Did anyone give the Statistical Institute of Jamaica (Statin) the memo that there is now a Data Protection Act (DPA), that sending out promotional text messages is circumscribed under the legislation, and that they are subject to the law in the same manner as all other data controllers? If the Statistical Institute of Jamaica is flagrantly breaching the law that prohibits direct marketing without consent, it begs the question as to whether Statin has implemented any of the mandated data processing standards prescribed by the DPA. Let us be clear: breaching data processing standards is not synonymous with poor or weak information security controls. Apart from it being a criminal offence, failing to implement the mandatory data processing standards reflects a lack of respect for the constitutional right to informational privacy that we now enjoy, and a lack of acknowledgment of the dangers Jamaicans may be exposed to if the information is used inappropriately.
To date I have received 6 text messages from Jam-Census; these text messages were all sent during the month of September. While writing this I received another. A sample of two of the text messages reads as follows:
“Census day is September 12, 2022. Wear Jamaican colors to show your support. Yuh Count, Mi Count.”
“Responses to the 2022 Census are confidential and secure. Yuh Count, Mi Count.”
Where did Jam-Census get my number from? Why is Jam-Census spamming my phone? How do I get them to stop? Did a third party offer an SMS marketing service and make my number available to Statin? Did Jam-Census procure an SMS marketing service to blast out SMS messages? What is the name of this third party company that is offering the SMS service and making money off of my personal data? Is anyone else receiving these text messages?
Statin must be aware of the recent NIDS decision, where our constitutional court found that it was unconstitutional for the government to attempt to compel persons to give up their personal data in the absence of any safeguards. The Data Protection Act was subsequently promulgated, prescribing the requisite safeguards to be put in place to protect the right to informational privacy enjoyed by persons in Jamaica. It should be apparent to Statin that they are seeking to engage in a very similar exercise to that of NIDS, i.e. compelling its citizens with the force of law to give up large swathes of personal data. It should follow, therefore, that they would be acutely aware of their obligation to comply with the Data Protection Act.
Under the DPA, which was gazetted in December 2021, the sending of these text messages is considered to be direct marketing. According to section 10(6) of the DPA, direct marketing means to approach a data subject in person or by any means of communication for the purpose of promoting in the ordinary course of business any services or requesting a donation of any kind for any reason.
Not only does the DPA define what direct marketing is, it prescribes how Statin and all other data controllers are to engage in direct marketing: A data controller shall not process personal data of a data subject for the purpose of direct marketing unless the data subject consents to the processing for that purpose . . ..
The legislation is also very clear on what consent is; it ensures that a person cannot unwittingly give their consent. It specifically states that any consent required to be given, by a data subject, to the processing of personal data means any informed, specific, unequivocal, freely given, expression of will and may be withdrawn in the same manner. Having received and reviewed the six text messages, nowhere do they allow me to withdraw my consent, assuming I gave my consent unwittingly.
The DPA further requires that you are informed about how your telephone number will be used, including the purpose for which your number will be used and the class of persons with whom your number will be shared. In other words, you would have had to be made aware that your telephone number, if not collected by Statin, would have been sold to Statin for the purpose of sending you promotional information about participating in census 2020.
Statin will find itself in somewhat of a quagmire if it attempts to argue that they collected the number directly from you with your consent. You would recall that consent must be freely given. How could consent be freely given if they could refer you for prosecution if you fail to provide your telephone number when asked?
Suffice it to say, at no time have I consented to receiving marketing material from Jam Census or Statin. Nor at any time did I give my number to them or any other third party for this purpose.
Without more, if indeed Statin used your telephone number for direct marketing without your consent, it has committed a criminal offence and shall be liable upon – (a) summary conviction in a Parish Court to a fine not exceeding two million dollars or to imprisonment for a term not (b) conviction on indictment in a Circuit Court, to a fine, or to imprisonment for a term not exceeding seven years.
As data subjects who now enjoy a constitutional right to informational privacy that has been encoded in the Data Protection Act, we are not left without redress. The DPA has provided you with all the requisite controls to protect your personal data and, in this instance, your telephone number.
- The DPA gives you the right to demand of Statin that they tell you all the information they have about you and where they got this information from. This is known as a “data subject access request”. Statin has 30 days to reply to your request. All citizens have this right, which can be exercised with any data controller, be it a public sector entity or a private sector entity.
- Having confirmed that they have your number and are using it, you are entitled to instruct them to stop using your number and delete it. Statin will then have 21 days to confirm that they have indeed done so.
The sixth data processing standard requires that Statin observe all the rights that you have been accorded. It is a contravention of the data processing standards if they don’t, and it is a criminal offence to breach a data processing standard. In other words, where Statin uses your telephone number for direct marketing purposes without your consent, or fails either to provide the information required or to stop using your number upon receiving your instructions to stop using it, they would have committed a criminal offence. This specific offence can land someone in jail for up to 7 years. You will not be able to sue in your own right in this scenario, as you can only approach the court under the DPA where you would have suffered some form of damages which would give rise to a claim for compensation.
There is a two-month transition period that expires in around the next 13 months. The transition period is meant to afford data controllers sufficient time to become compliant with all the prescribed data processing standards. Data controllers, however, are still expected to operate in good faith in relation to how they process personal data. Being one of the largest processors of personal data, Statin should be in a position to demonstrate that it has complied with the data processing standards and is well underway in implementing its data protection compliance form.
Chukwuemeka Cameron is a trained Data Protection Officer, an Attorney with a master’s in information technology and founder of Design Privacy, a consulting firm that helps clients comply with privacy laws and build trust with their customers. He is also a certified ISO 27001 and 27701 lead implementer. Email feedback to [email protected]