Data Protection Act Law 3020 Worksheet 4 Week 7-2


THE DATA PROTECTION ACT, 2020

UWI FACULTY OF LAW- EMPLOYMENT LAW 3020


PRESENTER: KHADREA FOLKES, ATTORNEY-AT-LAW
WORKSHEET 4, WEEK 7
OVERVIEW

INTRODUCTION
• Importance of Data
• Types of Data breaches
• Data Protection & Privacy Rights

Data Protection Act 2020
• Purpose
• Key Concepts
• Obligations of Data Processors
• Exemptions
• Enforcement
• Rights of Data Subjects
INTRODUCTION
Employee data collected from the stage of onboarding to separation forms part of the
vital employee data which an employer will need to:
• Carry out administrative functions such as selection for employment, training and
promotion;
• Fulfill legal obligations such as the statutory requirements to keep records under
labour legislation (eg s16 Employment (Termination & Redundancy Payments)
Act, s8 of the Holidays with Pay Act);
• Disclose for litigation purposes or in response to queries by government
operatives, or provide a reference for former workers.
With the increase in electronically stored data, there is a significant risk of
unauthorized access and misuse. Therefore data needs to be safeguarded both in
transit and in storage.
INTRODUCTION
Data breaches can result in reputational damage to businesses, loss of customers, litigation
and fines. Data breaches may be-
• Physical (corporate espionage)- involves the physical theft of documents or equipment
containing data. Items at risk include laptops and PCs, external hard drives, POS systems and
security. Access control measures, which set access privileges across all business workflows, can
reduce this risk.
• Electronic- unauthorized access to, or a deliberate attack on, a system or network where data is
processed, stored or transmitted. Information transmitted electronically may need to be
encrypted, and hard drive shredding and electronic media destruction adopted.
• Skimming- involves the capture and recording of the magnetic strip data on the back of bank
cards, using an external device. The data collected is used to create counterfeit credit and
debit cards. Procedures to monitor the handling of bank cards on POS terminals and PIN-pad
devices, as well as checking devices for evidence of tampering, may be necessary.
INTRODUCTION
Data Protection and the Fundamental Right to Privacy
• The Charter of Fundamental Rights and Freedoms articulates a
qualified, fundamental human right to privacy, Section 13(3)(o) (see also
the United Nations Declaration on Human Rights, [UDHR] Art 12 and the
International Covenant on Civil and Political Rights, [ICCPR] Art 17).
• Privacy as a fundamental right affords individuals, and societies by
extension, protection against the arbitrary and unjustified use of power
by reducing what can be known about us and done to us. It gives space
to be one’s self without judgement and discrimination, and establishes
boundaries by affording control over who knows what about us.
INTRODUCTION
• The implications for the right to privacy presented by
advances in technology are far-reaching. The capabilities for data
protection are unprecedented, as are the capabilities for surveillance
and data breaches, and the most concerning challenge to privacy is
the potential for the right to be compromised without the individual
affected being aware, for instance through secret surveillance.
• Individuals can be uniquely identified from mass data sets; it is
possible to monitor conversations and commercial transactions, track
locations visited, peer into our histories, observe all our actions and
even predict our future actions.
THE DATA PROTECTION ACT, 2020
• Long Title- AN ACT to protect the privacy of certain data and for
connected matters.
• With respect to the collection, use and protection of personal data, the Act -
o Identifies the nature of protected data;
o Sets out the respective obligations and responsibilities of ‘data controllers’,
‘data processors’ and ‘data subjects’, to include establishing data
protection standards and requirements for disclosure to data subjects;
o Provides for exemptions to data protection standards; and
o Sets out an Enforcement Regime.
THE DATA PROTECTION ACT, 2020
KEY CONCEPTS
“Data Controller” – the person/public authority who determines the
purposes for which, and manner in which, any personal data is processed.
Eg Employers, Trade Unions
“Data Subject” – a named or otherwise identifiable individual who is the
subject of personal data. In determining whether an individual is
identifiable, account shall be taken of all means used or reasonably likely to
be used by the data controller or any other person to identify the individual,
eg a reference to an identification number or other identifying
characteristics (whether physical, social or otherwise) which are reasonably
likely to lead to the identification of the individual.
THE DATA PROTECTION ACT, 2020
KEY CONCEPTS
“Data Processor”- in relation to personal data means any person,
other than an employee of the data controller, who processes the data
on behalf of the data controller.
“Process” – in relation to information or personal data means
obtaining, recording or storing the information or personal data, or
carrying out any operation or set of operations including … retrieving,
consulting or using the information or data; disclosing the
information or data by transmitting, disseminating or otherwise making
it available; aligning, blocking, erasing or rendering data anonymous.
THE DATA PROTECTION ACT, 2020
KEY CONCEPTS- Types of data covered
“Biometric data”- information relating to physical, physiological or behavioural characteristics of an
individual which allows for unique identification, eg physical characteristics such as a photo, finger
(palm, toe, foot) print, blood type or iris scan, and behavioural characteristics such as a person’s gait,
signature, keystrokes or voice
“Genetic data” – DNA as defined by the DNA Evidence Act
“Health Record”- any record which: a. is in the custody of a health professional in connection with
the care of an individual; and b. consists of information relating to:
i. Past or present mental health or condition, eg clinical info, diagnosis, treatment, genetic data,
information on testing or biometric data;
ii. Any number or code which uniquely identifies an individual who has registered for health
