Did Statin get the memo that there is a Data Protection Act

Chukwuemeka Cameron
5 min readOct 13, 2022

--

To date I have received 6 text messages from Jam-Census, these text messages were all sent during the month of September. While writing this I received another. Where did they get my number from? Why are they spamming my phone? How do I get them to stop? Did a third party offer an sms marketing service and make my number available to Statin? What is the name of this third party company that is offering the sms service and making money off of my personal data? Did any one give them the memo that there is now a Data Protection Act and this type of activity is circumscribed under the legislation.

Under the Data Protection Act(DPA), which was gazetted in December 2021, the sending of these text messages is considered to be direct marketing. According to section 10(6) of the DPA direct marketing means to approach a data subject in person or by any means of communication for the purpose of promoting in the ordinary course of business any services or requesting a donation of any kind for any reason.

Not only does the DPA define what direct marketing is, it prescribes how data controllers such as the Statistical Institute of Jamaica and all data controllers are to engage in direct marketing: A data controller shall not process personal data of a data subject for the purpose of direct marketing unless the data subject consents to the processing for that purpose . . ..

At no time have I consented to receiving marketing material from Jam Census or Statin. Nor at any time did I give my number to them or any other third party for this purpose.

This flagrant breach of the Data Protection Act raises concerns in relation to the extent to which Statin has implemented any of the mandatory data processing standards as prescribed by the DPA. A quick look at Statin’s website does not reflect an appreciation of or acknowledgement by Statin of its responsibilities under the DPA or the informational privacy rights enjoyed by the citizens of Jamaica.

The following statements were found on their website:

“STATIN takes every precaution to minimize the risk of unauthorized access to any information captured during the Census. Our security systems involve a combination of data encryption and network security equipment, to protect unauthorized access to Census information. Any data that is transmitted to our web servers is encrypted and stored on STATIN’s secure internal network, and is made accessible only to authorized employees of STATIN

STATIN is mandated by law to ensure the security, confidentiality and integrity of all sensitive data captured on tablets. Tablets are configured to use native Android security services and our web-based services employ the use of encryption to ensure secure connectivity between the Tablets used by census takers and STATIN’s internal systems.”

Assuming this is indeed accurate and has been verified by an independent audit this in no way covers the requirements of the data processing standards. Have we not learned anything from the NIDS decision? This was where the government sought to collect personal and sensitive data from Jamaican citizens en masse and made it a criminal offense if citizens failed to provide the requested information. In that instance our constitutional court found that the legislation breached the right to informational privacy and struck down the entire bill.

I will bell the cat, this is the exact same thing that is being done in this census exercise. Personal and sensitive data is being collected from the citizens of Jamaica in accordance with a statutory mandate, for the national good, and according to section 19 and 20 it is a criminal offense if the information is not provided. Let us be clear both personal and sensitive data are being collected.

Among other data items being collected are:

  • a first name
  • your address
  • GPS location
  • Address
  • Age and sex
  • Religious affiliation and ethnicity
  • Fertility

And a myriad of other personal and sensitive data.

There are eight specific data processing standards Statin as a data controller processing personal data is required to follow. Based on their approach to direct marketing, the lack of a data protection officer and the absence of an appropriate privacy notice one is left to wonder if any regard has been paid to data subject rights or the prescribed data processing standards.

Why would this government agency ignore the NIDS decision and the Data Protection Act and in effect seek to bring the legality of this necessary national exercise into question. Is there a gap between the law and their understanding that it applies to them? Who has dropped the ball here?

Has a Data Protection Impact Assessment been conducted on the introduction of tablets in the data collection process? Why is it necessary to collect my GPS location in addition to my address?

Interestingly according to several scholars, one such being Anu Bradford, professor of law and director of the European Legal Studies Center at Columbia Law School the right to informational privacy can be traced back to World War II and the atrocities of the Nazis, who systematically abused private data to identify Jews and other minority groups. In 1930s Germany, census workers went door to door filling out punch cards that indicated residents’ nationalities, native language, religion and profession. This information that was collected during the census was subsequently used to round up victims. It became clear how — while census data is necessary to keep a government running — the collection of citizens’ personal information could lead to direct harm for those people.

In closing I will share a recent decision of the Portuguese Information Commissioner where he found that the Portuguese National Statistical Institute (“Instituto Nacional de Estatística”) that was undertaking the 2021 census by collecting data through forms on their own website “CENSOS 2021”, and using various website security and content delivery services of Cloudflare, a service provider headquartered in the United States, failed to implement the appropriate security controls. Permanent Secretaries and heads of state agencies must take heed.

Chukwuemeka Cameron is an attorney with a master’s in information technology and founder of Design Privacy, a consulting firm that helps clients comply with privacy laws and build trust with their customers. He is also a certified ISO 27001 and 27701 lead implementer Email feedback to ccameron@designprivacy.io

--

--

Chukwuemeka Cameron

Founder of Design Privacy a company that helps you comply with local and international privacy laws.