More data privacy schooling for companies in DPA grace period
Justine Collins, a partner in the law firm Hart Muirhead Fatta, says that while the Office of the Information Commissioner, OIC, website is not yet live for registration, accounts can be created, as companies position to comply with the new law on the handling of personal data that safeguards privacy rights.
The Data Protection Act took effect on December 1, 2023, but companies have been allowed a six-month grace period to register with the OIC.
The organisations required to register are referred to as ‘data controllers’. They include public authorities, financial institutions, educational institutions, health service providers, security services providers, other large-scale processors, and processors of sensitive personal data.
The fees to register range from $5,000 to $15,000, according to company type.
Those that fail to register face penalties ranging from $7,500 to $25,000 in fines.
Speaking at a webinar organised for local companies by Calibra Solutions Limited in collaboration with partnership with Hart Muirhead Fatta and Data Privacy & Security Advisors, Collins said, regarding the sharing of data, that companies are expected to prepare privacy notices that outline the type of data collected, as well as the legal basis for the collection.
“The statement should also include consequences of not providing the data, and the length of time the data will be kept,” said Collins.
Expectations are that the privacy notices will be published by companies, for example, on their websites.
The law gives the subject of the data, or ‘data subject’, the right to know why the data is being processed and the intended recipient, which might be the central bank or law enforcement, both of which can legally demand information.
Additionally, companies must have documented proof of how they obtained consent for the collection of data from data subjects. That consent is typically built into contracts or agreements at the point of data collection. However, there are circumstances where data can otherwise be legally processed for sharing, for example, where information is sought under the Proceeds of Crime Act.
Among the compliance issues raised during debate on the Data Protection Act was the need for a clear indication of which entities fall into the category of ‘data controller’. The designation is given to companies or organisations, not the people who run them.
“A data controller can be a natural or legal person, such as a company … . A business which requires personal information in order to provide accounts or services is a data controller,” she said.
However: “The CEO is only a representative of the DC. The data controller is the business or bank and must create an account with the commissioner.”
Persons who process data on behalf of a data controller qualifies as a ‘data processor’, whether operating inside or outside the organisation.
As such, software providers may qualify, and where certain functions are outsourced, such as payroll, the outsourced company also qualifies as a processor.
The data controller is required to appoint an independent person – a data protection officer, or DPO – to monitor their compliance with the DPA.
“They supervise and identify gaps. They need also to be accountable to the information commissioner,” Collins advised. That accountability includes the filing of annual reports on the DC’s compliance with the law.
Collins also suggested that it would be in a company’s interest to have the data officer report regularly to the board of directors.
The position is only legally required for controllers that are public authorities and entities that process sensitive personal data or process data on a large scale.
The data protection officer should have no conflicting roles in the organisation, such as a chief operating officer whose job may entail determining the manner and purpose of processing data, the lawyer noted.
The role is best filled by someone who knows the business, it was suggested. But: “They also need legal knowledge or specialised privacy training. If the individual is not a lawyer, they can get training in privacy, communications and compliance needs,” she advised.
Under Jamaica’s DPA, only data controllers are required to register with the OIC, however, “the controller must advise the OIC how many processors it uses, and the name and details of the data protection officer,” Collins said.
With the passage of the new law, companies have to be more circumspect in the handling of personal data. And Collins suggested that companies become familiar with data mapping, using technology, to identify sensitive personal data that may fall within the Data Protection Act and therefore require special handling.
The DPA requires a culture shift in handling of personal information and the approaches companies traditionally take in going after customers and market share.
Collins noted, for instance, that consent from data subjects is required for direct marketing, which might include text messages and other personal contact. And persons must be allowed to opt out of offers.
Amid the transition, Collins said there was wide concern regarding data breaches.
“It is not a matter of if, but when. A data breach is a breach of confidentiality. It ranges from loss of equipment to cyberattacks and ransomware attacks. Simply sending an email to the wrong recipient is a data breach,” she warned.
The proliferation of cyberthreats has led to warnings from tech firms that companies will need to buttress their cybersecurity systems so as not to run afoul of the DPA.
Touching on that, Collins remarked that “a lot of companies have plans for earthquake and fire, but not many have for cybersecurity or data breaches”.
Such a plan, she stated, should involve isolating the incident and consulting with experts.
In the event of a breach, a report must be made to the OIC within 72 hours. “Document each step. The OIC will want to know,” she said, adding that if the breach resulted from a cybercrime, it should also be reported by the relevant law-enforcement and regulatory authorities.
James Koons, a partner at Data Privacy & Security Advisors, which conducts assessments for organisations for data protection readiness, noted that while the OIC website is currently incomplete, complaints can still be filed regarding breaches of the data protection standards.
Asked whether the role of data protection officer can be outsourced, Koons said doing so might present a conflict of interest if the third party selected has business ties with the organisation.
Collins said the law allows for the role to be outsourced, but that the person providing the service cannot serve multiple controllers. Still, she said, it is hoped that the latter element, barring service to multiple controllers, will be eliminated when the DPA regulations have been finalised.
As for the costs associated with compliance with the law, Koons said in other countries the fines for non-compliance “are pretty steep, to the point of company extinction”.
For Jamaica, the cost of compliance would include expenditures on the DPO position, training, technology and reporting structures, but the investment is expected to vary widely, with no clear indication as to size of the spending required for a typical firm.
As for the penalties, breaches of the law can incur million-dollar fines. For a data controller, the fines cannot exceed four per cent of the company’s annual turnover, or gross income.