Project Name: Intellibus Hackathon 2025
Prepared for: Intellibus (Intelligent Business Platforms LLC)
Prepared by: Design Privacy Limited
Date: March 13, 2025
Version: 1.0
This document contains confidential and sensitive information regarding the processing of personal data for the Intelligent Business Platforms LLC. It is intended solely for authorized personnel involved in data protection and compliance oversight. Unauthorized access, distribution, or disclosure of this document is strictly prohibited.
For inquiries related to this DPIA, please contact:
Chukwuemeka Cameron
intellibusdpo@designprivacy.io
The Intellibus Hackathon 2025 is a coding initiative designed for high school and college students with an interest in computer science and application development. The event aims to identify and recruit talented candidates for potential employment with Intellibus.
The hackathon is promoted through participating schools, newspaper articles, TV coverage, social media, and word of mouth. Participants will learn more about the event via an official website and register through DevPost, a third-party data processor. During the event, participants will be assigned to teams via table numbers, and winners will be selected based on their performance.
Selected winners will receive financial prizes or job opportunities with Intellibus. Post-event, participants may receive communications about future events and opportunities.
The processing of personal data impacts multiple stakeholders, each with distinct concerns regarding privacy and security:
| Stakeholders | Impact |
|---|---|
| Participants (students, job applicants) | Their personal and potentially sensitive data will be collected, stored, and processed. |
| Parents/Guardians | May provide consent if participants are minors. |
| Intellibus | Will process participant data to identify potential hires. |
| Third-Party Service Providers (Google, DevPost) | Handle data storage and registration functions. |
| Regulatory Bodies | Must ensure compliance with data protection laws in Jamaica, the US, and applicable international laws. |
Personal data will be collected and used for the following purposes:
| Processing Activity | Data Collected |
|---|---|
| Registration and verification | Name, age, education, email, online identifiers. |
| Event participation | Team numbers assigned for anonymized tracking. |
| Evaluation and assessment | Coding submissions linked to team numbers. |
| Winner identification and prize processing | Names and financial details (for prize winners). |
| Recruitment | Additional personal details (from job offer recipients). |
| Post-event communication | Name, email (for AI Academy and future events). |
The processing of personal data within this project must adhere to applicable privacy and data protection laws, including:
As Intellibus operates across multiple jurisdictions, cross-border data transfers require appropriate safeguards to ensure compliance with applicable data protection regulations.
The processing of personal data for the Intellibus Hackathon 2025 is necessary to achieve the following objectives:
Given the nature of the event, collecting and processing personal data is essential to fulfill these purposes. However, appropriate safeguards are to be implemented to minimize data collection, limit access, and ensure compliance with the Jamaica Data Protection Act (JDPA) 2020.
The processing of personal data in this initiative is justified under the following provisions of the Jamaica Data Protection Act (JDPA) 2020:
| Processing Activity | Lawful Basis (JDPA Reference) | Justification |
|---|---|---|
| Registration and verification | Section 23(1)(d) - Legitimate Interest | Required to authenticate participants and ensure fair competition. |
| Event participation (team assignment, evaluation) | Section 23(1)(b) - Performance of a Contract | Participants agree to event terms and conditions. |
| Winner identification and prize processing | Section 23(1)(b) - Performance of a Contract | Necessary to fulfill financial obligations to winners. |
| Recruitment of top participants | Section 23(1)(d) - Legitimate Interest | Intellibus seeks to identify and offer employment opportunities to top talent. |
| Post-event communication (AI Academy, future events) | Section 23(1)(a) - Consent | Participants will be given an opt-in option for further communications. |
For financial data processing (prize winners) and additional personal details for job offers, explicit consent will be obtained as an additional safeguard under Section 23(1)(a) of the JDPA.
