The Office of the Information Commissioner

Slogan: “Your Data. Your Rights. Protected!”


Overview

The Office of the Information Commissioner (OIC) in Jamaica is an independent governmental body established in December 2021 to protect the privacy and security of personal data. The OIC operates in accordance with the Data Protection Act (DPA) enacted in June 2020.


Key Functions of the Office of the Information Commissioner:

  1. Monitoring Compliance: The OIC ensures adherence to the DPA, and any accompanying Regulations made under it. 

  2. Advising the Minister: The OIC provides expert advice and recommendations to the Minister on matters related to data protection. This includes assisting in developing policies, guidelines, and regulations to enhance data privacy and security in Jamaica. The OIC is currently assigned under the portfolio of Skills and Digital Transformation in the Office of the Prime Minister (OPM). 

  3. Disseminating of Guidelines: The OIC may develop or direct the preparation and disseminate guidelines to be adhered to as good practice. These guidelines outline recommended practices and standards to be followed, ensuring the responsible handling and protection of personal data. 

  4. Promoting the observance of the DPA and Good Practices: To promote the observance of the requirements of the DPA and the following of good data protection practices. The OIC is required to raise public awareness about data protection. Through various channels such as The Gazette (Jamaica’s official legal newspaper), newspaper publications, and public engagements, the OIC provides information regarding the operation of the DPA, individuals' rights, and best practices for data controllers.


Vision Statement

To be a model for the promotion of access to information and the protection of the public’s right to data privacy through the promulgation and enforcement of best practices in the collection and processing of personal data.


Mission Statement

To promote public confidence in the privacy and protection of their personal data by advising and supporting individuals, organisations, and the Government in their compliance with local legislation and international standards and investigating and ensuring redress to complaints.


Core Values

1.Professionalism

2.Respect

3.Independence

4.Versatility 

5.Accountability

6.Transparency 

7.Efficiency


Obligations of Data Controllers under the Data Protection Act, 2020

Who is a Data Controller?

The Data Protection Act, 2020 defines a data controller as any individual or public authority that, acting alone, jointly, or in common with others, determines the reasons and means for which any personal data are, or are to be, processed. In cases where personal data are processed solely for reasons for which processing is mandated by law, the entity that is subject to the law's obligation to process the personal data is, for the purposes of this Act, a data controller.

A “person” is considered as any club, organisation, corporation, association, or other body made up of one or more people.


The Act applies to a data controller with respect to any personal data if the data controller: 

  1. is based in Jamaica or any other location where Jamaican law is applicable, and the personal data are processed in the context of that establishment.

  2. is not based in Jamaica, but uses equipment there to process personal data other than for transit through Jamaica.

  3. processes personal data of a data subject who is in Jamaica, and the processing activities are related to the offering of products or services to data subjects in Jamaica, regardless of whether the data subject must pay or the monitoring of the data subject's behaviour.


Personal Data

The Act defines personal data as information relating to a living individual or an individual who has been deceased for less than thirty years, who can be identified from that information alone or from that information and other information in the possession of, or likely to come into the possession of, the data controller. It includes any expression of opinion about that individual and any indication of the intentions of the data controller or any other person in respect of that individual.

Personal data includes a person’s name, address, email address, telephone number, TRN, location, data, etc.


Sensitive Personal Data

The Act defines sensitive personal data as data including any of the following:

  • Genetic data or biometric data.

  • Filiation, racial or ethnic origin.

  • Political opinions, philosophical beliefs, religious beliefs, or other beliefs of a similar nature.

  • Membership in any trade union.

  • Physical or mental health or condition.

  • Sex life.

  • The alleged commission of any offence by the data subject or any proceedings for any offence alleged to have been committed by the data subject.


What is meant by ‘process’?

