Employing data protection
The Data Protection Act of Jamaica (the Act) is now undergoing its two-year transition period during which data controllers are to be putting in place the necessary measures to ensure compliance with the Act. For employers, this includes understanding their responsibilities in relation to employees’ personal data and how this may affect their internal policies and procedures.
Employers tend to collect and process personal data of employees in the form of resumes, references, payroll, medical information and performance reviews. Personal data include data relating to an individual, living or deceased within the last 30 years, who can be identified from that information. Sensitive personal data include information relating to physical or mental health, membership in a trade union and the alleged commission of any offence by the data subject or any proceedings for any offence alleged to have been committed by the data subject.
The Processing of Employee Personal Data
The employment relationship involves different stages, that is, recruitment, hiring, promotion, and termination, voluntary or involuntary. At each stage the data protection considerations differ.
At the recruitment stage, an employer may collect potential employees’ personal data from multiple sources such as resumes, references from former employers and social media platforms. In cases where social media is used, it is important that the information was published by the applicant themselves; otherwise, consent would be required from the applicant.
Another key consideration during recruitment is data retention. Employers may wish to include a privacy notice in job advertisements to inform potential applicants how data are processed during this process. Where an applicant’s information is retained, for example, to notify them of potential vacancies, consent must be obtained. Employers should, however, be cautious as to how long they retain such information because this increases their risk of a potential breach based on the increased volume of personal data being retained.
During employment, the scope of personal data may change, for example, where an employee is promoted. It is important that, where there are any changes to the processing of an employee’s personal data, they are notified and, where necessary, consent is obtained. Consent in the employment context should, however, be the exception and not the rule. Consent should be freely given, and in the context of a potential and existing employment relationship the bargaining power may be unequal, so this threshold is difficult to meet. Consent should therefore only be relied on for internal policies such as the publication of an employee’s picture on their website.
At the end of the employment relationship, data retention is also a key consideration. It is crucial that where personal data are retained there is a legal basis for doing so, such as the employee’s consent or a legal obligation of the employer. For example, an employee may consent to the employer retaining their personal data for a specified period to provide references to future employers. Employers may, therefore, wish to consider obtaining the consent of the departing employee as a part of the exit process.
Next Steps for Employers
With a little over a year until the expiration of the transition period, employers should be taking steps to ensure their compliance with the Act. Among the matters employers should consider are the following:
1) Identifying employees’ personal data being processed and the basis for processing this data; this is typically done by way of a data mapping exercise.
2) Their obligations generally and specifically in relation to employees’ rights as data subjects such as the right to access, erasure, rectification and to object to automated decision making.
3) Informing applicants and employees how they collect, process and share their personal data. An efficient and effective way to do so is through privacy policies that are easily understood and accessible.
4) Keeping records of all activities of processing including recruitment, onboarding and erasure.
5) Retention policies
6) The technical and organisational measures in place, if any, and what may be required. This would include organisational and cybersecurity measures and internal policies.
7) The regular review of the personal data of employees they are processing, their policies and consents to ensure they maintain compliance. This will also assist employers in the preparation of the Data Protection Impact Assessment.
8) Regularly reviewing the personal data retained and destroying personal data where the employer is not permitted to maintain such information.
9) Engaging IT and legal professionals to consult on what may be required for their particular entity for compliance with the Act.
In summary, an employer is a data controller in respect of their employees’ data, before, during and even after employment in some cases. It is therefore crucial that employers are up to date on their data protection obligations and keep employees informed of any changes to their internal procedures to meet their obligations. While this certainly does not cover everything an employer needs to know about employee data, it is a helpful start and can assist in structuring your conversation with an attorney in your data protection journey.
Joanna Marzouca is an attorney at Myers, Fletcher & Gordon and a member of the Firm’s Commercial Department. She may be contacted at joanna.marzouca@mfg.com.jm or through the Firm’s website www.myersfletcher.com. This article is for general information purposes only and does not constitute legal advice.