What’s in it for me? New Citizen Rights in the Data Protection Act
At our recent Data Protection Act Town Hall, two common sentiments shared among the presenters and participants were: Too few Jamaicans understood the broad implications of this bill; and more education and engagement is needed!
At the Town Hall we had outlined four scenarios that reflect how the legislation will impact everyday citizens. Suffice to say it is highly probable that you or your organization could find yourself in at least one such scenario:
James a recovered drug addict who is worried about how data from his past could affect his ability to move on with his life.
Farmer Ricardo wants a loan from his credit union but knows the financial data being used about him is outdated.
Collett, a small business owner who wants to use customer data from her existing business to start a new venture.
Tarik is a college student with an idea for a new online dating service targeting Jamaicans.
Name: James Johnson
Scenario: James was formerly a drug addict. When he was suffering from his addiction, he received services from a local NGO, who helped him overcome his addiction and get back on his feet.
He is now trying to move on with his life, but he is worried about how the information he shared with the NGO could affect his job prospects if they were shared.
How the bill affects James:
With the Data Protection Act, James can request that the NGO disclose what personal data it has about him, how the data is being used, and with whom it has been shared. He can also request a copy of this data.
James can reject any previous consent he may have given to the NGO to use his data internally or share his data with other entities.
Name: Ricardo Brown
Scenario: Ricardo wants a loan from his credit union to expand his farming business. The credit union pulls his personal data — farmer registration information — from RADA to make loan decisions. However, Ricardo knows that he hasn’t spoken to his RADA extension officer in four years, and his data is outdated.
How the Bill affects Ricardo:
Ricardo can request that his credit union tell him whether they have made a decision based solely on the automated processing of data from RADA. After being notified, Ricardo has 21 days to require that they reconsider and make a new decision on another basis.
Ricardo can request that his credit union not make a decision solely based on automatically processing his data from RADA, and instead allow him to provide his updated data.
Name: Collett Simpson
Scenario: Collett is an entrepreneur. She previously ran a business, where she bought and sold designer sandals through her Facebook page. When her main sandals supplier migrated to Canada, she had to shut down the business.
She is now looking to start a new business providing catering services and wants to market to her previous customer base.
How the bill affects Collett:
Under the proposed Data Protection Act, Collett will need to update her registration information with the Information Commissioner — indicating what data she will now collect and the purpose for its usage.
She will also need to get consent from her customers before she can start marketing her catering service to them.
If members of the customer database indicate that they do not want to receive her new products or services, she should not send them marketing information for the new business.
Name: Tarik Johnson
Scenario: Tarik has an idea for a new online dating service targeting Jamaicans. He has developed a prototype for the product and is ready to test market interest with prospective customers.
How the bill affects Tarik:
Under the Data Protection Act, before he can begin collecting personal data from prospective customers, Tarik will need to register with the Information Commissioner providing, among other details, the specifics of the information he will be collecting for his idea and also appoint a Data Protection Officer to represent his company.
When signing up new customers, he will have to communicate why the data is being collected and how it will be used.
When deciding whether to store data in the cloud, he will have to select hosting locations that have equivalent data protections. If he wants to share their data somewhere without equivalent data protections, he will have to get the consent of his users.
If his service gets hacked or the data is compromised. He must notify the Information Commissioner of the compromise and potentially, all his users that their data may have been affected.
New Citizen Rights under the Data Protection Act
You have the right to access your information
Any entity that has data about you is now required to communicate to you in plain and accessible language, what personal data they have, how they use it, and who they have shared it with.The Right to Prevent the processing of your personal data if you believe it is likely to cause damage or harm to you.
- If it is inaccurate, you can change or update it.
- If the data has been held for longer than necessary, you can prevent it from being used
- If the data is being used for direct marketing, you can request they desist.
- You have the right to know how automated decisions are made.The Right to request that no decision is solely based on the automatic processing of personal data.
The Right to apply for a data controller to rectify any inaccuracy in any data of which he/she is the subject.