The Act defines process as meaning obtaining, recording, or storing the information or personal data, or carrying out any operation or set of operations (whether or not by automated means) on the information or data, including—

  1. Organisation, adaptation or alteration of the information or data.

  2. Retrieving, consulting, or using the information or data.

  3. Disclosing the information or data by transmitting, disseminating, or otherwise making it available; or

  4. Aligning, combining, blocking, erasing, or destroying the information or data, or rendering the data anonymous. 


Whose personal data does the Act protect?

The Act seeks to protect the personal data of a data subject.

The Act defines a data subject as a named or otherwise identifiable individual who is the subject of personal data, and in determining whether an individual is identifiable account shall be taken of all means used or reasonably likely to be used by the data controller or any other person to identify the individual, such as reference to an identification number or other identifying characteristics (whether physical, social or otherwise) which are reasonably likely to lead to the identification of the individual.


All data controllers MUST:

  1. Register with the Information Commissioner - A data controller that processes personal data must be registered with the Information Commissioner. They are required to submit to the Information Commissioner the following information:

  1. The data controller’s registration particulars- The Information Commissioner must be informed as to any changes in those particulars.

  2. A general description of measures to be taken by the data controller to ensure compliance with the seventh data protection standard, that is, to ensure appropriate technical and organisational measures are taken –

    • Against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

    • To ensure that the Commissioner is notified, without any undue delay, of any breach of the data controller’s security measures which affect or may affect any personal data; and

  1. Where applicable, a statement of fact that the particulars provided do not include particulars in relation to –

      1. personal data processed; or

      2. data controller

of a particular description, specified by the Minister, to be excluded from the requirement to submit Registration Particulars, by Order published in the Gazette.

Registration particulars to be submitted to the Commissioner include the following:

    1. The Data Controller’s name, address, and other relevant contact information.

    2. Data Controller Representative (if appointed): Their name, address, and other relevant contact information.

    3. Data Protection Officer (If appointed): Their name, address, and other relevant contact information.

    4. Description of personal data being processed and the categories of data subjects to which they relate.

    5. Description of the purpose of the data being processed. 

    6. Description of all recipients that the data controller may disclose the data to.

    7. The names of any external States or territories that the personal data may be directly or indirectly transferred to.

    8. Where the Data Controller is a public authority, a statement of this fact.

    9. Any other information about the Data Controller required in Regulations issued by the Commissioner.


The primary address of data controllers and data controller representatives are: 

  • In the case of a registered company, its registered office.

  • In the case of an entity other than a registered company carrying on a business, is that entity’s principal place of business in Jamaica.


Fees 

  • Registration fee: To complete the registration process, data controllers are required to pay a prescribed fee. 

  • Annual fees: A data controller is also required to pay a prescribed annual fee for the maintenance of the required registration particulars of the data controller in the Commissioner’s Register. No entry shall be retained in the Register for longer than twelve months, except on the payment of the prescribed annual fee.


NB: The Regulations, which are being finalised, will provide a breakdown of the fees to be paid. The Regulations, once passed, will be published in the Jamaica Gazette. 


    1. Appoint a Data Protection Officer

A data controller must designate a Data Protection Officer in the following situations: 

a) If it is a public authority.

b) If it processes or plans to process sensitive personal data or data related to criminal convictions.

c) If it engages in extensive processing of personal data.

d) When mandated by a Commissioner's notice.


The Act establishes that a data controller shall appoint an appropriately qualified person to act as the Data Protection Officer (DPO) responsible for monitoring, in an independent manner, the data controller’s compliance with the Act.

A person will not be qualified to be appointed as a DPO if there is or is likely to be any conflict of interest between their duties as DPO and any other duties of that person.


Functions of a Data Protection Officer

  • Ensures that the Data Controller processes personal data in compliance with each data protection standard and in compliance with the DPA and good practice.

  • Consults with the Information Commissioner to resolve any doubt about how the provisions of the DPA and any regulations made under the Act are to be applied.

  • Notifies the Data Controller, immediately, that he/she has reason to believe the Data Controller has contravened a data protection standard or a provision of the Act and if he/she is not satisfied that the contravention has been rectified within a reasonable time after notification, report this contravention to the Commissioner.

