Confusion in the application of the Data Protection Act?
Dear Editor,
The Office of the Information Commissioner has published a notice requiring data controllers to register under the Data Protection Act (DPA) beginning on June 1, 2024.
The DPA defines a data controller as including any person or public authority which determines the purposes for which and the manner in which personal data are processed. “Data” is a wide word meaning any facts or information. “Personal data” is defined by the DPA as meaning any information relating to a living individual or a person who died within the last 30 years who can be identified from that information. Personal data, therefore, includes the name, address, telephone number, e-mail address, date of birth, name of parents or siblings as well as copies of birth, marriage, and death certificates; driver’s licence; employment or school identification cards. “Process” is defined by the DPA, in relation to personal data, as obtaining or storing personal data. On this basis there is hardly any company, association, institution, or individual who is not a data controller. The extraordinary consequence of this broad-brush approach is that nearly every person in Jamaica would have a legal obligation to register as a data controller.
As an example: If George Smith, who is an electrician, receives a text from Mary Brown stating her address, her mobile telephone number, and that she is having a problem with her electric stove and she needs his assistance, and after responding Smith places a copy of the message in the pocket of his tool bag, on this basis Smith qualifies as a data controller and is required to register and pay a registration fee.
The DPA makes an important distinction between “personal data” and “sensitive personal data”. “Sensitive personal data” is defined as specific information, such as:
(a) genetic data or biometric data
(b) filiation or racial or ethnic origin
(c) political opinions, philosophical beliefs, religious beliefs or other beliefs of a similar nature
(d) membership in any trade union
(e) physical or mental health or condition
(f) sex life
(g) the alleged commission of any offence by the data subject or any proceedings for any offence alleged to have been committed by the data subject
A reasonable approach to the administration of the Act is that only those people who control sensitive personal data should be placed under the onerous obligation to register as controllers. The published instructions only indicate certain categories of data controllers who are required to register “as a matter of priority” but no timetable is fixed for other categories who remain under a general obligation to register and are put at the risk of being eventually subject to penalties.
Alternatively, the responsible minister may, with parliamentary approval, make an order specifying those acts of processing or the data controllers who are to be excluded from these requirements, but this would be a more complex and difficult solution. In any event, it has not been employed.
There is a clear need for a more rational and practical approach to be adopted.
Lloyd Barnett
dr.lgbarnett@gmail.com