
Monday 15 March 2021

Are We Compliant With Data Protection Requirements? - Samantha Moore

Samantha Moore

In the range of security alerts, a “red” alert is usually one level above an “amber” alert. The recent alleged exposure of the personal data of thousands of travellers on the Government of Jamaica’s (GOJ) COVID-19 (JAMCOVID) website and app could be considered a “red alert” situation. This has reiterated the need for a robust approach to the way in which personal data is being handled by government entities on a day-to-day basis, especially as the nation prepares for a national ID system. According to an American online newspaper, TechCrunch, more than 70,000 COVID-19 lab results, over 425,000 immigration documents (including passport information) and more than 440,000 images of travellers’ signatures which were uploaded to the JAMCOVID website and app were left unsecured, thereby resulting in unauthorized access.

 

Under the pending Data Protection Act (DPA), government entities are required to ensure that any personal data which comes into their possession is processed in compliance with certain international standards. One of these standards stipulates that personal data must be protected using appropriate technical and organizational measures to prevent unauthorized or unlawful processing of the data as well as any accidental loss, destruction of, or damage to the data. For example, there ought to be pseudonymization and encryption of personal data as well as the ability to remotely erase the data in the event of a security breach. Additionally, the DPA imposes a higher standard of protection for government entities who process sensitive personal data, i.e. data regarding an individual’s medical records or biometrics. The fact that the personal data stored on the JAMCOVID website and app was allegedly left unsecured and unprotected may amount to a breach under the DPA.

The DPA also imposes an obligation on government entities to notify any person whose data has been affected of any security breach. This notification must be done within a reasonable time. It is, however, not clear whether the Ministry of Health and Wellness and/or the Ministry of National Security have made any attempt to notify the travellers whose personal data may have been affected by the breach.

The fact that a third party was contracted by the Ministry of Health and Wellness and/or the Ministry of National Security to create the JAMCOVID website and app would not have relieved them of any liability, as the DPA stipulates that where an entity engages a subcontractor to process the personal data on its behalf, the entity must ensure that the third party is subject to similar data protection obligations and that they have certain technical and organizational measures in place to safeguard against a security breach. Furthermore, the Ministry of Health and Wellness and/or the Ministry of National Security ought to have taken reasonable steps to ensure that the third party is complying with those measures.

Failure to comply with the provisions under the DPA may result in a government entity being subjected to severe fines and penalties. Additionally, any person who can prove that they have suffered some sort of damage from the breach may be entitled to compensation from the government entity.

Likewise, the European Union’s General Data Protection Regulation (GDPR) imposes a duty on entities who process the personal data of EU citizens to ensure that the data is being processed in a manner that is safe, secure and confidential. In the event that any of the personal data which has been compromised belongs to an EU citizen, the Ministry of Health and Wellness and/or the Ministry of National Security may also find themselves being subjected to heavy fines and penalties under the GDPR. Just recently, Marriott International was found to be in breach of the GDPR due to the negligent exposure of the personal records of approximately 339 million guests and was fined a total sum of £99 million by the UK's data protection regulator.

Although government entities are exempted from being liable to criminal prosecution under the DPA, they are not exempted from civil penalties. It is therefore important that these entities start adopting a more robust approach to the way in which they handle the personal data of citizens. It is even more important for the Government to fast track the implementation of the DPA so that Jamaican citizens can have protection against the misuse and mishandling of their personal data.

-------------------O------------------------

Samantha Moore
Partner; Data Protection Consultant
Office: 876-906-2616; 876-906-3402
Mobile: 876-833-0276
Fax: 1-833-261-3637


Note: Samantha Moore is a Partner at Ramsay Smith and is a member of the firm's Commercial Department. Samantha may be contacted via moore@ramsaysmithjm.com or www.ramsaysmithjm.com. This article is for general information purposes only and does not constitute legal advice.

 

Monday 10 October 2016

NATIONAL IDENTIFICATION SYSTEM TO ROLL OUT JANUARY 2018 IN JAMAICA


KINGSTON, Oct. 10 (JIS): Prime Minister, the Most Hon. Andrew Holness, says the National Identification System (NIDS) is set to roll out in January 2018.

He said NIDS is expected to have a transformative effect on Jamaica, providing a comprehensive and secure structure to capture and store personal identity information for citizens and persons resident in the island.

The Prime Minister, who was addressing the Anti-Money Laundering/Counter-Financing of Terrorism (AML/CFT) Conference at The Jamaica Pegasus hotel in New Kingston today (October 10), informed that NIDS was the first item on the agenda for discussion at today’s meeting of the Cabinet.

He said that given all the processes involved in setting up the system, he recognises that the 2018 target date for it to be operational is ambitious, but achievable.

 Mr. Holness said the Government has identified the setting up of NIDS as a strategic priority. What is envisioned is a cradle-to-grave biometric identification system with a unique identification number being used for every Jamaican, with the appropriate anti-fraud features.

“This source of identification will be considered as conclusive for the purpose of customer due diligence, not only for banks but for all businesses which require customer identification and verification,” he pointed out.

Biometric and demographic information will be accessible through databases and computer networks, he added. “We must leverage every technological resource at our disposal to meet the demands of the global business environment. Government’s use of technology in regulation and compliance must be in step with international practices,” he said.

Mr. Holness noted further that NIDS will serve to eliminate some procedural steps and make compliance with AML/CFT regulations in the financial sector easier, while also leading to greater financial inclusion.

The NIDS project is being implemented by the Office of the Prime Minister, through funding from the Inter-American Development Bank (IDB), and was allocated a sum of $14.98 billion this financial year for its continued development.

The project aims to establish a reliable identification system for Jamaicans and other nationals resident in the country, with a unique National Identification Number (NIN) as the primary key identifier of a person in the system.

NIDS has been in development since 2009 and will result in improved governance and management of social, economic and security programmes.


The two-day AML/CFT Conference is being hosted by the Jamaica Bankers Association (JBA) and the Jamaica Institute of Financial Services (JIFS), under the theme ‘Understanding Our Obligations… Safeguarding Our Future’.
