Commissioner may act on those recommendations.

PART III - Requirements for Data Controllers.

14. Interpretation for Part III

(1) In this Part, “registration particulars” means the particulars specified in section 16(2).

(2) For the purposes of this Part, so far as it relates to the address of data controllers and data controller representatives -

  1. the address of a registered company is that of its registered office; and
  2. the address of an entity (other than a registered company) carrying on a business is that of the entity’s principal place of business in Jamaica.

15. Prohibition on processing without registration.

(1) Except as provided in this section, personal data shall not be processed by a data controller unless the registration particulars of that data controller are included in the register maintained under section 17 (or is treated by virtue of regulations made under section 16(3) as being so included).

(2) Subsection (1) does not apply to -

  1. processing; or
  2. data controllers,

of a particular description specified by the Minister, after consultation with the Commissioner, for the purposes of this section by order published in the Gazette and subject to affirmative resolution, being processing which it appears to the Minister is unlikely to prejudice the rights and freedoms of data subjects.

16. Provision of registration particulars.

(1) A data controller who wishes to process personal data in circumstances in which registration is required under section 15(1) shall ensure that the Commissioner is provided with -

  1. the registration particulars set out in subsection (2), in relation to the data controller, and that the Commissioner is kept informed as to any changes in those particulars;
  2. a general description of the measures to be taken for the purpose of complying with section 30; and
  3. in any case where -
    1. personal data are being, or are intended to be, processed in circumstances where the prohibition imposed by section 15(1) is excluded by section 15(2); and
    2. the particulars provided under this section do not include the particulars in relation to those personal data,a statement of that fact.

(2) The registration particulars are -

  1. the data controller’s name, address and other relevant contact information;
  2. if the data controller has appointed a data controller representative for the purposes of this Act, the name, address and other relevant contact information of the data controller representative;
  3. the name, address and other relevant contact information of the data protection officer appointed under section 20;
  4. a description of the personal data being, or to be, processed by or on behalf of the data controller and the category or categories of data subjects to which they relate;
  5. a description of the purpose or purposes for which the personal data are being, or are to be, processed;
  6. a description of any recipient or recipients to whom the data controller intends, or may wish, to disclose the personal data;
  7. the names of any States or territories outside of Jamaica to which the data controller directly or indirectly transfers, or intends or may wish directly or indirectly to transfer, the personal data;
  8. where the data controller is a public authority, a statement of that fact; and
  9. such information about the data controller as may be prescribed in regulations made under subsection (3).

(3) The information required under subsection (1) shall be submitted to the Commissioner in such form and manner as may be prescribed, together with such registration fee as may be prescribed, by regulations made by the Commissioner with the approval of the Minister.

(4) Regulations made under subsection (3) may make provision -

  1. as to the giving of notification by partnerships or in other cases where two or more persons are the data controllers in respect of personal data;
  2. for any fee paid under subsection (3) or section 17(3) to be refunded in specified circumstances;
  3. as to the form and contents of the register maintained under section 17;
  4. as to the time as from which any entry in respect of a data controller is to be treated as having been made;
  5. for longer or shorter periods than the period specified in section 17(3), and different periods may be prescribed in relation to different cases;
  6. as to fees for supplying certified copies under section 17(4).

(5) Where personal data are processed in any case where -

  1. section 15(1) does not apply to the processing, by virtue of the provisions of section 15(2); and
  2. the data controller has not provided the particulars specified in subsection (2),

the data controller shall, if requested to do so in writing by any person, make the particulars referred to in paragraph (b) available to the person free of charge, within thirty days after receiving the request.

(6) Subsection (5) shall be subject to any exemptions made thereto in regulations made under subsection (3).

(7) A data controller who contravenes subsection (5) commits an offence and shall be liable upon conviction before a Parish Court to a fine not exceeding one million dollars.

(8) It shall be a defence for a person charged with an offence under subsection (7) to show that the person exercised all due diligence to comply with subsection (5), and the standard of proof shall be on the balance of probabilities.

17. Register.

(1) The Commissioner shall maintain a register (hereinafter referred to as “the Register”) of persons who have provided information under section 16.

(2) Each entry in the Register shall consist of -

  1. the registration particulars notified under section 16(1)(a), updated as to changes as informed pursuant to that provision; and
  2. such other information as the Commissioner may be authorised or required by regulations made under section 16(3) to include in the Register.

(3) A data controller shall pay such annual fee as may be prescribed for the maintenance of the required particulars of that data controller in the Register, and no entry in the Register shall be retained in the Register for longer than twelve months except on payment of that prescribed fee.

(4) The Commissioner shall -

  1. make the information contained in the Register available for inspection by the public at all reasonable times, free of charge; and
  2. on the payment of such fee as may be prescribed by regulations made under section 16(3), supply any member of the public with a duly certified copy in writing of the particulars contained in any entry made in the Register.

18. Offences.

(1) A data controller who processes personal data to which section 15(1) applies, without complying with section 16, commits an offence.

(2) It shall be a defence for a person charged with an offence under subsection (1) to show that the person exercised all due diligence to comply with section 16, and the standard of proof shall be on the balance of probabilities.

(3) A person who commits an offence under subsection (1) shall be liable upon summary conviction before a Parish Court, to a fine not exceeding two million dollars or to imprisonment for a term not exceeding six months.

19. Assessment by Commissioner required for specified processing.

(1) This section applies to “specified processing”, being processing of a description specified in an order made by the Minister in accordance with section 74(3)(c), as appearing to the Minister to be particularly likely -

  1. to cause substantial damage or substantial distress; or
  2. to otherwise significantly prejudice the rights and freedoms of data subjects.

(2) Upon receiving any information from a data controller under section 16(1), the Commissioner shall -

  1. consider whether any of the processing to which the information relates is specified processing; and
  2. if so -
    1. having regard to the information provided by the data controller, consider whether that processing is likely to comply with the provisions of this Act; and
    2. within the period of thirty days beginning on the day on which the Commissioner received the information, give a notice to the data controller stating the extent to which, in the Commissioner’s assessment, the processing is likely or unlikely to comply with the provisions of this Act.

(3) Before the end of the period referred to in subsection (2)(b)(ii), the Commissioner may, by reason of special circumstances, extend that period by issuing an extension notice to the data controller -

  1. on one occasion only; and
  2. specifying the period of the extension, which shall not exceed fourteen days.

(4) No specified processing shall be carried on by a data controller unless the information required under section 16(1) has been provided to the Commissioner and either -

  1. the period of thirty days, beginning on the day on which the information is received by the Commissioner, and such further period as is specified in an extension notice under subsection (3) (in any case where such a notice is issued) has elapsed; or
  2. before the end of the period or further period (as the case may require) referred to in paragraph (a), the data controller receives a notice from the Commissioner under subsection (2)(b)(ii) in respect of the processing.

(5) A data controller who contravenes subsection (4) or processes personal data other than in a manner in compliance with the assessment made by the Commissioner in a notice under subsection (2)(b)(ii) commits an offence and shall be liable upon -

  1. summary conviction in a Parish Court, to a fine not exceeding five million dollars or to imprisonment for a term not exceeding five years; or
  2. conviction on indictment in a Circuit Court to a fine, or to imprisonment for a term not exceeding ten years.

(6) The Minister may by order published in the Gazette amend this section by substituting a different number of days in respect of any period or further period referred to in subsection (2)(b)(ii), (3)(b) or (4)(a).

20. Appointment of data protection officer.

(1) A data controller falling within subsection (6) shall appoint an appropriately qualified person to act as the data protection officer responsible in particular for monitoring in an independent manner the data controller’s compliance with the provisions of this Act.

(2) A person shall not be qualified to be appointed under subsection (1) if there is or is likely to be any conflict of interest betweenthe person’s duties as data protection officer and any other duties of that person.

(3) The functions of a data protection officer shall include -

  1. ensuring that the data controller processes personal data in compliance with the data protection standards and in compliance with this Act and good practice;
  2. consulting with the Commissioner to resolve any doubt about how the provisions of this Act and any regulations made under this Act are to be applied;
  3. ensuring that any contravention of the data protection standards or any provisions of this Act by the data controller is dealt with in accordance with subsection (5); and
  4. assisting data subjects in the exercise of their rights under this Act, in relation to the data controller concerned.

(4) A data controller shall notify the Commissioner as to the name, address and other relevant contact information of the data protection officer appointed by the data controller under this section, and in the event of any changes thereto.

(5) Where the data protection officer has reason to believe that the data controller has contravened a data protection standard or any of the provisions of this Act, the data protection officer shall -

  1. forthwith in writing notify the data controller of the contravention; and
  2. if the data protection officer is not satisfied that the data controller has rectified the contravention within a reasonable time after the notification, report the contravention to the Commissioner.

(6) A data controller falls within this subsection if the data controller -

  1. is a public authority;
  2. processes or intends to process sensitive personal data or data relating to criminal convictions;
  3. processes personal data on a large scale; or
  4. falls within a class prescribed by the Commissioner by notice published in the Gazette as being a class of data controllers to whom subsection (1) applies,

but a data controller who processes personal data only for the purpose of a public register or which is a non-profit organisation established for political, philosophical, religious or trade union purposes, does not fall within this subsection.

PART IV - Standards for Processing Personal Data

21. Duty of data controller to comply with standards.

(1) It shall be the duty of a data controller to comply with the data protection standards in relation to all personal data with respect to which that data controller is the data controller.

(2) A data controller who processes personal data in contravention of any of the data protection standards or any of the provisions of this Part, or fails to make a report or notification required under subsection (3) or (5), commits an offence and shall be liable upon -

  1. summary conviction in a Parish Court to a fine not exceeding two million dollars or to imprisonment for a term not exceeding two years; or
  2. conviction on indictment in a Circuit Court, to a fine, or to imprisonment for a term not exceeding seven years.

(3) The data controller shall report to the Commissioner, in such form and manner as shall be prescribed -

  1. any contravention of the data protection standards; and
  2. any security breach in respect of the data controller’s operations which affects or may affect personal data, within seventy-two hours after becoming aware of the contravention or security breach (as the case may be).

(4) A report under subsection (3) shall set out -

  1. the facts surrounding the contravention or security breach;
  2. a description of the nature of the contravention or security breach, including the categories, number of data subjects concerned, and the type and number of personal data concerned;
  3. the measures taken or proposed to be taken to mitigate or address the possible adverse effects of the breach;
  4. the consequences of the breach; and
  5. the name, address and other relevant contact information of its data protection officer.

(5) Where a contravention or security breach mentioned in subsection (3) occurs, the data controller shall upon becoming aware of, or having reason to become aware of, the contravention or breach, notify each data subject, whose personal data is affected by the breach, of -

  1. the nature of the contravention or security breach;
  2. the measures taken or proposed to be taken to mitigate or address the possible adverse effects of the breach; and
  3. the name, address and other relevant contact information of its data protection officer, in such form and manner, and within such time, as shall be prescribed.

(6) Upon receiving a report under subsection (4), the Commissioner may -

  1. serve an enforcement notice under section 44 on the data controller concerned;
  2. direct the data controller to give to any data subject concerned such information as the Commissioner thinks fit concerning the contravention or security breach (as the case may be) and the measures taken, or proposed to be taken, to address it.

(7) It shall be a defence for a person charged with an offence under this section to show that the person exercised all due diligence to prevent the commission of the offence, and the standard of proof shall be on the balance of probabilities.

22. The first standard.

(1) The first standard is that personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless -

  1. at least one of the conditions set out in section 23 is met; and
  2. in the case of sensitive personal data, at least one of the conditions set out in section 24 is also met.

(2) In determining for the purposes of this section whether personal data are processed fairly, regard shall be had to the method by which the data are obtained, including, in particular, whether any person from whom they are obtained is deceived or misled as to the purpose or purposes for which they are to be processed.

(3) For the purposes of this section, personal data are deemed to be obtained fairly if they consist of information obtained -

  1. from a person who is authorised by or under any enactment to supply it; or
  2. from a person who is required to supply it by or under any enactment, or by any instrument imposing an international obligation on Jamaica; or
  3. for the purposes of determining the suitability of a person for an honour, scholarship, prize, bursary or other award.

(4) Subject to subsection (3), for the purposes of this section personal data are not to be treated as processed fairly unless -

  1. the personal data are obtained directly from the data subject, or from a person authorised in writing to provide it by -
    1. the data subject; or
    2. the Commissioner;
  2. in the case of personal data obtained from the data subject or a person authorised in writing by the data subject to provide it, the data controller ensures so far as practicable that the data subject is provided with the information specified in subsection (6); and
  3. in any other case, the data controller ensures so far as practicable that, before the relevant time the data subject is provided with the information specified in subsection (6).

(5) In -

  1. subsection (4)(c), “the relevant time” means -
    1. at the time when the data controller first processes or seeks (whichever occurs first) the personal data; and
    2. in any case where disclosure to a third party is envisaged, before making the disclosure;
  2. subsection (6), “identity” includes official title, habitual residence or business address, telephone number and any other relevant contact information.

(6) The information referred to in subsection (4) is -

  1. the identity of the data controller;
  2. the identity of its data protection officer appointed under section 20;
  3. if the data controller has appointed a representative for the purposes of this Act, the identity of that representative;
  4. the purpose or purposes for which the personal data are intended to be processed;
  5. the identity of any third party to which disclosure of the personal data is contemplated;
  6. whether the provision, by the data subject, of the personal data sought is compulsory under any law, and the consequences of not providing the personal data;
  7. the legal authority for seeking the personal data, where applicable;
  8. the expected period of retention of the personal data; and
  9. any further information which is necessary, having regard to the specific circumstances in which the personal data are, or are to be, processed, to enable processing in respect of the data subject to be fair.

(7) Subsection (4)(c) does not apply where -

  1. the recording of the information to be contained in the personal data, or the disclosure of the personal data, by the data controller is necessary for compliance with any legal obligation to which the data controller is subject, other than an obligation imposed by contract; or
  2. in such other circumstances as may be prescribed.

(8) Personal data which contain a general identifier falling within a prescribed description are not to be treated as processed fairly and lawfully unless they are processed in compliance with any conditions prescribed in relation to the general identifier of the prescribed description.

(9) In subsection (8), “general identifier” means any identifier (such as a number or code used for identification purposes) which - (a) relates to an individual; and (b) forms part of a set of similar identifiers which is of general application.

23. Conditions for processing personal data in accordance with the first standard.

(1) The conditions referred to in sections 11(3)(a) and 22(1)(a) are that -

  1. the data subject consents to the processing and has not withdrawn that consent;
  2. the processing is necessary -
    1. for the performance of a contract to which the data subject is a party; or
    2. for the taking of steps at the request of the data subject with a view to entering into a contract;
  3. the processing is necessary for compliance with any legal obligation to which the data controller is subject, other than an obligation imposed by contract;
  4. the processing is necessary in order to protect the vital interests of the data subject;
  5. the processing is necessary -
    1. for the administration of justice;
    2. for the exercise of any functions conferred by or under any enactment; or
    3. for the exercise of any other functions of a public nature exercised in the public interest;
  6. the processing is necessary for the purposes of legitimate interests pursued by the data controller or by any third party to whom the personal data are disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject;
  7. the data subject has published the personal data concerned.