services;
iii. The name of the individual’s health care provider;
iv. Payments made by the individual, or the individual’s eligibility, for the provision of health services.
THE DATA PROTECTION ACT, 2020
KEY CONCEPTS- Types of data covered
“Personal Data”
Information relating to an individual (living, or dead for less than 30 years) who can
be identified from that information alone or together with other information in the
possession of, or likely to come into the possession of, the data controller.
Includes any expression of opinion about the individual by the data controller.
THE DATA PROTECTION ACT, 2020
KEY CONCEPTS- Types of data covered
“Sensitive Personal Data”- personal data consisting of any of the following
information in respect of a data subject-
a. Genetic or biometric data
b. Filiation or racial or ethnic origin
c. Political opinions, philosophical, religious or other beliefs
d. Membership in any trade union
e. Physical or mental health or condition
f. Sex life
g. The alleged commission of any offence by the data subject, or proceedings for same
*[ILO Convention No. 111 on Discrimination (Employment & Occupation), 1958 applies in
relation to protection from discrimination in access to, as well as terms and conditions of,
employment. It is suggested therefore that a worker who gives inaccurate or incomplete answers
should not be subject to termination of employment or other disciplinary measure]- ILO Code of
Practice on Protection of Workers’ Personal Data
THE DATA PROTECTION ACT, 2020-
OBLIGATIONS OF DATA PROCESSORS
• A data processor who processes personal data must register with the
Information Commissioner (who shall maintain a register), and provide,
inter alia, particulars of its registered office or principal place of
business and other contact details, technical and organizational
measures, details of the nature of personal data being processed, and the
recipients, including other States to which data is transmitted.
• A data protection officer is to be appointed to ensure compliance with
the Act and good practice. However, a data processor who
processes data as a non-profit organization established for
political, philosophical, religious or trade union purposes is
exempt from the scope of this provision.
THE DATA PROTECTION ACT, 2020-
OBLIGATIONS OF DATA PROCESSORS
STANDARDS FOR PROCESSING ‘PERSONAL DATA’, TO INCLUDE
‘SENSITIVE PERSONAL DATA’, at each stage of the data management
process:
1. Satisfy a lawful basis for processing data- personal data must be
processed:
a. ‘Fairly’- refers to the method by which the data was obtained: the data subject must not
have been deceived or misled, and the data must come from an authorised person, eg the
data subject or the Commissioner, a person legally obligated to supply it, or for determining
suitability for an honour/scholarship etc.
b. Lawfully- must fall within one of the lawful bases for processing, viz:
THE DATA PROTECTION ACT, 2020
• Personal data- consent of the data subject obtained and not withdrawn; or processing
necessary for the negotiating/processing of a contract, compliance with a legal
obligation of the data controller, the vital interests of the data subject, the
administration of justice, the exercise of a function under an enactment or other
functions of a public nature exercised in the public interest; or the data has already been
published by the data subject.
• Sensitive personal data- consent obtained in writing; or processing necessary for
exercising a right or obligation in connection with employment or social security
benefits; or processing is carried out in the course of legitimate actions
by any body or association which is not established or conducted for
profit and exists for political, philosophical, religious or trade union
purposes.
THE DATA PROTECTION ACT, 2020
*[Employers should not collect personal data concerning the workers’
membership of a workers’ organization or the workers’ trade union
activities, unless obliged or allowed to do so] eg Clause 3(3) of the Labour
Relations and Industrial Disputes Regulations, 1975 whereby the
Minister may require an employer to produce information in respect of
workers of whom a request for a ballot has been made.
Processing of sensitive personal data in respect of trade union activity is to
be carried out with appropriate safeguards for the rights and freedoms of
data subjects; relates only to individuals who are members of the
association or have regular contact with it in connection with its purposes
and does not involve disclosure of the personal data without consent of the
data subject.
THE DATA PROTECTION ACT, 2020
Processing for medical purposes is to be undertaken by a health professional
or a person under a duty of confidentiality.
Genetic Monitoring- the periodic examination of persons for
environmentally induced changes in their genetic material.
Occupational Health Services Recommendation, 1985 (No.171)-
Surveillance of Workers’ Health- when a valid and generally accepted
method of biological monitoring of the workers’ health for the early
detection of the effects on health of exposure to specific occupational
hazards exists, it may be used to identify workers who need a detailed
medical examination, subject to the individual workers’ consent.
THE DATA PROTECTION ACT, 2020
Personal data –
2. shall only be used for one or more specified lawful purposes *[The ‘finality’ principle; any
new use must be compatible with the original purpose and distortion of information due to new
context avoided].
3. shall be adequate, relevant, and limited to what is necessary for the purposes for
which they are processed
*[Eg medical personal data should only be collected in conformity with national legislation, medical
confidentiality and general principles of occupational safety and health, and only as needed to-
o Determine whether the worker is fit for a particular employment (National Workplace Policy on HIV
& AIDS);
o Fulfill the requirements of occupational safety and health; and
o Determine entitlement to, and grant, social benefits]
*[-ILO Code of Practice on Protection of Workers’ Personal Data]
THE DATA PROTECTION ACT, 2020
Occupational Health Services Recommendation, 1985 (No.171)
14(2) The personnel providing occupational health services should have access to personal
