Project Name: Intellibus Hackathon 2025
Prepared for: Intellibus (Intelligent Business Platforms LLC)
Prepared by: Design Privacy Limited
Date: March 13, 2025
Version: 1.0
Confidentiality Notice
This document contains confidential and sensitive information regarding the processing of personal data for Intelligent Business Platforms LLC. It is intended solely for authorized personnel involved in data protection and compliance oversight. Unauthorized access, distribution, or disclosure of this document is strictly prohibited.
For inquiries related to this policy, please contact:
Chukwuemeka Cameron
intellibusdpo@designprivacy.io
Introduction
Intelligent Business Platforms LLC (Intellibus) is committed to protecting the personal data of its employees, customers, hackathon participants, and other stakeholders. This policy outlines how Intellibus collects, processes, stores, and secures personal data in compliance with the Jamaica Data Protection Act (JDPA) 2020. By implementing this policy, Intellibus ensures that personal data is handled lawfully, transparently, and securely while respecting the rights of data subjects.
Purpose
The purpose of this policy is to establish clear guidelines for the processing of personal data in accordance with the JDPA 2020. It aims to:
- Define how personal data must be collected, stored, and used within Intellibus.
- Ensure compliance with applicable data protection laws and best practices.
- Safeguard the privacy rights of employees, customers, hackathon participants, job applicants, and vendors.
- Provide a framework for handling data security risks, breaches, and retention policies.
Scope
This policy applies to all personal data processed by Intellibus, including data collected in electronic and manual formats. It covers:
- All employees, contractors, and third-party service providers who handle personal data on behalf of Intellibus.
- Hackathon participants, job applicants, customers, and vendors whose personal data is processed.
- Information systems, databases, cloud storage, and physical files used in business operations.
Regardless of their role, all individuals within the organization must adhere to this policy when handling personal data.
Definitions
For the purposes of this policy, the following definitions apply:
- Personal Data refers to any information that can be used to identify an individual, such as name, email address, phone number, or online identifier.
- Sensitive Personal Data includes biometric data (such as participant photos), financial information, or any data categorized as sensitive under the JDPA 2020.
- Data Subject refers to any individual whose personal data is collected or processed by Intellibus.
- Data Controller refers to Intellibus, which determines the purpose and means of processing personal data.
- Data Processor refers to third-party entities that process personal data on behalf of Intellibus.
- Processing refers to any action performed on personal data, including collection, storage, use, transfer, or deletion.
Data Protection Principles
Intellibus adheres to the following eight data protection principles as outlined in the JDPA 2020:
- Lawfulness and Fairness – Personal data must be processed lawfully and fairly. Intellibus ensures that all data processing activities comply with legal requirements.
- Purpose Limitation – Data shall only be collected for specific, legitimate purposes and not used beyond its original intent.
- Data Minimization – Only the necessary amount of personal data should be collected to fulfill business or legal obligations.
- Accuracy – Personal data must be kept accurate and up to date. Data subjects have the right to request corrections if errors are identified.
- Storage Limitation – Personal data shall not be retained longer than necessary for its intended purpose. Retention periods must align with regulatory requirements.
- Integrity and Confidentiality – Intellibus implements appropriate security measures to prevent unauthorized access, data breaches, and loss of data.
- Accountability – The organization takes responsibility for ensuring compliance with data protection laws and internal security protocols.
- Transparency – Individuals must be informed about how their personal data is collected, stored, and used.
Responsibilities
Responsibilities of Intellibus as Data Controller
As a Data Controller, Intellibus must ensure that personal data is processed in accordance with the JDPA 2020. The company is required to:
- Register with the Office of the Information Commissioner (OIC) to ensure compliance.
- Appoint a Data Protection Officer (DPO) to oversee and enforce data protection measures.
- Implement policies and procedures that align with data protection standards.
- Report any data breaches to the OIC within 72 hours of becoming aware of an incident.
- Conduct annual Data Protection Impact Assessments (DPIAs) to assess risks and mitigate potential threats.
Responsibilities of the Board of Directors
The Board of Directors is responsible for ensuring that Intellibus maintains full compliance with this policy and applicable laws. The Board must:
- Oversee the development and implementation of data protection strategies.
- Ensure adequate resources and training are allocated for data security measures.
Responsibilities of the Data Protection Officer (DPO)
The DPO serves as the primary authority on data protection matters and is responsible for:
- Monitoring compliance with the JDPA 2020.
- Handling data subject access requests and complaints.
- Conducting regular audits and impact assessments.
- Reporting non-compliance issues to the Board of Directors.
Responsibilities of Employees and Contractors
All employees and contractors must:
- Follow this policy and data security procedures when handling personal data.
- Complete annual data protection training to stay informed of compliance requirements.
- Report any suspected data breaches or unauthorized access to the DPO immediately.
Data Collection and Processing
Intellibus collects and processes personal data for specific business and operational needs. The legal basis for processing includes:
Processing Activity | Legal Basis (JDPA Section) |
---|---|
Hackathon registration and participation | Legitimate Interest (Section 23(1)(d)) |
Job applicant data processing | Performance of Contract (Section 23(1)(b)) |
Prize payment processing | Legal Obligation (Section 30(1)(e)) |
Marketing communications | Consent (Section 23(1)(a)) |
Data Security Measures
To protect personal data, Intellibus implements:
- Encryption for sensitive data to prevent unauthorized access.
- Access controls that limit data access based on role-based permissions.
- Secure storage methods for both electronic and physical records.
- Regular audits to assess and improve security controls.
- Data Processing Agreements (DPAs) with third-party vendors to ensure compliance.
Data Retention and Disposal
- Hackathon registration data will be retained for six months after the event.
- Financial records will be stored for seven years for tax and audit compliance.
- Employee records will be retained for the legally required period.
- Secure data disposal procedures must be followed, including shredding and permanent deletion.
Handling Data Breaches
If a data breach occurs, Intellibus will:
- Notify the OIC within 72 hours of detecting the breach.
- Inform affected individuals if there is a high risk to their privacy.
- Investigate the breach, apply corrective actions, and document lessons learned.
Non-Compliance and Disciplinary Action
Failure to comply with this policy may result in:
- Disciplinary action, up to and including termination of employment.
- Legal consequences, including regulatory fines under the JDPA 2020.
Review and Updates
This policy will be reviewed annually or as required by changes in regulatory requirements or business operations.