In recent days, all media was abuzz with reports and announcements of the Covid-19 results of certain individuals ranging from negative to positive. An issue arises as to whether the results can be disclosed by the data controller and if so in what circumstances. In each case as well, who is the controller? It is always the person who determines the means and purpose for which this personal information is processed. It may not matter that the information is obtained indirectly.
These are relevant questions because Jamaica recently passed into law a Data Protection Act. It is not yet effective, but it seems clear that irrespective of the answer to these questions, behavioural change, training and awareness are essential to achieving compliance with the Jamaica Data Protection Act, 2020. Our relationship with personal information must be modified to adapt to the circumstances, lest we face the consequences.
The Act includes health information such as COVID-19 results in its protective sphere by treating it as sensitive personal data. A controller is not at liberty to process health information as it pleases. Process has a very wide meaning. It includes “disclosing the information or data by transmitting, disseminating or other wise making it available.” If, as occurred, the COVID-19 result of any person is to be disclosed other then in the ordinary course of the controllers’ business, the data subject must give her explicit written consent. In addition to explicit consent one or more of the conditions of processing must be satisfied. These include, (a) being necessary for the purpose of exercising or performing any right or obligation for employment or social security; or (b) protecting the vital interests of the individual or other individual as the case may be and in this instance, the condition must be that the data subject’s consent cannot be obtained or the data controller should not be reasonably expected to obtain consent or (c) the information was placed in the public domain as a result of deliberate steps taken by the data subject or the exercise of functions conferred on any person by or under any enactment.
These strictures have a context. The Data Protection Act has its origins in the right of individual privacy. This right is a fundamental right protected, in the case of Jamaica, by the Charter of Fundamental Rights & Freedoms. Data protection principles are not new and have been around since in or about 1981. The principles were thought necessary to create an appropriate balance between access to personal information in an era of increased computing power and cross-border trade. Countries were required to demonstrate more than a healthy respect for the individual right to privacy if they want to participate in and benefit from the advantages associated with cross-border trade. Data protection rules therefore developed to permit authorised access to information about the data subject as means of fostering cross-border trade and business. The data subject is a living person who is identified or can be identified from information. This includes the persons name or a description of the persons such as “world’s strongest man” that can be used to identify the person.
Data protection rules, therefore, preserve the right to privacy by authorising access to personal information within acceptable limits. The data subject retains control over who has access to her information, how much, for what purpose(s) and for how long while placing the burden on controllers to justify any deviation from this right. There are special categories of data defined as sensitive personal data and criminal convictions. The whole purpose of the Act is the imposition of an obligation to treat personal information and sensitive personal information as private and confidential and there are serious penalties for individuals, including imprisonment, and corporations if this obligation is breached. The penalties range from fines of $2,000,000.00 to imprisonment of up to seven years. In the case of corporations, they can be fined up to 4% of their gross worldwide income. Directors and officers may in the appropriate circumstances be found liable for data protection breaches. There may also be civil liability if an individual suffers damage.
There must be some analysis in each case. In the case of the disclosure of the COVID-19 results, you be the judge. A sea-change is heralded by this Act and failure to undertake this analysis at each stage of processing can result in severe penalties for the offender. Let the controller be aware!
M. Georgia Gibson Henlin, QC, CIPP-E, CIPM.
Email – henlin@privacymgmt.org