2. Interpretation and objects.

2. —(1) In this Act—

“biometric data”, in relation toan individual, means anyinformation relating to the physical, physiological or behavioural characteristics of that individual, which allows for the unique identification of the individual, and includes—

(a) physical characteristics such as the photograph or other facial image, finger print, palm print, toe print, foot print, iris scan, retina scan, blood type, height, veinpattern, or eye colour, of the individual, or such other biological attribute of the individual as may be prescribed; and

(b) behavioural characteristics such as a person’s gait, signature, keystrokes or voice;

“Commissioner” means the office of Information Commissioner established by section 4;

“Court” means the Supreme Court; “data controller” means any—

(a) person; or

(b) public authority,

who, either alone or jointly or in common with other persons determines the purposes for which and the manner in which any personal data are, or are to be, processed, and where personal data are processed only for purposes for which they are required under any enactment to be processed, the person on whom the obligation to process the personal data is imposed by or under that enactment is for the purposes of this Act a data controller;

“data controller representative” means a person or other entity appointed for the purposes of section 3(2);

“data processor”, in relation to personal data, means any person, other than an employee of the data controller,who processes the data on behalf of the data controller;

“data protection standards” means the data protection standards as set out in sections 22 to 31, and reference to any of those standards by number means the standard as numbered in any of those sections;

“data subject” means a named or otherwise identifiable individual who is thesubject of personal data, and in determiningwhether an individual is identifiable account shall be taken of all means used or reasonably likely to be used by the data controller or any other person to identify the individual, such as reference to an identification number or other identifying characteristics (whether physical, social or otherwise) which are reasonably likely to lead to the identification of the individual;

“disclosure to data subject requirements” means—

(a) the information mentioned in section 22(6) required to be given to a data subject under section 22(4); and

(b) the provisions of section 6;

“genetic data” means DNAas defined by the DNAEvidence Act, 2016;

“good practice” means such practice as appears to the Commissioner to be desirable having regard to the interests of data subjects and others, and includes (but is not limited to) compliance with the requirements of this Act;

“health professional” means any of the following—

(a) a medical practitioner registered under the Medical Act;

(b) a person registered as a dentist under the Dental Act;

(d) a person registered as a pharmacist or pharmacy owner under the Pharmacy Act;

(e) a person registered as a nurse or midwife, or enrolled as an assistant nurse, under the Nurses and Midwives Act;

(f) a person registered as a member of a “specified profession” within the meaning of section 2 of the Professions Supplementary to Medicine Act;

(g) a regional hospital or public health facility, within the meaning of section 2 of the National Health Services Act;

(h) a private hospital or private health facility;

(i) the National Health Fund;

(j) a provider of ambulance services;

(k) the Hospital established pursuant to the University Hospital Act;

“health record” means any record which—

(a) is in the custody or control of a health professional in connection with the care of an individual; and

(b) consists of information relating to –

(i) the past or present physical or mental health, or condition, of an individual, for example—

(A) clinical information about diagnosis and treatment;

(B) genetic data;

bodily substance, or the donation of a body part or bodily substance;

(D) biometric data;

(ii) the registration of an individual for the provision of health services and any number, symbol or code assigned to uniquelyidentifytheindividual for those services;

(iii) the name of the individual’s health care provider; or

(iv) payments made by, or the eligibility of, the individual for the provision of health services,or any other health related information about the individual that is collected in the course of the provision of health services to that individual;

“minor” in relation to an individual means an individual under the age of eighteen years;

“personal data”—

(a) means information (however stored) relating to—

(i) a living individual; or

(ii) an individual who has been deceased for less than thirty years,

who can be identified from that information alone or from that informationandotherinformationin the possession of, or likely to come into the possession of, the data controller; and

(b) includes any expression of opinion about that individual and anyindication of the intentions of the data controller or any other person in respect of that individual;

“process” in relation to information or personal data means obtaining, recording or storing the information or personal data, or carrying out any operation or set of operations (whether or not by automated means) on the information or data, including—

(a) organisation, adaptation or alteration of the information or data;

(b) retrieving, consulting or using the information or data;

(d) aligning, combining, blocking, erasing or destroying the information or data, or rendering the data anonymous;

“public authority” means—

(a) a Ministry, department, ExecutiveAgencyor other agency of Government;

(b) a statutory body or authority, being a body corporate established by an Act of Parliament and over which the Government or an agency of the Government exercises control;

(d) any company registered under the Companies Act, being a company in which the Government or an agency of the Government is in a position to direct the policy of that company;

(e) a commission of Parliament; or

(f) any other body or organization which provides services of a public nature which are essential to the welfare of Jamaican society, or such aspects of their operations, as may be specified by the Minister by order published in the Gazette;

“sensitive personal data” means personal data consisting of any of the following information in respect of a data subject—

(a) genetic data or biometric data;

(b) filiation, or racial or ethnic origin;

(d) membership in any trade union;

(e) physical or mental health or condition;

(f) sex life;

(g) the alleged commission of any offence by the data subject or any proceedings for anyoffence alleged to have been committed by the data subject;

“the non-disclosure provisions” means the following provisions, to the extent to which they prohibit the disclosure in question—

(a) the first data protection standard, except to the extent to which disclosure is required for compliance with the conditions set out in sections 23 and 24;

(b) the second, third, fourth and fifth data protection standards; and

“the special purposes” means any one or more of the following—

(a) the purposes of journalism;

Application of Act.

(b) artistic purposes;

“trade association” includes anybody representing data controllers.

(2) For the purposes of this Act—

(a) “obtaining” or “recording”, in relation to personal data, includes obtainingor recording the information to be contained in the personal data; and

(b) “using” or “disclosing”, in relation to personal data, includes using or disclosing the information contained in the personal data.

(3) The objects of this Act are to—

(a) define the general principles for the treatment of personal data relating to an individual; and

(b) provide for transparent oversight therefor, that will enable the public and private sectors to strengthen the protection of personal data.

<-- Contents Page