(2) Regulations made under this Act may specify particular circumstances in which the condition set out in subsection (1)(f) is, or is not, to be taken to be satisfied.

24. Conditions for processing sensitive personal data in accordance with the first standard.

(1) The conditions referred to in section 22(1)(b) are that -

  1. the data subject consents in writing to the processing of the sensitive personal data;
  2. the processing is necessary for the purposes of exercising or performing any right or obligation which is conferred, or imposed, by law on that data controller in connection with employment or social security benefits;
  3. the processing is necessary -
    1. in order to protect the vital interests of the data subject or another individual, in any case where -
      1. consent cannot be given by or on behalf of the data subject; or
      2. the data controller cannot reasonably be expected to obtain the consent of the data subject,

the data controller having exhausted all reasonable efforts to obtain that consent; or

  1. in order to protect the vital interests of another individual, in any case where consent by or on behalf of the data subject has been unreasonably withheld;
  1. the processing -
    1. is carried out in the course of legitimate actions by any body or association which -
      1. is not established or conducted for profit; and
      2. exists for political, philosophical, religious or trade-union purposes;
    2. is carried out with appropriate safeguards for the rights and freedoms of data subjects;
    3. relates only to individuals who either are members of the body or association or have regular contact with it in connection with its purposes; and
    4. does not involve disclosure of the personal data to a third party without the consent of the data subject;
  2. the information contained in the personal data has been made public as a result of steps deliberately taken by the data subject;
  3. the processing -
    1. is necessary for the purpose of, or in connection with, any legal proceedings (including prospective legal proceedings);
    2. is necessary for the purpose of obtaining legal advice; or (iii) is otherwise necessary for the purposes of establishing, exercising or defending legal rights;
  4. the processing is necessary for -
    1. the administration of justice; or
    2. the exercise of any functions conferred on any person by or under any enactment;
  5. the processing -
    1. is either -
      1. the disclosure of sensitive personal data by a person as a member of an anti-fraud organisation or otherwise in accordance with any arrangements made by such an organisation; or
      2. any other processing by a person referred to in sub-paragraph (A) or another person of sensitive personal data so disclosed; and
    2. is necessary for the purposes of preventing fraud;
  6. the processing is necessary for medical purposes and is undertaken by -
    1. a health professional; or
    2. a person who in the circumstances owes a duty of confidentiality which is equivalent to that which would arise if that person were a health professional;
  7. the processing -
    1. is of sensitive personal data consisting of information as to racial or ethnic origin;
    2. is necessary for the purpose of identifying or keeping under review the existence or absence of equality of opportunity or treatment between individuals of different racial or ethnic origins, with a view to enabling such equality to be promoted or maintained; and
    3. is carried out with appropriate safeguards for the rights and freedoms of data subjects;
  8. the sensitive personal data are processed in circumstances specified in an order made by the Minister in accordance with section 74(3)(e) for the purposes of this section.

(2) In this section -

“anti-fraud organisation” means any unincorporated association, body corporate, or other person, who enables or facilitates any sharing of information to prevent fraud, or who has any of the aforementioned matters as one of its purposes;

“medical purposes” includes the purposes of preventative medicine, medical diagnosis, medical research, the provision of care and treatment and the management of healthcare services.

(3) The Minister may by order in accordance with section 74(3)(e) -

  1. exclude the application of subsection (1)(b) or (g) in such cases as may be specified; or
  2. provide that, in such cases as may be specified, the condition in subsection (1)(b) or (g) is not to be regarded as satisfied unless such further conditions as may be specified in the order are also satisfied.

(4) The Minister may, by order in accordance with section 74(3)(e), specify circumstances in which processing falling within subsection (1)(j)(i) or (ii) is, or is not, to be taken for the purposes of subsection (1)(j)(iii) to be carried out with appropriate safeguards for the rights and freedoms of data subjects.

(5) The Commissioner may by order in accordance with section 74(3)(f) specify the cases in which the conditions specified in subsection (1) shall be deemed not to have been met regardless of whether the consent of the data subject has been obtained.

(6) For the avoidance of doubt, a data subject may at any time withdraw consent to the processing of any sensitive personal data in respect of that data subject.

25. The second standard.

(1) The second standard is that personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with those purposes.

(2) The purpose or purposes for which personal data are processed may in particular be specified -

  1. in information provided for the purposes of section 22(6); or
  2. in particulars given to the Commissioner under section 16.

(3) In determining whether any disclosure of personal data is compatible with the purpose for which the data were obtained, regard shall be had to the purpose for which the personal data are intended to be processed by any person to whom they are disclosed.

26. The third standard.

The third standard is that personal data shall be adequate, relevant, and limited to what is necessary for the purposes for which they are processed.

27. The fourth standard.

(1) The fourth standard is that personal data shall be accurate and, where necessary, kept up to date.

(2) Subsection (1) shall not be regarded as being contravened by reason of any inaccuracy in personal data which accurately record information obtained by the data controller from the data subject, or a third party, in any case where the following requirements are met -

  1. having regard to the purpose for which the data were obtained and further processed, the data controller has taken reasonable steps to ensure the accuracy of the personal data; and
  2. if the data subject has notified the data controller of the data subject’s view that the personal data are inaccurate, the personal data indicate that fact.

28. The fifth standard.

(1) The fifth standard is that -

  1. personal data processed for any purpose shall not be kept for longer than is necessary for that purpose; and
  2. (b) the disposal of personal data by a data controller shall be in accordance with regulations made under section 74.

(2) Subsection (1)(a) is subject to the provisions under this Act with respect to the keeping of records and the provision of access to data.

29. The sixth standard.

(1) The sixth standard is that personal data shall be processed in accordance with the rights of data subjects under this Act.

(2) A person shall be regarded as contravening the sixth standard only if the person -

  1. contravenes section 6 by failing to supply information in accordance with that section;
  2. contravenes section 10 by processing personal data for purposes or direct marketing without the consent required under subsection (1) of that section;
  3. contravenes section 11 by failing to comply with a notice given under subsection (1) of that section to the extent that the notice is justified, or by failing to give a written statement under subsection (4) of that section; or
  4. contravenes section 12 by failing to comply with a notice given under subsection (2) or (3)(b) of that section or by failing to give the information as required under subsection (3)(a) of that section or a written statement under subsection (4) of that section.

30. The seventh standard.

(1) The seventh standard is that appropriate technical and organisational measures shall be taken -

  1. against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data;
  2. to ensure that the Commissioner is notified, without any undue delay, of any breach of the data controller’s security measures which affect or may affect any personal data.

(2) Having regard to the state of technological development and the cost of implementing any measures referred to in subsection (1), the measures shall ensure a level of security appropriate to -

  1. the harm that might result from such unauthorised or unlawful processing or accidental loss, destruction or damage as are mentioned in subsection (1); and
  2. the nature of the data to be protected.

(3) The data controller shall take reasonable steps to ensure that the data controller’s agents and employees who have access to the personal data are aware of, and comply with, the relevant security measures.

(4) Where processing of personal data is carried out by a data processor on behalf of a data controller, the data controller shall, in order to comply with the seventh standard -

  1. choose a data processor who provides sufficient guarantees in respect of the technical and organisational security measures governing the processing to be carried out and the reporting of security breaches to the data controller; and
  2. take reasonable steps to ensure compliance with those measures.

(5) Where processing of personal data is carried out by a data processor on behalf of a data controller, the data controller shall not be regarded as complying with the seventh standard unless -

  1. the processing is carried out under a contract -
    1. which is made or evidenced in writing; and
    2. under which the data processor is to act only on instructions from the data controller; and
  2. the contract requires the data processor to comply with obligations equivalent to those imposed on a data controller by subsection (1).

(6) For the purposes of subsection (1)(a), the technical and organisational measures include -

  1. pseudonymisation and encryption of personal data;
  2. the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
  3. the ability to restore the availability of, and access to, personal data in a timely manner in the event of a physical or technical incident;
  4. a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing; and
  5. measures to ensure adherence to the technical and organisational requirements specified in the other provisions of this Act.

(7) A person who, wilfully and without lawful authority, uses any means to breach any pseudonymisation or encryption applied to any personal data commits an offence and shall be liable upon conviction for that offence before -

  1. a Parish Court, to a fine not exceeding two million dollars; or
  2. a Circuit Court, to a fine.

(8) A person does not commit an offence under subsection

(7) if -

  1. the breach is -
    1. necessary for the prevention, detection or investigation of crime;
    2. required or authorised by a court or by or under any law;
    3. justifiable in the public interest;
    4. justifiable for the purposes of journalism, literature or art; or
    5. justifiable in the public interest with a view to testing the effectiveness of the technical and organisational measures referred to in subsection (1)(a) and the person -
      1. acted without intending to cause, or threaten to cause, damage or distress to a person; and
      2. without undue delay and, where feasible, within seventy-two hours after the breach, notified the Commissioner, or a data controller concerned, of the breach; or
  2. the person acted in the reasonable belief that -
    1. the person is a data subject in respect of the personal data concerned; or
    2. the person is the data controller in respect of the personal data or acted with the consent of that data controller.

31. The eighth standard.

(1) The eighth standard is that personal data shall not be transferred to a State or territory outside of Jamaica unless that State or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

(2) For the purposes of subsection (1), an adequate level of protection is one which is adequate in all the circumstances of the case, having regard in particular to -

  1. the nature of the personal data;
  2. the State or territory of origin of the information contained in the personal data;
  3. the State or territory of final destination of that information;
  4. the purposes for which and the period during which the personal data are intended to be processed;
  5. the law in force in the State or territory in question;
  6. the international obligations of that State or territory;
  7. any relevant codes of conduct or other rules which are enforceable in that State or territory (whether generally or by arrangement in particular cases); and
  8. any security measures taken in respect of the personal data in that State or territory.

(3) The eighth standard does not apply to a transfer falling within any of the cases specified in subsection (4), except in such circumstances and to such extent as the Minister may prescribe after consultation with the Commissioner.

(4) The cases referred to in subsection (3) are, where -

  1. the data subject consents to the transfer;
  2. the transfer is necessary -
    1. for the performance of a contract between the data subject and the data controller; or
    2. for the taking of steps at the request of the data subject with a view to the data subject entering into a contract with the data controller;
  3. the transfer is necessary for the conclusion or performance of a contract, between the data controller and a person other than the data subject, which -
    1. is entered into at the request of the data subject;
    2. is in the interests of the data subject;
  4. the transfer is necessary for reasons of substantial public interest;
  5. the transfer -
    1. is necessary for the purpose of, or in connection with, any legal proceedings (including prospective legal proceedings);
    2. is necessary for the purpose of obtaining legal advice; or
    3. is otherwise necessary for the purpose of establishing, exercising, or defending, legal rights;
  6. the transfer is necessary in order to protect the vital interests of the data subject;
  7. the transfer is part of the personal data on a public register and any conditions subject to which the register is open to inspection are complied with by any person to whom the personal data are or may be disclosed after the transfer;
  8. the transfer is made on terms (which may include contractual terms) that are of a kind approved by the Commissioner as ensuring adequate safeguards for the rights and freedoms of data subjects;
    1. the transfer has been authorised by the Commissioner as being made in such a manner as to ensure adequate safeguards for the rights and freedoms of data subjects;
  9. the transfer is necessary for the purposes of national security or the prevention, detection or investigation of crime.

(5) The Minister may prescribe, by order published in the Gazette -

  1. circumstances in which a transfer is to be taken for the purposes of subsection (4)(d) to be necessary for reasons of substantial public interest;
  2. circumstances in which a transfer which is not required by or under an enactment is not to be taken for the purposes of subsection (4)(d) to be necessary for reasons of substantial public interest; and
  3. the States and territories which shall be taken to have an adequate level of protection within the meaning of subsection (2).

(6) For the purposes of subsection (5)(c) -

  1. a State or territory having an adequate level of protection as described in that subsection shall be included in the order only if such inclusion is necessary for the fulfilment of Jamaica’s international obligations; and
  2. the order may provide for such conditions and restrictions as may be applicable under the international obligation concerned.

(7) Where any question arises as to whether a transfer may be made to a State or territory, other than a State or territory included in an order made under subsection (5)(c), the matter shall be determined by the Commissioner, who shall issue a notice stating -

  1. the relevant public authority with responsibility for the protection of personal data in the State or territory concerned;
  2. the Commissioner’s determination as to the adequacy of the level of protection (within the meaning of subsection (2)) in the State or territory concerned; and
  3. where the Commissioner determines that the level of protection is not adequate, the extent to which the Commissioner considers that the level of protection is not adequate.

PART V - Exemptions to Data Protection Standards or to Disclosure to Data Subject Requirements

32. Interpretation for Part V.

(1) Except as provided by this Part, the disclosure to data subject requirements shall have effect notwithstanding any enactment or rule of law prohibiting or restricting the disclosure, or authorising the withholding, of information.

(2) References in any of the data protection standards or any of Parts II or III to “personal data” or to the “processing of personal data” do not include references to personal data or processing which is exempt from that standard or Part by virtue of the provisions of this Part.

33. National security.

(1) The Minister responsible for national security may issue a certificate under subsection (2) where that Minister considers it necessary, for the purpose of safeguarding national security, to exempt any personal data from all or any of the provisions of -

  1. the data protection standards;
  2. Parts II, III and VI;
  3. section 61 (unlawfully obtaining, etc. personal data).

(2) A certificate mentioned in subsection (1) shall -

  1. be signed by the Minister responsible for national security;
  2. identify the personal data to which it applies, which identification may be by means of a general description; and
  3. specify the provisions referred to in subsection (1) from which the personal data is exempt.

(3) Personal data identified in a certificate issued under subsection (2) shall be exempt from the provisions referred to in subsection (1) to the extent specified in the certificate.

(4) Any person directly affected by the issuing of a certificate under subsection (2) may appeal to the Court against the issuing of the certificate.

(5) If on an appeal under subsection (4), the Court finds that, applying the standards applied by the Court on an application for judicial review, the Minister did not have reasonable grounds for issuing the certificate, the Court may allow the appeal and quash the certificate.

(6) Where in any proceedings under or by virtue of this Act it is claimed by a data controller that a certificate issued under subsection (2) and which identifies the personal data to which it applies by means of a general description, applies to any specific personal data -

  1. any other party to the proceedings may appeal to the Court on the ground that the certificate does not apply to the specific personal data in question; and
  2. subject to any determination by the Court under subsection (7), the certificate shall be conclusively presumed to apply to the specific personal data in question.

(7) On an appeal under subsection (6), the Court may determine that the certificate does not apply to the specific personal data in question.

(8) A document purporting to be a certificate issued under subsection (2) shall be received in evidence and deemed to be such a certificate unless the contrary is proved.

