Getting Started

Understanding the Eight Data Protection Standards

The eight standards are the heart of the Act. This module explains each one in plain English with practical examples.

Intermediate 18 min
This module is general information, not legal advice, and is being reviewed by our legal team. For your specific situation, consult the official Data Protection Act, 2020 or seek professional advice.

What you will learn

  • What the eight data protection standards are
  • What each standard requires in practice
  • Common ways businesses fall short
  • How to build the standards into everyday habits

Overview

The Act is built around eight data protection standards, set out in sections 22 to 31. They are the rules every data controller must follow. If you understand these eight ideas, you understand the spirit of the whole Act.

Why this matters

Almost every practical obligation, from privacy notices to retention to security, traces back to one of these standards. Meeting them is what compliance actually looks like in day-to-day operations.

The eight standards in plain English

1. Fair and lawful

Process personal data fairly and lawfully. People should not be misled about what you do with their data, and you need a proper legal reason to process it.

2. Specified purposes

Collect personal data only for clear, specific purposes, and do not later use it for something incompatible with those purposes.

3. Adequate, relevant, not excessive

Collect only what you genuinely need for the purpose. More data is more risk, not more value.

4. Accurate and up to date

Keep personal data accurate and, where necessary, current. Give people a way to correct mistakes.

5. Not kept longer than necessary

Do not keep personal data forever. Set retention periods and delete or securely dispose of data when you no longer need it.

6. In line with people's rights

Handle personal data in a way that respects the rights the Act gives individuals, such as access and correction.

7. Kept secure

Protect personal data against loss, damage, and unauthorised access, using appropriate technical and organisational measures.

8. Careful international transfers

Do not transfer personal data outside Jamaica unless there is appropriate protection in place for it.

Tip. You do not need to recite these. Pick one a week, look at how your business handles data against it, and fix the biggest gap.

Common mistakes

  • Collecting data for one purpose and quietly using it for another (standards 1 and 2).
  • Keeping every record forever "just in case" (standard 5).
  • Treating security as an IT afterthought rather than a duty (standard 7).
  • Moving data to overseas tools without checking the protections (standard 8).

Best practices

  • Write down, for each type of data, why you hold it and how long you keep it.
  • Give people an easy way to update or correct their information.
  • Review access controls and backups regularly.
Legal note. The precise wording and conditions for each standard are in sections 22 to 31. Use this module to understand them, and rely on the Act and counsel for the detail.

Put this into practice

See how your current practices line up against the eight standards.

Check your compliance

Frequently asked questions

They are set out in sections 22 to 31 of the Data Protection Act, 2020.

Key takeaways

  • The eight standards (sections 22 to 31) describe how all personal data must be handled.
  • They cover fairness, purpose, data minimisation, accuracy, retention, rights, security, and transfers.
  • Most compliance work is really about living up to these eight ideas day to day.
  • You do not need to memorise the law, just build habits that meet each standard.

Related

Ask the Privacy Assistant

Beta