Barclay seeking to ramp up localised focus of data protection law
Information commissioner says controllers not ready to ensure compliance, most subjects still unaware of law and their rights
Nearly four years after the enactment of the Data Protection Act (DPA) in Jamaica, the island’s data protection regime remains primarily functional at just the national level and is not yet as localised as it would have been expected to be by now. Data controllers are still not ready to ensure compliance, and many subjects remain unaware of the law and its provisions.
That was the picture of the current state of data protection affairs in the island painted by Jamaica’s Information Commissioner Celia Barclay yesterday as she delivered the keynote address during a ceremony commemorating Data Privacy Day at the University of Technology (UTech) in St Andrew.
Since the passage of the legislation, the Office of the Information Commissioner (OIC) has itself been without enforcement capabilities, rendering it powerless to enforce any aspect of the legislation where data breaches occur.
In delivering her address, Barclay said some Jamaicans were far more aware of their rights since the law came into effect, and were unwilling to put up with breaches, but a large majority remain for the most part unaware.
“Jamaica’s data protection regime is still in a national state, and data controllers are not ready for compliance as data subjects remain largely unaware of the Data Protection Act, and the right they have under it. That is why, this year, the Office of the Information Commissioner is commemorating Data Protection Day under the theme, ‘Your data is power, Defend your rights, secure your future’,” she told the audience.
DATA CONTROLLERS’ RESPONSIBILITIES
Data controllers are persons who, or entities that, decide how and why personal data is processed. They are responsible for the processing of personal data and must ensure it is done in accordance with the country’s law.
According to Barclay, over the past three years her office has primarily, but not exclusively, focused on data controllers, and the obligations the act imposes on them.
She said her office would this year be seeking to increase focus on the data subjects – the people – the act was passed to protect.
Barclay noted that it was the objective of the OIC to educate and empower data subjects and, through this process, it is hoped that they will make sure their data is protected. It is also the mandate of the office, she reinforced to the gathering, to make sure data controllers comply with the act.
She said the process requires organisations to consider the rights of data subjects to privacy, and must be enmeshed with the needs and interests of the organisations in carrying out their business.
In seeking to increase efficiency in business processes, entities may gather more personal data and store it for longer than particular transactions require or use it for purposes not contemplated at the time when the data subjects gave consent. This is sometimes done in the quest to increase marketing capabilities in order to grow businesses and drive profit.
According to Barclay, a balance must be sought, as this becomes increasingly difficult the higher the profit motive.
The key compliance requirement under the DPA, she said, should be well known by all and includes the appointment of a data protection officer who must register with the OIC, as a data controller.
There is also a requirement for the submission of a data protection impact assessment (DPI) to identify and assess potential risks arising from processing personal data, but the requirement is not yet in effect. The submission should be within 90 days at the end of the calendar year.
Breaches must be reported as soon as possible and steps taken to ensure that corrective actions are taken and the matter reported to the OIC.
She noted that small entities with even smaller budgets will face challenges, but she encouraged them to start somewhere.
As information continues to evolve, she said, there may be no such thing as perfect compliance, but the key is making an effort towards achieving compliance.
Controllers must also adhere to the eight data protection standards.
They are:
Fairness and Lawfulness - personal data must be processed fairly and lawfully;
Purpose Limitation - data should only be collected for specified, explicit, and legitimate purposes and not processed in ways incompatible with those purposes;
Data Minimisation - only the necessary amount of personal data should be collected for the intended purpose;
Accuracy - personal data should be accurate and kept up to date;
Storage Limitation - data should not be kept for longer than necessary;
Rights of the Data Subject - data processing must respect the rights of the data subject;
Implementation of Technical and Organisational Measures - appropriate technical and organisational measures must be taken to protect personal data;
Cross-Border Transfers - transferring data outside of Jamaica requires ensuring adequate protection for data subject rights in the receiving country.