(9) A document which purports to be certified by or on behalf of the Minister as a true copy of a certificate issued under subsection (2) by that Minister, shall in any legal proceedings be evidence of that certificate.

(10) Before acting under subsection (1), the Minister responsible for national security shall consult with the Minister responsible for technology.

34. Law enforcement, taxation, statutory functions, etc.

(1) Personal data processed for any of the following purposes -

  1. the prevention, detection, or investigation of crime;
  2. the apprehension or prosecution of offenders; or
  3. the assessment or collection of any tax or duty or of any imposition of a similar nature,

are exempt from -

  1. the first data protection standard, except to the extent that that standard requires compliance with the conditions set out in sections 23(1) and 24(1); and
  2. section 6,

to the extent to which the application of those provisions to the data is likely to prejudice any of the purposes mentioned in paragraph (a), (b) or (c).

(2) Personal data which -

  1. are processed for the purpose of discharging statutory functions; and
  2. consist of information obtained for such a purpose from a person who had the information in that person’s possession for any purpose mentioned in subsection (1)(a), (b) or (c),

are exempt from the disclosure to data subject requirements to the same extent as personal data processed for any of the purposes mentioned in subsection (1)(a), (b) or (c).

(3) Personal data are exempt from the non-disclosure provisions in any case in which -

  1. the disclosure is for any of the purposes mentioned in subsection (1)(a), (b) or (c); and
  2. the application of the non-disclosure provisions in relation to the disclosure is likely to prejudice any of the purposes mentioned in subsection (1)(a), (b) or (c).

(4) Personal data in respect of which the data controller is a public authority and which -

  1. consist of a classification applied to the data subject as part of a system of risk assessment which is operated by that authority for either of the following purposes -
    1. the assessment or collection of any tax or duty or any imposition of a similar nature; or
    2. the prevention, detection or investigation of crime, or apprehension or prosecution of offenders, where the offence concerned involves any unlawful claim for any payment out of, or any unlawful application of, public moneys; and
  2. are processed for either of the purposes mentioned in paragraph (a),

are exempt from section 6 to the extent to which the exemption is required in the interests of the operation of the system.

(5) In subsection (4), “public moneys” has the meaning assigned to it by section 2 of the Financial Administration and Audit Act.

35. Regulatory activity.

(1) Personal data processed for the purposes of discharging any function to which this subsection applies are exempt from the disclosure to data subject requirements to the extent to which the application of those requirements in any case is likely to prejudice the proper discharge of those functions.

(2) Subsection (1) applies to any function -

  1. which is -
    1. conferred on a person by or under any enactment; or
    2. of a public nature, is exercised in the public interest and is connected with -
      1. public safety;
      2. breaches of ethics for regulated professions; or
      3. important national economic or financial interests such as monetary, budgetary or taxation matters; and
  2. which is designed for protecting members of the public against -
    1. maladministration by public authorities;
    2. the failure of a public authority to provide a service which it is a function of that public authority to provide; or
    3. conduct by persons carrying on any trade or business, which may adversely affect the public interest;
  3. designed for regulating -
    1. agreements or conduct which have as their object or effect the prevention, restriction or distortion of competition, in connection with any commercial activity; or
    2. conduct, on the part of one or more undertakings, which amounts to the abuse of a dominant market position; or
  4. relating to the consideration of any complaint referred to in paragraph 12 or 13 of the First Schedule of the Child Care and Protection Act, by the Children’s Advocate or a relevant authority as defined by that Act.

(3) In subsection (2)(a), “regulated professions” means any profession subject to regulation by a body pursuant to any enactment.

36. Journalism, literature and art.

(1) Personal data which are processed only for the special purposes are exempt from the provisions specified in subsection (2) if -

  1. the processing is undertaken with a view to, or consists of, the publication by any person of any journalistic, literary or artistic material;
  2. the data controller reasonably believes that, having regard in particular to the special importance of the public interest in freedom of expression or the right to seek, receive, distribute or disseminate information, opinions and ideas through any media, publication would be in the public interest; and
  3. the data controller reasonably believes that, in all the circumstances, compliance with that provision is incompatible with the special purposes.

(2) The provisions referred to in subsection (1) are -

  1. the data protection standards, other than the seventh standard;
  2. section 6;
  3. section 11;
  4. section 12; and
  5. section 13(3) and (4).

(3) In considering for the purposes of subsection (1)(b) whether the belief is a reasonable one, regard may be had to the data controller’s compliance with any code of practice which -

  1. is relevant to the publication in question; and
  2. is designated by the Commissioner by order published in the Gazette for the purposes of this subsection.

(4) Where at any time (“the relevant time”) in any proceedings against a data controller under section 6(6), 11(5), 12(5) or 13(5), or by virtue of section 69, the data controller claims, or it appears to the Commissioner, that any personal data to which the proceedings relate are being processed -

  1. only for the special purposes; and
  2. with a view to the publication by any person of any journalistic, literary or artistic material which, at the time twenty-four hours immediately before the relevant time, had not previously been published by the data controller,

the Court shall stay the proceedings until either of the conditions specified in subsection (5) is met.

(5) The conditions mentioned in subsection (4) are -

  1. that a determination of the Commissioner under section 50 (determination by Commissioner as to the special purposes) with respect to the personal data in question takes effect; or
  2. in a case where the proceedings were stayed on the making of a claim, that claim is withdrawn. (6) For the purposes of this Act, “publish”, in relation to journalistic, literary or artistic material, means make available to the public or any section of the public.

37. Research, history and statistics.

(1) In this section -

“research purposes” includes statistical or historical purposes;

“the relevant conditions” are that the personal data -

  1. are not processed to support measures or decisions with respect to particular individuals; and
  2. are not processed in such a way that substantial damage or substantial distress is, or is likely to be, caused to any data subject.

(2) For the purposes of the second data protection standard, the further processing of personal data only for research purposes in compliance with the relevant conditions shall not be regarded as incompatible with the purposes for which they were obtained.

(3) Notwithstanding the fifth data protection standard, personal data which are processed only for research purposes may be kept indefinitely if the relevant conditions are met.

(4) Personal data which are processed only for research purposes are exempt from section 6 if -

  1. the relevant conditions are met; and
  2. the results of the research or any resulting statistics are not made available in a form which identifies the data subjects or any of them.

(5) For the purposes of subsections (2) to (4), personal data shall not be treated as processed otherwise than for research purposes merely because the personal data are disclosed -

  1. to any person, for research purposes only;
  2. to the data subject or to a person acting on his behalf;
  3. at the request, or with the consent, of the data subject or a person acting on his behalf; or
  4. in circumstances in which the person making the disclosure has reasonable grounds for believing that the disclosure falls within paragraph (a), (b) or (c).

(6) A data controller shall not be taken to be in breach of the data protection standards if personal data is disclosed by that data controller for research purposes if -

  1. the research purposes cannot reasonably be accomplished unless the personal data are provided in a form which identifies the data subjects or any of them;
  2. the personal data are disclosed subject to the condition that -
    1. it not be used for the purpose of contacting a person to participate in research; and
    2. the party to whom it is disclosed complies with the data protection standards; and
  3. the relevant conditions are met.

(7) A data controller may disclose personal data for archival or historical purposes if the relevant conditions are met and -

  1. the personal data relate to an individual who has been deceased for thirty years or such number of years as may be prescribed for the purposes of this section; or
  2. the personal data are in a record which has been in existence for thirty years or such number of years as may be prescribed for the purposes of this section.

38. Information available to the public by or under any enactment.

Personal data consisting of information which the data controller is obliged by or under any enactment, other than the Access to Information Act, to make available to the public (whether by publishing the information, making it available for inspection, or otherwise, and whether gratuitously or on payment of a fee) are exempt from -

  1. the disclosure to data subject requirements;
  2. the fourth data protection standard and section 13(3) and (4); and
  3. the non-disclosure provisions.

39. Disclosures required by law or made in connection with legal proceedings, etc.

(1) Personal data data are exempt from the non-disclosure provisions where the disclosure is required by or under any enactment, by any rule of law or by the order of a court -

(2) Personal data are exempt from the non-disclosure provisions where the disclosure is necessary -

  1. for the purpose of, or in connection with, any legal proceedings (including prospective legal proceedings); or
  2. for the purpose of obtaining legal advice, or is otherwise necessary for the purposes of establishing, exercising or defending legal rights.

40. Parliamentary privilege.

Personal data are exempt from -

  1. the first data protection standard, except to the extent to which that standard requires compliance with the conditions set out in sections 23(1) and 24(1);
  2. the second, third, fourth and fifth data protection standards;
  3. section 6; and
  4. sections 11 and 13(3) and (4),

if the exemption is required for the purpose of avoiding an infringement of the privileges of either House of Parliament.

41. Domestic purposes.

(1) Personal data processed by an individual only for the purposes of that individual’s personal, family or household affairs (including recreational purposes) are exempt from the data protection standards and the provisions of Parts II and III.

42. Miscellaneous exemptions. Second Scheudle.

The matters set out in the Second Schedule shall be exempt from the provisions of this Act to the extent specified in that Schedule.

43. Power to make further exemptions by order.

(1) After consultation with the Commissioner, the Minister may by order published in the Gazette exempt, from the disclosure to data subject requirements, personal data consisting of information the disclosure of which is prohibited or restricted by or under any enactment, if and to the extent that the Minister considers it necessary for the safeguarding of the interests of the data subject or the rights and freedoms of any other individual that the prohibition or restriction ought to prevail over those requirements.

(2) The Minister may, by order published in the Gazette, exempt from the non-disclosure provisions any disclosures of personal data made in circumstances specified in the order, if the Minister considers that the exemption is necessary for the safeguarding of the interests of the data subject or the rights and freedoms of any other individual.

PART VI - Enforcement

44. Enforcement notice.

(1) In this Part, “enforcement notice” means a notice under subsection (2).

(2) Where the Commissioner is satisfied that a data controller has contravened, or is contravening, any of the data protection standards, the Commissioner may serve the data controller with a notice in accordance with subsections (6) to (8) requiring the data controller, with a view to achieving compliance with the data protection standards, to do any or all of the following -

  1. to take specified steps within a specified time, or to refrain from taking specified steps after a specified time;
  2. to refrain from processing any personal data, or any personal data of a specified description; or
  3. to refrain from processing personal data for a specified purpose or in a specified manner, after a specified time,

and for the purposes of this subsection “specified” means specified in the notice.

(3) In deciding whether to serve an enforcement notice, the Commissioner shall consider whether the contravention has caused or is likely to cause any individual damage or distress.

(4) An enforcement notice, relating to a contravention of the fourth data protection standard -

  1. which requires a data controller to rectify, block, erase or destroy any inaccurate personal data may also require the data controller to rectify, block, erase or destroy any other personal data held by the data controller and containing an expression of opinion which appears to the Commissioner to be based on the inaccurate personal data;
  2. in the case of personal data which accurately record information received or obtained by the data controller from the data subject or a third party, may require the data controller either to -
    1. rectify, block, erase or destroy any inaccurate personal data and any other personal data held by the data controller and containing an expression of opinion as mentioned in paragraph (a); or
    2. take such steps as are specified in the notice for securing compliance with the requirements specified in section 27(2) and, if the Commissioner thinks fit, for supplementing the personal data with such statement of the true facts relating to the matters dealt with by the personal data as the Commissioner may approve.

(5) Where -

  1. an enforcement notice requires the data controller to rectify, block, erase or destroy, any personal data; or
  2. the Commissioner is satisfied that personal data which have been rectified, blocked, erased, or destroyed, had been processed in contravention of any of the data protection standards,

an enforcement notice may, if reasonably practicable, require the data controller to notify third parties, to whom the personal data have been disclosed, of the rectification, blocking, erasure, or destruction.

(6) For the purposes of determining whether it is reasonably practicable to require notification of third parties under subsection (5), regard shall be had, in particular, to the number of persons who would have to be notified.

(7) An enforcement notice shall contain -

  1. a statement of the data protection standard or standards which the Commissioner is satisfied have been or are being contravened, and the Commissioner’s reasons for reaching that conclusion; and
  2. particulars of the rights of appeal conferred by section 53.

(8) Subject to subsection (9), an enforcement notice shall not require any of the provisions of the notice to be complied with before the end of the period within which an appeal can be brought against the notice and, if such an appeal is brought, the notice need not be complied with pending the determination or withdrawal of the appeal.

(9) Subsection (8) shall not apply if the Commissioner, in the enforcement notice -

  1. includes a statement to the effect that by reason of special circumstances the Commissioner considers that an enforcement notice should be complied with as a matter of urgency, together with the Commissioner’s reasons for reaching that conclusion; and
  2. specifies a time within which the notice shall be complied with, being not less than seven days beginning with the day on which the notice is served.

(10) Regulations made under this Act may make provision as to the effect of the service of an enforcement notice on any entry in the register maintained under section 17.

(11) This section has effect subject to section 51(1).

(12) If the Commissioner considers that all or any of the provisions of an enforcement notice need not be complied with in order to ensure compliance with the data protection standards to which the notice relates, the Commissioner may cancel or vary the notice by written notice to the person on whom the enforcement notice was served.

(13) A person on whom an enforcement notice has been served may, at any time after the expiration of the period during which an appeal can be brought against that notice, apply in writing to the Commissioner for the cancellation or variation of that notice on the ground that, by reason of any change in circumstances, all or any of the provisions of the notice need not be complied with in order to ensure compliance with the data protection standards to which the notice relates.

45. Data protection impact assessment.

(1) Unless otherwise specified in a notice under subsection (4), a data controller shall, in respect of each calendar year -

  1. within ninety days after the end of the relevant calendar year; and
  2. in such form as may be prescribed by the Commissioner by notice published in the Gazette,

submit to the Commissioner a data protection impact assessment in respect of all personal data in the custody or control of the data controller.

(2) The Commissioner shall evaluate each data protection impact assessment received under subsection (1) and shall, as the Commissioner considers appropriate, issue such directions to the data controller concerned -

  1. to make such amendments to the data controller’s systems of operation or other activities; or
  2. to implement such other recommendations,

as may be necessary to secure compliance with this Act.

(3) The data protection impact assessment form prescribed under subsection (1) shall require at least the following information -

  1. a detailed description of the envisaged processing of the personal data and the purposes of the processing, specifying, where applicable, the legitimate interest pursued by the data controller;
  2. an assessment of the necessity and proportionality of the processing operations in relation to the purposes;
  3. an assessment of the risks to the rights and freedoms, of data subjects, referred to in subsection (5); and
  4. the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with this Act, taking into account the rights and legitimate interests of data subjects and other persons concerned.

(4) The Commissioner may publish a notice in the Gazette, and in such other manner as the Commissioner considers appropriate to bring the notice to the attention of data controllers, specifying the classes or kinds of personal data, or data controllers, to which subsection (1) shall apply or shall not apply.

