Getting Started
Understanding the Eight Data Protection Standards
The eight standards are the heart of the Act. This module explains each one in plain English with practical examples.
What you will learn
- What the eight data protection standards are
- What each standard requires in practice
- Common ways businesses fall short
- How to build the standards into everyday habits
Overview
The Act is built around eight data protection standards, set out in sections 22 to 31. They are the rules every data controller must follow. If you understand these eight ideas, you understand the spirit of the whole Act.
Why this matters
Almost every practical obligation, from privacy notices to retention to security, traces back to one of these standards. Meeting them is what compliance actually looks like in day-to-day operations.
The eight standards in plain English
1. Fair and lawful
Process personal data fairly and lawfully. People should not be misled about what you do with their data, and you need a proper legal reason to process it.
2. Specified purposes
Collect personal data only for clear, specific purposes, and do not later use it for something incompatible with those purposes.
3. Adequate, relevant, not excessive
Collect only what you genuinely need for the purpose. More data is more risk, not more value.
4. Accurate and up to date
Keep personal data accurate and, where necessary, current. Give people a way to correct mistakes.
5. Not kept longer than necessary
Do not keep personal data forever. Set retention periods and delete or securely dispose of data when you no longer need it.
6. In line with people's rights
Handle personal data in a way that respects the rights the Act gives individuals, such as access and correction.
7. Kept secure
Protect personal data against loss, damage, and unauthorised access, using appropriate technical and organisational measures.
8. Careful international transfers
Do not transfer personal data outside Jamaica unless there is appropriate protection in place for it.
Common mistakes
- Collecting data for one purpose and quietly using it for another (standards 1 and 2).
- Keeping every record forever "just in case" (standard 5).
- Treating security as an IT afterthought rather than a duty (standard 7).
- Moving data to overseas tools without checking the protections (standard 8).
Best practices
- Write down, for each type of data, why you hold it and how long you keep it.
- Give people an easy way to update or correct their information.
- Review access controls and backups regularly.
Put this into practice
See how your current practices line up against the eight standards.
Check your complianceFrequently asked questions
Key takeaways
- The eight standards (sections 22 to 31) describe how all personal data must be handled.
- They cover fairness, purpose, data minimisation, accuracy, retention, rights, security, and transfers.
- Most compliance work is really about living up to these eight ideas day to day.
- You do not need to memorise the law, just build habits that meet each standard.