If biometric data (e.g., facial recognition for authentication) or other special category data is collected, an additional lawful basis is required under Section 30 of the JDPA.
| Sensitive Processing Activity | Lawful Basis (JDPA Reference) | Justification |
|---|---|---|
| Collection of biometric data (if applicable) | Section 30(1)(a) - Explicit Consent | Participants must provide written consent before collection. |
| Processing of financial data for prize distribution | Section 30(1)(e) - Legal Obligation | Required for tax and financial reporting. |
Intellibus applies data minimization principles to ensure that only necessary data is collected and used for clearly defined purposes:
Under the Jamaica Data Protection Act (JDPA) 2020, participants have the following rights:
To ensure transparency, participants will be informed about their data rights during registration, with a clear point of contact for data inquiries:
Data Protection Officer (DPO): Chuk Cameron
Email: dpo@designprivacy.io
The Intellibus Hackathon 2025 must comply with the Jamaica Data Protection Act (JDPA) 2020, which outlines key privacy principles and requirements for the processing of personal data. The following table maps the applicable privacy requirements to relevant sections of the JDPA, along with the compliance measures that Intellibus must implement.
| Requirement | Description | Relevant Section in JDPA | Compliance Measures |
|---|---|---|---|
| Lawful Basis for Processing | Personal data must only be processed under a valid legal basis, such as legitimate interest, consent, or contract performance. | Section 23(1) | Identify and document the legal basis for all processing activities. Obtain explicit consent where required (e.g., for post-event communications). |
| Processing of Special Category Data | Processing biometric data (photos) or financial data requires an additional lawful basis. | Section 30(1) | Ensure explicit consent is obtained for participant photos. Implement encryption and strict access controls for financial data. |
| Data Minimization | Only the minimum necessary personal data should be collected and processed. | Section 12(1)(b) | Use pseudonymization for team assignments. Collect only required personal data for registration and participation. |
| Purpose Limitation | Personal data should only be used for the purposes stated at the time of collection. | Section 12(1)(c) | Define clear data usage policies. Prevent function creep by restricting data use beyond stated purposes. |
| Transparency & Right to Be Informed | Participants must be provided with clear information about how their data is processed. | Section 6(1)(a) | Provide a privacy notice during registration. Ensure participants understand how their data will be used. |
| Data Item / Information Asset | Privacy Risks | Potential Impact | Mitigation Measures |
|---|---|---|---|
| Personal Identifiers (Name, Age, Email, Address, Education, Employment Details) | Identity theft, unauthorized access, phishing | Participants' personal details could be exposed in a data breach, leading to fraud or misuse. | Encrypt personal data at rest and in transit; restrict access to authorized personnel; implement multi-factor authentication for data access. |
| Online Identifiers (Email, Social Media Handles) | Unwanted contact, impersonation, phishing attacks | Exposure of email addresses or social media profiles could lead to spam, fraud, or impersonation. | Limit visibility of social media handles; restrict sharing of participant contact details without consent. |
| Financial Information (Bank Account Details of Prize Winners) | Fraud, unauthorized financial transactions, identity theft | Unauthorized access to financial data could lead to fraud or financial loss for winners. | Store financial data in a segregated and encrypted environment; restrict access to finance team only; use secure payment gateways. |
| Photo Uploaded During Registration (Biometric Data) | Unauthorized use, facial recognition misuse | If photos are shared or misused, participants may face privacy violations or reputational risks. | Ensure that photo uploads are optional and used only for identification during the event; restrict public visibility of participant photos; delete photos after event conclusion unless consent is given for retention. |
| Team Number Assignments (Pseudonymized Identifiers for Event Participation) | Re-identification risk, data correlation | Even pseudonymized data may be linked back to participants if additional information is exposed. | Ensure that personal identifiers are stored separately from team numbers; implement strict role-based access controls. |
| Coding Submissions and Evaluations | Unfair profiling, bias in evaluations | Use of coding performance data for unintended profiling could lead to discrimination. | Ensure transparency in evaluation criteria; conduct bias reviews in selection algorithms. |
| Post-Event Communications (Emails for Future Events, AI Academy Invitations) | Unsolicited communication, spam, violation of opt-out rights | Participants may receive unwanted communications or have their email addresses shared without consent. | Implement a clear opt-in mechanism; provide easy opt-out options in all communications. |