Do not breach the privacy of grant Applicants: There must be a better way.

On the 29th day of April 2021, the Minister of Finance and the Public Service posted on his facebook page a press release dated April 29, 2020 in relation to the #CAREProgramme grants (Compassionate Grant, SET Cash and General Grant) which stated that grants that were disbursed must be collected by May 30 at LASCO MoneyGram. In the press release the Care programme further stated that they will publish in the Sunday Newspaper of May 8 the names of persons on whose behalf uncollected grants were disbursed. This is after months of repeated SMS text messages and phone calls to the numbers associated with the application and emails to no avail.

Notwithstanding the well intentioned objectives of the Ministry and the difficulties faced by the Ministry in contacting the applicants, consideration has to be given to their constitutional right to informational privacy guaranteed by the Charter of Fundamental Rights and Freedoms before they choose to publish the names of applicants in this manner.

In the context of the right to informational privacy has anyone asked themself the question; does the applicant want the fact that he applied for financial assistance to be published to the world at large? Or, might the publication cause any embarrassment of distress to the applicant? Could the applicant have reasonably expected that when he in the privacy of his home applied online for the grant that the fact of his application would be published to all of Jamaica? Was the applicant informed that when he applied for this grant that his information would be made public if he failed to collect his/her disbursement?

The Ministry of Finance and the Public Service has an obligation to respect and uphold the right to informational privacy of the applicant. As a data controller like all other data controllers the Ministry has a duty to observe the data processing standards set out in the Data Protection Act and ensure that they process personal data fairly and lawfully.

The legislation specifically sets out seven lawful bases for processing personal data. If a data controller does not bring itself within one of the bases identified in the legislation the processing would be unlawful. The most relevant lawful basis that the Ministry could rely upon to justify the publishing of the names is the condition set out at 23(1)(e) to wit : the processing is necessary for the exercise of any function conferred by or under any enactment, or for the exercise of any other functions of a public nature exercised in the public interest.

While I am not aware of a specific function the Ministry would be fulfilling by administering the CARE programme it is possible that they can claim that they are exercising a function of a public nature in the public interest. The public interest being served would be ensuring that those persons who applied for a grant and were successful actually receive the disbursement. The purpose for the grant and the programme as a whole is captured by the Minister of Finance and Public Service when he stated that it is a programme “which seeks to cushion the economic impact of the Covid-19 pandemic on individuals and businesses . . . and is designed to put us in the best position to recover and to be stronger than we were before.”

In light of the foregoing one may conclude that the Ministry has a basis to suggest that there is a lawful basis. That however is the first step.

Ireland’s supervisory authority in 2019 issued guidance notes as to how data controllers can rely on the public interest lawful basis:”Controllers relying upon this legal basis (public interest) need to ensure that the processing of the personal data of the data subject must actually be necessary in order to carry out the task in the public interest or exercise official authority. As is the case of other legal bases which involve the concept of necessity, the extent of what precisely is ‘necessary’ to carry out the task in the public interest or exercise official authority will ultimately depend on the circumstances of each case.”

“For processing to be necessary to carry out a task in the public interest or exercise official authority, it must be a targeted, reasonable, and proportionate way of doing so.” Can the Ministry properly say that this exercise is targeted in circumstances where in an attempt to communicate with an individual they publish the communication in the newspaper. Could the applicant reasonably have expected that the fact of his application would be made public in this matter? Can one say that the objective of communicating the applicant about his successful grant application outweighs his right to maintain the privacy of his/her private financial transaction? It is hard to see how any one of these questions can be answered in the affirmative.

The Irish Commissioner goes on to say that “If a controller can reasonably achieve these purposes in another, less intrusive way, it is unlikely that they should process personal data under this legal basis, in line with the principle of data minimisation.”

Could possibly running a series of ads in the local newspaper inviting all persons to contact a call centre or use some code to access a private online resource to check to see if the monies are available for them, achieve the stated objective in a less intrusive manner? One would be hard pressed to credibly maintain that the Ministry cannot reasonably achieve its purpose by adopting this approach. In light of the foregoing the Ministry is not in a position to rely upon public interest as a lawful basis.

What then of the fair part of the lawful and fair processing? Fair processing under the act means that the Ministry would have notified the applicants at the time of receiving information from the applicant that they intended to publicize their name and the fact that they were seeking financial assistance from the government if they failed to collect the grant once it was disbursed. Among other things the legislation specifically requires the controller to advise the applicant of the purpose or purposes for which the personal data are intended to be processed. If it is the applicants were appropriately advised, in the manner set out by section 22 of the legislation, that the Ministry would publish their information in this manner then the Ministry may be able to maintain that the processing is fair. We do not know if this was done. We were unable to find a privacy notice or any reference to a privacy notice on the website which may well have been an appropriate place to notify the applicants of the intended use of the personal data.

In the absence of a lawful basis for processing, there being no necessity to publish the applicants personal data in this matter coupled with there being a less intrusive alternative means to achieve the objective, the processing cannot be deemed to be either lawful or fair.

One may argue that the Data Protection Act has not yet been implemented so this discussion is only academic. The challenge is that the publishing of this information in the proposed manner by virtue of the NIDs decision would be in breach of the applicants right to informational privacy which is guaranteed by the Charter of Fundamental Rights and Freedoms. This form of privacy concerns the right to prevent the dissemination of information of a private nature. It is the Data Protection Act that would create a lawful basis to process an applicants personal data in the suggested manner. In the absence of the legislation that enables the processing of personal data, unless the Ministry of Finance can demonstrate they were authorized by the applicant to publish the applicants personal data in this manner they may be exposed to a constitutional claim.

The Jamaican government is strongly driving digital adoption and transformation both in the public sector and private sector as a key economic driver. In order to effectively do so however the government has to inspire trust and confidence in the public that at a bare minimum their personal information is protected when they share it with companies/organisations and that an organisation would only share or publish their personal information with their knowledge. The first step is to demonstrate that they understand, acknowledge and respect the privacy rights of individuals. A second step could be actually implementing the Data Protection Act and activating the office of the Information Commissioner. In essence there needs to be an institutionalized culture of the respect for privacy rights of the citizenry.

Chukwuemeka Cameron LLB LLM is a privacy practitioner and the founder of Design Privacy a company that helps you comply with local and international privacy laws. Feedback can be sent to ccameron@designprivacy.io.This article is for general information purposes only and does not constitute legal advice.