(5) In determining any class or kind for the purposes of subsection (4), the Commissioner shall have regard to the likely level of risk to the rights and freedoms of data subjects involved in processing the data concerned, taking into account the nature, scope, context and purposes of the processing.

46. Request for assessment.

(1) A request may be made to the Commissioner by or on behalf of any individual who is, or believes himself to be, directly affected by any processing of personal data for an assessment as to whether it is likely or unlikely that the processing has been, or is being, carried out in compliance with the provisions of this Act.

(2) Subject to subsection (3), on receiving a request under subsection (1), the Commissioner shall make an assessment in suchmanner as appears to the Commissioner to be appropriate, unless the Commissioner has not been supplied with such information as the Commissioner may reasonably require in order to be -

  1. satisfied as to the identity of the individual making the request; and
  2. able to identify the processing in question.

(3) The matters to which the Commissioner may have regard in determining in what manner it is appropriate to make an assessment include -

  1. the extent to which the request appears to the Commissioner to raise a matter of substance;
  2. any undue delay in making the request; and
  3. whether or not the individual making the request is entitled to make an application under section 6 in respect of the personal data in question.

(4) Where the Commissioner receives a request under subsection (1), the Commissioner shall notify the individual who made the request -

  1. whether the Commissioner has made an assessment as a result of the request; and
  2. of any conclusion formed or action taken as a result of the request, to the extent that the Commissioner considers it appropriate having regard to any exemption from section 6 applying to the personal data concerned.

47. Assessment notices.

(1) The Commissioner may serve a data controller with a notice in accordance with subsection (2) (hereinafter referred to as an “assessment notice”) for the purpose of enabling the Commissioner to determine whether the data controller has complied with, or is complying with, the data protection standards.

(2) An assessment notice is a notice which requires the data controller to do all or any of the following -

  1. permit the Commissioner to enter any specified premises for the purposes mentioned in subsection (1);
  2. direct the Commissioner to any documents on the premises that are of a specified description;
  3. assist the Commissioner to view any information of a specified description that is capable of being viewed using equipment on the premises;
  4. comply with any request from the Commissioner for -
    1. a copy of any of the documents to which the Commissioner is directed;
    2. a copy (in such form as may be requested) of any information which the Commissioner is assisted to view;
  5. direct the Commissioner to any equipment or other material on the premises which is of a specified description;
  6. permit the Commissioner to inspect or examine any of the documents, information, equipment or material to which the Commissioner is directed or which the Commissioner is assisted to view;
  7. permit the Commissioner to observe the processing of any personal data that takes place on the premises;
  8. make available for interview by the Commissioner such specified persons or the persons of a specified description who process personal data on behalf of the data controller as the Commissioner may require to be interviewed.

(3) In subsection (2), references to the Commissioner include references to the Commissioner’s officers and staff.

(4) An assessment notice shall -

  1. in relation to each requirement imposed by the notice, specify -
    1. the time at which the requirement is to be complied with; or
    2. the period during which the requirement is to be complied with; and
  2. state the rights of appeal conferred by section 53.

(5) The Commissioner may cancel an assessment notice by written notice to the data controller on whom the assessment notice was served.

(6) The Commissioner shall issue a code of practice as to the manner in which the Commissioner’s functions under this section are to be exercised, and the code shall -

  1. specify the factors to be considered in determining whether to serve an assessment notice on a data controller;
  2. specify descriptions of documents and information that -
    1. are not to be examined or inspected in pursuance of an assessment notice; or
    2. are to be examined or inspected, in pursuance of an assessment notice, only by persons of a description specified in the code, and in particular as concerns documents and information concerning an individual’s physical or mental health or the provision of social care for an individual;
  3. describe the nature of inspections and examinations that may be carried out in pursuance of an assessment notice; and
  4. set out the procedure for preparing, issuing and publishing assessment reports by the Commissioner in respect of data controllers who are served with assessment notices.

(7) For the purposes of -

  1. subsection (6)(b), “social care” includes all forms of personal care and other practical assistance provided for individuals who by reason of financial need, age, illness, disability, pregnancy, childbirth, dependence on alcohol or drugs, or any other similar circumstances, are in need of such care or other assistance;
  2. subsection (6)(d), an assessment report is a report that contains -
    1. a determination as to whether a data controller has complied, or is complying with, the data protection standards;
    2. recommendations as to any steps that the data controller ought to take, or to refrain from taking, to ensure compliance with any of the data protection standards; and
    3. such other matters as are specified in the code.

48 Limitations on assessments notices.

(1) A time specified in an assessment notice under section 47(4) in relation to a requirement shall not fall, and a period so specified must not begin, before the end of the period within which an appeal can be brought against the notice, and if such an appeal is brought the requirement need not be complied with pending the determination or withdrawal of the appeal.

(2) If by reason of special circumstances the Commissioner determines that it is necessary for a data controller to comply with a requirement in an assessment notice as a matter of urgency -

  1. the Commissioner may include in the notice a statement to that effect and a statement of the reasons for that determination; and
  2. for the purposes of subsection (1), the time specified in the assessment notice shall not fall, or the period so specified must not begin, before the end of the period of seven days beginning on the day on which the notice is served.

(3) A requirement imposed by an assessment notice does nothave effect so far as compliance with the requirement would result in the disclosure of any communication that is subject to legal professional privilege.

(4) Nothing in section 47 authorizes the Commissioner to serve an assessment notice on -

  1. a member of the judiciary; or
  2. (b) a body specified in section 5(8) of the Access to Information Act (bodies falling within the definition of “security or intelligence services”).

(5) A person shall not be required by virtue of this section to furnish the Commissioner with any information if the furnishing of that information would expose that person to proceedings for an offence by revealing evidence of the commission of that offence, other than an offence under this Act or an offence under section 8 of the Perjury Act (false voluntary declarations and other false statements without oath).

49. Information notices.

(1) Where the Commissioner -

  1. has received a request under section 46;
  2. reasonably requires any information for the purpose of determining whether a data controller has complied, or is complying, with the provisions of this Act; or
  3. has reasonable grounds for suspecting that, in a case in which proceedings have been stayed under section 36(4) (stay of proceedings pending determination as to whether processing is for the special purposes), the personal data to which the proceedings relate -
    1. are not being processed only for the special purposes; or
    2. are not being processed with a view to the publication by any person of any journalistic, literary or artistic material which has not previously been published by the data controller,

the Commissioner may serve the data controller concerned with a notice (in this Act referred to as an “information notice”) requiring the data controller to furnish the Commissioner with the specified information relating to the request or to compliance with the provisions of this Act (as the case may be).

(2) For the purposes of subsection (1), the specified information is information -

  1. specified, or described, in the information notice; or
  2. falling within a category which is specified, or described, in the information notice,

and may include information about processing of personal data and the documentation thereof, as well as information relating to the security and confidentiality of such processing and documentation.

(3) An information notice may specify the form in which the information shall be furnished, and shall -

  1. subject to subsection (4), specify the period within which, or the time and place at which, the information shall be furnished;
  2. contain -
    1. in any case falling within subsection (l)(a), a statement that the Commissioner has received a request under section 46 in relation to the processing specified in the notice;
    2. in any case falling within subsection (l)(b), a statement that the Commissioner regards the specified information as relevant for the purpose of determining whether the data controller has complied, or is complying, with this Act and the Commissioner’s reasons for regarding the information as relevant for that purpose;
    3. in any case falling within subsection (l)(c), a statement -
      1. that the Commissioner regards the specified information as relevant for thepurpose of ascertaining whether they are being processed as mentioned in subsection (l)(c); and
      2. of the Commissioner’s grounds for suspecting that the personal data are not being processed as mentioned in subsection (l)(c);
  3. set out the particulars of the rights of appeal conferred by section 53; and
  4. if by reason of special circumstances, the Commissioner determines that the information is required as a matter of urgency, include a statement to that effect together with the Commissioner’s reasons for that determination.

(4) The period or time specified under subsection (3)(a) -

  1. in any case falling within subsection (3)(d), shall not require the information to be furnished before the end of the period of seven days beginning on the day on which the notice is served;
  2. in any other case, shall not require the information to be given before the end of the period within which an appeal can be brought against the notice,

and if an appeal is brought against the notice, the information need not be furnished pending the determination or withdrawal of the appeal.

(5) A person shall not be required by virtue of this section to furnish the Commissioner with any information in respect of any communication that is subject to legal professional privilege.

(6) A person shall not be required by virtue of this section to furnish the Commissioner with any information if the furnishing of that information would expose that person to proceedings for an offence by revealing evidence of the commission of that offence, other than an offence under this Act or an offence under section 8 of the Perjury Act (false voluntary declarations and other false statements without oath).

(7) Any relevant statement provided by a person in response to a requirement under this section may not be used in evidence against that person or on a prosecution for any offence under this Act, other than an offence under section 52 (failure to comply with notice), unless in the proceedings -

  1. in giving evidence, the person provides information inconsistent with the statement; or
  2. evidence relating to the statement is adduced, or a question relating to the statement is asked, by that person or on that person’s behalf.

(8) In subsection (7), “relevant statement”, in relation to a requirement under this section, means -

  1. an oral statement; or
  2. a written statement made for the purposes of the requirement.

(9) The Commissioner may cancel an information notice by written notice to the person on whom the information notice was served.

(10) This section has effect subject to section 51(3).

50. Determination by Commissioner as to the special purposes.

(1) Where at any time it appears to the Commissioner (whether as a result of the service of an information notice or otherwise) that any personal data -

  1. are not being processed only for the special purposes; or
  2. are not being processed with a view to the publication by any person of any journalistic, literary or artistic material which has not previously been published by the data controller,

the Commissioner may make a determination in writing to that effect.

(2) Notice as to a determination under subsection (1) shall -

  1. be given to the data controller concerned; and
  2. contain the particulars of the right of appeal conferred by section 53.

(3) A determination under subsection (1) shall not take effect until the end of the period within which an appeal can be brought and, where an appeal is brought, shall not take effect pending the determination or withdrawal of the appeal.

51. Restriction on enforcement in case of processing for the special purposes.

(1) The Commissioner may not at any time serve an enforcement notice on a data controller with respect to the processing of personal data for the special purposes unless -

  1. a determination under section 50(1) with respect to those personal data has taken effect; and
  2. the Court has granted leave for the notice to be served.

(2) The Court shall not grant leave for the purposes of subsection (l)(b) unless it is satisfied -

  1. that the Commissioner has reason to suspect a contravention of the data protection standards which is of substantial public importance; and
  2. except where the case is one of urgency, that the data controller has been given, in accordance with rules of court, notice of the application for leave.

(3) The Commissioner may not serve an information notice on a data controller with respect to the processing of personal data for the special purposes unless a determination under section 50(1) with respect to those personal data has taken effect.

52. Failure to comply with notice.

(1) A person who fails to comply with an enforcement notice, an assessment notice or an information notice commits an offence.

(2) A person who, in purported compliance with an information notice or an assessment notice -

  1. makes a statement which the person knows to be false in a material respect; or
  2. recklessly makes a statement which is false in a material respect,

commits an offence.

(3) It is a defence for a person charged with an offence under subsection (1) to prove that the person exercised all due diligence to comply with the notice in question.

(4) A person who commits an offence under subsection (1) or (2) shall be liable upon conviction in a Parish Court to a fine not exceeding one million dollars.

53. Rights of appeal.

(1) A person on whom an enforcement notice, an assessment notice, or an information notice, has been served may appeal to the Court against the notice.

(2) A person on whom an enforcement notice has been served may appeal to the Court against the refusal of an application under section 44(13) for cancellation or variation of the notice.

(3) Where an enforcement notice, an assessment notice or an information notice, contains a statement by the Commissioner in accordance with section 44(9), 48(2) or 49(3)(d), then, whether or not the person appeals against the notice, the person may appeal against -

  1. the Commissioner’s decision to include the statement in the notice; or
  2. the effect of the inclusion of the statement as respects any part of the notice.

(4) A data controller in respect of whom a determination has been made under section 50(1) may appeal to the Court against the determination.

54. Determination of appeals.

(1) On an appeal under section 53(1) -

  1. if in any case the Court considers -
    1. that the notice against which the appeal is brought is not in accordance with the law; or
    2. to the extent that the notice involved an exercise of discretion by the Commissioner, that the Commissioner ought to have exercised his discretion differently, the Court shall allow the appeal or substitute such other notice or decision as could have been served or made by the Commissioner; and
  2. in any other case, the Court shall dismiss the appeal.

(2) On an appeal under section 53(1), the Court may review any determination of fact on which the notice in question was based.

(3) If on an appeal under section 53(2), the Court considers that the enforcement notice ought to be cancelled or varied by reason of a change in circumstances, the Court shall cancel or vary the notice.

(4) On an appeal under section 53(3), the Court may direct -

  1. that the notice in question shall have effect as if it did not contain any such statement as is mentioned in section 53(3); or
  2. that the inclusion of the statement shall not have effect in relation to any part of the notice,

and may make such modifications to the notice as may be required for giving effect to the direction.

(5) On an appeal under section 53(4), the Court may quash the determination of the Commissioner.

55. Powers of entry and inspection. Third Schedule.

The provisions of the Third Schedule shall have effect as to the powers of entry and inspection under this Act.

PART VII. - Miscellaneous and General

56. Reports and guidelines to be laid before Parliament.

(1) The Commissioner shall lay annually before each House of Parliament a report on the exercise of the Commissioner’s functions under this Act.

(2) The Commissioner may from time to time lay before each House of Parliament such other reports with respect to those functions as the Commissioner thinks fit.

(3) Where the Commissioner prepares or approves guidelines under section 4(5)(e), the Commissioner shall lay the guidelines before each House of Parliament.

57. Data-sharing code.

(1) The Commissioner shall prepare and submit to the Minister a code of practice (in this Act referred to as “the data-sharing code”) which contains -

  1. practical guidance in relation to the sharing of personal data in accordance with the requirements of this Act; and
  2. such other guidance as the Commissioner considers appropriate to promote good practice in the sharing of personal data.

(2) Before a code is prepared under this section, the Commissioner shall consult such of the following as the Commissioner considers appropriate -

  1. trade associations;
  2. persons who appear to the Commissioner to represent the interests of data controllers.
  3. data subjects; and
  4. persons who appear to the Commissioner to represent the interests of data subjects.

(3) In this section, a reference to the sharing of personal data is to the disclosure of the personal data by transmission, dissemination or otherwise making the data available.

(4) Where a data sharing code is submitted to the Minister under subsection (1), the Minister shall -

  1. approve the code and lay the code before the Houses of Parliament for affirmative resolution; or
  2. withhold approval of the code if it appears to the Minister that the terms of the code could result in Jamaica being in breach of any of its treaty obligations or any other international obligation, and shall publish in the Gazette a notice of the reasons for withholding approval.

(5) Where a code is not approved and affirmed under subsection (4)(a), the Commissioner shall prepare another code of practice in accordance with this section.

