Time for a public data breach registry

Published: Wednesday | June 11, 2025 | 12:07 AM

THE EDITOR, Madam:

When Jamaica’s Data Protection Act came into full effect, the country took a significant step towards aligning with global privacy standards. However, this progress has been accompanied by a concerning trend: a noticeable increase in reported data breaches, as highlighted by the Office of the Information Commissioner (OIC) in February 2025. These incidents highlight both the act’s success in encouraging reporting and the urgent need for greater transparency. A public data breach registry, a centralised, openly accessible database of breaches, would address this gap and improve accountability and resilience.

The Data Protection Act (2020) mandates that data controllers report breaches to the OIC. While this has improved regulatory oversight, the surge in breaches reveals systemic vulnerabilities; cyberthreats are escalating faster than defences. Crucially, the public remains largely unaware of these incidents, undermining their ability to protect themselves and stifling broader lessons for businesses and policymakers. A public registry would empower citizens to identify sector-wide risks and hold institutions accountable.

The increase in breaches also signals that compliance alone is not enough. A public registry would incentivise organisations to go beyond minimal reporting requirements and invest in robust cybersecurity measures. Businesses could no longer dismiss breaches as ‘isolated incidents’, but would face reputational and financial consequences for negligence. This shift is critical for sectors like healthcare and financial services, where customer trust directly impacts certain outcomes.

A registry would reveal patterns, such as whether breaches stem from phishing, weak encryption, or insider threats. This intelligence could guide targeted regulations, like mandatory cybersecurity training for healthcare workers or stricter standards for government contractors.

A registry would demonstrate proactive governance, aligning with Vision 2030’s digital goals. It could also inform national cybersecurity strategies, particularly as Jamaica faces growing threats to critical infrastructure.

While transparency may seem risky, companies that openly address breaches often regain public trust faster. A registry would democratise access to breach data, enabling Jamaicans to make informed choices about whom they trust with their data.

The OIC could use registry metrics to prioritise high-risk sectors, allocate resources efficiently, and collaborate with regional bodies like CARICOM on cross-border threats.

Critics may argue that publicising breaches could deter reporting or aid cybercriminals. However, jurisdictions like the United Kingdom and several US states have shown that registries are a feasible undertaking, and that technical details can be anonymised to prevent misuse while still providing actionable insights.

SHAQUILE REID