health files only to the extent that the information contained in the files is relevant to the
performance of their duties. Where the files contain personal information covered by medical
confidentiality, this access should be restricted to medical personnel.
(3) Personal data relating to health assessments may be communicated to others only with the
informed consent of the worker concerned.
16(1) On completing a prescribed medical examination for the purpose of determining fitness for
work involving exposure to a particular hazard, the physician who has carried out the
examination should communicate his conclusions in writing to both the worker and the employer.
(2) These conclusions should contain no information of a medical nature; they might, as
appropriate, indicate fitness for the proposed assignment or specify the kinds of jobs and the
conditions of work which are medically contra-indicated, either temporarily or permanently.
THE DATA PROTECTION ACT, 2020
Personal Data-
4. Shall be accurate and kept up to date
5. Shall not be kept any longer than necessary for
processing and is to be disposed of as prescribed
6. Shall be processed in accordance with the rights of data
subjects, eg no direct marketing without consent
THE DATA PROTECTION ACT, 2020
7. Appropriate Technical and Organisational Security
measures are to be implemented, eg encryption, ensuring the
confidentiality, integrity and resilience of processing systems and
services. These are measures to prevent unlawful processing of
personal data and accidental loss of, damage to or destruction of personal
data, and to ensure the Commissioner is notified without delay of any breach
which might affect personal data.
Where a data processor is acting on behalf of a data controller, processing
must be carried out under a contract in writing and only upon the
instructions of the data controller, with sufficient guarantees of
technical and organizational security measures.
THE DATA PROTECTION ACT, 2020
8. Personal data shall not be transferred to a
State/territory outside of Jamaica unless that State/territory
ensures an adequate level of protection for the rights and
freedoms of data subjects with respect to the processing of data,
having regard to inter alia;
• The nature of the personal data
• The international obligations of the state/territory
THE DATA PROTECTION ACT, 2020
EXEMPTIONS from compliance with data processing standards- Processing for;
• Safeguarding National security subject to certification of Minister of National Security
• Law enforcement, taxation, statutory functions
• Research, History & Statistics
• Information available to the public under enactment other than the Access to
Information Act
• Disclosure in connection with legal proceedings
• Parliamentary privilege
• Domestic purposes- personal/family/household affairs and recreational purposes
• Miscellaneous exemptions- confidential references, JDF, Judicial appointments &
honours, public service appointments and ministerial appointments
THE DATA PROTECTION ACT, 2020-
ENFORCEMENT
Enforcement Notice advising of contravention and steps to be taken to rectify within a specified
time. Commissioner to be provided with Data Protection Impact Assessment within 90 days of
end of financial year. Data subject may request assessment as to whether processing of data in
compliance with the Act. Commissioner may serve Assessment Notice or Information Notice to
determine compliance with standards.
Offences
• Processing personal data without registering, unless due diligence to comply was exercised- 2
million dollars on summary conviction or 6 months imprisonment
• Failure to comply with enforcement notice, assessment notice or information notice is an
offence, as well as making a false or reckless statement in respect of same unless due
diligence to comply was exercised- liable to a fine not exceeding 1 million dollars upon
summary conviction. Right of appeal applies.
• Failure to comply with standards for processing personal data- summary conviction, 2 million
dollars/2 years. Circuit court- a fine or imprisonment not exceeding 7 years.
THE DATA PROTECTION ACT, 2020-
RIGHTS OF DATA SUBJECTS
• The Right to Know- Access to Personal Data upon written request enquiring
whether they are the subject of processing of personal data, the purpose for
which it is being processed and the class of persons to which it will be disclosed.
A prescribed fee is payable where the data is to be provided in intelligible form
along with any supplementary information held about them by the data
controller, or to be transmitted to another data controller in a structured, commonly
readable format.
Includes right to data processed by automatic means where the individual is
the subject and the data is being used to evaluate matters such as work
performance, reliability or conduct and has or is likely to form the basis of any
decision significantly affecting the individual. *[workers and their
representatives to be kept informed]
THE DATA PROTECTION ACT, 2020-
RIGHTS OF DATA SUBJECTS
*[All negotiations concerning the processing of workers’ personal data should be
guided by the principles that protect the individual worker’s right to know and
decide which personal data concerning that worker should be used, under which
conditions and for which purposes.
The workers’ representatives should be consulted in conformity with national law
and practice:
• Concerning the introduction or modification of automated systems that process
workers’ personal data;
• Before the introduction of any electronic monitoring of workers’ behaviour in
the workplace;
• About the purpose, contents and the manner of administering and interpreting
any questionnaires and tests concerning the personal data of workers.]-ILO
Code of Practice
THE DATA PROTECTION ACT, 2020-
RIGHTS OF DATA SUBJECTS
Monitoring of Workers’ Behaviour
Continuous Monitoring can cause anxiety and psychological
distress, and is to be limited to cases in which surveillance is
necessary to deal with specific safety and health issues or the
protection of property.
Secret Monitoring is not appropriate where there is a mere
suspicion of wrongdoing; it is appropriate only where reasonable
grounds exist for suspecting such wrongdoing.

