
Jamaica: Data Protection in the Financial Sector


1. Governing Texts

1.1. Legislation

Privacy and data protection in Jamaica will generally be governed by the Data Protection Act, 2020 ('the Act'). The Act was recently passed by the Government of Jamaica ('the Government'); however, the substantive provisions under the Act, which include the rights of a data subject and the legal obligations of a data controller, are not yet in effect. Those provisions will not come into operation until the Government has publicly appointed a date on which they will take effect. Additionally, data controllers will have a transition period of two years from the appointed date to take the necessary steps to ensure full compliance with the requirements under the Act.

The Banking Services Act, 2014 ('BSA') specifically governs financial institutions in Jamaica and creates restrictions on the collection, use, and/or storage of personal information. Additionally, the BSA imposes a general duty of confidentiality or secrecy upon officials and persons who, by reason of their capacity or office, have access to personal records.

Data protection in the financial sector would therefore be governed by both the Act and the BSA.

1.2. Supervisory authorities

The Information Commissioner ('the Commissioner') is the main regulator under the Act. OneTrust DataGuidance confirmed, on 13 December 2021, with the Jamaica Ministry of Science, Energy, and Technology, that Celia Barclay was appointed as Jamaica Information Commissioner and will be responsible for the establishment of the Office of the Information Commissioner.

The Supervisor, i.e. the Governor of the Bank of Jamaica, and the Supervisory Committee established pursuant to the BSA are the main regulators under the BSA.

2. Personal and Financial Data Management

2.1. Legal basis for processing

The Act imposes a general obligation on data controllers to ensure that personal data is being processed in a safe, secure, and confidential manner and otherwise in accordance with the provisions under the Act. More specifically, data controllers are required to comply with the eight data protection standards outlined under the Act. These data protection standards require that:

  • personal data be processed fairly and lawfully and that there must be a legitimate interest for processing the data;
  • personal data must be obtained only for a specific and lawful purpose and must not be processed in any manner incompatible with those purposes. Data controllers will be required to specify the purpose for obtaining the data and will not be permitted to use the data for any other purpose without first informing and, where necessary, receiving the consent of data subjects;
  • personal data collected by data controllers must be adequate, relevant, and must only be limited to the purpose for which it is being processed. The data collected must be relevant to the specified purpose it was collected for and must not be more than what is reasonably required;
  • personal data collected by data controllers must be accurate and, where necessary, kept up to date. Data controllers would not be in breach of this standard if the inaccurate data was provided by the data subjects. However, data controllers would be required to take reasonable steps to ensure the accuracy of the data;
  • personal data collected by data controllers must not be kept for longer than is necessary and must be disposed of in accordance with any regulations (once passed) under the Act. This is, however, subject to any applicable retention periods prescribed by law;
  • personal data must be processed in accordance with the rights of the data subject as outlined under the Act;
  • personal data collected by data controllers must be protected using appropriate technical and organisational measures so as to prevent unauthorised or unlawful processing of the data as well as any accidental loss or destruction of, or damage to, the data; and
  • the personal data collected by data controllers shall not be transferred to a State or territory outside of Jamaica unless that State or territory ensures an adequate level of protection for the rights and freedoms of the data subjects in relation to the processing of personal data.

Note that the data controller's obligations under the Act are subject to certain exemptions such as where the personal data is being processed for the performance of a contract or where the data controller has obtained the consent of the data subject.

Additionally, Section 134 of the BSA stipulates that:

  • 'no officer of any licensee, agent or any other person having access to information on customers; and
  • no person who, by reason of his capacity, office, employment or other relationship with the licensee, has by any means access to:
    • the records of the licensee; or
    • any registers, correspondence or material with regard to the account of any customer of a deposit taking institution

while his office, employment in or, as the case may be, his professional relationship with the licensee continues or after the termination thereof, shall give, divulge or reveal any information regarding the money or other relevant particulars of the account of that customer.'

The BSA therefore imposes a general duty of confidentiality or secrecy upon employees and agents of financial institutions as it relates to customer information.

