There has been a lot of buzz surrounding reports and announcements of the COVID-19 results of certain individuals, ranging from negative to positive.
The issue arises as to whether the results can be disclosed by the data controller and, if so, in what circumstances. In each case, as well, who is the controller? It is always the person who determines the means and purpose for which this personal information is processed. It may not matter that the information is obtained indirectly.
These are relevant concerns because Jamaica recently passed into law a Data Protection Act. It is not yet effective, but it seems clear that irrespective of the answer to these issues, behavioural change, training and awareness are essential to achieving compliance with the Jamaica Data Protection Act, 2020. Our relationship with personal information must be modified to adapt to the circumstances, lest we face the consequences.
The act includes health information such as COVID-19 results in its protective sphere by treating it as sensitive personal data. A controller is not at liberty to process health information as it pleases. ‘Process’ has a very wide meaning. It includes “disclosing the information or data by transmitting, disseminating or otherwise making it available”.
If, as occurred, the COVID-19 result of any person is to be disclosed other than in the ordinary course of the controller’s business, the data subject must give her explicit written consent.
The data subject is a living person who is identified or can be identified from information. This includes the person’s name or a description of the person, such as “world’s strongest man”, that can be used to identify the person.
In addition to explicit consent, one or more of the conditions of processing must be satisfied. These include:
(a) being necessary for the purpose of exercising or performing any right or obligation for employment or social security; or
(b) protecting the vital interests of the individual or other individual, as the case may be, and in this instance, the condition must be that the data subject’s consent cannot be obtained or the data controller should not be reasonably expected to obtain consent; or
(c) the information was placed in the public domain as a result of deliberate steps taken by the data subject or the exercise of functions conferred on any person by or under any enactment.
These strictures have a context. The Data Protection Act has its origins in the right of individual privacy. This right is a fundamental right protected, in the case of Jamaica, by the Charter of Fundamental Rights & Freedoms.
Data protection principles are not new and have been around since in or about 1981. The principles were thought necessary to create an appropriate balance between access to personal information in an era of increased computing power and cross-border trade.
Countries were required to demonstrate more than a healthy respect for the individual’s right to privacy if they want to participate in and benefit from the advantages associated with cross-border trade. Data protection rules, therefore, were developed to permit authorised access to information about the data subject as a means of fostering cross-border trade and business.
Data protection rules, therefore, preserve the right to privacy by authorising access to personal information within acceptable limits. The data subject retains control over who has access to his/her information, how much, for what purposes and for how long, while placing the burden on controllers to justify any deviation from this right.
There are special categories of data defined as sensitive personal data and criminal convictions. The whole purpose of the act is the imposition of an obligation to treat personal information and sensitive personal information as private and confidential, and there are serious penalties for individuals, including imprisonment, and corporations if this obligation is breached.
The penalties range from fines of $2 million to imprisonment of up to seven years. In the case of corporations, they can be fined up to four per cent of their gross worldwide income. Directors and officers may, in the appropriate circumstances, be found liable for data protection breaches. There may also be civil liability if an individual suffers damage.
There must be some analysis in each case. In the case of the disclosure of the COVID-19 results, you be the judge. A sea change is heralded by this act, and failure to undertake this analysis at each stage of processing can result in severe penalties for the offender.
Let the controller be aware!