Under the pending Data Protection Act (DPA), government entities are required to ensure that any personal data which comes into their possession is processed in compliance with certain international standards. One of these standards stipulates that personal data must be protected using appropriate technical and organizational measures to prevent unauthorized or unlawful processing of the data as well as any accidental loss, destruction of, or damage to the data. For example, there ought to be pseudonymization and encryption of personal data as well as the ability to remotely erase the data in the event of a security breach. Additionally, the DPA imposes a higher standard of protection for government entities who process sensitive personal data, i.e. data regarding an individual's medical records or biometrics. The fact that the personal data stored on the JAMCOVID website and app was allegedly left unsecured and unprotected may amount to a breach under the DPA.
The DPA also imposes an obligation on government entities to notify any person whose data has been affected of any security breach. This notification must be done within a reasonable time. It is, however, not clear whether the Ministry of Health and Wellness and/or the Ministry of National Security have made any attempt to notify the travellers whose personal data may have been affected by the breach.
The fact that a third party was contracted by the Ministry of Health and Wellness and/or the Ministry of National Security to create the JAMCOVID website and app would not have relieved them of any liability, as the DPA stipulates that where an entity engages a subcontractor to process the personal data on its behalf, the entity must ensure that the third party is subject to similar data protection obligations and that it has certain technical and organizational measures in place to safeguard against a security breach. Furthermore, the Ministry of Health and Wellness and/or the Ministry of National Security ought to have taken reasonable steps to ensure that the third party is complying with those measures.
Failure to comply with the provisions under the DPA may result in a government entity being subjected to severe fines and penalties. Additionally, any person who can prove that they have suffered some sort of damage from the breach may be entitled to compensation from the government entity.
Likewise, the European Union's General Data Protection Regulation (GDPR) imposes a duty on entities who process the personal data of EU citizens to ensure that the data is being processed in a manner that is safe, secure and confidential. In the event that any of the personal data which has been compromised belongs to an EU citizen, the Ministry of Health and Wellness and/or the Ministry of National Security may also find themselves being subjected to heavy fines and penalties under the GDPR. Just recently, Marriott International was found to be in breach of the GDPR due to the negligent exposure of the personal records of approximately 339 million guests and was fined a total sum of £99 million by the UK's data protection regulator.
Although government entities are exempted from being liable to criminal prosecution under the DPA, they are not exempted from civil penalties. It is therefore important that these entities start adopting a more robust approach to the way in which they handle the personal data of their citizens. It is even more important for the Government to fast-track the implementation of the DPA so that Jamaican citizens can have protection against the misuse and mishandling of their personal data.
-------------------O------------------------
Note: Samantha Moore is a Partner at Ramsay Smith and is a member of the firm's Commercial Department. Samantha may be contacted via moore@ramsaysmithjm.com or www.ramsaysmithjm.com. This article is for general information purposes only and does not constitute legal advice.