  • Assists data subjects in the exercise of their rights under the Act, in relation to the Data Controller concerned.


    1. Prepare to submit a Data Protection Impact Assessment

A data controller is required within ninety (90) days after the end of each calendar year to submit to the Commissioner a Data Protection Impact Assessment (DPIA) in respect of all personal data in the custody and control of the data controller.


The DPIA must include:

  • A detailed description of the envisaged processing of the personal data and the purposes of the processing, specifying, where applicable the legitimate interest pursued by the data controller.

  • An assessment of the necessity and proportionality of the processing operations in relation to the purposes.

  • The measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with the Act, considering the rights and legitimate interests of data subjects and other persons concerned.


The DPIA form will be provided in the Regulations currently being finalised.


    1. Comply with the Data Protection Standards

The Act has established eight (8) data protection standards that each data

controller must comply with:

  1. Lawful, Fair, and Transparent Processing: Personal data must be processed lawfully, fairly, and in a transparent manner. Data subjects should be informed about how their data will be used.

  2. Purpose Limitation: Personal data should be collected for specified, explicit, and legitimate purposes and not further processed in a way that is incompatible with those purposes.

  3. Data Minimisation: Data controllers should only collect the personal data that is necessary for the intended purpose.

  4. Accuracy: Personal data should be accurate and, where necessary, kept up to date. Inaccurate data should be rectified or erased.

  5. Storage Limitation: Personal data should be kept in a form that allows identification of data subjects for no longer than is necessary for the purposes for which the data is processed.

  6. Personal data should be processed in accordance with the rights of data subjects under the Act. The rights of data subjects under the Act include the:

(a) Right to be informed.

(b) Right to access.

(c) Right to rectification.

(d) Right to erasure.

(e) Right to restrict processing.

(f) Right to data portability.

(g) Right to object.

(h) Right not to be subject to automated individual decision-making, including profiling.

  1. Implementation of appropriate technical and organisational measures

  2. Cross Border Transfers: 

Personal data should not be transferred to a State or territory outside of Jamaica unless that State or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.


    1. Report a Contravention of a Data Protection Standard or Breach of Security Measure

Data Controllers are obligated to report all contraventions of data protection standards and all security breaches to the Commissioner within 72 hours after becoming aware of the contravention or security breach.

The Data Controller is mandated to notify each data subject, whose personal data is affected by the breach of the nature of the contravention or security breach. The data subject should also be informed of the measures taken or proposed to be taken that will mitigate or address the possible adverse effects of the breach.


Exemptions to Data Subject Rights and Data Protection Standards

The Act prescribes exemptions to specific data subject rights and data protection standards art Part V and the Second Schedule of the Act.

It is recommended that these provisions be reviewed to determine which, if any, exemptions may apply to you.


Enforcement Mechanism

Failure to comply with these obligations, may leave the data controller subject to:

  • The data controller being served by the Commissioner an Enforcement Notice, Assessment Notice, Information Notice, or a Fixed Penalty Notice

  • Criminal Prosecution:

  • An individual may be subject to imprisonment or fine.

  • A body corporate may be subject to a fine not exceeding 4% of the annual gross worldwide turnover of the body corporate.

  • Civil suit – an individual who suffers damage by reason of any contravention by a data controller of any of the requirements of the Act is entitled to compensation from the data controller for that damage.



Our 8 Data Protection Standards Explained


Fairness and Lawfulness

All personal data must be processed fairly and lawfully and should not be obtained through fraudulent means. The purpose for which the data is processed should be valid. The data subject must give explicit consent to the processing of their personal data. This consent must be specific, transparent, well-informed, and given of free will.

To make an informed decision, data subjects must first be given all relevant information regarding the processing of their data. If the data subject is required to give consent before their personal information is collected, used, or disclosed for purposes other than those necessary for the supply of goods or services, then that consent is not considered as "freely given."


