
Urgent Data Protection Concerns in the Sharing of Data between Auditor General’s Department and FID: Safeguarding Privacy in the Pursuit of Justice

07 Jul 2023

Introduction:

In the digital age, personal data is increasingly vulnerable and can be subject to state abuse. All the more so since the 2019 NIDS decision (Julian Robinson v The Attorney General), which declared that our right to informational privacy is guaranteed by the Constitution, the recent strategic partnership between the Auditor General’s Department (AuGD) and the Financial Investigations Division (FID) has sparked urgent concerns about data protection compliance. As these agencies aim to strengthen their response to corruption, money laundering, fraud, and other financial crimes, questions arise regarding the safeguarding of individuals’ privacy rights. This article examines the implications of the partnership and emphasizes the need for data protection compliance before engaging in potentially risky data sharing initiatives.

The Significance of Data Protection Compliance:

Non-compliance with data protection regulations carries potential risks and consequences that should not be understated. Failure to implement robust data protection measures, especially when government agencies are the data controllers, can leave individuals vulnerable to breaches of their other fundamental rights, such as the freedom of expression, the freedom of movement, freedom of association, freedom from discrimination and a host of other freedoms. The right to privacy and freedom from unlawful surveillance is the bedrock and enabler of a free and democratic society. The absence of informational privacy has the potential to undermine our democracy and restrict attendant rights.

The Auditor General’s Department and the Financial Investigations Division:

The Auditor General’s Department (AuGD) and the Financial Investigations Division (FID) play crucial roles in upholding transparency, accountability, and the responsible use of public resources. The recent strategic partnership between these entities purportedly aims to enhance collaboration and information sharing to effectively combat corruption, money laundering, fraud, and other financial crimes.

According to a press release issued by the AuGD, the Memorandum of Understanding (MoU) signed with the FID provides a framework for formalizing and operationalizing strategic information sharing. This collaboration encompasses the exchange of data and other relevant material related to the detection of misused public funds and corruption issues that impact government revenue and expenditure.

The AuGD, as an independent body, is responsible for conducting audits to ensure that entities’ systems have adequate controls in place and are operating effectively and efficiently to achieve their objectives. Their objectives include assessing the relevant general and application controls of each system, determining compliance with relevant laws and regulations, and assessing whether each system adequately supports the respective business objectives of the entities.

On the other hand, the FID, as a specialized investigative unit, focuses on financial investigations, particularly in the areas of corruption, money laundering, and fraud. Their expertise lies in gathering evidence, conducting investigations, and providing advisory support to agencies involved in combating financial crimes.

Concerns Regarding Data Sharing:

While the partnership between the AuGD and the FID aims to enhance collaboration and information sharing, concerns arise about potential data protection issues. It is essential to address these concerns proactively to safeguard individuals’ privacy rights before engaging in any data sharing initiatives. The risks associated with sharing sensitive and confidential information without adequate safeguards in place are significant.

Addressing individual privacy rights proactively means ensuring compliance with the basic data processing standards and the privacy framework mandated by the Jamaican Data Protection Act. For example, has either the AuGD or the FID appointed a Data Protection Officer, whose responsibility would be to ensure that the requisite safeguards are in place to safely share data in the proposed manner? In the absence of a Data Protection Officer mandated by the law, who is to hold these government agencies accountable and safeguard the privacy rights of Jamaican citizens?

Let us assume that both these organizations have appointed their DPOs and have just not announced it to the public, which, by the way, they have a duty to do.

  • Was a data protection impact assessment done in accordance with section 45 of the DPA? In other words, did they scope the sharing contemplated?
  • Did they assess the risks associated with sharing the data in the proposed manner?
  • Did they determine the necessity and proportionality of the sharing in the proposed manner?
  • Having identified the proposed risks, have they identified the controls to mitigate the potential risks?
  • Have they categorized the different types of datasets they are sharing?
  • Have they established data retention periods for the different data sets that are being shared?

These are but a few (certainly not exhaustive) of the issues they would have had to address if their actions are to be viewed as lawful.

The Auditor General has awesome powers to compel information for the specific purpose of fulfilling her mandate under the Financial Administration and Audit Act. How can information obtained from individuals for that specific purpose then be shared with another entity for other purposes? Matters such as these do not have to be resolved in a court of law, as we already have a clear pronouncement by our Constitutional Court on our right to informational privacy.

These are all regulatory and compliance issues. As regulatory bodies who ensure that persons in positions of responsibility I am confident that they would not be acting illegally and flouting our right to informational privacy and breaching the Data Protection Act. This confidence, however, is nothing more than a hope and a prayer, as an examination of their respective websites does not even reflect the existence of a privacy policy or privacy notice. What is of even greater concern is that it is highly likely that FID has entered into several other such data sharing agreements with other public and private entities.

The Importance of Data Protection Compliance:

Data protection compliance is not a mere formality but an ethical responsibility for organizations handling sensitive data, especially when engaging in collaboration and data sharing initiatives. Both the AuGD and the FID must prioritize data protection compliance as a critical aspect of operations. This includes appointing Data Protection Officers (DPOs) responsible for overseeing data protection activities, implementing comprehensive privacy policies, and ensuring that appropriate technical and organizational measures are in place to safeguard personal data.

Conclusion:

The strategic partnership between the Auditor General’s Department (AuGD) and the Financial Investigations Division (FID) holds great potential in combating corruption, money laundering, fraud, and other financial crimes. However, it is crucial to address data protection compliance as a top priority before proceeding with data sharing initiatives. By ensuring robust data protection measures, appointing Data Protection Officers (DPOs), and implementing comprehensive privacy policies, the AuGD and the FID can uphold individual privacy rights, maintain public trust, and effectively combat financial crimes while safeguarding sensitive information.

Let us be mindful of and intentional about how we proceed with this initiative and other such initiatives. We do not want a situation where this type of data sharing is challenged in our courts and found to be in breach of our constitutional right to informational privacy or in breach of the data processing standards outlined in our Data Protection Act. Both organizations will be well served to pause their sharing activities and put their respective houses in order.

Chukwuemeka Cameron is a trained Data Protection Officer, an Attorney with a master’s in information technology and founder of Design Privacy, a consulting firm that helps clients comply with privacy laws and build trust with their customers. He is also a certified ISO 27001 and 27701 lead implementer. Email feedback to [email protected]