Data Breach Response and Notification Procedure
1. Scope, purpose and users
This Procedure provides general principles and a model to approach, respond to, and mitigate breaches of personal data. The Procedure lays out the general principles and actions for successfully managing the response to a data breach, as well as for fulfilling the obligations surrounding notification to Supervisory Authorities and individuals as required by the Jamaica Data Protection Act (“JDPA”).
All Employees/Staff, contractors or temporary Employees/Staff, and third parties working for or acting on behalf of Mystique Integrated Services (“Mystique”) must be aware of, and follow, this Procedure in the event of a personal data breach.
2. Reference documents
Jamaica’s Data Protection Act (and any attendant regulations)
Personal Data Protection Policy
Data Retention Policy
Information Security Policy
Cross-Border Personal Data Transfer Procedure
3. Definitions
The following definitions of terms used in this document are applicable and where they differ from any definition provided in Jamaica’s Data Protection Act, the definition provided in the Act shall take precedence:
“Personal Data” means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
“Data Controller” is the natural or legal person, public authority, agency or any other body, which alone or jointly with others, determines the purposes and means of the processing of personal data.
“Data Processor” is a natural or legal person, public authority, agency or any other body which processes personal data on behalf of a Data Controller.
“Processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
“Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
4. Data Breach Response Team
The Data Breach Response Team must be a multi-disciplinary team composed of individuals knowledgeable and skilled in the areas of IT Security, Legal, and Public Affairs. The team may be a physical or virtual team which responds to any suspected/alleged/actual personal data breach.
The Data Protection Officer/Chief Privacy Officer appoints the Data Breach Response Team Leader and members of the Data Breach Response Team. The Team must be appointed regardless of whether or not a breach has occurred.
The team must ensure that necessary readiness for a personal data breach response exists, along with the needed resources and preparation (such as call lists, substitution of key roles, desktop exercises, and review of company policies, procedures and practices).
The team’s mission is to provide an immediate, effective, and skilful response to any suspected/alleged or actual personal data breach affecting Mystique.
If required, the team members may also involve external parties (e.g. an information security vendor for carrying out digital forensics tasks, or an external communications agency for assisting Mystique with crisis communications needs).
The Data Breach Response Team Leader can choose to add additional personnel to the team for the purposes of dealing with a specific personal data breach.
The Data Breach Response Team may deal with more than one suspected/alleged or actual personal data breach at a time. Although the core team may be the same for each suspected/alleged or actual personal data breach, there is no strict requirement for this.
The Data Breach Response Team must be prepared to respond to a suspected/alleged or actual personal data breach at any given time. Therefore, the contact details for each member of the Data Breach Response Team, including personal contact details, shall be stored in a central location, and shall be used to assemble the team whenever notification of a suspected/alleged or actual personal data breach is received.
5. Data Breach Response Team duties
Once a personal data breach is reported to the Data Breach Response Team Leader, the team must implement the following:
- Validate/triage the personal data breach
- Ensure proper and impartial investigation (including digital forensics if necessary) is initiated, conducted, documented, and concluded
- Identify remediation requirements and track resolution
- Report findings to top management
- Coordinate with appropriate authorities as needed, including the Information Commissioner
- Coordinate internal and external communications
- Ensure that impacted data subjects are properly notified
The Data Breach Response Team will convene for each reported (and alleged) personal data breach, and will be headed by the Data Breach Response Team Leader.
6. Data Breach Response Process
The Data Breach Response Process is initiated when anyone who notices or suspects a personal data breach notifies any member of the Data Breach Response Team. The team is responsible for determining whether the incident should be considered a breach affecting personal data.
The Data Breach Response Team Leader is responsible for documenting all decisions of the core team. Since these documents might be reviewed by the Information Commissioner, they need to be written precisely and thoroughly to ensure traceability and accountability.
7. Personal data breach notification: Data processor to data controller
When a personal data breach or suspected data breach affects personal data that is being processed on behalf of a third party, the Data Protection Officer of Mystique, acting as a data processor, must report the personal data breach to the respective data controller(s) without undue delay.
The Data Protection Officer will send a Notification to the controller that will include the following:
- A description of the nature of the breach
- Categories of personal data affected
- Approximate number of data subjects affected
- Name and contact details of the Data Breach Response Team Leader/ Data Protection Officer
- Consequences of the personal data breach
- Measures taken to address the personal data breach
- Any other information relating to the data breach
A Data Breach Response Team Member, directed by the DPO, will record the data breach in the Data Breach Register.
8. Personal data breach notification: Data controller to Information Commissioner
When the personal data breach or suspected data breach affects personal data that is being processed by Mystique as a data controller, the following actions are performed by the Data Protection Officer:
- Mystique must report the data breach to the Information Commissioner within 72 hours of the breach. Any possible reason for delay beyond 72 hours must be communicated to the Information Commissioner.
- In order to establish the risk to the rights and freedoms of the data subject affected, the Data Protection Officer must perform the Data Protection Impact Assessment on the processing activity affected by the data breach.
- If the personal data breach is not likely to result in a risk to the rights and freedoms of the affected data subjects, no notification is required. However, the data breach must still be recorded in the Data Breach Register.
The DPO will send Notifications to the Supervisory Authority that will include the following:
- A description of the nature of the breach
- Categories of personal data affected
- Approximate number of data subjects affected
- Name and contact details of the Data Breach Response Team Leader/ Data Protection Officer
- Consequences of the personal data breach
- Measures taken to address the personal data breach
- Any other information relating to the data breach
9. Personal data breach notification: Data controller to data subject
The Chief Executive Officer, along with the Director of Operations, must assess whether a personal data breach is likely to result in a high risk to the rights and freedoms of the data subjects. If so, the Data Protection Officer must notify the affected data subjects without undue delay.
The Notification to the data subjects must be written in clear and plain language and must contain the same information listed in Section 7.
If, due to the number of affected data subjects, it is disproportionately difficult to notify each affected data subject, the DPO must take the necessary measures to ensure that the affected data subjects are notified by using appropriate, publicly available channels.
10. Accountability
Any individual who breaches this Procedure may be subject to internal disciplinary action (up to and including termination of their employment), and may also face civil or criminal liability if their action violates the law.
11. Validity and document management
This document is valid as of December 2023.
The owner of this document is the Operations Manager, who must check and, if necessary, update the document at least once a year.
Code:
Version: 1
Date of version: December 2024
Created by: Kathryn Davis – Director of Operations
Approved by: Valon Thorpe
Confidentiality level: Public
Change history
Date | Version | Created by | Description of change
dd.mm.yyyy | 0.1 | | Basic document outline