(6) A data-sharing code which is affirmed under subsection (4)(a) comes into operation upon the publication of the code in the Gazette, together with the affirmative resolution, unless a later date is specified in the code as the date on which it is to come into operation, in which case the code shall come into operation on that later date.

(7) A data-sharing code may include transitional or savings provisions.

(8) The Commissioner shall keep the data-sharing code under review and in any event shall review the code within eighteen months after the code first comes into operation and thereafter at least once every three years.

(9) Any amendment or repeal of the data-sharing code shall be done in accordance with the procedure set out in this section for the making of the code (including the provisions as to prior consultation).

58. Effects of data-sharing code.

(1) A failure on the part of any person to act in accordance with any provision of the data-sharing code does not of itself render that person liable to any legal proceedings in any court or tribunal.

(2) The data-sharing code is admissible in evidence in any legal proceedings.

(3) If any provision of the data-sharing code appears to -

  1. a court conducting any proceedings under this Act;
  2. a court or tribunal conducting any other legal proceedings; or
  3. the Commissioner carrying out any function under this Act,

to be relevant to any question arising in the proceedings, or in connection with the exercise of that jurisdiction or the carrying out of those functions, in relation to any time when the code was in force, that provision of the code shall be taken into account in determining that question.

59. Assistance by Commissioner in cases involving processing for the special purposes.

- (1) An individual who is an actual or prospective party to any proceedings -

  1. under section 6(6), 11(5), 12(5), or 13(5); and
  2. which relate to personal data processed for the special purposes,

may apply to the Commissioner for assistance in relation to those proceedings.

(2) The Commissioner -

  1. shall, as soon as reasonably practicable after receiving an application under subsection (1), consider the application and decide whether and to what extent to grant the application; and
  2. shall not grant the application unless, in the Commissioner’s opinion, the case involves a matter of substantial public importance.

(3) If the Commissioner decides to provide assistance under this section, the Commissioner shall, as soon as reasonably practicable after making the decision, notify the applicant, stating the extent of the assistance to be provided.

(4) If the Commissioner decides not to provide assistance under this section, the Commissioner shall, as soon as reasonably practicable after making the decision, notify the applicant of the Commissioner’s decision and the reasons therefor.

(5) In this section -

  1. references to “proceedings” include references to prospective proceedings
  2. (b) “applicant”, in relation to assistance under this section, means an individual who applies for assistance.

60. International co-operation.

The Minister may, after consultation with the Minister responsible for foreign affairs, make regulations as to co-operation by the Commissioner with authorities in foreign States exercising functions analogous to those of the Commissioner under this Act, in connection with the performance of their respective duties and, in particular, as to the exchange of information with such authorities.

61. Unlawfully obtaining, disclosing, etc., personal data.

(1) Subject to subsection (2), a person shall not knowingly or recklessly, without the consent of the data controller concerned -

  1. obtain or disclose personal data, or any information contained in personal data; or
  2. procure the disclosure to another person of any information contained in personal data.

(2) Subsection (1) does not apply to a person who shows that -

  1. the obtaining, disclosing or procuring was required or authorised by or under any enactment, by any rule of law, or by the order of a court;
  2. the person acted in the reasonable belief that the person had in law the right to obtain or disclose the personal data or information or, as the case may be, to procure the disclosure of the information to the other person;
  3. the person acted in the reasonable belief that the person would have the consent of the data controller if the data controller had known of the obtaining, disclosing or procuring and the circumstances of it; or
  4. in the particular circumstances the obtaining, disclosing or procuring was justified as being in the public interest.

(3) A person who contravenes subsection (1) commits an offence.

(4) A person who sells personal data commits an offence if the person obtains the personal data in contravention of subsection (1).

(5) A person who offers to sell personal data commits an offence if the person -

  1. obtains the personal data in contravention of subsection (1); or
  2. subsequently obtains the personal data in contravention of subsection (1).

(6) For the purposes of subsection (5), an advertisement indicating that personal data are or may be for sale is an offer to sell the personal data.

(7) Section 2(2) does not apply for the purposes of this section.

(8) For the purposes of subsections (4) to (6), “personal data” includes information extracted from personal data.

(9) References in this section to personal data do not include references to personal data which by virtue of section 33 (national security) are exempt from this section.

(10) A person who commits an offence under this section shall be liable upon -

  1. summary conviction in a Parish Court to a fine not exceeding five million dollars or to imprisonment for a term not exceeding five years; or
  2. conviction on indictment in a Circuit Court to a fine, or to imprisonment for a term not exceeding ten years.

62. Power of Commissioner to impose fixed penalty.

(1) The Commissioner may serve a data controller with a fixed penalty notice if the Commissioner has reason to believe that -

  1. the data controller has committed an offence to which this section applies;
  2. the contravention was of a kind likely to cause substantial damage or substantial distress; and
  3. the contravention was deliberate, or the data controller knew or ought to have known -
    1. that there was a risk that the contravention would occur; and
    2. that such contravention would be of a kind likely to cause substantial damage or substantial distress, but failed to take reasonable steps to prevent the contravention.

(2) For the purposes of subsection (1), the Commissioner may take into account any matter which comes to the Commissioner’s attention as a result of anything done in pursuance of -

  1. an assessment notice; or
  2. an assessment under section 4(8) (assessment with consent of data controller).

(3) The offences to which this section applies are -

  1. an offence under section 21(2) (failure of controller to comply with standards or to make a required report or notification) or section 16(7) (failure to provide particulars); and
  2. any other offence prescribed under subsection (11).

(4) A fixed penalty notice under this section is a notice in writing in the prescribed form offering the data controller the opportunity to discharge any liability to conviction of an offence to which this section applies by payment of a fixed penalty under this section.

(5) A data controller shall not be liable to be convicted of an offence to which this section applies, in respect of which -

  1. the data controller pays the fixed penalty in accordance with this section; and
  2. the requirement in respect of which the offence was committed is complied with,

before the expiration of the thirty days following the date of the fixed penalty notice referred to in subsection (4) or such longer period as may be specified in the notice, or the date on which proceedings are begun, whichever event last occurs.

(6) Where a data controller is served with a fixed penalty notice under this section in respect of an offence, proceedings shall not be taken against any person for that offence until the end of the thirty days following the date of the notice or such longer period as may have been specified therein.

(7) In subsections (5) and (6), “proceedings” means any criminal proceedings in respect of the act or omission constituting the offence concerned, and “convicted” shall be construed in like manner.

(8) Payment of a fixed penalty under this section shall be paid to the Collector of Taxes specified pursuant to subsection (11), and in any proceedings a certificate that payment of a fixed penalty was or was not made to the Collector of Taxes by a date specified in the certificate shall, if the certificate purports to be signed by the Collector of Taxes, be admissible as evidence of the facts stated therein.

(9) A notice under subsection (1) shall -

  1. give such particulars of the offence alleged as are necessary for giving reasonable information of the allegation;
  2. state -
    1. the period (whether thirty days or a longer period) during which, by virtue of subsection (6) proceedings will not be taken for the offence; and
    2. the amount of the fixed penalty and the Collector of Taxes to whom and the address at which it may be paid; and
  3. require the data controller, in the event that the fixed penalty is not paid within the period specified pursuant to paragraph (b), to attend before the court having jurisdiction to try the offence to answer the charge on such date as may be specified, being a date not earlier than ten days after the expiration of the period specified pursuant to paragraph (b), and that requirement shall constitute a summons for the data controller to attend court to answer the charge if the fixed penalty is not paid within the period specified pursuant to paragraph (b).

(10) In any proceedings for an offence to which this section applies, no reference shall be made after the conviction of the accused to the giving of any notice under this section or to the payment or nonpayment of a fixed penalty thereunder unless in the course of the proceedings or in some document which is before the court in connection with the proceedings, reference is made by or on behalf of the accused to the giving of such a notice, or, as the case may be, to such payment or non-payment.

(11) The Minister may, by order subject to affirmative resolution, make provision as to any matter incidental to the operation of this section, and, in particular, any such order may -

  1. prescribe -
    1. the form of notice under subsection (1), and the Collector of Taxes to whom a fixed penalty is payable;
    2. the nature of the information to be furnished to the Collector of Taxes along with any payment;
    3. the arrangements for the Collector of Taxes to furnish to the Commissioner information with regard to any payment pursuant to a notice under this section;
    4. the amount of the fixed penalty; and
    5. without prejudice to any offence mentioned in subsection (3), any other offences under this Act to which this section shall apply;
  2. provide that a fixed penalty notice may not be served on a data controller with respect to the processing of personal data for the special purposes except in circumstances specified in the order;
  3. make provision for the cancellation or variation of fixed penalty notices.

63. Prohibition of requirements as to production of certain records.

(1) A person concerned with the provision of goods, facilities or services to the public or a section of the public, whether for payment or not, shall not as a condition of providing or offering to provide any goods, facilities or services to an individual, require that individual to supply or produce a relevant record.

(2) Subsection (1) does not apply to a person who shows -

  1. that the imposition of the requirement was required or authorised by any other law or by the order of a court; or
  2. that in the particular circumstances the imposition of the requirement was justified as being in the public interest.

(3) A person who contravenes subsection (1) commits an offence and shall be liable upon -

  1. summary conviction in a Parish Court to a fine not exceeding two million dollars or to imprisonment for a term not exceeding two years; or
  2. conviction on indictment in a Circuit Court, to a fine, or to imprisonment for a term not exceeding five years.

(4) In this section “a relevant record” means any record which -

Fourth Schedule.

  1. has been or is to be obtained by a data subject from a data controller specified in the first column of the Fourth Schedule in the exercise of the right conferred by section 6 (right of access to personal data); and

  2. contains information relating to any matter specified in relation to that data controller in the second column of the Fourth Schedule,and includes a copy of such a record or part of such a record.

(5) For the purposes of this section -

  1. a record is not a relevant record to the extent that it relates, or is to relate, only to personal data that is recorded information held by a public authority other than by means which enable the data to be processed automatically, or to be structured either by reference to individuals or criteria relating to individuals so that specific information relating to a particular individual is readily available;
  2. a record which states that a data controller is not processing any personal data relating to a particular matter shall be taken to be a record containing information relating to that matter.

(6) The Minister may, by order published in the Gazette, amend the Fourth Schedule.

64. Avoidance of certain contractual terms relating to health records.

(1) This section applies to any record which -

  1. has been or is to be obtained by a data subject in the exercise of a right conferred by section 6 (right to access personal data); and
  2. consists of the information contained in any health record.

(2) Any term or condition of a contract is void in so far as it purports to require an individual -

  1. to supply any other person with a record to which this section applies, or with a copy of such record or part of such a record; or
  2. to produce to any other person such a record, copy or part.

65. Disclosure of information.

(1) A person shall disclose to the Commissioner or the Appeal Tribunal referred to in section 70, as the case may require, anyinformation required by the Commissioner or Appeal Tribunal (as the case may be) for the discharge of functions under this Act, unless precluded from such disclosure under any enactment or rule of law.

(2) Nothing in subsection (1) shall be construed as requiring an individual to disclose -

  1. anything that tends to incriminate that individual; or
  2. any information protected from disclosure by legal professional privilege.

66. Confidentiality of information.

(1) No person who is or has been the Commissioner, a member of the Commissioner’s staff or an agent of the Commissioner shall disclose any information which -

  1. has been obtained by, or furnished to, the Commissioner under or for the purposes of this Act or the Access to Information Act;
  2. relates to an identified or identifiable individual or business; and
  3. is not at the time of the disclosure, and has not previously been, available to the public from other sources,

unless the disclosure is made with lawful authority.

(2) For the purposes of subsection (1), a disclosure is made with lawful authority only if, and to the extent that -

  1. the disclosure is made with the consent of the individual or of the person for the time being carrying on the business (as the case may be);
  2. the information was provided for the purpose of its being made available to the public (in whatever manner) under any provision of this Act or the Access to Information Act;
  3. the disclosure is made for the purposes of, and is necessary for, the discharge of -
    1. any functions under this Act or the Access to Information Act; or
    2. any of Jamaica’s obligations under an international treaty;
  4. the disclosure is made for the purposes of any proceedings, whether criminal or civil and whether arising under, or by virtue of, this Act or the Access to Information Act or otherwise; or
  5. having regard to the rights and freedoms or legitimate interests of any individual, the disclosure is necessary in the public interest.

(3) Any person who knowingly or recklessly discloses information in contravention of subsection (1) commits an offence and shall be liable upon -

  1. summary conviction in a Parish Court, to a fine not exceeding two million dollars or to imprisonment for a term not exceeding two years; or
  2. conviction on indictment in a Circuit Court to a fine, or to imprisonment for a term not exceeding ten years.

67. Prosecutions and penalties.

(1) No proceedings for an offence under this Act shall be instituted except -

  1. by the Director of Public Prosecutions; or
  2. by the Commissioner, with the consent of the Director of Public Prosecutions.

(2) Subject to subsection (3), the court by or before which a person is convicted of an offence under -

  1. section 18(1) (processing without registration), 19(5) (carrying on specified processing other than via assessment by the Commissioner), 61 (unlawfully obtaining, etc. personal data) or 63 (prohibition on requiring certain records); or
  2. section 52(1) (failure to comply with notice), as concerns an enforcement notice,

may order that any document or other material used in connection withthe commission of the processing of personal data and appearing to the court to be connected with the commission of the offence to be forfeited, destroyed or erased.

(3) A court shall not make an order under subsection (2) in relation to any material where a person, other than the offender, claiming to be the owner of the material, or otherwise interested in the material, applies to be heard by the court, is given an opportunity to be heard, and shows cause why the order should not be made.

68. Liability of body corporate, directors, etc.

(1) Notwithstanding any other penalty specified in this Act, where a body corporate commits an offence under this Act, the body corporate shall be liable to a fine not exceeding four percent of the annual gross worldwide turnover of that body corporate for the preceding year of assessment in accordance with the Income Tax Act.

(2) In determining the quantum of any fine under subsection (1), a court shall take into account -

  1. the estimated economic cost to consumers, users of the services concerned and any other persons, of the contravention giving rise to the offence;
  2. the estimated economic benefit derived by the body corporate from the commission of the offence;
  3. the period for which the contravention continued;
  4. the number and severity of any other offences under this Act committed by the body corporate; and
  5. any other factors which the court considers relevant.

(3) Where an offence under this Act has been committed by a body corporate and is proved to have been committed with the consent or connivance of, or to be attributable to any neglect on the part of, any director, manager, secretary, similar officer of the body corporate or any person who was purporting to act in any such capacity, that director, manager, secretary, similar officer or other person (as the case may be) shall be liable, as well as the body corporate to be proceeded against and punished accordingly.

(4) Where the affairs of a body corporate are managed by its members, subsection (3) shall apply in relation to the acts and defaults of a member in connection with that member’s functions of management as if the member were a director of the body corporate.

69. Liability for damage.

(1) An individual who suffers damage by reason of any contravention by a data controller of any of the requirements of this Act is entitled to compensation from the data controller for that damage.

