Is the Ministry of Health taking privacy rights seriously? – Jamaica Observer

The Ministry of Health (MOH) recently published a press release stating that the Attorney General’s chambers has advised that, based on regulation 20 of the Pharmacy Regulations, the transmission of prescription for drugs through electronic means is permissible.
The ministry further stated that entities transmitting prescriptions electronically should ensure that the system meets the legal requirements of the Government of Jamaica’s Data Protection Act 2020 concerning the end-to-end operations in order to safeguard patient data privacy and security.
This initiative is a part of the multimillion US dollar digital transformation initiative of the health sector that was announced by Minister Christopher Tufton on the November 16, 2021 during a statement to the House of Representatives. He stated that the project would allow for, among other benefits, an improved appointment system at our various health facilities, the introduction of electronic prescriptions, and electronic access to patients’ medical data.
Without question there are game-changing efficiencies to be enjoyed upon the full implementation of this initiative. Notwithstanding the social benefits that the citizens of Jamaica would stand to gain, there are now pressing concerns surrounding the organisational and technical controls the MOH has failed to put in place to protect the informational privacy rights of Jamaican citizens in accordance with the Data Protection Act (DPA).
Based on the platitudes made in relation to data protection in the press release, it is evident that the MOH is aware that they have responsibilities under the Data Protection Act. An examination of the request for proposal (RFP) that details the deliverables of the digital transformation project reflects, however, that the platitudes are not worth the pixels on the computer screen that they use.
The urgency of this situation is increasing given the recent history of data breaches with MOH-related initiatives and the expansive amount of personal and sensitive data that this system is expected to process. The approach cannot be to announce a legal opinion and simply declare that entities must comply with the requirements of the Data Protection Act. Informational privacy is a constitutional right which is guaranteed by our Charter of Rights and, accordingly, the MOH shall take no action which abrogates those rights. Have we not learnt anything from the National Identification System (NIDS) decision?
On the face of the RFP, it would appear that the MOH would be the data controller that has a fiduciary responsibility to the citizens of Jamaica as it relates to the operation of this system and how their personal data is processed. Based on the construct of the RFP it appears that the management of this platform is to be wholly or substantially outsourced to a third party. And, given the nature of the services being sought in the RFP, it would appear that, that third party would be a data processor, as defined by the DPA.
The first issue/question that arises if the contracting party is indeed a data processor is: Was there or is there now a contract in writing that requires the data processor to comply with obligations equivalent to those imposed on the MOH as the data controller, in accordance with section 30(5) of the DPA? Further, did the data processor provide sufficient guarantees in respect of the technical and organisational security measures governing the processing to be carried out and the reporting of security breaches to the data controller, and take reasonable steps to ensure compliance with those measures in accordance with section 30(4) of the Act?
The second issue that arises is: Given the expanse of personal sensitive data to be processed, one of the first organisational measures that would have to be put in place is the appointment of a data protection officer (DPO). Not only would this conform with the DPA, but it would also ensure that in the implementation of this initiative the rights of the data subjects would be preserved. The question then is: Have both the MOH and the data processor appointed a DPO or put processes in place to secure the services of a DPO service provider and ensure that they are a part of the project team or that they have visibility over the implementation of the project?
An examination of the RFP reflects that some attention was placed on cybersecurity as it was a requirement that a cybersecurity specialist be part of the project team. There was, however, no requirement for the entity that would win the contract to ensure that there was a privacy practitioner or DPO on the team.
The RFP required the contracting entity to have a project team leader, senior network and communications expert, a senior data centre specialist, and cybersecurity specialist. There was just no mention of a need for a privacy practitioner or a DPO service provider.
The direction of the MOH is concerning as they do not seem to realise the folly in their approach and, as such, has not taken any steps to remedy same.
Since 2020 there have been over 70 tenders, which included terms of reference, consultancies, and RFPs that have been put out by the MOH. Not one of the tenders sought the service of a data protection consultant or privacy practitioner. Neither have I seen that there has been a tender requesting the services of anyone to conduct a data protection impact assessment on the implementation of any of the digital transformation projects or individual elements of it. Have we not learnt from the JamCovid incident?
Could it be that MOH assumed that a cybersecurity specialist would adequately cover the responsibilities of a privacy practitioner or a DPO service provider?
Unfortunately, decision-makers who have taken the time to address their mind to the DPA hold this erroneous view. Suffice it to say, it would be unlawful and in breach of the DPA for a cybersecurity specialist or information security specialist playing that role on the team to be appointed as the DPO as section 20(2) of the DPA specifically states that a person shall not be qualified to be appointed as a DPO in instances in which there is likely to be a conflict of interest between the person’s duty as DPO and any other duties of that person. In these circumstances there is no greater conflict of interest.
The MOH needs to do a very quick course correct. They have not even sought to publish a privacy notice or privacy policy on their website that informs Jamaican citizens how their personal data will be processed, as required by the DPA.
The website directs you to the Register of Guidelines, Policies, Protocols and Manuals. An examination of this document does not reflect any form of privacy notice/policy. And these are just a few of the issues that evidence the total disregard for the DPA and the right to informational privacy.
We do not want a situation in which the safety and conformity of the platform is challenged and either the information commissioner or the court instructs the MOH to stop processing personal data until the requisite safeguards are put in place.
Based on the platitudes of the MOH, it is aware that it has obligations under the DPA.
It is important for leaders of public authorities to know that neither a declaration nor an opinion from the AG’s office or the Director of Public Prosecutions’ office makes you compliant with the DPA, and it cannot absolve you for any failings under the DPA.
It is worthy of note that the DPA specifically mandates all public authorities appoint a DPO. Appointing a DPO, however, does not make you compliant either, it is simply an early step in the compliance journey that would take at least two years if pursued aggressively.
The DPA has granted a two-year transitional period. A quarter of that two-year period, which started on December 1, 2021, has now elapsed. Let’s see how this plays out.
Chukwuemeka Cameron is a privacy practitioner and a certified ISO 27701 lead implementer and the founder of Design Privacy a firm that helps companies comply with privacy laws. Send comment to the Jamaica Observer or ccameron@designprivacy.io.
Now you can read the Jamaica Observer ePaper anytime, anywhere. The Jamaica Observer ePaper is available to you at home or at work, and is the same edition as the printed copy available at https://bit.ly/epaper-login
HOUSE RULES

source

Posted by