Is the Ministry of Health taking Privacy Rights Seriously?
The Ministry of Health recently published a press release stating that The Attorney General’s Chambers has advised that based on Regulation 20 of the Pharmacy Regulations, the transmission of prescription for drugs through electronic means is permissible. The Ministry further stated that entities transmitting prescriptions electronically should ensure that the system meets the legal requirements of the Government of Jamaica’s Data Protection Act 2020 concerning the end-to-end operations in order to safeguard patient data privacy and security.
This initiative is a part of the multimillion US dollar digital transformation initiative of the health sector that was announced by Minister, Dr the Hon. Christopher Tufton on the November 16, 2021, during a statement to the House of Representatives. He stated that the project would allow for among other benefits:
· an improved appointment system at our various health facilities,
· the introduction of electronic prescriptions, and
· electronic access to patients’ medical data.
Without question there are game changing efficiencies to be enjoyed upon the full implementation of this initiative. Notwithstanding the social benefits that the citizens of Jamaica would stand to benefit from, there are now pressing concerns surrounding the organizational and technical controls the MoH has failed to put in place to protect the informational privacy rights of Jamaican citizens in accordance with the Data Protection Act.
Based on the platitudes made in relation to Data Protection in the press release, it is evident that MoH is aware that they have responsibilities under the Data Protection Act. An examination of the RFP that details the deliverables of the digital transformation project reflects however that the platitudes are not worth the pixels on the computer screen that they use.
The urgency of this situation is increasing given the recent history of data breaches with MoH related initiatives and the expansive amount of personal sensitive data that this system is expected to process. The approach cannot be to announce a legal opinion and simply declare that entities must comply with the requirements of the Data Protection Act. Informational privacy is a constitutional right which is guaranteed by our Charter of Rights and accordingly the MoH shall take no action which abrogates those rights. Have we not learnt anything from the NIDs decision?
On the face of the RFP, it would appear that the MoH would be the data controller that has a fiduciary responsibility to the citizens of Jamaica as it relates to the operation of this system and how their personal data is processed. Based on the construct of the RFP it appears that the management of this platform is to be wholly or substantially outsourced to a third party. Given the nature of the services being sought in the RFP it would appear that third party would be a data processor as defined by the DPA.
The first issue that arises, if the contracting party is indeed a data processor is, was there or is there now a contract in writing that requires the data processor to comply with obligations equivalent to those imposed on the MoH as the data controller in accordance with section 30(5) of the DPA. Further did the data processor provide sufficient guarantees in respect of the technical and organizational security measures governing the processing to be carried out and the reporting of security breaches to the data controller and take reasonable steps to ensure compliance with those measures in accordance with section 30(4) of the Act.
The second issue that arises is given the expanse of personal sensitive data to be processed one of the first organizational measures that would have to be put in place is the appointment of a Data Protection Officer. Not only would this conform with the DPA, but it would also ensure that in the implementation of this initiative the rights of the data subjects would be preserved. The question then is have both the MoH and the data processor appointed a data protection officer or put processes in place to secure the services of a Data Protection Officer service provider and ensure that they are a part of the project team, or that they have visibility over the implementation of the project.
An examination of the RFP reflects that some attention was placed on cyber security as it was a requirement that a cyber security specialist be part of the project team. There was however no requirement for the entity that would win the contract to ensure that there was a privacy practitioner or Data Protection Officer on the team.
The RFP required the contracting entity to have a project team leader, senior network and communications expert, a senior data centre specialist and cyber security specialist. There was just no mention of a need for a privacy practitioner or a Data Protection Officer service provider.
The direction of the MoH is concerning as they have not appeared to realize the folly in their approach and as such has not taken any step to remedy it. Since 2020 there have been over 70 Tenders which included Terms of Reference, Consultancies and Request for Proposals that have been put out by the MoH. Not one of the tenders sought the service of a data protection consultant or privacy practitioner. Neither have I seen where there has been a tender requesting the services of any one to conduct a data protection impact assessment on the implementation of any of the digital transformation project or individual elements of it. Have we not learnt from the JamCovid incident?
Could it be that MoH assumed that a cyber security specialist would adequately cover the responsibilities of a privacy practitioner or a data Protection officer service provider. Unfortunately, decision makers who have taken the time to address their mind to the DPA hold this erroneous view. Suffice it to say it would be unlawful and in breach of the DPA of a Cyber Security Specialist or information security specialist playing that role on the team to be appointed as the Data Protection Officer as section 20(2) of the DPA specifically states that a person shall not be qualified to be appointed as a DPO where there is likely to be a conflict of interest between the person’s duty as data protection officer and any other duties of that person. In these circumstances there is no greater conflict of interest.
The MoH needs to do a very quick course correct. They have not even sought to publish a privacy notice or privacy policy on their website that informs Jamaican citizens as to how they process their personal data as required by the DPA. The website directs you their Register of Guidelines, Policies, Protocols and Manuals. An examination of this document does not reflect any form of privacy notice/policy. These are just a few of the issues that evidence the total disregard for the DPA and the right to informational privacy.
We do not want a situation where the safety and conformity of the platform is challenged and either the Information Commissioner or the Court instructs the MoH to stop processing personal data until the requisite safeguards are put in place.
Based on the platitudes of the MoH it is aware that it has obligations under the Data Protection Act. Failing to take any steps to conform could only mean that you are now acting in bad faith. The interesting question for me is who in the Ministry would be sanctioned personally?
It is important for leaders of public authorities to know that neither a declaration nor an opinion from the AGs office or the DPP’s office makes you compliant with the Data Protection Act nor can it absolve you for any failings under the DPA. It is worthy of note that the DPA specifically mandates all public authorities appoint a Data Protection Officer. Appointing a Data Protection Officer however does not make you compliant either, it is simply an early step in the compliance journey that would take at least two years if pursued aggressively.
The DPA has granted a two-year transition period. A quarter of that two-year transition period that started on December 1, 2021, has now elapsed. As a leader of a public authority have you started your data protection compliance journey? Have you ensured that you have secured a budget to implement your programme? Have you ensured that a post has been created within your organization to allow you hire someone to be appointed a Data Protection Officer? That bureaucratic process in an of itself will take a significant amount of time much less implementing the actual compliance programme. Let’s see how this plays out.
Chukwuemeka Cameron is a privacy practitioner, trained Data Protection Officer, a certified ISO 27701 lead implementer and the founder of Design Privacy a firm that helps companies comply with privacy laws. Feedback can be sent to ccameron@designprivacy.io.