2.2. Privacy notices and policies

The BSA does not require financial institutions to provide customers with notice of the institution's privacy policies and practices. The Act, however, does provide a general obligation on data controllers to provide customers with notice of their privacy policies and practices.

Please note, also, that Section 27 of the Electronic Transactions Act ('ETA') requires that a supplier who offers by means of electronic transactions any goods or services for sale shall make available to the consumer its security procedures and privacy policy in respect of payment, payment information, and personal information.

'Personal Information' is defined under the ETA as information about an identifiable individual, including:

  • information relating to the race, gender, marital status, nationality or ethnicity, colour, sexual orientation, age, physical or mental health, disability, religion, social or political views, language, or birth of the individual;
  • information relating to the education or the medical, criminal, credit, or employment history of the individual;
  • information about financial transactions in which the individual is or has been involved;
  • the address, fingerprints, or blood type of the individual;
  • the name of the individual where it appears with other personal information relating to the individual or where the disclosure of the name itself would reveal personal information about the individual;
  • correspondence sent by the individual that is implicitly or explicitly of a private or confidential nature, or further correspondence that would reveal the contents of the original correspondence; and
  • the views or opinions of any person about the individual.

The ETA applies to any supplier who:

  • in Jamaica, offers goods, services or facilities, for sale, hire or exchange, to any person in or outside of Jamaica; or
  • whether in or outside of Jamaica, offers goods, services or facilities, for sale, hire or exchange, to any person in Jamaica.

A 'consumer' is defined under the ETA as any person who employs or wishes to be provided with the services.

A 'supplier' is defined under the ETA as a person who offers by means of electronic transactions any goods, services or facilities for sale, hire or exchange.

2.3. Data security and risk management

There are no sector specific requirements in relation to data security and risk management. Data security and risk management would generally be governed by the Act.

2.4. Data retention/record keeping

The Act does not speak to what would be considered as an appropriate retention period for personal data. However, data controllers would be required under the Act to inform data subjects of the expected period of retention of their personal data which must be clearly set out in the Privacy Notice.

There are very few statutory provisions concerning the retention of documents as it relates to financial institutions. One such example is the Proceeds of Crime (Money Laundering Prevention) Regulations, 2007 ('the Regulations') made under the Proceeds of Crime Act ('POCA'). In particular, Regulation 14 provides that the record-keeping procedures maintained by a person in the regulated sector, i.e. a financial institution, shall require the keeping of a record for the prescribed period which:

  • in the case of evidence of the identity of an applicant for business obtained under procedures maintained in accordance with the Regulations, shall:
    • comprise a copy of the evidence; and
    • provide such information as would enable a copy of it to be obtained; or, where it is not reasonably practicable to comply with either of the foregoing, provide sufficient information to enable the details as to a person's identity contained in the relevant evidence to be re-obtained; and
  • in relation to all relevant financial business, shall comprise a record of each transaction, kept in such manner and form as shall facilitate the reconstruction of transactions.

The prescribed period for the purposes of the Regulation is a period of five years commencing with the date on which the relevant financial business was completed or the business relationship was terminated, whichever occurs later.

3. Financial Reporting and Money Laundering

POCA and the Regulations contain provisions which have a direct impact on the collection, processing, storage, and transfer of data. These provisions include:

  • the maintenance of certain identification procedures for the purposes of complying with Know Your Customer and customer due diligence requirements;
  • the updating of customer information;
  • the on-going monitoring of customer information;
  • the reporting to the relevant authorities of transactions which are deemed suspicious and/or unusual or which go beyond the permitted limits stipulated by law;
  • conducting certain verification procedures as it relates to customer information; and
  • the maintenance of record keeping procedures.

As it relates to the financial sector, the above anti-money laundering provisions must be complied with in addition to the general provisions under the Act.

4. Banking Secrecy and Confidentiality

As mentioned above, the BSA imposes a general duty of confidentiality or secrecy upon employees and agents of financial institutions as it relates to customer information. Employees and agents of financial institutions may disclose personal information in the following circumstances:

  • for the performance of their functions under the BSA or under any other enactment;
  • pursuant to any statute, rule, regulation, directive or court order;
  • internal transfers;
  • transfers to affiliated banks;
  • where the customer or their personal representative gives written permission for disclosure of the information;
  • where the information is disclosed in connection with civil proceedings;
  • where it is in the interests of the financial institution that the information be disclosed; or
  • where the disclosure is necessary for the financial group's general risk management procedures or standardisation of credit approval mechanisms.

