Doctors, too, must fall in line under Data Protection Act — lawyer
ATTORNEY-AT-LAW Chukwuemeka Cameron has warned operators of medical practices to get their houses in order as far as the security of patients’ confidential details is concerned, to escape the penalties associated with not doing so under the pending Data Protection Act.
The Act, which seeks to safeguard the privacy and personal information of Jamaicans, was passed in both Houses of Parliament last year, but is not yet in force as the regulations are incomplete. The Act establishes, among other things, a supervisory authority — the information commissioner — who will wield enormous power.
Breach of certain provisions of the legislation will constitute criminal offences attracting penalties, both for corporations and individual corporate officers. The provision, however, includes a transitional provision by which data controllers are required to take all necessary measures to ensure full compliance with the legislation, especially the data protection standards, within a year after the commencement of the legislation.
Speaking yesterday during a virtual symposium of the Association of Consultant Physicians of Jamaica (ACPJ), the attorney said, “The legislation requires you to secure all confidential information across the board, it sets out the specific rights that data subjects now have, it also imposes clear obligations on you as data controllers and says now that you have these in your possession, these are the things you must do and this is how you must treat the data. And to ensure that you must comply, they have also created a supervisory authority.”
Personal data includes mobile numbers, e-mail addresses, bank details, or any information that can be used by itself, or in conjunction with any other information, to identify someone.
“This information commissioner is more powerful than a judge, INDECOM’s [Independent Commission of Investigation’s] commissioner, or the Integrity Commission because he has the power to investigate, make his findings, and implement the sanctions…so it is a very serious issue that we must be mindful of,” said Cameron.
In pointing out that data held by medical professionals does not belong to them and should not be used outside of the purpose for which it was given, he noted that “there may be equally dire consequences if you cannot account to the data subject for this personal data.
“The information commissioner can now come into your practice and find that you have not treated with the personal data in a manner expected and fine you, or worse yet, tell you to stop processing all personal data until you have put the appropriate security measures in place. That means bringing your practice to a temporary halt,” he warned.
The attorney further noted that there was no question of escaping the notice of the authorities.
“On implementation of the legislation, all data controllers will be required to register under the legislation, so it is not a matter of thinking I run a small practice [so] I am going to fly low under the radar. No. What the legislation has sought to do is they have said, ‘Everybody, from day one, must register,’ and if you do not register, the act of not registering is a criminal offence and can attract a penalty. So by doing nothing, or flying under the radar, you are exposing yourself to criminal liability,” Cameron said.
In the meantime, he noted that the Government has demonstrated its seriousness, as allocations have been made in the present budget to establish the office of the information commissioner.
“They have already put out an ad for persons to fill the office, but let us be very clear when I say there are equally very dire consequences,” Cameron stated.
He said, too, that the recent data breach of the Government’s JAMCOVID-19 application could have been avoided if the safeguards promoted by the legislation had been taken.
“You must appoint a data protection officer, that is someone who will ensure that you are properly implementing the legislation and help you implement it. This cannot be a doctor or your IT [Information Technology] person, because there cannot be conflict of interest.
“You must file your personal data protection plan; you can only do that after you have conducted a data protection impact assessment. This is where you identify the data you are processing, the risks associated with processing the data at each point in your practice, and say the controls necessary to remedy the gaps found.
“It is the thinking that if Amber [developers of the application] in this recent data breach, had gone through this exercise, it is very likely they would have identified this breach,” the attorney suggested.
He continued: “The Government has demonstrated that they are serious about setting up the organisational measures on a national level to ensure organisational and technical measures are put in place, because they have signalled to the country by inviting members to apply for the job of information commissioner and all the other 21 positions that would be required. They have signalled that they are pressing forward and serious.”
He urged medical practitioners to understand that they are processing as much data as, if not more than, the developers at Amber.
“The first step you want to take is not become overwhelmed with implementing an entire data protection compliance programme. Take one step at a time, and the first step is to conduct a gap analysis to confirm where you are today, and how you stack up against what the legislation requires. That gap analysis will give you a road map as to how you proceed,” he told participants.