Is your data protected?
Every Jamaican business collecting or processing your personal information is subject to the DPA.
What is the DPA?
Similar to the EU’s General Data Protection Regulation (GDPR), the Data Protection Act, 2020 (DPA) is designed to protect YOU. It seeks to “safeguard the privacy and personal information of Jamaicans”. The Act provides guidelines on exactly how personal data should be collected, processed, stored, used and disclosed in both physical form and, perhaps more importantly, digital form.
Under the DPA, you can demand to know what data is being collected and how it will be used, that it is accurate, and that it be deleted. You can also opt out of direct led advertising or profiling. The Act requires that data only be obtained and retained for specific “lawful purposes”.
Once an entity has your express permission to collect and keep your precious personal data, they shouldn’t use it “in any way incompatible with the original purpose”. I understand that to be legal talk for, they can collect it for one thing and use it for something else.
If they wish to share the data, which they can’t do without your permission, they are restricted from sharing it outside Jamaica unless they can reasonably guarantee a similar standard of protection.
So any entity collecting your personal data, including even your name, email address or phone number, must comply or face fines, personal liability or civil suits. As you would expect, entities include big businesses. But it also includes schools, service clubs and small vendors who collect your email address for digital payments or your phone number to WhatsApp you a product picture. Regardless of the size or nature of the entity, they must all comply with the same law.
To ensure compliance, and in keeping with the provisions of the Act, the Governor General appointed Jamaica’s first Information Commissioner, Attorney-at-law Celia Barclay.
By 2023, entities are on the hook to ensure your data is lawfully obtained, accurate, up to date, protected or properly destroyed. This two-year transition period allows data controllers to take the necessary steps to ensure compliance with the legislation and to facilitate other administrative processes.
The successful implementation of the DPA is crucial to the successful implementation of NIDS (National Identification System). But that is a blog post for another day.
Protect Yourself
Whether it’s the DPA, GDPR or ABCD, ultimately, you’ve got to protect yourself. Here are my five top tips for personal data protection:
Be skeptical
Activate Two-Factor Authentication (2FA)
Use a strong, unique passphrase
Update software
Backup data