5. Insurance

There are no regulations or guidance which specifically cover data collection and processing in the insurance industry. The Act would govern data collection and processing in the insurance industry.

6. Payment Services

The Payment Clearing and Settlement Act and the Bank of Jamaica FinTech Regulatory Sandbox Guidelines ('the Sandbox Guidelines') specifically govern payment service providers in Jamaica. However, there are no data protection or privacy provisions specific to the payment services industry under either instrument.

7. Data Transfers and Outsourcing

There are no sector specific requirements in relation to the transfer of personal data by financial institutions or their use of third parties/cloud computing. The Act imposes a general obligation on data controllers to obtain consent before transferring personal data to third parties.

The Act further provides that where the processing of personal data is carried out by a data processor on behalf of a data controller, the data controller shall:

  • ensure that the processing is carried out under a written contract which stipulates that the data processor is to act only on instructions from the data controller; the contract must also require the data processor to comply with obligations equivalent to those imposed on the data controller under the Act;
  • choose a data processor who provides sufficient guarantees in respect of the technical and organisational security measures governing the processing to be carried out and the reporting of security breaches to the data controller; and
  • take reasonable steps to ensure compliance with those measures.

The Act therefore requires data controllers to ensure that third parties/data processors are subject to similar data protection obligations and that they have certain technical and organisational measures in place to safeguard against a security breach before transferring personal data.

8. Breach Notification

There are no sector specific requirements for financial institutions to notify regulators, clients, or consumers of a data breach. However, the Act stipulates that a data controller is required to report any security breach in respect of the data controller's operations which affects or may affect personal data to the Commissioner within 72 hours after becoming aware of the breach. The report must include:

  • the facts surrounding the security breach;
  • a description of the nature of the security breach, including the categories, number of data subjects concerned, and the type and number of personal data concerned;
  • the measures taken or proposed to be taken to mitigate or address the possible adverse effects of the breach;
  • the consequences of the breach; and
  • the name, address, and other relevant contact information of its data protection officer ('DPO').

A data controller is also required to report any security breach to each data subject whose personal data has been affected by such breach, within such time as prescribed. The report must include:

  • the nature of the security breach;
  • the measures taken or proposed to be taken to mitigate or address the possible adverse effects of the breach; and
  • the name, address, and other relevant contact information of its DPO.

9. Fintech

There are currently no sector specific requirements for financial institutions when using FinTech, i.e. insurtech, regtech, blockchain, and artificial intelligence. However, as previously outlined in section 6 above, the Bank of Jamaica has established a FinTech Regulatory Sandbox. In particular, one of the objectives of the Sandbox is to incentivise the digitisation of financial services by encouraging solutions which effectively provide consumer protection services, including data protection, handling, tracing and resolving complaints (Part II(IV) 4.1.(ii) of the Sandbox Guidelines).

10. Enforcement

Any employee or agent of a financial institution who unlawfully divulges or reveals any information regarding a customer account commits a criminal offence under the BSA and may be liable to a fine of up to JMD 7.5 million (approx. €42,202) or to imprisonment for a term not exceeding five years.

Where a body corporate commits an offence under the Act, the body corporate may be liable to a fine not exceeding 4% of the annual gross worldwide turnover of that body corporate for the preceding year of assessment, in accordance with the Income Tax Act.

A director, manager, secretary, or similar officer of the body corporate or any person who was purporting to act in any such capacity can also be held personally liable.

Any person who commits an offence under the Act may also be subjected to severe fines up to a maximum of JMD 5 million (approx. €28,135) and/or imprisonment up to a maximum of ten years.

Any person who can prove that he/she has suffered damage by reason of any contravention by a data controller of any of their obligations under the Act may be entitled to compensation from the data controller for that damage.

11. Additional Areas of Interest

Not applicable.

Samantha Moore, Partner
Ramsay and Partners, St Andrew
