Standards for Processing Personal Data under the Jamaica Data Protection Act (JDPA)

    The importance of data privacy in Jamaica has been made more significant by the passing of our Data Protection Act (DPA) in 2020. Under the DPA, the Information Commissioner (IC) is the designated regulator of data privacy matters. Sections of the DPA were enacted into law on December 1, 2021, to facilitate the establishment and work of the Office of the Information Commissioner. Other sections of the DPA are expected to be enacted into law during 2022.

    The DPA, like most modern data privacy laws, is concerned specifically with defining how organisations may collect and use data about individuals (i.e. personal data). Jamaica’s DPA, like many other pieces of data privacy legislation, may be best understood by focusing on:

    1. The 5 Rights that are accorded by the DPA to individuals so that they maintain control of their personal data and how it is used;
    2. The 8 Standards (principles) defined in the DPA that must be followed by organisations as they collect and use personal data;
    3. The penalties for non-compliance, which may be very significant and may affect both the organisation and responsible individuals within the organisation.

    Data privacy compliance is an ongoing journey that requires periodic training, awareness, correct work practices, documentation and review.

    At The Jamaica National Group, we will renew and refocus our efforts to ensure that we are compliant with the requirements of the DPA as it becomes law, and within the timeframe designated in the DPA.

    To learn more about how your personal information is used, please read our updated Privacy Notice.

    If you require any further information, please contact us at helpdesk@jngroup.com.

    FAQs

    Personal data is any information relating to a person (a ‘data subject’) who can be identified, directly or indirectly, using that information. Personal data includes an identifier such as a name, an identification number, location data, an online identifier or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.

    If personal data is in the possession of a company or organisation, then that data is being processed. The collection or disposal of personal data is also considered to be processing.

    Consent is defined as any freely given, specific, informed and unambiguous indication of your wishes by a statement or by a clear affirmative action, signifying agreement to the processing of personal data. Consent is not permanent and may be withdrawn at any time.

    Personal information is personal data.

    The Data Protection Officer (DPO) is responsible for informing, guiding, training and supporting the organisation on data protection obligations, providing advice regarding Data Protection Impact Assessments (DPIAs) and other requirements of data privacy practice, monitoring internal compliance with data privacy requirements, and acting as a contact point for data subjects and the supervisory authority.

    The Jamaica National Group has appointed a DPO for the Group, who is based in Jamaica.

    The JN Group treats your personal information as private and confidential. We may disclose it to JN Group member companies and our trusted service providers in the normal process of providing a service and managing your business with us, and in order to meet our contractual and legal obligations in accordance with the terms and conditions of your account(s).

    We will also disclose information where necessary to comply with all obligations under the law (to a regulatory body or in the public interest, as required), or if it is required as part of our duty to protect your accounts.

    There are five Rights that are accorded by the DPA to individuals so that they maintain control of their personal data and how it is used:

    1. Access to Information
    2. Consent to Processing
    3. To Prevent Processing
    4. In relation to Automated Decision making
    5. Rectification

    There are eight Standards for processing personal data under the DPA. Companies are required to apply these Standards to the processing of all personal data:

    1. Ensure the processing is fair and lawful
    2. Processing of personal data is compatible with the purposes of collecting that data
    3. Personal data is adequate, relevant and limited to the purpose for which the data was collected
    4. Personal data is kept accurate and up to date as required for the purpose of collection
    5. Personal data is processed in accordance with data subjects’ rights
    6. Personal data is kept no longer than is necessary and disposed of as required
    7. Personal data is protected by appropriate technical/organisational measures and there is prompt notification of security breaches
    8. Personal data is not to be transferred outside Jamaica without adequate levels of protection

    We will keep your information for as long as it takes to process an account or product application and for as long as you have accounts and products with us. We will also keep your personal information for a certain time after your application has ended or you’ve closed your accounts.

    When determining how long we keep your information, we consider our legal obligations, the expectations of financial and data protection regulators and the amount of time we may strictly need to hold your personal information to carry on our business. In many circumstances, your information will be held for seven years.