(2) An individual who suffers distress by reason of any contravention by a data controller of any of the requirements of this Act is entitled to compensation, from the data controller, for that distress if -

  1. the individual also suffers damage by reason of the contravention; or
  2. the contravention relates to the processing of personal data for the special purposes.

(3) In proceedings brought against a person by virtue of this section, it is a defence to prove that the person took all such care in all the circumstances as was reasonably required to comply with the requirement concerned.

70. Appeals.

(1) A person aggrieved by a decision of the Commissioner, other than a decision in respect of an enforcement notice, assessment notice or information notice, may appeal to the Appeal Tribunal in accordance with such procedure as may be prescribed.

Fifth Schedule.

(2) The provisions of the Fifth Schedule shall have effect in respect of the constitution and functions of the Appeal Tribunal.

(3) On hearing an appeal under this section, the Appeal Tribunal may -

  1. dismiss the appeal; or
  2. allow the appeal in whole or in part, and direct the appropriate person or body to take any action or make any decision which could have been taken or made (as the case may be), by that person or body regarding the matter in respect of which the appeal is allowed.

71. Service of notices.

(1) Any notice authorised or required by this Act to be served on or given to any person by the Commissioner may -

  1. if that person is an individual, be served on the person -
    1. by hand-delivering it to the person; or
    2. by sending it to the person by registered post addressed to the person’s usual or last-known place of residence or business, or by leaving it for the person at that place;
  2. if that person is a body corporate or unincorporated body, be served on that body -
    1. by sending it by registered post addressed to an officer of the body at the body’s principal office; or
    2. by addressing it to an officer of the body and leaving it at the body’s principal office.

(2) This section is without prejudice to any other lawful method of serving or giving a notice.

72. Application to Crown.

(1) This Act binds the Crown. (2) For the purposes of this Act, each public authority shall be treated as a person separate from any other public authority. (3) A public authority shall not be liable to prosecution under this Act.

73. Application t o Parliament.

(1) Subject to the following provisions of this section and to section 40 (exemption relating to parliamentary privilege), this Act applies to the processing of personal data by or on behalf of either House of Parliament as it applies to the processing of personal data by other persons.

(2) Where the purposes for which and the manner in which any personal data are, or are to be, processed are determined by or on behalf of either House of Parliament, the data controller in respect of those personal data for the purposes of this Act shall be the Clerk to the Houses.

74. Regulations.

(1) The Minister may make regulations for the purpose of giving effect to the provisions of this Act, and such regulations may -

  1. make different provision for different cases; and
  2. make such supplemental, incidental, consequential, transitional or savings provisions as the Minister considers appropriate.

(2) Without limiting the generality of subsection (1), regulations made under this section may -

  1. provide additional safeguards in relation to sensitive personal data;
  2. prescribe retention periods for personal data, to be observed by data controllers;
  3. prescribe the fees which may be imposed under this Act;
  4. prescribe offences for the contravention of the regulations and the penalties therefor, which penalties may exceed the amount specified in section 29(1)(b) of the Interpretation Act but shall not in any event exceed five million dollars; and
  5. prescribe the methods by which personal data may be disposed of.

(3) The following instruments mentioned in this Act shall be subject to affirmative resolution -

  1. regulations under section 2 prescribing attributes considered to be biometric data;
  2. orders under section 11(3)(b) (order specifying additional grounds on which processing of personal data may be prevented);
  3. orders under section 19(1) (order describing “specified processing” for which assessment is required);
  4. regulations under section 22(7) prescribing additional circumstances in which a data controller is not obliged to disclose to a data subject the information referred to in section 22(4);
  5. orders under section 24(1)(k), (3) or (4) (orders concerning processing of sensitive personal data);
  6. orders under section 24(5) specifying cases in which conditions for processing sensitive personal data are deemed not to be met regardless of consent of data subject;
  7. regulations mentioned in section 28, prescribing methods for disposal of personal data;
  8. orders under section 31(5) prescribing circumstances when transfer to another State or territory is or is not necessary in the public interest;
  9. orders under section 62(11)(a)(iv) or (v) varying the amount of the fixed penalty imposed for breach of the data protection standards or specifying other offences under this Act to which the fixed penalty shall apply;
  10. orders under section 63(6) amending the Fourth Schedule;
  11. orders under paragraph 6(2) of the Second Schedule specifying the matters to be taken into account in determining whether exemption from the disclosure to data subject requirements is warranted.

75. Amendment of monetary and fixed penalties.

The Minister may by order subject to affirmative resolution amend any monetary penalty or fixed penalty imposed by this Act.

76. Transitional.

(1) A data controller shall take all necessary measures to ensure its full compliance with the provisions of this Act, and, in particular, the data protection standards, on or before the expiration of a period of two years from the earliest day appointed under section 1(1).

(2) No proceedings under this Act may be taken against a data controller in respect of any processing, of personal data, done in good faith during the period referred to in subsection (1).

(3) Personal data that is recorded information held other than by means which enable the data to be processed automatically, or to be structured either by reference to individuals or criteria relating to individuals so that specific information relating to a particular individual is readily available, are, until the earliest day appointed under section 1(1), exempt from -

  1. the first, second, third, fifth, seventh and eighth data protection standards;
  2. the sixth data protection standard, except so far as that standard relates to the rights conferred on data subjects by sections 6 and 13;
  3. sections 10, 11 and 12;
  4. Part III;
  5. section 61 (unlawfully obtaining, etc. personal data); and
  6. section 69 (liability for damage), except so far as it relates to damage caused by a contravention of section 6 (rights of access to personal data) or of the fourth data protection standard, and to any distress which is also suffered by reason of that contravention.

77. Review of Act.

This Act shall be reviewed every five years from the earliest day appointed under section 1(1).

FIRST SCHEDULE (Section 4)

PART 1

The Commissioner

Appointment.

  1. (1) Subject to sub-paragraph (2), The Governor-General shall appoint a person having expertise in the area of information communication technology, data protection or privacy rights, or other like skills, to be the Information Commissioner, by instrument under the Broad Seal after consultation with the Prime Minister and the Leader of the Opposition.

(2) A person shall be disqualified for appointment under sub-paragraph (1) if the person is -

  1. a Minister, Parliamentary Secretary or member of Parliament;
  2. a Judge of the Parish Courts, Judge of the Supreme Court or Judge of the Court of Appeal;
  3. the holder of a public office within the meaning of section 2 of the Constitution of Jamaica;
  4. a member of a Local Authority, as defined by the Local Governance Act;
  5. a person who has a financial or other interest in any enterprise or activity which is likely to affect the discharge of the person’s functions as Commissioner;
  6. an undischarged bankrupt; or
  7. a person who has been convicted of any offence involving dishonesty.

(3) The office of Commissioner, or of any staff appointed by the Commissioner (except as provided in paragraph 4(3)) shall not be a public office within the meaning of section 2 of the Constitution of Jamaica.

Tenure of office.

  1. (1) Subject to the provisions of this paragraph, the Commissioner shall hold office for such term not exceeding seven years as may be specified at the time of the Commissioner’s appointment, and shall, subject to sub-paragraph (3) be eligible for re-appointment on the expiration of that term.

(2) The Commissioner may at any time resign the office by notice in writing transmitted to the Governor-General.

(3) The office of Commissioner shall become vacant -

  1. upon the expiration of the term for which the Commissioner is appointed;
  2. if the Commissioner resigns or is removed from office under sub-paragraph (6); or
  3. if the Commissioner contravenes sub-paragraph (5) or is appointed to any office of emolument in the public service.

(4) The Commissioner shall in any case vacate the office on completing fourteen years of service as Commissioner.

(5) The Commissioner shall not engage in any other occupation for reward while holding the office.

(6) The Commissioner may be removed from the office by the Governor-General acting on the advice of the Prime Minister after consultation with the Leader of the Opposition, on the grounds that the Commissioner -

  1. has become incapable of effectively performing the functions of Commissioner due to any infirmity of body or mind; or
  2. has engaged in any misconduct,or for any other cause.

(7) Where advice is given to the Governor-General pursuant to sub-paragraph (6), the Governor-General, after consultation with the Prime Minister and the Leader of the Opposition, shall appoint a tribunal which shall consist of a chairperson and not less than two other members selected from among persons who hold or have held office as a Judge of a court having unlimited jurisdiction in civil and criminal matters in the Commonwealth.

(8) The tribunal appointed under sub-paragraph (7) shall enquire into the matter and report on the facts thereof to the Governor-General and advise the Governor-General as to whether the Commissioner ought to be removed from office in accordance with this paragraph.

(9) The provisions of sections 8 to 16 of the Commissions of Enquiry Act shall apply, with the necessary modifications, in relation to a tribunal appointed under sub-paragraph (7) or, as the context may require, to the members thereof, as they apply in relation to Commissions or commissioners appointed under that Act.

(10) Where the question of removal of the Commissioner from office has been referred to a tribunal appointed under subparagraph (7), and the tribunal has advised the Governor-General that the Commissioner ought to be removed from office, the Governor-General shall by instrument in writing remove the Commissioner from office.

(11) Where the question of removal of the Commissioner has been referred to a tribunal under sub-paragraph (7), the Governor-General, after consultation with the Prime Minister and the Leader of the Opposition, may suspend the Commissioner from performing any function relating to the office, and any such suspension may at any time be revoked by the Governor-General and shall cease to have effect if the tribunal advises the GovernorGeneral that the Commissioner ought not to be removed from office.

(12) In this paragraph “office” means the office of Commissioner.

Remuneration.

  1. (1) The Commissioner shall be entitled to such emoluments and be subject to such other terms and conditions of service as may from time to time be prescribed by or under any law or by a resolution of the House of Representatives.

(2) The emoluments and terms and conditions of service of the Commissioner, other than allowances that are not taken into account in computing pensions, shall not be altered to the Commissioner’s disadvantage during the period of the Commissioner’s appointment or reappointment, as the case may be.

(3) The emoluments for the time being payable to the Commissioner under this Act shall be charged on and paid out of the Consolidated Fund.

(4) The provisions of the Appendix shall have effect with respect to the pension and other benefits to be paid to or in respect of a person who has held office as Commissioner.

Appointment of staff.

  1. (1) The Commissioner may appoint and employ for the purposes of this Act, at such remuneration and on such terms and conditions as may be approved by the Committee constituted under sub-paragraph (2) -
    1. one Deputy Commissioner; and
    2. such number of other officers and staff as the Commissioner considers necessary for the purposes of this Act.

(2) The Committee referred to in sub-paragraph (1) shall consist of -

  1. the Speaker of the House of Representatives;
  2. the President of the Senate;
  3. the person designated by the Prime Minister as Leader of Government Business in the House of Representatives;
  4. the person designated by the Leader of the Opposition as Leader of Opposition Business in the House of Representatives;
  5. the person designated by the Leader of the Opposition as Leader of Opposition Business in the Senate; and
  6. the Minister responsible for finance or nominee.

(3) The Governor-General may, subject to such conditions as the Governor-General may impose, approve the appointment, to the staff of the Commissioner, of any officer in the public service, provided that in relation to pension, gratuity, allowance and other rights as public officers, such officer shall be deemed to be in the public service while so employed.

(4) The Deputy Commissioner shall perform the functions of the Commissioner during any vacancy in that office or at any time when the Commissioner is for any reason unable to act.

(5) Without prejudice to sub-paragraph (4), any functions of the Commissioner may, to the extent authorised by the Commissioner, be performed by any of the Commissioner’s officers or staff

Seal of the Commissioner.

  1. (1) The application of the seal of the Commissioner shall be authenticated by the Commissioner’s signature or by the signature of some other person authorised for the purpose.

(2) Any document purporting to be an instrument issued by the Commissioner and to be duly executed under the Commissioner’s seal or to be signed by or on behalf of the Commissioner shall be received in evidence and shall be deemed to be such an instrument unless the contrary is shown.

Funds.

  1. The funds of the office of Commissioner shall consist of fees and other sums received by the Commissioner in the exercise of the Commissioner’s functions, such sums as may from time to time be placed at the disposition of the Commissioner by Parliament, and such other sums as may lawfully be paid to the Commissioner.

Protection from suit.

  1. No action or other proceedings for damages shall be brought against the Commissioner, or any employee or agent of the Commissioner for any act done, or omission made, in good faith in the performance of any functions, or the exercise of any powers, conferred on the Commissioner by this Act.

PART II

Data Protection Oversight Committee

  1. (1) There is hereby established a Data Protection Oversight Committee (in this Act referred to as the Committee).

(2) The objective of the Committee shall be to hold the Information Commissioner accountable to the public in the performance of the Commissioner’s functions under this Act.

(3) The Committee shall consist of the following persons appointed as members by the Governor-General, upon the recommendation of the Prime Minister after consultation with the Leader of the Opposition -

  1. a retired Judge of the Supreme Court;
  2. an attorney-at-law having expertise in the area of data protection or privacy rights;
  3. a person representing the interests of data subjects;
  4. a person representing the interests of data controllers; and
  5. three other persons having expertise in any one or more of the following areas -
    1. information communication technology;
    2. finance;
    3. governance and public administration.

(4) The following persons shall not be eligible to be appointed as members of the Committee -

  1. a member of -
    1. either House of Parliament; or
    2. the Council of a Municipal Corporation, City Municipality or Town Municipality;
  2. a bankrupt within the meaning of the Insolvency Act; or
  3. a person who has been convicted of an offence involving dishonesty or moral turpitude.

(5) A person shall be eligible to be appointed as a member of the Committee if that person is a person of integrity, capable of exercising competence, diligence, sound judgment and impartiality, in fulfilling that person’s functions as a member of the Committee pursuant to the provisions of this Act.

(6) Subject to sub-paragraph (7) and paragraphs 7 and 8, a person appointed under sub-paragraph (3) shall serve as a member of the Committee for a period of three years and is eligible to be reappointed for one further period of three years.

(7) A person shall not continue to be a member of the Committee, and shall not be eligible to be re-appointed as a member of the Committee if any circumstances exist which render that person no longer eligible to be appointed as described in subparagraphs (4) and (5).

