Your strata corporation maintains a register of proprietors with names, addresses, phone numbers, and lot information. Your guard booth collects visitor identification details and vehicle registrations. Your accounting system tracks who owes what and who has paid. Your AGM minutes record which proprietors attended, how they voted, and what disputes were raised.
Under the Data Protection Act of Jamaica, 2020, all of this is personal data. And your strata corporation — as the entity that determines why and how this data is collected and used — is a Data Controller with legal obligations to protect it.
Most strata corporations have not considered this. They should.
The Data Protection Act 2020
Jamaica’s Data Protection Act establishes eight data protection standards that every organisation handling personal data must follow:
- Fairness and lawfulness — data must be collected and processed fairly, with a lawful basis
- Purpose limitation — data must be collected for specified, legitimate purposes and not used beyond those purposes
- Data minimization — only the data necessary for the stated purpose should be collected
- Accuracy — personal data must be kept accurate and up to date
- Storage limitation — data should not be kept longer than necessary
- Data subject rights — individuals have rights over their personal data
- Technical and organizational security — appropriate measures must protect data from unauthorized access, loss, or damage
- Lawful cross-border transfers — data transferred outside Jamaica must receive adequate protection
These are not aspirational guidelines. They are legal requirements with enforcement provisions.
Your Corporation as Data Controller
A Data Controller is the entity that determines the purposes and means of processing personal data. For a strata corporation, this means the corporation itself — through its executive committee — is the Data Controller for:
- Proprietor data: names, addresses, contact information, lot details, household composition
- Financial data: maintenance fee balances, payment histories, arrears records, invoices
- Visitor data: names, identification numbers, vehicle details, entry and exit records
- Governance data: AGM attendance, voting records, committee membership, complaint records
- Employee data: if the corporation employs security guards, cleaners, or maintenance staff
The corporation is responsible for ensuring this data is collected lawfully, stored securely, used only for legitimate purposes, and protected from unauthorized access.
What Your Corporation Probably Gets Wrong
Most strata corporations handle personal data casually. This creates compliance risks that few board members recognise.
The Guard Booth Problem
The most visible data protection failure in most Jamaican gated communities is the guard booth logbook. Every visitor who enters signs a book that is visible to every subsequent visitor. Names, identification numbers, vehicle details, and the unit being visited are all exposed to anyone who walks up to the booth.
This is a data protection failure on multiple levels. Visitor identification data is being exposed to unauthorised third parties. There is no purpose limitation — the logbook serves security but the data is accessible to anyone who glances at it. There is no storage limitation — logbooks sit in guard booths indefinitely.
The WhatsApp Problem
Many strata corporations use WhatsApp groups for management communication. When delinquent owner lists, proprietor contact details, or complaint information is shared in group chats, personal data is being disclosed to individuals who may not have a legitimate need to see it. Screenshots are taken. Messages are forwarded. There is no control over how the data is subsequently used.
The Spreadsheet Problem
Financial records maintained in unprotected spreadsheets on personal computers lack basic security controls. No access restrictions. No audit trail. No encryption. If the computer is stolen or the file is shared inadvertently, every proprietor’s financial data is exposed.
The Retention Problem
Most corporations never delete anything. Visitor logbooks from years ago sit in storage rooms. Financial records from decades past remain on old computers. Former proprietor data remains in active systems long after the person has sold their unit. Without a retention policy, data accumulates indefinitely — increasing the risk and scope of any breach.
Data Subject Rights
Under the DPA, proprietors and visitors have specific rights regarding their personal data:
Right of access. Any data subject can request a copy of the personal data the corporation holds about them. The corporation must respond within the timeframe specified by the Act.
Right to correction. Data subjects can request that inaccurate or incomplete data be corrected. If the corporation’s records show the wrong address, contact number, or household information, the proprietor has a legal right to have it fixed.
Right to deletion. In certain circumstances, data subjects can request that their data be deleted. When a proprietor sells their unit, they may request deletion of data that is no longer needed for the corporation’s legitimate purposes.
Right to object. Data subjects can object to certain types of processing — for example, the use of their personal data for purposes beyond the corporation’s core management functions.
Right to withdraw consent. Where processing is based on consent, data subjects can withdraw that consent at any time.
The corporation must have processes in place to receive and respond to these requests. Most do not.
Where Technology Providers Fit
If your strata corporation uses a software platform like FiWi Community, the technology company acts as a Data Processor — processing personal data on behalf of and under the instructions of the corporation. The corporation remains the Data Controller.
This relationship has specific implications:
- The corporation is responsible for ensuring it has lawful grounds to collect the data
- The corporation must obtain necessary consents from proprietors and visitors
- The corporation must respond to data subject requests (the Processor assists)
- The Processor must only use the data as instructed by the Controller
- The Processor must implement appropriate security measures
- The Processor must not share the data with third parties for purposes unrelated to the service
A good technology provider makes compliance easier — role-based access controls ensure only authorised persons see data, encryption protects data in transit and at rest, audit logs track who accessed what and when, and data segregation prevents one community’s data from being visible to another.
A bad technology provider — or no technology at all — leaves the corporation managing personal data with no security controls, no access restrictions, and no audit trail.
AML and Financial Crime Awareness
The REB/CSC publishes anti-money laundering and counter-financing of terrorism (AML/CFT) resources. Strata corporations that handle significant financial transactions — particularly large maintenance fee collections, special assessments, or reserve fund management — should be aware of their obligations under the Proceeds of Crime Act and the Terrorism Prevention Act.
This does not mean every strata corporation needs a formal AML programme. But executive committees should understand that the financial flows they manage are not exempt from Jamaica’s financial crime prevention framework.
Building Compliance Into Operations
Data protection compliance for strata corporations is not about hiring a data protection officer or implementing enterprise-grade security systems. It is about embedding basic data protection practices into daily operations:
Minimise collection. Do not collect more data than you need. If your visitor check-in requires a name and the unit being visited, do not also demand a national ID number unless it serves a legitimate security purpose.
Restrict access. Not everyone needs to see everything. Financial records should be accessible only to authorised committee members and the property manager. Visitor data should be accessible only to security personnel. Proprietor contact details should not be shared in open WhatsApp groups.
Set retention periods. Define how long different types of data are kept. Visitor logs from two years ago serve no current purpose. Financial records may need to be kept longer for audit requirements. Former proprietor data should be removed within a reasonable period after sale.
Secure storage. Whether paper or digital, personal data should be protected from unauthorised access. Paper logbooks should not be left open on counters. Digital records should be in access-controlled systems.
Respond to requests. When a proprietor asks what data the corporation holds about them, there must be a process to respond. This is a legal requirement, not a courtesy.
FiWi Community is built with data protection at its core. Its features include role-based access controls, AES-256 encryption at rest, TLS 1.2+ encryption in transit, comprehensive audit logging, logical data segregation between communities, and data export capabilities for portability requests. The platform acts as a Data Processor under the instructions of each community’s Data Controller, with clear delineation of responsibilities.
Data protection is not a feature to be added later. For strata corporations handling the personal data of hundreds of residents and thousands of visitors, it is a legal obligation that begins the moment the first record is created.