
Global Data Privacy Guide

Jamaica

(Latin America/Caribbean) Firm Myers, Fletcher & Gordon

Contributors Gina Phillipps Black

Updated 01 Jan 2021

What is the key legislation?

The Data Protection Act, 2020 (“DP Act”) was passed in June 2020 and the Governor-General has given his assent; however, the Minister must publish a notice in the Gazette indicating the date on which the DP Act comes into operation. The Minister may determine that different days be appointed in respect of different provisions of the DP Act. To date, no such notice has been published.

Until the Minister publishes the abovementioned notice to bring the DP Act into operation, Jamaica does not have a single piece of legislation that is dedicated to the safeguard and protection of personal information. As a result, the common law principle of confidentiality remains applicable subject to some provisions imposing duties of confidentiality under specific legislation in Jamaica including: 

  1. The Banking Services Act, 2014 (“BSA”);
  2. The Electronic Transactions Act, 2010 (“ETA”);
  3. The Bank of Jamaica Act, 2001 (“BOJ Act”);
  4. The Telecommunications Act, 2000 (“TCA”);
  5. The Access to Information Act, 2002 (“AIA”);
  6. The Credit Reporting Act, 2010 (“CRA”);
  7. The Cybercrimes Act, 2010 (“CCA”); and
  8. The Charter of Fundamental Rights and Freedoms (Constitutional Amendment) Act, 2011 (“Charter”).

What data is protected?

Under the DP Act “personal data” and “sensitive personal data” are protected. 

The DP Act defines:

  • “personal data” as information (however stored) relating to a living individual or an individual who has been deceased for less than thirty years who can be identified from that information alone or from that information and other information in the possession of, or likely to come into the possession of the data controller. The DP Act also explicitly states that “personal data” includes any expression of opinion about that individual and any indication of the intentions of the data controller or any other person in respect of that individual. 
  • “sensitive personal data” as personal data consisting of any of the following information in respect of the data subject: genetic or biometric data, filiation, racial or ethnic origin, political opinions, philosophical beliefs, religious beliefs or other beliefs of similar nature, membership in any trade union, physical or mental health or condition, sex life and the alleged commission of any offense by the data subject or any proceedings for any offense alleged to have been committed by the data subject. 

Therefore, when the DP Act is in force, the abovementioned data will be specifically protected by statute.

Common-Law Principle of Confidentiality

As indicated above, until the DP Act comes into force, we rely on the common law principles of confidentiality except where specifically protected by statute.

Essentially, it is recognized that individuals have a reasonable expectation of privacy in relation to information that is confidential in nature and was communicated in circumstances suggesting an obligation of confidence. Such information can be protected in Jamaica, and disclosure without consent may give rise to a breach of confidentiality. (This principle was also enunciated by the Jamaican Court of Appeal in Paymaster Jamaica Limited v Grace Kennedy Remittance Services Limited and Paul Lowe [2015] JMCA Civ 20 and affirmed by the Privy Council’s judgment in Paymaster (Jamaica) Limited v Grace Kennedy Remittance Services Limited and another [2017] UKPC 40.)

Examples of Confidentiality and Data Privacy Provisions found in legislation in Jamaica:

  • The BSA prohibits an officer, agent or any other person having access to customer information from giving, divulging or revealing any information regarding the money or other relevant particulars of the account of a customer.
  • The ETA requires that a supplier make available to the consumer information including the security procedures and privacy policy of the supplier in respect of payment, payment information and personal information. 
  • The BOJ Act creates a restriction on the disclosure of any information regarding the affairs of a customer of a commercial bank or specified financial institution other than for the purpose of the BOJ Act.
  • The TCA creates restrictions on the communication of confidential information relating to applicants and applications for licenses or spectrum licenses. 
  • The CRA imposes a duty on relevant persons to regard all documents or information disclosed in connection with the performance of their duty or function under the CRA as secret and confidential. 
  • Under the CCA it is an offense for any person to knowingly obtain, for himself or another person, any unauthorized access to any program or data held in a computer. The CCA defines data to include material in whatever form stored electronically; the whole or part of a computer program; and any representation of information or of concepts in a form suitable for use in a computer, including a program suitable to cause a computer to perform a function. 
  • The Charter provides for the right to protection of private and family life, the privacy of the home and protection of other property and communication.