  1. The functions of the Committee shall be to -
    1. monitor and review the performance of the functions of the Information Commissioner;
    2. report to both Houses of Parliament on any matter relating to the performance of the functions of the Information Commissioner;
    3. review the reports laid before Parliament under section 56 and make recommendations thereon to both Houses of Parliament, in the report referred to in paragraph (b); and
    4. perform such other functions as may be necessary for promoting the objective of the Committee under paragraph 1(2).
  2. The Committee -
    1. may investigate any aspect of the operations of the Information Commissioner, or any conduct of the Information Commissioner, or any employee of the office of the Information Commissioner in relation to their functions under this Act;
    2. is entitled to take copies of any document in relation to any matter under investigation by the Committee;
    3. may require the Information Commissioner to supply information, or provide documents, in respect of any matter relating to the operations of the office of the Information Commissioner or the conduct of any employee in relation to their functions under this Act; and
    4. for the purposes of an investigation under subparagraph (a), shall have the powers, protections and immunities conferred upon a Commission under the Commissions of Enquiry Act, and the provisions of that Act shall apply to any person summoned by or appearing before the Committee in the same manner as it applies to a person summoned or appearing before a Commission of Enquiry.
  3. The Governor-General shall cause the names of the members of the Committee, and any change in membership of the Committee, to be published by notice in the Gazette.
  4. The members of the Committee shall elect one of their number to be the chairperson of the Committee.
  5. The Committee shall appoint a secretary whose duties shall be to -
    1. attend the meetings of the Committee;
    2. record minutes of the proceedings of the Committee and keep the minutes in proper form; and
    3. perform such other duties connected with the work of the Committee as the Committee may require.
  6. A member of the Committee shall be removed from office by the Governor-General, on the recommendation of the Prime Minister after consultation with the Leader of the Opposition, if that member -
    1. is absent, without reasonable excuse, from three consecutive meetings of the Committee without the leave of -
      1. the Governor-General, in the case of the chairperson;
      2. the chairperson, in the case of any member other than the chairperson;
    2. becomes incapable of satisfactorily discharging the functions of member; or
    3. has a mental disorder within the meaning of the Mental Health Act.
  7. A member of the Committee may resign office by giving written notice of the resignation to -
    1. the Governor-General, in the case of the chairperson; or
    2. the chairperson, in the case of any member other than the chairperson.
  8. Documents made by, or decisions of, the Committee may be signed under the hand of the chairperson, or any member of the Committee authorised to act in that behalf.
  9. (1) The Committee shall meet as often as it considers necessary for the proper conduct of its affairs, but shall in any event meet not less than once per month.

(2) The chairperson, or any member elected by the Committee to act temporarily as chairperson, shall preside at a meeting of the Committee.

(3) A quorum of the Committee shall be four.

(4) Decisions of the Committee shall be by a majority of votes of the members, and the chairperson shall have a casting vote in addition to an original vote, in any case where the voting is equal.

(5) Proper records of all proceedings of the Committee shall be kept.

  1. No action, suit, prosecution, or other proceedings, shall be brought or instituted personally against any member of the Committee in respect of any act done or omission made bona fide in pursuance of the provisions of this Act.
  2. A member of the Committee who has any interest, directly, or indirectly, in any matter before the Committee shall -
    1. as soon as possible as the relevant facts have come to the knowledge of that member, disclose the nature of the interest at a meeting of the Committee; and
    2. be absent during the deliberations of the Committee, and not take any part in its decision, with respect thereto.
  3. There shall be paid to the Committee from the funds of the Information Commissioner, such remuneration, whether by way of honorarium, salary or fees, such allowances as the Minister responsible for the public service may determine.
  4. The Commissioner shall provide to the Committee such resources as the Committee reasonably requires for the discharge of its functions.

APPENDIX TO FIRST SCHEDULE (Paragraph 3(4))

Pensions and Gratuities

Interpretation.

  1. In this Appendix “pensionable emoluments” has the same meaning as in the Pensions Act.

Entitlement to pensions and gratuities.

  1. (1) Where a person holding the office of Commissioner retires in pensionable circumstances the person shall, subject to the provisions of this Appendix, be paid pension and gratuity in accordance with this Act in lieu of any pension, allowance or gratuity which the person may have been granted pursuant to the Pensions Act.

(2) A person entitled to a pension or gratuity pursuant to sub-paragraph (1) may, by memorandum in writing to the GovernorGeneral, elect to forgo the person’s entitlement under this Act and be granted instead such award under the Pensions Act as would be payable under that Act if the office of Commissioner were a pensionable office under that Act.

(3) For the purposes of this sub-paragraph and subparagraph (4), a person retires in pensionable circumstances if the person -

  1. retires -
    1. on or after completing one term of service as Commissioner; or
    2. by reason of ill health prior to such completion; or
  2. has a minimum of seven years service.

(4) For the purposes of this Act, a person retires from the office of Commissioner on the ground of ill health if the person -

  1. retires on medical evidence, to the satisfaction of the Governor-General, that the person is incapable by reason of any infirmity of mind or body of discharging the duties of Commissioner and that such infirmity is likely to be permanent; or
  2. is removed from office, in accordance with paragraph 2(6) of Part I of the First Schedule, for reason of inability arising from infirmity of mind or body, to perform the functions of the office of Commissioner.

(5) A person who, pursuant to paragraph 2(6) of Part I of the First Schedule, is removed from the office of Commissioner for misconduct or for any other cause other than inability arising from infirmity of mind or body or who retired otherwise than in pensionable circumstances may, subject to sub-paragraph (2), be granted by the Governor-General, in lieu of any pension, allowance or gratuity for which the person may have been eligible pursuant to the Pensions Act such pension and gratuity -

  1. as the Governor-General thinks fit; and
  2. not exceeding the pension and gratuity to which the person would have been entitled had the person retired in pensionable circumstances from the office of Commissioner,

and, for the purposes of sub-paragraph (6), the date of such removal from office or retirement shall be deemed to be the date of retirement in pensionable circumstances.

(6) Pension payable in accordance with this paragraph shall be -

  1. charged on and payable out of the Consolidated Fund; and
  2. paid monthly in arrears with effect, subject to paragraph 4, from the date of retirement in pensionable circumstances and shall, subject to the provisions of this Act, continue to be paid during the lifetime of the person entitled thereto.

Rate of pension.

  1. The rate of pension payable pursuant to paragraph 2 to any person shall be an annual rate equivalent to the sum of onehalf of the person’s pensionable emoluments at the date of retirement and one-three hundred and sixtieth of such pensionable emoluments in respect of each month of service as Commissioner

Reduced pension and gratuity.

  1. (1) Any person to whom a pension (in this paragraph referred to as the original pension) is payable pursuant to paragraph 2 may, at his option exercisable at his retirement in pensionable circumstances or within such period prior or subsequent to his retirement as the Governor-General may allow, be paid, in lieu of the original pension, a reduced pension at the rate of three-fourths of the annual rate of the original pension together with a gratuity (in this Act referred to as a commuted pension gratuity) equal to twelve and one-half times one-quarter of the annual rate of the original pension.

(2) The option referred to in sub-paragraph (1) shall be irrevocable unless the Governor-General, on such terms as the Governor-General considers reasonable, otherwise permits.

Gratuity on death.

  1. (1) Where a person dies while holding the office of Commissioner, there shall be paid to the person’s legal personal representative a gratuity of an amount equivalent to -
    1. one year’s pensionable emoluments; or
    2. the commuted pension gratuity for which the person had a right to opt pursuant to paragraph 4 on the assumption that the person retired in pensionable circumstances at the date of the person’s death, whichever is the greater.

(2) Where a person dies while in receipt of a pension pursuant to paragraph 2, there shall be paid to the person’s legal personal representative a gratuity of an amount equivalent to one year’s pensionable emoluments of that person at the date of the person’s retirement or removal from office, from which gratuity shall be deducted any pension or gratuity already paid to that person under this Act or under the Pensions Act.

Pensions to dependants in case of injuries received or disease contracted in discharge of duties.

  1. Where a person holding the office of Commissioner dies as a result of injuries received -
    1. in the actual discharge of the person’s duties;
    2. in circumstances in which the injury is not wholly or mainly due to or seriously aggravated by the person’s own serious and culpable negligence or misconduct; and
    3. on account of circumstances specifically attributable to the nature of the person’s duties,

while in that office, it shall be lawful for the Governor-General to grant to the deceased officer’s widow, children, parents or other dependants such award as would have been made under the Pensions Act if the office of Commissioner were a pensionable office for the purposes of that Act.

Pensions, etc., not to be assigned.

  1. A pension or gratuity payable under this Act shall not be assignable or transferable except for the purpose of satisfying -
    1. a debt due to the Government; or
    2. an order of any court for the payment of periodical sums of money towards the maintenance of the spouse or former spouse or the minor children, of the person to whom the pension or gratuity is payable,

and shall not be liable to be attached, sequestered or levied upon, for or in respect of any debt or claim whatever except a debt due to the Government.

Family Benefits pensions.

  1. (1) For the purposes of the Pensions (Public Service) Act, the office of Commissioner shall be deemed to be a pensionable office in the service of Jamaica.

(2) Where a person dies while holding the office of Commissioner or while entitled to a pension under paragraph 2, there shall be paid to the person’s widow a pension at an annual rate equivalent to one-fifth of pensionable emoluments of the person at the date of the person’s death or, if at that date the person was entitled to receive a pension under paragraph 2, at the date of his retirement or, as the case may be, removal from office in accordance with this Act.

(3) Pension payable to a widow pursuant to sub-paragraph (2) shall -

  1. be charged on and payable out of the Consolidated Fund; and
  2. be paid monthly in arrears with effect from the date of the husband’s death and shall, subject to the provisions of this Act, continue to be paid during the widow’s lifetime.

(4) Pension payable to a widow pursuant to sub-paragraph (2) shall be without prejudice to any pension to which the widow may be entitled under the Pensions (Public Service) Act.

(5) In paragraph 6 and sub-paragraphs (2) and (3) of this paragraph, references to a widow shall, in the case of a female appointed Commissioner, be deemed to include references to a widower and cognate expressions shall be construed accordingly and similarly, references to a husband shall be deemed to include references to a wife.

Gratuities where length of service does not qualify for pension.

  1. Where a person retires without a minimum of ten years service, the person shall be granted in respect of that person’s service, the commuted pension gratuity for which that person had a right to opt pursuant to paragraph 4 if the person had retired in pensionable circumstances.

SECOND SCHEDULE (Section 42)

Miscellaneous Exemptions

Confidential references given by data controller.

  1. Personal data are exempt from section 6 if they consist of a reference given or to be given in confidence by the data controller for the purposes of -
    1. the education, training or employment, or prospective education, training or employment, of the data subject;
    2. the appointment, or prospective appointment, of the data subject to any office; or
    3. the provision, or prospective provision, by the data subject of any service.

Jamaica Defence Force.

  1. Personal data are exempt from the disclosure to data subject requirements in any case to the extent to which the application of those requirements would be likely to prejudice the combat effectiveness of the Jamaica Defence Force.

Judicial appointments and honours.

  1. Personal data processed for the purposes of -
    1. assessing any person’s suitability for judicial office or the office of Queen’s Counsel; or
    2. the conferring of any honour or award under the National Honours and Awards Act,are exempt from the disclosure to data subject requirements.

Public service employment and Ministerial appointments.

  1. The Minister may by order exempt from the disclosure to data subject requirements personal data processed for the purposes of assessing any individual’s suitability for -
    1. employment to any office of emolument in the public service; or
    2. any office to which appointments are made by the Governor-General or by a Minister.

Management forecasts, etc.

  1. Personal data processed for the purposes of management forecasting or management planning to assist the data controller in the conduct of any business or other activity are exempt from the disclosure to data subject requirements in any case to the extent to which the application of those provisions would be likely to prejudice the conduct of that business or other activity.

Corporate finance.

  1. (1) Where personal data are processed for the purposes of, or in connection with, a corporate finance service provided by a relevant person -
    1. the personal data are exempt from the disclosure to data subject requirements in any case to the extent to which either -
      1. the application of those provisions to the personal data could affect the price of any instrument which is already in existence or is to be or may be created; or
      2. the data controller reasonably believes that the application of those provisions to the personal data could affect the price of any such instrument; and
    2. to the extent that the personal data are not exempt from the disclosure to data subject requirements by virtue of paragraph (a), they are exempt from those provisions if the exemption is required for the purpose of safeguarding an important economic or financial interest of Jamaica.

(2) For the purposes of sub-paragraph (1)(b), the Minister may by order specify -

  1. matters to be taken into account in determining whether exemption from the disclosure to data subject requirements is required for the purpose of safeguarding an important economic or financial interest of Jamaica; or
  2. circumstances in which exemption from those requirements is, or is not, to be taken to be required for that purpose.

(3) In this paragraph -

“corporate finance service” means a service consisting in -

  1. underwriting in respect of issues of, or the placing of issues of, any instrument;
  2. advice to undertakings on capital structure, industrial strategy and related matters and advice and service relating to mergers and the purchase of undertakings; or
  3. services relating to such underwritings as is mentioned in sub-paragraph (a);

“instrument” means -

  1. transferable securities;
  2. money-market instruments;
  3. units in collective investments schemes (as defined by the Securities Act);
  4. options, futures, swaps, forward rate agreements and any other derivative contracts relating to securities, currencies, interest rates or yields, or other derivative financial instruments, financial indices or financial measures which may be settled physically or in cash;
  5. options, futures, swaps, forward rate agreements and any other derivative contracts relating to commodities that must be settled in cash or may be settled in cash at the option of one of the parties (otherwise than by reason of a default or other termination event);
  6. options, futures, swaps, and any other derivative contract relating to commodities that can be physically settled provided that they are traded on a regulated market or a multilateral trading facility;
  7. options, futures, swaps, forwards and any other derivative contracts relating to commodities, that can be physically settled not otherwise mentioned in subparagraph (f) and not being for commercial purposes, which have the characteristics of other derivative financial instruments, having regard to whether, inter alia, they are cleared and settled through recognized clearing houses or are subject to regular margin calls;
  8. derivative instruments for the transfer of credit risk;
  9. financial contracts for differences; or
  10. options, futures, swaps, forward rate agreements and any other derivative contracts relating to climatic variables, freight rates, emission allowances or inflation rates or other official economic statistics that must be settled in cash or may be settled in cash at the option of one of the parties (otherwise than by reason of a default or other termination event), as well as any other derivative contracts relating to assets, rights, obligations, indices and measures not otherwise mentioned in this section, which have the characteristics of other derivative financial instru-ments, having regard to whether, inter alia, they are traded on a regulated market or a multilateral trading facility, are cleared and settled through recognized clearing houses or are subject to regular margin calls;

“multilateral trading facility “ means a multilateral system, operated by an investment firm or a market operator, which brings together multiple third-party buying and selling interests in financial instruments in the system and in accordance with non-discretionary rules;

“price” includes value;

“relevant person” means a person licensed to carry on a securities business or investment advice business under the Securities Act.

Negotiation.

  1. Personal data which consist of records of the intentions of the data controller in relation to any negotiations with the data subject are exempt from the disclosure to data subject requirements in any case to the extent to which the application of those provisions would be likely to prejudice those negotiations.

Examination marks.

  1. (1) Section 6 shall have effect subject to the provisions of sub-paragraphs (2) to (4) in the case of personal data consisting of marks or other information processed by a data controller -
    1. for the purpose of determining the results of an academic, professional or other examination or of enabling the results of any such examination to be determined; or
    2. in consequence of the determination of any such results.

(2) Where the relevant day falls before the day on which the results of the examination are announced, the period mentioned in section 6(4) shall be extended until -

  1. the end of three months beginning with the relevant day; or
  2. the end of forty days beginning with the date of the announcement,

whichever is the earlier.

