updated may 26, 2024



Data Protection
& Rights



Defining data protection and your rights



01



Data protection



02



Data subject rights



Data Protection



Personal data



Personal data is any information that relates to an identified or identifiable living individual, or one who has been deceased for less than thirty years. Different pieces of information, which collected together can lead to the identification of a particular person, also constitute personal data.



Sensitive personal data



Sensitive personal data is information relating to an individual’s genetic data, biometric data, racial or ethnic origin, political opinions, philosophical beliefs, religious beliefs or other beliefs of a similar nature, membership of a trade union, physical or mental health or condition, sex life, an alleged commission of offences by the individual or any proceedings for any offence alleged to have been committed by the individual. When processing personal data, you must comply with the data protection standards:





Fair and Lawful



Personal data must be processed transparently and in accordance with the law.



Not kept longer than necessary



Must only be kept in a form which allows identification of the individual(s) for no longer that in necessary for the purpose for which the data is processed.



Specific/Compatible Purpose



Personal data must be collected for specific, explicit and legitimate purposes



Technical and Organisational Measures



Must only be processed in a manner that ensures its confidentiality, including unauthorised use and accidental loss or destruction.



Adequate, relevant and not excessive



Personal data should be limited to only what is necessary to fulfil your purpose.



Rights of the data subjects



Must be processed in a way that protects the rights of individuals.



Accurate/ Up to date



Must be accurate and where necessary kept up to date.



Not transferred outside Jamaica



Must not be transferred outside the country without appropriate safeguards in place.



For further information



Please contact the Office of the Information Commissioner or refer to the Data Protection Act



If you have any questions or need support



in relation to your data protection obligations, please contact admin@majdoctors.com



Data Subject Rights



1. Aims and Objectives



The aim of this Policy is to ensure that Dr. Frances Berry and staff, are aware of their obligations when an individual, a data subject, asserts one of their rights under the Jamaica Data Protection Act 2020 (DPA20). The sixth standard of the DPA20 states that personal data shall be processed in accordance with the rights of data subjects.



2. Personal Data



The information covered by the DPA20 is personal data which is defined as any information relating to an identified or identifiable living person or a person who has been deceased less than 30 years. Pseudonymised personal data is covered by the legislation, but anonymised data is not, as long as it is properly anonymised, and it cannot be reversed to identify any individuals.



3. Data Subject



A data subject is the individual to whom the personal data relates. A data subject can be a living individual or an individual who has been deceased for less than thirty (30) years.



4. Fairly and Lawfully Processed



Before processing any personal data, an organisation must ensure that the data subject (patient or employee) is provided with the following information in an accessible format:

  • The name, address and contact details of your business
  • The identity and contact details of the Data Protection Officer
  • The purpose(s) for which the personal data is being processed
  • The identity of any third parties with whom the personal data may be shared (and on what basis)
  • How long you intend to process the personal data
  • Whether the personal data will be transferred outside of Jamaica If there is a legal requirement to collect personal data, from the data subject, this should be explained and also if there are any consequences if the data is not provided. Also, consider if there is any other pertinent information regarding the processing of personal data which should be shared with the data subject. This information should be provided via a Privacy Notice.


5. Right of Access



The right of access, commonly referred to as a subject access request (SAR), gives data subjects the right to request a copy of the personal data that the organisation holds about them. Once the data subject makes a written request, you must, free of charge, provide:

  • A description of the personal data held
  • The purpose for which the personal data is being held
  • Details of the people with whom the personal data is being shared

Once the data subject makes a written request, the organisation must, following the payment of a prescribed fee, provide:

  • A paper or electronic copy of all personal data held and
  • Where possible, the personal data in a format which will permit transmission to another data controller which the data subject has specified. The personal data should be in a structured, commonly used machine readable format.
  • If the data controller is processing personal data by automated means an explanation
  • The data controller must comply with the request from the data subject without delay and within one month of receipt of the request.


6. Right to consent for processing for direct marketing



This right means that before the organisation can use the personal data of data subjects for direct marketing, consent must be obtained.



7. Right to request processing to stop



This right means that data controllers must consider requests from data subjects to stop processing their personal data. It may not always be possible or lawful to comply with this type of request and they must be assessed on a case-by-case basis.



8. Right to object to decisions being made by automated means



This right means that data subjects have a right to require organisations not to make decisions about them based solely on the processing of their personal data by automated means. Exemptions There may be circumstances in which organisations may be exempt from compliance of certain parts of the DPA20, if the processing of personal data falls withing the following provisions:

  • National Security
  • Law Enforcement, taxation
  • Regulatory activity
  • Journalism, literature and art
  • Research, history and statistics
  • Information available to the public by or under an enactment
  • Disclosure required by law
  • Parliamentary privilege
  • Domestic purposes