Who is subject to privacy obligations?

Under the DP Act, a data controller, which may be a person or public authority, is subject to the provisions of the DP Act generally and specifically in relation to the safeguarding and protection of personal data and, where applicable, sensitive personal data. Part V of the DP Act includes exemptions, in whole or in part, to the data protection standards or to the requirements for disclosure to data subjects. These exemptions relate to personal data in circumstances involving the following:

  1. personal data exempted by the Minister of National Security for the purpose of safeguarding national security; 
  2. personal data processed for law enforcement, taxation and statutory functions; 
  3. personal data processed in relation to regulatory activity as indicated in section 35 of the DP Act;
  4. personal data processed for the special purposes of journalism, literature and art;
  5. the information available to the public under any enactment;
  6. parliamentary privilege;
  7. personal data processed by an individual only for domestic purposes; and
  8. matters set out in the Second Schedule to the DP Act.

The common law principle of confidentiality applies to any person (individual or company) who handles the personal data of an identifiable individual.

The Charter applies to natural and juristic persons, depending upon the nature of the right and the duty imposed by the right.

The ETA applies to suppliers which include persons who offer by means of electronic transactions any goods, services or facilities for sale, hire or exchange. 

The BSA applies to officers of any licensee, agent or any other person having access to information on customers; and any person who, by reason of his capacity, office, employment or other relationship with the licensee, has by any means access to the records of the licensee or any register, correspondence or material with regard to the account of any customer of a deposit-taking institution. Where applicable, this obligation survives termination of the person’s relationship with the licensee.

The BOJ Act applies to an authorized officer and any other person authorized pursuant to section 34B(4) of the BOJ Act to give assistance to the Supervisor and the Deputy Supervisor in the performance of their functions under the BOJ Act.

The TCA applies to those having any official duty or being employed in the administration of the TCA.

The CRA applies to every credit bureau, credit information provider, a present or past employee of a credit bureau or credit information provider, or any other person who by reason of his or her capacity or office has by any means access to credit information.

What are the principles applicable to personal data processing?

As indicated above, we do not currently have a single piece of legislation in force that is dedicated to the safeguard and protection of personal information and as such the collection of personal data is not statutorily regulated in Jamaica at this time. When the DP Act comes into force it will regulate the collection of personal data.

The CRA limits the collection of credit information to credit information providers only. Credit information providers are limited to those listed in section 8 of the CRA and such other body, other than an individual, as the Minister of Finance and the Public Service may designate to be a credit information provider.

How is the processing of personal data regulated?

As indicated above, we do not currently have a single piece of legislation in force that is dedicated to the safeguard and protection of personal information and as such the disclosure of personal data is not statutorily regulated in Jamaica at this time under a single statute.

Disclosures Required by Law

There are certain disclosures that may be required by law pursuant to the following acts:

Under the Interception of Communications Act, a warrant may compel a person to allow interception.

Under the CCA, similarly, a person in control of certain data might be compelled by a warrant to produce it.

Under the TCA, confidential information may be disclosed:

  1. with the consent in writing of a licensee or an applicant for a license; 
  2. on the written directions of the Minister of Science, Energy & Technology to the police who require such disclosure for the purpose of the investigation of a criminal offense;
  3. to the Minister of Science, Energy & Technology, an agent of or consultant providing professional services to the Office or Authority, as the case may be, or the Fair Trading Commission; 
  4. subject to section 7(3)(b) of the TCA, to any person who is authorized by the Office or the Authority as the case may be, to receive it; or 
  5. to any person carrying out regulatory or other functions under the TCA.

