The Jamaican cook shop: on the frontlines of the new Data Protection Act

David Munroe of Family Works Restaurant on Old Hope Road … but how will the Data Protection Act work for him and other small and family-owned businesses in Jamaica?

What does the humble Jamaican cook shop and the pursuit of being Jamaica’s own Mark Zuckerberg have in common? Actually, quite a lot, thanks to provisions under the Data Protection Act, which SlashRoots and the Make.Better Software Developers Community worry could have an outsized impact on Jamaican business and innovation.

We strongly believe in every Jamaican’s right to privacy and commend the Government for trying to ensure that legislature to guide what this right should look like, keeps pace with today’s technology. The hard part is finding a middle ground that does not stifle innovation or place unreasonable regulation on individuals and businesses across Jamaica (or “data controllers” as they are called in the bill). What do I mean?

With the digital tools available today, it has never been easier to setup a Facebook page, launch a website, or create an app to test a business idea with prospective customers. But under the proposed Data Protection Bill, if you want to collect their information, you would first need to register as a data controller; appoint a “data protection officer”; pay a fee; and within 11 months, submit an audit of your activities.

Sounds daunting? Well, even if you aren’t in tech, you could also be impacted. In making our submission to Parliament yesterday, March 13th 2018, we spoke about how everyday people and businesses, like the Jamaican cookshop, will be impacted.

Our friendly meal provider — who we imagine provides an invaluable community service serving great fried chicken with curry gravy — must now also get his head around the fact that he’s a data controller since he does in fact handle customer data in the eyes of the proposed law. This could be names, mobile numbers, delivery addresses, or balances for customers who “trus a food”.

Video of SlashRoots’ submission to Parliament.

Curryman and other small to medium-sized business owners may find these new requirements challenging and we worry that burden of compliance may not match the risks for data misuse or their capacities.

In the coming months the public will become more and more aware of the Act. FYI: the next meeting of the Joint Select Committee will be at 10am on Tuesday, March 27. The Data Protection Act is probably the most far reaching legislation to be discussed in recent time, even more so than the controversial NIDS Bill. It is vital that the act provide an enabling, rather than a restrictive framework, for data use.

We believe the members of the Committee want a healthy debate on the bill and broad engagement with the public.

We invite you to click here and read our submission to Parliament. If you run a cook shop or any business at least, for your own benefit, please at least read our following key recommendations:

  • A Tiered Data Controller System — A tiered system be established that exempts or reduces the obligations of organizations as “data controllers” based upon their size, risks of data misuse, or age.
  • Broaden The Definition Of Consent— The definition of consent be broadened to include “informed consent”. And that definition should require it to be specific, informed, unambiguous and active.
  • Annual Report On Exemptions — The Data Commissioner should publish an annual report on the number of data protection exception requests and restrictions that have been granted.
  • Independent Oversight For Exemptions — An Independent Oversight Mechanism for Tax and National Security exemptions under the bill. This oversight mechanism should include representation of civil society. The requests should be reviewed at regular intervals.
  • A Digital Audit Trail for all records — Even in cases where a data subject’s record or a digital service receives an exemption, all accesses to data record must still be recorded and auditable. This may be redacted from citizen disclosure in some cases, but it should still be tracked. A process should be setup for citizens should be able to request declassification of redacted access to their data.
  • Data Protection Review Cycle— Technology advances quickly. For this law to remain relevant, the Data Commissioner’s Office must be required to review the published regulations every 2–3 years, in collaboration with the CIO’s office, eGov.