Privacy Policy
| PRIVACY POLICY | National Environment and Planning Agency Privacy Policy |
| --- | --- |
| Policy Owner | National Environment and Planning Agency |
| Policy Approver(s) | Chief Executive Officer |
| Key Related Policies and Procedures | |
| Created by | Privacy & Legal Management Consultants Limited |
| Storage Locations | |
| Effective Date | |
| Next Review Date | |
INTRODUCTION
The National Environment and Planning Agency (hereinafter “NEPA” or “the Agency”) is a Data Controller by virtue of the Data Protection Act, 2020 (the Act). Data Controllers have an obligation to Process Personal Data in accordance with the standards outlined in the Act. This Policy sets forth the core Principles governing the Processing of Personal Data by NEPA. This Policy is intended to ensure that the Agency's practices for the processing of Personal Data are consistent and aligned with recognized local and international standards.
DEFINITIONS
Applicable Laws: means the Jamaica Data Protection Act, 2020 (JDPA), the Constitution, and any other related legislation and regulations governing the processing of personal data.
Data Controller: Any person or public authority, who, either alone or jointly or in common with other persons determines the purposes for which and the manner in which any Personal Data are, or are to be, Processed.
Data Processor: Any person, other than an employee of the Data Controller, who Processes the Personal Data on behalf of the Data Controller.
Data Subject: A named or otherwise identifiable individual who is the subject of Personal Data.
Personal Data: Information (however stored) relating to a living individual or an individual who has been deceased for less than thirty years, who can be identified from that information alone or from that information and other information in the possession of the Data Controller.
Processing (or “Process” or “Processes” or “Processed”): Any operation or set of operations, automated or not, which is performed on Personal Data, including but not limited to collection, storage, use, transmission, disclosure, or deletion.
Sensitive Personal Data: Personal Data consisting of any of the following information in respect of a Data Subject: genetic data or biometric data, filiation, or racial or ethnic origin, political opinions, philosophical beliefs, religious beliefs or other beliefs of a similar nature, membership in any trade union, physical or mental health or condition, sex life, the alleged commission of any offence by the Data Subject or any proceedings for any offence alleged to have been committed by the Data Subject.
PURPOSE
NEPA recognizes that as part of our operations we must collect and process personal data. The purpose of this policy is to describe how personal data must be collected, handled and stored to meet NEPA’s data protection standards, comply with governing privacy and data protection laws, and respect individual rights. The purpose of this policy is to:
- Comply with the Data Protection Act, 2020 and follow best practices;
- Protect the rights of employees, customers and any related data subjects as guaranteed by the Charter of Fundamental Rights and Freedoms; and
- Ensure transparency around how NEPA collects, stores and processes individuals’ data.
SCOPE
This Data Protection Policy applies to all business processes, information systems and components, personnel, and physical areas of NEPA. This Policy applies to the collection, processing, storage, and handling of personal data and any other procedures related to personal data of any individual in both electronic and manual format.
Individuals or groups this policy applies to include, but are not limited to:
- Executives and directors;
- All employees, whether employed on a full-time or part-time basis, by NEPA;
- All previous employees, whether employed on a full-time or part-time basis, by NEPA;
- All job applicants for positions at NEPA;
- All contractors, suppliers and other people including but not limited to agents and subcontractors working on behalf of NEPA;
- All customers of NEPA; and
- Any other data subjects identified through the regular course of business by NEPA.
OUR APPROACH TO HANDLING PERSONAL DATA
NEPA’s approach to handling personal data is aligned with the JDPA. In particular, NEPA:
- may collect your personal data where this is reasonably necessary for, or directly related to, one or more of its functions or activities;
- may collect your sensitive personal data where you consent, where the collection is authorised or required by law, or the collection is otherwise allowed under the JDPA;
- will only use and disclose your personal information for the purposes for which it was collected, or otherwise in accordance with the JDPA; and
- will notify you of the purpose for which your personal data is being collected, either at the time of collection, or as soon as practicable afterwards.
INFORMATION COLLECTED FROM YOU
NEPA will collect personal information directly from you.
- NEPA and associated users or partners will collect personal data in a manner that is fully transparent with data subjects and in accordance with the law.
- Users will refrain from knowingly collecting the personal data of any data subject without authorization from a Direct Manager or Data Protection Officer.
- If personal data is collected from someone other than the data subject, the data subject will be informed of the collection unless one of the following criteria applies:
  - The data subject has received the required information by other means.
  - The information must remain confidential due to a professional secrecy obligation.
  - A national law expressly provides for the collection, processing, or transfer of the personal data.