The disclosure of credit information by a credit bureau is regulated by the provisions of Part II of the CRA.

Registered credit bureaus shall only disclose credit information in the following circumstances:

  1. in accordance with the order of a court; 
  2. subject to section 11(3) to a credit information provider; 
  3. to the supervising authority; 
  4. to the consumer to whom the information pertains; 
  5. information relating to the identification of any consumer, to a constable upon the production of a declaration in the form set out in the Third Schedule and sworn to by that constable; 
  6. as provided under the CRA or any other law; or 
  7. in such other circumstances and to such other entities as the Minister may specify by order.

Furthermore, a credit bureau shall not provide credit information to any person where the credit bureau knows or has reasonable cause to suspect that the information is false or misleading.

A disclosure made in the following circumstances shall not be deemed inconsistent with the duty of secrecy and confidentiality under section 13(1) of the CRA:

  1. Permitted by the provisions of the CRA;
  2. To the supervising authority for the purposes of the CRA;
  3. Made in any legal proceedings for an offense under the CRA or the Perjury Act; or
  4. Where it is reasonable for the credit bureau, credit information provider or another person aforesaid, to make for the purpose of executing the provisions of section 9(2) of the CRA or for the purposes of a hearing under section 6 of the CRA.

The CRA also monitors disclosure by credit information providers. It states that a credit information provider may disclose credit information to a credit bureau in accordance with the CRA but shall do so where the credit information provider has undertaken all reasonable inquiries and investigations and is satisfied that the information is reliable. A credit information provider may also disclose credit information in accordance with the written request of a consumer about that consumer.

Disclosures required by law for the purposes of investigations (fraud, money laundering, etc.)

The Proceeds of Crime Act (“POCA”) requires disclosure for the purpose of investigation of fraud and money laundering.

Section 94(2)

"A person commits an offense if (a) that person knows or believes, or has reasonable grounds for knowing or believing, that another person has engaged in a transaction that could constitute or be related to money laundering; (b) the information or matter on which the knowledge or belief is based or which gives reasonable grounds for such knowledge or belief, came to him in the course of a business in the regulated sector; and (c) the person does not make the required disclosure as soon as is reasonably practicable, and in any event within fifteen days, after the information or other matter comes to him."

Recently, in the Court of Appeal decision Jamaica Bar Association v Attorney General and General Legal Council [2020] JMCA Civ 37, section 94(2) was found to be unconstitutional, only in regard to attorneys-at-law, as it was deemed to be inconsistent with sections 13(3)(j) and 13(3)(a) of the Charter. Accordingly, at this time attorneys in the regulated sector are not required to make suspicious reports to the Designated Authority. We anticipate the decision will be the subject of an appeal to the Privy Council.

Section 94(3)

"For the purpose of enabling the making of the required disclosure, a person in the course of business in the regulated sector shall, in relation to each customer, pay special attention to- (a) all complex, unusual or large business transactions carried out by that customer with the business; and (b) unusual patterns of transactions, whether completed or not, which appear to the person to be inconsistent with the normal transactions carried out by that customer with the business."

Section 94(4)

"The required disclosure is a disclosure of the information or other matter (a) to a nominated officer or (b) to the designated authority in the form and manner prescribed for the purposes of this subsection by regulations made under section 102."

Section 105(1)

"A Judge may, on an application made to him by an appropriate officer, make a disclosure order if he is satisfied that each of the requirements for the making of the order is fulfilled."

Section 106(1)(b)

"...reasonable grounds for believing that the person that the application for the order specifies as appearing to be in possession or control of the information or material so specified is in possession or control of the information or material; (c) reasonable grounds for believing that the information or material is likely to be of substantial value, whether or not by itself, to the investigation for the purposes of which the order is sought."