-ILO Code of Practice on Protection of Workers’ Personal Data


THE DATA PROTECTION ACT, 2020-
RIGHTS OF DATA SUBJECTS
• Consent to Processing of Data– must be informed, specific, unequivocal, freely
given
• Right to Prevent Processing- must notify processor in writing, with reasonable
notice where likely to cause substantial damage or distress to the subject or another,
the data is irrelevant or incomplete, the manner or purpose of processing is
prohibited by law, the data has been retained by the processor longer than
prescribed by law.
• Rectification of Inaccuracies- includes errors and omissions. Within 30 days of the
request, the processor is to notify the individual where no rectification is made or, where required, give
notice of rectification (amend, block, erase or destroy to correct the inaccuracy) to the
individual making the request and, so far as reasonably practicable, to every other
person or entity to whom the personal data was disclosed at any time during the 12
months preceding the request.
THE DATA PROTECTION ACT, 2020-
RIGHTS OF DATA SUBJECTS
• Rights in relation to Automated decision taking- an individual is entitled, by notice
in writing, to require that no decision is based solely on the processing by automatic
means of data in respect of the subject for the purpose of evaluating matters such as
the individual’s performance at work, creditworthiness, reliability or conduct.
Where processor takes a decision in the absence of a notice from the subject, the
subject is to be informed as soon as reasonably practicable about the decision and the
basis, and the processor is to permit 30 days within which the subject may request a
notice in writing requiring the data controller to reconsider the decision or substitute
for a new decision made on another basis. *[restricting decisions made on the
sole basis of automated processing of personal data recognizes that workers
are entitled to due process]
• Right to object to personal data being processed for direct marketing
without prior consent.
THANK YOU FOR LISTENING!
QUESTIONS? COMMENTS?
