GENERAL PRIVACY STATEMENT

ALL STAKEHOLDERS

 

  1. Introduction

The privacy and protection of our stakeholder’s data/information matters to the JUTC. As a Company that collects and use personal information as part of our business processes, JUTC understands our obligations to all our internal and external customers (referred to as data subjects under the Data Protection Act) whose personal data, including sensitive personal data, in or which may come into our possession, and we are committed to protecting your privacy, keeping your personal information safe and ensuring the security of your data.

This statement offers details on the gathering, processing, and storage of personal data, including sensitive personal information. It will be reviewed alongside other privacy statements tailored to various categories of data subjects, which may be periodically created.

The JUTC in conducting its business will from time to time collect and process personal data for data subjects under one of the following categories:

  • Customers/Smarter Card holders
  • Suppliers/contractors
  • Sub- franchise Operators
  • Third Parties
  • Employees
  1. What is Required?
  2. That there is lawful and fair data processing which involves fulfilling contractual obligations, complying with legal requirements, and safeguarding vital interests.
  3. That data usage is restricted to specified purposes and reasons.
  • Emphasis on maintaining data accuracy and currency while avoiding unnecessary retention.
  1. Data processing must align with the rights of data subjects.
  2. Organizations must implement measures to prevent unlawful or unauthorized access, use, loss, or destruction of data.
  3. Data should not be transferred outside Jamaica unless specific criteria are met.

 

  1. Definitions
  2. Personal data is any information, whether electronic or hard-copy, that relates to an identified or identifiable individual. Different pieces of information that may lead to the identification of a particular person, also constitute personal data.
  3. Sensitive Personal data refers to specific categories of data such as biometric or genetic data as well as information relating to a person’s racial origin; political opinions; religious or other beliefs; physical or mental health; sexual life; criminal convictions, or the alleged commission of an offence; trade union membership etc.
  • Data subjects means a named or otherwise identifiable individual whose personal information is being collected and or processed/used.
  1. Data Controller– A person or public authority, who processes and determines the purposes and manner in which any personal data are, or are to be processed.
  2. Data Protection Officer -an appropriately qualified person appointed by the Data Controller, responsible for independently monitoring the data controller’s compliance with the provisions of the Data Protection Act.

 

  1. What is Collected?

JUTC will collect, store and process data necessary to facilitate the conduct of business as follows:

  • Customers/SmarterCard holder

From customers who acquire or seek to acquire a bus card (SmarterCard) or reserve charter services, we will collect information such as name, address, telephone number, email address, age and or proof of age (for concession cards).

  • Suppliers/contractors

From our suppliers, service providers, contractors and other persons doing business with the Company, we will collect name, TaxPayer Registration Number, (TRN) address, telephone number, email address, tax compliance certificate and banking details.
For merchants seeking approval from the JUTC to top-up smarter cards for customers via POS systems, we will gather the following information: the company name, company documents, contact email, Proof of Address for the business owner, and a police record.

 

  • Sub-franchise Operators

From applicants for sub-franchise licences we will collect TRN/ driver’s licence details, address, telephone number, email address, vehicle and or company details and police record.

  • Third Parties

This category includes persons who may be involved in an accident with vehicles owned and operated by the JUTC, or other individuals who may lay a legal claim against the JUTC, and will be required to provide the Company with name, date of birth, contact details, motor vehicle details, driver’s licence/TRN and sensitive data such as medical reports.

  • Employees

From employees the Company will collect both personal and sensitive personal data such as name, date of birth, address, contact details, gender, banking information, marital status, next of kin, medical and police records and education/academic qualifications.

The gathering and processing of the previously stated data from both employees and their dependents are essential for managing various aspects of staffing, including recruitment, employee selection and placement, staff development, awards, registration for group health and life insurance coverage, participation in pension/retirement schemes, compensation, welfare benefits, security matters, and fulfilling obligations such as tax payments and other statutory and legal requirements. Further details are stated in the JUTC’s HR Privacy Statement.

 

  • Information Collected automatically

Closed Circuit Television Systems (CCTV) are installed across our premises to uphold the security and safety of our staff, customers and visitors. This includes all locations affiliated with JUTC. Additionally, our websites may capture personal and usage information for certain data subjects such as customers and sub-franchise operators.

 

  1. How is the data collected?
  • Employee Data Collection:

Employee data will be gathered manually through a standard form, overseen by duly authorized personnel specifically assigned to the Human Resources Department.

 

  • Applicant Data for Sub-Franchise Licenses:

Data concerning applicants for sub-franchise licenses will be acquired either electronically via the JUTC portal on the Company’s website or through duly authorized employees designated to the Service Planning Department.

 

  • Charter Services Processing Data:

Data related to the processing of charter services will be electronically collected through the JUTC portal on the Company’s website or by duly authorized employees designated to the Marketing and Sales Department, Customer Service, or Ticket Offices at Spanish Town, Downtown, Greater Portmore, or Half Way Tree.

