The crippling effect of sections 16, 17 of the Data Protection Act
It is our position that the filing of registration particulars required by section 16(2) of the Data Protection Act, coupled with the section 17 requirement of the information commissioner to maintain this information in a public register, will have a crippling effect on a company or firm’s drive to innovate and offer increased customer value. In essence, by making the filing of the registration particulars mandatory and available to the public, the Government is commoditising all services. This, ultimately, will result in a price war, forcing prices down. While this may be of short-term value to consumers, this will ultimately drive firms out of the market.
In the Information Age, the extent and speed at which firms can innovate their processes and/or business models speaks to the extent to which they will succeed. Section 15 of the Data Protection Act (DPA) prohibits data controllers from processing personal data (in effect operating their business) unless they register their registration particulars with the information commissioner upon the implementation of the Act.
Registration particulars include:
(a) the data controller’s name, address and other relevant contact information;
(b) if the data controller has appointed a data controller representative for the purposes of this Act, the name, address, and other relevant contact information of the data controller representative;
(c) the name, address and other relevant contact information of the data protection officer appointed under section 20;
(d) a description of the personal data being, or to be processed by or on behalf of the data controller and the category or categories of data subjects to which they relate;
(e) a description of the purpose or purposes for which the personal data are being, or are to be, processed;
(f) a description of any recipient(s) to whom the data controller intends, or may wish to disclose the personal data;
(g) the names, of any States or territories outside of Jamaica to which the data controller directly or indirectly transfers, or intends or may wish directly or indirectly to transfer, the personal data;
(h) where the data controller is a public authority, a statement of that fact; and
(i) such information about the data controller as may be prescribed in regulations made under subsection (3).
We believe that the combination of items contained in letters (d) to (g) set out above represents proprietary information; that is, parts of a business model or secret sauce.
Section 17 of the Data Protection Act mandates the commissioner to maintain this information as a public register. There is no constitutional basis for the information commissioner to require this proprietary information and, worse, make it available to the public.
What public good or interest is being served by imposing this obligation on data controllers? What legitimate goal is the Government trying to achieve by making this information freely available to the public once it is received? It cannot be argued that it is in the best interest of the data subject, as data subjects have several layers of controls and redress available to them. They have the right to request the data controller to tell them what personal data is being processed and how it is being processed. There is also a proactive duty on data controllers to issue privacy notices to their clients informing them of what personal data is being processed and how it is being processed.
In Europe, under Article 30 of the General Data Protection Regulation (GDPR), a data controller is required to maintain a record of processing similar to our section 16 registration particulars; however, this information is not required to be filed, but only maintained by the data controller and made available to the commissioner upon request.
One may argue that this information is already lawfully required to be given to data subjects under the section 22(6) privacy notice, so what harm is done if you now have to file it? In issuing privacy notices you are not publishing your firm’s proprietary information to the public. Firstly, you are only required to give this information to your clients, and not to the public at large. Secondly, you are not required to disclose all the processes that your business employs, but only those processes that include processing their personal data. For example, a privacy notice on a website only has to speak to how personal data collected on the website is processed and nothing more.
While sections 15 through 17 received a lot of feedback from stakeholders during the extensive public consultation period, this specific issue of publishing proprietary company information was never considered as most of the stakeholders understandably maintained narrow self-serving positions that were ultimately not sustainable. Even though this issue was never specifically raised by stakeholders, the technical committee recommended that:
Given that this is a new regime, the Office of Information Commissioner (OIC) ought to properly know the individuals or ‘legal persons’ who are processing data, and the type of data being processed. This is not only important for oversight by the OIC, it also provides the OIC with information to assist in the execution of other key functions, such as training, guidance notes, and directives, etc.
As strong advocates for the right to informational privacy and supporting structures being put in place to enforce the right to privacy, we agree that the OIC must know the personal data that is being processed by data controllers and there must be a starting point. The technical committee, however, does not conclude that the OIC needs to know how the data is being processed nor have they stated that the processing activities ought to be maintained in a public register.
One may say that members of the public and private interest groups already had their opportunity to let their voices be heard and issues such as these can be revisited when the legislation comes up for review. The danger with that approach is that the filing and publishing of data processing records is a one-off event and, like the word once spoken, can never be recalled.
Truth be told, personal data privacy rights are new to the Jamaican populace and, with the best intentions and the brightest minds, one would not be able to distil these issues until you start to look at the practical application of the legislation from a practitioner’s point of view, as opposed to a legal point of view.
In light of the foregoing, it is our position that there should be no requirement for the filing of registration particulars by firms. Instead, as is done in Europe, firms should be required to maintain those records internally and make them available to the information commissioner on request. This would require some form of legislative intervention.
Chukwuemeka Cameron, LLM, is an attorney, trained data protection officer, privacy practitioner, podcaster, and founder of Design Privacy, a consulting firm that helps you comply with privacy laws and build trust with your customers. Send comments to the Observer or ccameron@designprivacy.io.