Bank of Jamaica Guidance Notes on the Prevention of Money Laundering and Countering the Financing of Terrorism, Proliferation and Managing Related Risks 

The enhanced KYC requirements under the POCA (MLP) Regulations, 2007 are: (a) The establishment of statutory minimum KYC requirements by virtue of regulation 7, which contains the following definition of “customer information”: “Customer information includes an applicant for business’s full name, current address, taxpayer registration number or other reference numbers, date and place of birth (in the case of a natural person) and, where applicable, the information referred to in regulation 13(1)(c)”. (See also section 122(1) of the POCA, which outlines the KYC information a financial institution must be in a position to provide pursuant to customer information orders.)

In addition to this, the POCA (MLP) Regulations, 2007 require the following:

  1. Periodic updates of customer information must be carried out at least once every five years (R. 7(1)(c) & (d)). This requirement extends to the existing client base of financial institutions (R. 19);
  2. Transaction verification procedures must be applied particularly in the circumstances specified in regulation 7(3), which include: cases where the transaction meets the TTR limit 7(5); wire transfer transactions; the situation is one requiring an STR to be made; where there is doubt about the accuracy of any previously obtained evidence of identity; and
  3. KYC details must be retained for electronic funds transfers (R. 9).

Wire Transfers and Other Electronic Funds Transfer Activities

The terms ‘wire transfer’ and ‘funds transfer’ refer to any transaction carried out on behalf of an originator person (both natural and legal) through a financial institution by electronic means, with a view to making an amount of money available to a beneficiary person at another financial institution. For all wire transfers or electronic funds transfers, whether domestic or cross-border, the following information should be obtained and retained for the period stated in the regulations when conducting any/all electronic fund transfers (wire transfers, remittances, etc.).

  • The identity of the originator/remitting customer, including name, address and account number (in the absence of an account number, a unique reference number must be included), whether or not the originator is a customer of the Central Bank. (Note that according to the interpretative note to FATF Special Recommendation 7, paragraph 2(e), the originator is an account holder, or where there is no account, the person that places the order with the financial institution to perform the wire or funds transfer.)
  • The identity of the ultimate recipient/beneficiary, where practical, including name, address and account number (in the absence of an account number, a unique reference number must be included).

How are storage, security and retention of personal data regulated?

As indicated above, we do not currently have a single piece of legislation in force that is dedicated to the safeguard and protection of personal information and as such the storage, security and retention of personal data is not statutorily regulated in Jamaica at this time by a single statute.

Section 28 of the DP Act prescribes that personal data should not be kept for longer than is necessary for that purpose and disposal of personal data shall be done in accordance with the Regulations. Section 74 of the DP Act also indicates that the Regulations may speak to the prescribed periods for personal data to be observed by data controllers. This will however also be subject to FID requirements as indicated from time to time. 

Under POCA and the ETA certain entities are required to maintain and keep confidential information for a specified period of time.

Proceeds of Crime Amendment Act & Regulations - Section 6, Regulation 14

Record-keeping procedures should be maintained by a regulated business in any case where evidence of the identity of the applicant for business is obtained as business relationships and transactions under Regulation 7 and transactions on behalf of another pursuant to Regulation 11. 

Regulation 14 also requires that relevant financial businesses keep a record of each transaction and all correspondence, and analysis undertaken, in relation to each transaction and business relationship in accordance with Regulation 14 and account files shall be kept in relation to each customer, containing pertinent information in respect of each of the customer’s accounts with the regulated business. 

The prescribed period for the abovementioned record-keeping is not less than seven years commencing on the date on which the relevant financial business was completed, or the business relationship was terminated, whichever occurs later, or such other period as may be specified by the FID.  

Electronic Transactions Act - Section 11

All entities are required to keep information in an electronic form where required to store such information by law.

The CRA requires that all credit bureaus ensure that credit information in their custody, possession or control is stored in a secure manner, in a form that is capable of being reproduced in intelligible form for the purposes of section 15 of the CRA and in a repository located in Jamaica or, with the written approval of the Minister of Finance and the Public Service, in another jurisdiction.

What are the data subjects' rights?