  • Supplier, Contractor, or Service Provider Information:

Information pertaining to suppliers, contractors, or other goods and service providers will be collected by duly authorized staff assigned to the Procurement or Finance Department.

 

  • Third-Party Data Collection:

Data from third parties will be collected by duly authorized personnel specifically assigned to the JUTC Internal Accident and/or Legal Department.

 

  1. Legal Bases for processing Personal Data
  • User Consent: We will always seek your explicit, informed, and voluntary consent before handling your Personal Data, unless obtaining consent is not feasible. In cases where it is impossible to secure your consent but processing your Personal Data is necessary (e.g., due to legal obligations, safeguarding vital interests, public interest, or aiding in the administration of justice), we may proceed. You have the option to withdraw your consent at any time through the same method it was initially provided or by reaching out to our Data Protection Officer, Racine Weir-Rattray at rwrrattray@jutc.com.jm or 876-749-3192-9 ext. 66210
  • Contractual Obligation: We may engage in processing your Personal Data when considering entering into a contract with you or to fulfil our existing contractual commitments to you.
  • Legitimate Interest: Our processing of your Personal Data is driven by the legitimate interest of efficiently delivering and promoting our services to you. However, we will refrain from processing your personal data if it poses a potential risk to your rights, freedoms, and vital interests.
  • Public Interest: We will process your personal data if it is necessary for the performance of a task carried out in the public interest. In line with our dedication to promoting education access, social fairness, environmental responsibility, and children’s well-being, we gather basic personal details from children, such as their names and dates of birth. This data is essential for administering concession cards, which enable affordable transportation services throughout Kingston, St. Andrew, and St. Catherine. Our initiative is firmly grounded in serving the community’s best interests, ensuring that every child can readily access transportation for educational and social engagements. While we acknowledge the significance of this service, we uphold strict adherence to data protection regulations to safeguard privacy rights.
  • Legal Obligation: There may be instances where we must process your Personal Data to comply with legal requirements. This could involve processing information about criminal convictions for investigating suspected financial crimes, fraud, and threats, and sharing data with law enforcement and regulatory bodies. We are also legally obligated to assess the affordability and suitability of credit for loan and other credit applications throughout the relationship.Top of Form

 

  1. Usage of Data

Data collected from all categories of data subject will be used strictly for the purpose it was collected, and will not be shared with any internal or external party, unless we are legally obligated to do so, or the specific data subject has consented to the sharing of the information.

 

  1. Storage/Retention of Data

All personal data will be stored in securely locked filing cabinets in the respective departments and/or on the Company’s server system which is protected by encryptions and firewalls.

 

  1. Retention Period

The JUTC commits to not storing data longer that is necessary as provided in law and other Government of Jamaica rules for the purposes of statutory obligations, accounting, reporting and or auditing purposes.

 

Therefore:

  • Personal Data collected for purposes related to the performance of a contract between the data subject and the controller shall be retained until such contract has been fully performed.
  • Personal Data collected for the purposes of the data controller’s legitimate interests shall be retained as long as needed to fulfil such purposes.

 

JUTC may be allowed to retain Personal Data for a longer period whenever the data subject has given consent to such processing, as long as such consent is not withdrawn. Furthermore, JUTC may be obliged to retain Personal Data for a longer period whenever required to fulfil a legal obligation or upon order of an authority. Once the retention period expires, Personal Data shall be deleted. Therefore, certain rights cannot be enforced after expiration of the retention period.

 

  1. Disclosure/Sharing/Transfer of Data

The JUTC by law, may be required to provide elements of your data to the police or other regulatory or statutory body if so requested, for the purpose of: (a) the prevention, detection, or investigation of crime; (b) the apprehension or prosecution of offenders; or other law enforcement activities.

Other than in the circumstances as above, JUTC will not share or transfer data to any third party without the data subject consent, except for the direct purpose it was collected as listed below:

 

  1. Sub-Franchise Operators

Personal data collected from sub-franchise operators will be shared with the Transport Authority. Data collected from third parties will be shared with the Company’s insurers (Marathon Insurance Brokers) and legal team.

  1. Employees
  • Data collected from employees will be shared with insurance providers for group health (Canopy Insurance) group life (Sagicor) pension (Guardian Life) and statutory bodies such as the National Insurance Scheme, Tax Administration and the National Housing Trust.
  • Employee may provide banking details to the Human Resource Department, which will be shared with the Payroll Department to facilitate salary payments.

 

  • Internal Transfer
  • Data collected may also be shared or transferred internally among other authorized members of staff, who may be required to process data for the purpose it was collected; for example, a supplier may provide banking details to the Procurement Department, that data will be processed by Accounts Payable in order that we are able to remit payment.

 

  1. Our Website

The website which is hosted and managed by the Jamaica Information Service (JIS), not only offers information to viewers but also allows customers to book and pay for charters as well as Sub-Franchise License Application and Renewal. These cloud-based applications are protected by firewall and Secure Sockets Layer (SSL) encryption is used within website communication.  Additionally, all data is stored in a secure database with the latest and very effective and efficient layers of protection to which only JUTC website administrators have access. In order to access our privacy statement in regards to our website, you can visit www.jutc.gov.jm.

