Privacy glossary

Plain-language definitions of terms you will encounter in privacy notices and the Data Protection Act 2020. Hover over underlined terms in any notice to see a quick definition.

Anonymisation

Key concepts

Altering personal data so that individuals can no longer be identified, directly or indirectly.

Anti-money laundering

Obligations

Legal obligations requiring firms to detect and report financial crime.

Also: AML, anti-money laundering, money laundering prevention

Automated decision-making

Key concepts

Making decisions solely by automated means, without human involvement, that significantly affect individuals.

Beneficial ownership

Key concepts

The natural person who ultimately owns or controls a legal entity.

Also: UBO, ultimate beneficial owner, beneficial owner

Biometric data

Key concepts

Unique physical or behavioural characteristics used to identify an individual, such as fingerprints.

Conflict of interest

Obligations

A situation where a professional's duty to one client may be compromised by duties to another party.

Also: COI, conflict check

Consent

Key concepts

A freely given, specific, informed, and unambiguous agreement to the processing of personal data.

Cookie

Key concepts

A small file placed on a user's device by a website to store information or track activity.

Data breach

Key concepts

A security incident leading to unauthorised access, loss, or disclosure of personal data.

Also: personal data breach, security breach

Data breach notification

Obligations

The legal requirement to report personal data breaches to the OIC within 72 hours.

Data controller

Key concepts

The person or organisation that determines the purposes and means of processing personal data.

Also: controller

Data minimisation

Obligations

The principle that personal data collected should be limited to what is necessary for the stated purpose.

Data processor

Key concepts

A person or organisation that processes personal data on behalf of a controller.

Also: processor

Data protection by design

Obligations

The obligation to build data protection into systems and processes from the start, not as an afterthought.

Data protection impact assessment

Obligations

A process to identify and minimise privacy risks before starting high-risk data processing.

Also: DPIA

Data protection officer

Entities

A designated individual responsible for overseeing an organisation's data protection compliance.

Also: DPO

Data subject

Key concepts

The living individual to whom personal data relates.

Engagement letter

Key concepts

A written agreement setting out the terms on which a professional firm will provide services.

Also: letter of engagement, retainer letter, terms of engagement

Health data

Key concepts

Personal data relating to an individual's physical or mental health, including medical history.

International transfer

Obligations

The sending or making available of personal data to a recipient in a country outside Jamaica.

Also: cross-border transfer, transfer

Know Your Customer

Obligations

The process of verifying a client's identity and assessing risk before and during a business relationship.

Also: KYC, customer due diligence, CDD, client due diligence

Lawful basis

Legal basis

The legal ground that justifies the processing of personal data under the DPA 2020.

Also: legal basis

Legitimate interests

Legal basis

A lawful basis for processing where it is necessary for the controller's genuine interests and does not override individual rights.

Office of the Information Commissioner

Entities

Jamaica's independent data protection authority responsible for enforcing the DPA 2020.

Also: OIC, Information Commissioner

Personal data

Key concepts

Any information relating to an identified or identifiable living individual.

Privacy by default

Obligations

The obligation to ensure that only the minimum personal data necessary is processed by default.

Also: data protection by default

Privacy notice

Obligations

A document informing individuals about how their personal data is collected, used, and protected.

Also: privacy policy

Processing

Key concepts

Any operation performed on personal data, including collection, storage, use, disclosure, or erasure.

Professional indemnity insurance

Key concepts

Insurance that protects a professional firm against claims of negligence or errors in the services it provides.

Also: PI insurance, professional liability insurance, E&O insurance

Profiling

Key concepts

Automated processing of personal data to evaluate personal aspects such as behaviour or preferences.

Pseudonymisation

Key concepts

Processing personal data so it cannot be attributed to an individual without separate additional information.

Public task

Legal basis

A lawful basis for processing necessary to perform a task in the public interest or exercise official authority.

Purpose limitation

Obligations

The principle that personal data must only be used for the purpose it was originally collected for.

Retention period

Obligations

The length of time a controller stores personal data before it is deleted or anonymised.

Right of access

Rights

The right to obtain confirmation that your personal data is being processed and receive a copy of it.

Also: subject access request, SAR

Right to data portability

Rights

The right to receive your personal data in a structured, machine-readable format and transfer it to another controller.

Right to erasure

Rights

The right to request deletion of your personal data in certain circumstances.

Also: right to be forgotten

Right to object

Rights

The right to object to the processing of your personal data for certain purposes.

Right to rectification

Rights

The right to have inaccurate personal data corrected or incomplete data completed.

Right to restrict processing

Rights

The right to request that the use of your personal data is limited in certain circumstances.

Right to withdraw consent

Rights

The right to withdraw consent to data processing at any time, without affecting prior lawful processing.

Sensitive personal data

Key concepts

A special category of personal data requiring stricter protection, such as health, race, religion, or biometrics.

Also: special category data

Third party

Key concepts

Any person other than the data subject, controller, processor, or persons authorised by them.

Vital interests

Legal basis

A lawful basis for processing necessary to protect someone's life.