(3) Where by virtue of sub-paragraph (2) a period longer than the prescribed period elapses after the relevant day before the request is complied with, the information to be supplied pursuant to the request shall be supplied both by reference to the personal data in question at the time when the request is received and (if different) by reference to the personal data as from time to time held in the period beginning when the request is received and ending when the request is complied with.

(4) For the purposes of this paragraph the results of an examination shall be treated as announced when they are first published or (if not published) when they are first made available or communicated to the candidate in question.

(5) In this paragraph -

“examination” includes any process for determining the knowledge, intelligence, skill or ability of a candidate by reference to his performance in any test, work or other activity;

“the prescribed period” means thirty days or such other period as is for the time being prescribed under section 6(4) in relation to the personal data in question;

“relevant day”, in relation to a request under this paragraph, means the first day on which the data controller has -

  1. the request;
  2. if a fee is payable under section 6(2)(c) in respect of the request, that fee; and
  3. if further information is required under section 8(1) in respect of the request, that information.

Examination scripts, etc.

  1. (1) Personal data consisting of information recorded by candidates during an academic, professional or other examination are exempt from section 6.

(2) In this paragraph, “examination” has the same meaning as in paragraph 8.

Legal professional privilege.

  1. Personal data are exempt from the disclosure to data subject requirements if the personal data consist of information in respect of which a claim to legal professional privilege could be maintained in legal proceedings.

Self-incrimination.

  1. (1) A person need not comply with any request or order under section 6 to the extent that compliance would, by revealing evidence of the commission of any offence, other than an offence under this Act or an offence under section 8 of the Perjury Act (false voluntary declarations and other false statements without oath), expose the person to proceedings for that offence.

(2) Information disclosed by any person in compliance with any request or order under section 6 shall not be admissible against that person in proceedings for an offence under this Act.

Correctional services.

  1. Personal data consisting of any report on an inmate of a correctional institution are exempt from section 6, where the disclosure could reasonably be expected to reveal information supplied in confidence.

THIRD SCHEDULE (Section 55)

Powers of Entry and Inspection

Issue of warrants.

  1. (1) In this schedule, “Judge” means a Judge of the Parish Courts.

(2) If a Judge is satisfied by information on oath supplied by the Commissioner that there are reasonable grounds for suspecting that -

  1. a data controller has contravened or is contravening any of the data protection standards; or
  2. an offence under this Act has been or is being committed,

and that evidence of the contravention or the commission of the offence is to be found on any premises specified in the information, the Judge may, subject to sub-paragraph (5) and paragraph 2, grant a warrant to the Commissioner.

(3) Sub-paragraph (4) applies if a Judge is satisfied, by information on oath supplied by the Commissioner, that a data controller has failed to comply with a requirement imposed by an assessment notice.

(4) Subject to sub-paragraph (5) and paragraph 2, the Judge may, for the purpose of enabling the Commissioner to determine whether the data controller has complied, or is complying with, the data protection standards, grant a warrant to the Commissioner in relation to any premises that were specified in the assessment notice.

(5) A Judge shall not issue a warrant under this Schedule in respect of any personal data processed for the special purposes unless a determination by the Commissioner under section 50 (determination by Commissioner as to the special purposes) with respect to those personal data has taken effect.

(6) A warrant issued under this Schedule shall authorise the Commissioner or any of his officers or staff at any time within seven days after the date of the warrant -

  1. to enter the premises;
  2. to search the premises;
  3. to inspect, examine, operate and test any equipment found on the premises and which is used, or intended to be used, for the processing of personal data;
  4. to inspect and seize any documents or other material found on the premises and which -
    1. in the case of a warrant issued under subparagraph (2), may be such evidence as is mentioned in that sub-paragraph;
    2. in the case of a warrant issued under subparagraph (4), may enable the Commissioner to determine whether the data controller has complied, or is complying with the data protection standards;
  5. to require any person on the premises to provide an explanation of any document or other material found on the premises;
  6. to require any person on the premises to provide such other information as may reasonably be required for the purpose of determining whether the data controller has contravened, or is contravening, the data protection standards.

(7) A Judge shall not issue a warrant under this Schedule unless the Judge is satisfied that -

  1. the Commissioner has given seven days’ notice in writing to the occupier of the premises in question, demanding access to the premises;
  2. either -
    1. access was demanded at a reasonable hour and was unreasonably refused; or
    2. although entry to the premises was granted, the occupier unreasonably refused to comply with a request by the Commissioner or any of the Commissioner’s officers or staff to permit the Commissioner or the officer or member of staff, as the case may be, to do any of the things referred to in sub-paragraph (6); and
  3. the occupier has, after the refusal, been notified by the Commissioner of the application for the warrant and has had an opportunity of being heard by the Judge on the question whether or not the warrant should be issued.

(8) In determining whether the Commissioner has given an occupier the seven days’ notice referred to in sub-paragraph (7)(a), any assessment notice served on the occupier is to be disregarded.

(9) Sub-paragraph (7) shall not apply if the Judge is satisfied that the case is one of urgency or that compliance with that sub-paragraph would defeat the object of the entry.

(10) A Judge who issues a warrant under this Schedule shall also issue two copies of the warrant and certify the copies clearly as copies.

Execution of warrants.

  1. (1) A person executing a warrant under this Schedule may use such reasonable force as may be necessary.

(2) A warrant issued under this Schedule shall be executed at a reasonable hour unless it appears to the person executing the warrant that there are reasonable grounds for suspecting that the objects of the warrant would be defeated if the warrant were so executed.

(3) If the person who occupies the premises in respect of which a warrant is issued under this Schedule is -

  1. present when the warrant is executed, the person shall be shown the warrant and supplied with a copy of it; and
  2. not present when the warrant is executed, a copy of the warrant shall be left in a prominent place on the premises.

(4) A person seizing anything in pursuance of a warrant under this Schedule shall give a receipt for it if asked to do so.

(5) Subject to sub-paragraph (6), anything seized in pursuance of a warrant under this Schedule may be retained for so long as is necessary in all the circumstances, but the person in occupation of the premises in question shall be given a copy of any document seized, and a receipt for any other item seized, if the person so requests and the person executing the warrant considers that the request can be complied with without undue delay.

(6) A Judge of a Parish Court may direct the release of anything seized under this Act if the Judge is satisfied, on the application of the person from whom the thing is seized, that the thing does not fall within paragraph 1(6)(d) or its retention is no longer necessary for the purposes of that sub-paragraph.

Matters exempt from inspection and seizure.

  1. (1) The powers of inspection and seizure conferred by a warrant issued under this Schedule shall not be exercisable in respect of personal data which by virtue of section 33 (national security) are exempt from any of the provisions of this Act.

(2) Subject to the provisions of this paragraph, the powers of inspection and seizure conferred by a warrant issued under this Schedule shall not be exercisable in respect of -

  1. any communication between an attorney-at-law and his client in connection with the giving of legal advice to the client with respect to the client’s obligations, liabilities or rights under this Act; or
  2. any communication between an attorney-at-law and his client, or between the attorney-at-law or the client and any other person, made in connection with or in contemplation of proceedings under or arising out of this Act (including proceedings before the Court) and for the purposes of such proceedings.

(3) Sub-paragraph (2) also applies to -

  1. any copy, or other record, of any communication mentioned in that sub-paragraph; and
  2. any document or article enclosed with, or referred to, in any such communication, if made in connection with the giving of any advice or, as the case may be, in connection with or in contemplation of and for the purposes of any proceedings mentioned in that subparagraph.

(4) Sub-paragraphs (2) and (3) do not apply to anything in the possession of any person other than the attorney-at-law or his client, or to anything held with the intention of furthering a criminal purpose.

(5) In this paragraph, references to the client of an attorneyat-law include references to any person representing that client.

(6) If the person in occupation of any premises in respect of which a warrant is issued under this Schedule objects to the inspection or seizure under the warrant of any material on the grounds that it consists partly of matters in respect of which those powers are not exercisable, the person shall, if the person executing the warrant so requests, furnish the person executing the warrant with a copy of so much of the material as is not exempt from those powers.

Return of warrants.

  1. A warrant issued under this Schedule shall be returned to the court from which it was issued -
    1. after being executed; or
    2. if not executed within the time authorised for its execution, and the person by whom any such warrant is executed shall make an endorsement on it stating what powers have been exercised by that person under the warrant.

Offences.

  1. A person commits an offence if the person -
    1. intentionally obstructs a person in the execution of a warrant issued under this Schedule;
    2. fails without reasonable excuse to give any person executing a warrant issued under this Schedule such assistance as the person executing the warrant may reasonably require for the execution of the warrant;
    3. makes a statement in response to a requirement under paragraph 1(6)(e) or (f), which that person knows to be false in a material respect; or
    4. recklessly makes a statement which is false in a material respect in response to such a requirement.

Vessels, vehicles, etc.

  1. In this Schedule, “premises” includes any vessel, vehicle, aircraft or hovercraft, and references to the occupier of any premises include references to the person in charge of the vessel, vehicle, aircraft or hovercraft (as the case may be).

Selfincrimination.

  1. An explanation given, or information provided, by a person in response to a requirement under paragraph 1(6)(e) or (f) may only be used in evidence against that person -
    1. on a prosecution for an offence under -
      1. paragraph 5; or
      2. section 8 of the Perjury Act (false voluntary declarations and other false statements without oath);
    2. on a prosecution for any other offence where -
      1. in giving evidence that person makes a statement inconsistent with that explanation or information; and
      2. evidence relating to that explanation or information is adduced, or a question relating to it is asked, by that person or on that person’s behalf

FOURTH SCHEDULE (Section 63)

Column 1

Column 2

  1. The Commissioner of Police or such other person as is appointed under section 43 of the Criminal Justice (Administration) Act
  1. Convictions.
  1. Clerks of the Circuit and Parish Courts.
  1. Returns of persons convicted of criminal offences, pursuant to functions under section 45 of the Criminal Justice (Administration) Act.
  1. The Commissioner of Police or his designate under section 54D of the Criminal Justice (Administration) Act.
  1. Particulars as torestricted persons;and registrationcertificates relating to restricted persons.
  1. The Criminal Records (Rehabilitation of Offenders) section 19 of the Board.
  1. Its functions under section 19 of the Criminal Justice (Administration) Act.

FIFTH SCHEDULE (Section 70)

Appeal Tribunal

Constitution.

  1. (1) The Appeal Tribunal shall, subject to sub-paragraph (3), consist of five members (including the chairperson appointed pursuant to paragraph 3), appointed by the Governor-General after consultation with the Prime Minister and the Leader of the Opposition.

(2) The members appointed under sub-paragraph (1), other than the chairperson, shall be persons having expertise in the field of data protection or privacy rights.

(3) For the hearing of any appeal under this Act the Appeal Tribunal may consist of one member sitting alone, if the parties to the appeal agree.

Tenure.

  1. The members of the Appeal Tribunal shall, subject to the provisions of this Schedule, hold office for a period of five years and shall be eligible for reappointment.

Chairperson.

  1. The Governor-General shall appoint to be the chairperson of the Appeal Tribunal a retired Judge of the Supreme Court or Court of Appeal.

Acting appointments.

  1. The Governor-General, after consultation with the Prime Minister and the Leader of the Opposition, may appoint -
    1. in the case of the absence or inability to act of the chairperson, another retired Judge of the Supreme Court or Court of Appeal to act in place of the chairperson; or
    2. in the case of the absence or inability to act of any other member of the Appeal Tribunal, any person to act in place of that member.

Resignation.

  1. (1) Any member of the Appeal Tribunal other than the chairperson may at any time resign the office by instrument in writing addressed to the Governor-General and transmitted through the chairperson, and from the date of receipt by the GovernorGeneral of the instrument that member shall cease to be a member of the Appeal Tribunal.

(2) The chairperson may at any time resign the office by instrument in writing addressed to the Governor-General, and such resignation shall take effect as from the date of receipt by the Governor-General of the instrument.

Revocation of Appointment.

  1. The Governor-General, after consultation with the Prime Minister and the Leader of the Opposition, may terminate the appointment of any member of the Appeal Tribunal who -
    1. becomes of unsound mind or becomes permanently unable to perform his functions by reason of ill health;
    2. becomes bankrupt or compounds with, or suspends payment to, his creditors;
    3. is convicted and sentenced to a term of imprisonment or to death;
    4. is convicted of any offence involving dishonesty; or
    5. fails to carry out the functions conferred or imposed on the member by this Act.

Filling of vacancies.

  1. If any vacancy occurs in the membership of the Appeal Tribunal, such vacancy shall be filled by the appointment of another member.

Publication of membership.

  1. The names of all the members of the Appeal Tribunal as first constituted, and every change in membership thereof, shall be published in the Gazette.

Remuneration of members.

  1. There shall be paid to the chairperson and other members of the Appeal Tribunal, in respect of each appeal, such remuneration (whether by way of honorarium, salary or fees) and such allowances as may be determined by the Minister responsible for the public service.

Voting.

  1. Subject to paragraph 1(2), the decisions of the Appeal Tribunal shall be by a majority of votes of the members, and in addition to an original vote, the chairperson shall have a casting vote in any case in which the voting is equal.

Power to regulate own proceedings.

  1. Subject to the provisions of this Act, the Appeal Tribunal shall regulate its own proceedings.

Office not a public office.

  1. The office of chairperson or member of the Appeal Tribunal shall not be a public office for the purposes of Chapter V of the Constitution of Jamaica.

MEMORANDUM OF OBJECTS AND REASONS

A decision has been taken to enact legislation in order to secure the confidentiality of personal data which may be in the possession of entities (including Government authorities) and to provide for the rights of individuals in relation to their personal data in the possession of those entities. This Bill seeks to give effect to that decision and, among other things, establishes the office of an Information Commissioner charged with the responsibility of overseeing the manner in which personal data in the possession of those entities is handled.

It should also be noted that Jamaica, as part of CARIFORUM, entered into an Economic Partnership Agreement (EPA) with the European Union on October 15, 2008. The EPA requires signatory CARIFORUM States to establish appropriate legal and regulatory regimes, in line with existing high international standards, with a view to ensuring an adequate level of protection of individuals with regard to the processing of personal data.

Responsibility for the implementation and administration of this legislation will fall under the portfolio of the Minister responsible for information and communications technology. FAYVAL WILLIAMS Minister of Science, Energy and Technology.

FAYVAL WILLIAMS
Minister of Science, Energy and Technology.

----------------------------------------------------

A BILL

ENTITLED

AN ACT to Protect the privacy of certain data and for connected matters.



As introduced by the Honourable Minister of Science, Energy and Technology



PRINTED BY JAMAICA PRINTING SERVICES (1992) LTD., (GOVERNMENT PRINTERS), DUKE STREET, KINGSTON, JAMAICA



----------------------------------------------------

PS. You can download oru simpified guide as a PDF.

Our PDF version breaks down the key points of the law in simple English. You can download it for free, click to Download guide.

Please share with your colleagues. We would appreciate it very much 😄.