 

  1. Data Security

The protection of personal data is of paramount importance to us at JUTC. We are dedicated to consistently employing established and accepted methods to secure all data within our possession. It is crucial to recognize that, despite our best efforts, no method can claim to be 100% failsafe.

However, we have implemented a series of measures to bolster data security, emphasizing transparency and diligence in our approach.

 

  • Continuous Staff Training:

JUTC commits to ongoing internal data security protocols and procedures training for all staff levels. The goal is to ensure that document use is treated with the utmost security and confidentiality.

  • Electronic Access Governance:

Electronic access is strictly governed by user rights. Only authorized users with specific access permissions can interact with different programs, software, or files.

  • Access Based on Position:

Employment notifications from the human resource department determine users’ rights and access to data files and applications based on their position. For instance, only human resources staff can access the HRD system or files stored on the server, with varying levels of access determined by the staff’s position.

  • Administrative Management:

Systems Administrator, through Windows Active Directory, manages access to HRD files. Individual system administrators, assigned based on position, manage each system of access (e.g., Human Resource Management, ACCPAC).

  • Security of Internal Systems:

All internal systems utilize secure databases. Firewall and anti-virus software protect system traffic, ensuring an additional layer of security.

Top of Form

 

  1. Data Subject Rights

JUTC pledges to adhere to legal standards in respecting the rights of all individuals whose data is processed by the company.

Every individual whose personal information is collected and processed by the JUTC, referred to as data subjects, possesses specific rights under the Data Protection Act. These rights include:

  • Right to be informed about how your personal data is being processed;
  • Right to request access to your personal data;
  • Right to consent and withdraw consent;
  • Right to request the correction of your personal data;
  • Right to object to the processing of your personal data;
  • Right to require that your personal data is not subject to automated decision-making only;
  • Data subjects also has the right to make a report or contact the Office of the Information Commissioner with concerns or complaints concerning how your personal data shared with the JUTC.

 

If you wish to exercise any of the rights set out above, please contact our Data Protection Officer.

Please note that if you contact us to do any of the things listed above, we may require you to provide sufficient personal data to allow us to identify you. However, this personal data will only be used for this purpose. If you contact us to exercise these rights, we will respond to your request within thirty (30) days.

If we are unable to fulfil a request from you to exercise one of your rights, we will write to you to explain the reason for refusal.

 

  1. Children’s Privacy

Our services (excluding smarter cards) are not offered to persons under the age of 18 without parental or guardian consent. Any such information that is in breach of this provision will be deleted. If you become aware that a child has provided us with information without parental or guardian consent please contact our Data Protection Officer.

Concession Smarter Cards for Children

Public Interest: In accordance with our commitment to promoting access to education, social equity, environmental sustainability, and child welfare, we process minimal children’s personal data, such as their names and date of birth. This processing is integral to administering concession cards designed to offer affordable transportation services within the Kingston, St. Andrew and St. Catherine area.

Our initiative is firmly rooted in the public interest, seeking to ensure that every child has access to essential transportation for educational and social activities. While we acknowledge the public interest served by this service, we prioritize compliance with data protection regulations. As such, we are dedicated to upholding the highest standards of privacy and security.

In light of processing concession Smarter Card, students will be able to request refunds, blacklist lost cards, or obtain replacements. This supports the public interest objective of ensuring children’s access to our bus services through the Smarter Card system. It’s important to highlight that users of smarter or concession cards cannot possess two cards simultaneously unless one has been blacklisted.

 

  1. Notifiable Data Breaches

We take data breaches very seriously. We will endeavour to meet the 72-hour deadline as required by the Data Protection Act to report any data breach to the Information Commissioner. Further, where there is likely to be a high risk to your rights being breached, then we will endeavour to contact you without undue delay.

Our report will inform you of:

  • the nature of the security breach;
  • the measures taken or proposed to be taken to mitigate or address the possible adverse effects of the breach; and
  • the name, address and other relevant contact information of our Data Protection Officer or other designated representative.
  • We will review every incident and/or breach and act to prevent future incidents or breaches.

 

  1. Contact Us

Should you have any inquiries or comments regarding this Privacy Statement, or if you wish to file a complaint, please reach out to our Data Protection Officer using the contact information provided below:

 

Mrs. Racine Weir-Rattray

rwrattray@jutc.com.jm

 (876) 749-3192-9 ext.66210

 

If you are not satisfied with the way that we have handled your complaint, you have the right to raise the matter with the Information Commission using the contact details below:

Information Commissioner’s Office

The Masonic Building (2nd Floor)

45-47 Barbados Avenue

Kingston 5, Jamaica

Telephone (876) 920-4390

Email address: info@oic.gov.jm

 

“Thank you sincerely for entrusting us at JUTC with your valuable information.”