- When necessary, NEPA will obtain consent from data subjects in accordance with the Consent Policy and through the authorization of the Data Protection Officer.
  - Consent from the data subject will be provided in writing.
  - Consent obtained orally from a data subject will be reviewed by the Data Protection Officer.
DATA ACCURACY
NEPA will take reasonable measures to ensure that personal data remains accurate across the Agency.
All data users at NEPA will take reasonable steps to ensure personal data is kept as accurate and up to date as possible.
STORING YOUR PERSONAL DATA
NEPA will secure your personal data where it:
- physically possesses a record containing your personal information (including storage on servers owned and operated by the Department); or
- has the right or power to deal with the information, even if it does not physically possess it (such as where the personal information is stored on servers owned or operated by a third party to which the Agency has access, or in archived files).
The Agency holds personal information in a range of audio-visual (such as CCTV data), paper and electronic records (including in cloud-based applications and services). The Agency complies with the GOJ ICT Policy for protecting departmental resources (including information) from harm or unauthorised access. Personal data is held in accordance with the collection and security requirements of the ISO 27001 Framework and NIST CSF, the department’s policies and procedures, and the JDPA.
If personal data held by us is lost, or subject to unauthorised access or disclosure, the Agency will respond in line with the JDPA and Data Protection (Data Controller) Regulations 2024.
DATA RETENTION
Personal Data should be reviewed at least once annually, against the Records Retention Schedule. If no longer required, data should be disposed of. Refer to Records Retention Policy and Schedule for further detail.
DISCLOSURE TO THIRD-PARTIES
We may disclose your personal data to third parties, where this is permitted under the JDPA. Those third parties include the entities or persons identified on the List of Third Parties document, located on the NEPA Website.
If NEPA discloses your personal data to a third party, it will take reasonable steps to ensure that the third party handles your personal data in the same manner as NEPA and in accordance with the JDPA. NEPA imposes privacy obligations on all contracting parties, including in its funding deeds, service contracts, data sharing arrangements and commercial agreements.
Cross Border Transfers
NEPA may disclose personal data to overseas recipients in limited circumstances, where this is reasonably necessary for, or directly related to, our work. This may include, for example, disclosure to peer reviewers anywhere in the world where appropriate scientific expertise exists, or to a foreign government or agency.
If it is likely that your personal data will be disclosed to an overseas recipient, we will take reasonable steps to notify you, and we will only disclose the information to the overseas recipient as permitted under the JDPA. We will also take reasonable steps to ensure the overseas recipient treats your personal data in accordance with the applicable provisions under the JDPA, such as through our standard contractual clauses, Data Processing Agreements or binding corporate rules, where applicable.
PRIVACY RIGHTS AND CHOICE
Data Subjects have rights under the Act. These include:
| Your Right to | What does this mean? |
| --- | --- |
| Be Informed | You have the right to know whether we process your personal data |
| Access | You have the right to request all Personal Data we have collected about you, if any |
| Data Portability | You have the right to request the transfer of your Personal Data in a commonly used machine-readable format to another data controller that determines the purposes and means for which Personal Data is processed |
| Consent | You have the right to consent to the processing of your personal data. Where you have provided us with your consent, you also have the right to withdraw such consent at any time |
| Prevent Processing | You can tell us when you do not want your Personal Data to be processed on our grounds for legitimate interest, unless our reasons for undertaking that processing outweigh any prejudice to your data protection rights |
| Automated Decision Making | You have the right to ensure that no decision having significant impact on you, the data subject, is made solely by automated means |
| Rectification | You have the right to change any errors or omissions in the Personal Data we have collected about you |
ACCOUNTABILITY AND REVIEW
This Privacy Policy is reviewed and updated annually. Any updated version will be available on NEPA’s website. NEPA must develop mechanisms to:
- oversee compliance with this Policy; and
- provide individuals with a method, subject to reasonable limitations and conditions, to:
  - request information regarding the individual’s Personal Data Processed by NEPA; and
  - seek redress if the individual reasonably believes that the individual’s Personal Data has been Processed in violation of this Policy.
EFFECTIVE DATE
This policy is effective as of September 2025.
RELATED DOCUMENTS
a. Data Subject Access Request Policy
b. Incident Response Policy
c. IT and Acceptable Use Policy
d. IT Remote Access Policy
QUESTIONS ABOUT POLICY
Questions regarding this Policy should be addressed to the Data Protection Officer via email at Dataprotection@nepa.gov.jm.
History of Changes
| Revision Date | Revision Number | Changes | Revised By |
| --- | --- | --- | --- |
| | | | National Environment and Planning Agency |