Red Alert: Implications of the JAMCOVID Breach

In the range of security alerts, a “red” alert is usually one level above an “amber” alert. The recent alleged exposure of the personal data of thousands of travellers on the Government of Jamaica’s (GOJ) COVID-19 (JAMCOVID) website and app could be considered a “red alert” situation.


This has reiterated the need for a robust approach to the way in which personal data is handled by government entities on a day-to-day basis, especially as the nation prepares for a national ID system. According to the American online newspaper TechCrunch, more than 70,000 COVID-19 lab results, over 425,000 immigration documents (including passport information) and more than 440,000 images of travellers’ signatures which were uploaded to the JAMCOVID website and app were left unsecured, resulting in unauthorized access.

Under the pending Data Protection Act (DPA), government entities are required to ensure that any personal data which comes into their possession is processed in compliance with certain international standards. One of these standards stipulates that personal data must be protected using appropriate technical and organisational measures to prevent unauthorised or unlawful processing of the data, as well as any accidental loss, destruction of, or damage to the data. For example, there ought to be pseudonymisation and encryption of personal data, as well as the ability to remotely erase the data in the event of a security breach. Additionally, the DPA imposes a higher standard of protection on government entities that process sensitive personal data, i.e. data regarding an individual’s medical records or biometrics. The fact that the personal data stored on the JAMCOVID website and app was allegedly left unsecured and unprotected may amount to a breach under the DPA.

The DPA also imposes an obligation on government entities to notify any person whose data has been affected by a security breach. This notification must be made within a reasonable time. It is, however, not clear whether the Ministry of Health and Wellness and/or the Ministry of National Security have made any attempt to notify the travellers whose personal data may have been affected by the breach.

The fact that a third party was contracted by the Ministry of Health and Wellness and/or the Ministry of National Security to create the JAMCOVID website and app would not have relieved them of liability. The DPA stipulates that where an entity engages a subcontractor to process personal data on its behalf, the entity must ensure that the third party is subject to similar data protection obligations and has certain technical and organisational measures in place to safeguard against a security breach. Furthermore, the Ministry of Health and Wellness and/or the Ministry of National Security ought to have taken reasonable steps to ensure that the third party was complying with those measures.

Failure to comply with the provisions of the DPA may result in a government entity being subjected to severe fines and penalties. Additionally, any person who can prove that they have suffered damage as a result of the breach may be entitled to compensation from the government entity.

Likewise, the European Union’s General Data Protection Regulation (GDPR) imposes a duty on entities that process the personal data of EU citizens to ensure that the data is processed in a manner that is safe, secure and confidential. In the event that any of the compromised personal data belongs to an EU citizen, the Ministry of Health and Wellness and/or the Ministry of National Security may also find themselves subjected to heavy fines and penalties under the GDPR. Just recently, Marriott International was found to be in breach of the GDPR due to the negligent exposure of the personal records of approximately 339 million guests and was fined a total sum of £99 million by the UK’s data protection regulator.

Although government entities are exempt from criminal prosecution under the DPA, they are not exempt from civil penalties. It is therefore important that these entities start adopting a more robust approach to the way in which they handle the personal data of citizens. It is even more important for the Government to fast-track the implementation of the DPA so that Jamaican citizens can have protection against the misuse and mishandling of their personal data.

Samantha Moore is a Partner at RamsaySmith and is a member of the firm's Commercial Department. Samantha may be contacted via moore@ramsaysmithjm.com or www.ramsaysmithjm.com. This article is for general information purposes only and does not constitute legal advice.