The Banking Services (Deposit-Taking Institutions) (Customer Related Matters) Code of Conduct 2016 (“Code”) provides consumers with a right of access to personal information. Specifically, Article 11(2)(a) of the Code provides that upon the written request of a customer, a customer must be provided with either an accurate and complete disclosure of the account information or the transaction details requested, within 14 calendar days of the receipt of the request.

Pursuant to section 15 of the CRA, a consumer may make a written request to a credit bureau for the disclosure of all information pertaining to that consumer in the credit bureau’s custody, possession and control. Where a consumer disputes the accuracy or completeness of any information disclosed by a credit bureau in relation to that consumer, they may make a complaint in person or in writing to the credit bureau. 

Under section 6 of the AIA, subject to the provisions of the AIA, every person shall have the right to obtain access to an official document, other than an exempt document. Section 24 of the AIA indicates that where a person claims that an official document contains personal information about the person that is incomplete, incorrect, out of date or misleading and has been used, is being used or is available for use by a public authority for administrative purposes, the person may apply to the public authority for an amendment or an annotation, as the case may be, of that document. 

Are there restrictions on cross-border data transfers?

Not at this time. However, section 31 of the DP Act indicates that personal data shall not be transferred outside of Jamaica unless that territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data. 

Until the DP Act is put into force, the general principles explained above would be applicable.

Are there any notification requirements for data breaches?

Not statutorily at this time; however, there may be an obligation based on the contract.

Section 21 of the DP Act requires data controllers to notify the data subject and the Commissioner of any security breaches, and sets out the manner of the report and its contents.

Who is the privacy regulator?

There is none at this time. However, section 4 of the DP Act establishes the office of the Information Commissioner, who has oversight over the safeguard and protection of personal data pursuant to the DP Act. We are awaiting the appointment of the Commissioner.

What are the consequences of a privacy breach?

A breach will only arise where persons have breached any of the above legislative requirements which relate to privacy, such as failure to maintain records. These attract fines and are only applicable to the entities on which such regulations are imposed.

Throughout the DP Act, there are penalties specific to each respective breach and fixed penalties. Additionally, where a body corporate is in breach of the DP Act, section 68 of the DP Act provides for a fine not exceeding four percent of the annual gross worldwide turnover of the body corporate.

How is electronic marketing regulated?

The DP Act does not speak to electronic marketing but to direct marketing. Section 10 of the DP Act prohibits a data controller from processing personal data for the purpose of direct marketing unless the data subject consents or, subject to section 10(4), is a customer of the data controller.

Under section 25(2) of the ETA, an intermediary shall not be held liable in any civil or criminal proceedings for the content of any electronic document in respect of which the intermediary provides services, if the intermediary:

  1. is not the originator of the document;
  2. has no actual knowledge of the act or omission that would give rise to any civil or criminal liability in respect of the document; and
  3. has no knowledge of any facts or circumstances from which the likelihood of such civil or criminal liability ought reasonably to have been known.

The ETA further states that the intermediary has no duty to monitor any information contained in the electronic document to ensure that no civil or criminal liability will arise.

An “intermediary” is defined under the ETA as a person who sends, receives or stores an electronic document, or provides other services in relation to that document, on behalf of another person.

Are there any recent developments or expected reforms?

As previously indicated, an enactment date has not yet been set. In its current form, the DP Act proposes to impose an obligation on “data controllers” in possession of an individual’s personal data to deal with that information in such a manner that offers that person a level of protection and confidence. The DP Act requires data controllers to comply with what is termed as “Standards of Processing Personal Data” and also imposes conditions for the collection, use, storage, processing, transfer, direct marketing and disclosure of personal data.

In its current form, section 76 of the DP Act allows for a two-year transition period for those affected by the DP Act to implement the necessary procedures to bring them into compliance with the DP Act.

At this time, we could not say when the DP Act will come into force but based on recent inquiries we understand that this is awaiting the appointment of the Information Commissioner and that Regulations to the DP Act are also now being drafted. 