Purpose Limitation

Personal data should only be collected for particular and lawful purposes and must not be treated in any way that conflicts with those purposes. All organisations are required to specify their purpose for collecting the data before doing so. They are not permitted to use this data for any other purpose without first informing and obtaining the explicit consent of the data subject.


Data Minimisation

All personal data being processed should be adequate, relevant, and retained solely for that purpose. Under the DPA, organisations are only permitted to collect data that is relevant to the stated purpose for which it was collected and reasonably necessary. An excessive amount of collected personal data may lead to a privacy violation.


Accuracy

Personal data must be correct and updated as needed. Organisations are required to take the necessary measures to confirm the accuracy of the data provided.


Storage Limitation

Personal data, once processed, should not be kept for longer than is necessary for that purpose and the disposal of personal data by a data controller should be in accordance with the Regulations. 


Rights of the Data Subject

According to the Data Protection Act (DPA), a data subject is an individual who is the subject of personal data and has certain rights and protections under the DPA. Personal data refers to any information relating to an identified or identifiable natural person. This includes information such as names, addresses, phone numbers, email addresses, identification numbers, biometric data, and other identifying information. 

The DPA places a great emphasis on the protection of the rights of data subjects. It recognizes that individuals have a right to privacy and that their personal data should be protected. The DPA sets out several obligations for data controllers, who are organisations or individuals who collect, use, store, or disclose personal data, to ensure that they protect the rights of data subjects.


Under the Data Protection Act, data subjects have the following rights regarding their personal information:

  1. Right to be informed:

Data subjects have the right to be informed about the collection, use, storage, and disclosure of their personal data. The DPA mandates that data controllers must provide the data subjects with comprehensible and brief details regarding their data processing operations, which include the intention of processing, types of personal data being gathered, and any third parties who may access the information.


  1. Right to access:

Data subjects have the right to access their personal data held by data controllers. The DPA mandates that data controllers must respond to such requests within 30 days. The data subjects are authorized to request a duplicate of their personal data, details of the reasons for the processing, and any third parties who may access their data.


  1. Right to rectification:

Data subjects have the right to request the correction of incomplete or inaccurate personal data held by data controllers. The DPA requires data controllers to respond to requests for rectification within 30 days, taking reasonable steps to ensure the accuracy of the data. 


  1. Right to erasure:

Data subjects have the right to request the erasure of their personal data held by data controllers. This right allows individuals to ask for their personal data to be deleted if:

  • The personal data is no longer necessary.

  • An individual withdraws consent.

  • The personal data has been unlawfully processed.

  • The individual objects to the processing, and the data controller has no reason to continue processing.

  • Data erasure is necessary for compliance with a legal obligation. 


  1. Right to restrict processing:

Data subjects have the right to request the restriction of processing of their personal data held by data controllers. The DPA requires data controllers to respond to requests for restriction within 21 days. The Data controller is not automatically obligated to delete the data. However, they do have to refrain from processing it in certain situations: 

  • If the data is inaccurate (during the verification process).

  • If the processing is unlawful, but the individual does not want the data to be erased and requests restriction (which is different from the right to be erased).

  • The data controller no longer needs data, but the individual wants the data to be preserved so the legal claim can be exercised.

  • The organisation is taking measures to verify the data erasure request.


  1. Right to data portability:

Data subjects have the right to object to the processing of their personal data for certain reasons. Data subjects can request that their personal data be transferred to another data controller if the processing is based on consent or if it is necessary for the performance of a contract.


  1. Right to object: 

Data subjects have the right to object to the processing of their personal data at any time when it is being carried out:

  • For the performance of a task carried out in the public interest or under the official authority of the data controller.

  • For the purposes of legitimate interests pursued by the data controller or by a third party.


  1. Right not to be subject to automated individual decision-making, including profiling:

Data subjects have the right not to be subject to a decision based solely on automated processing. This includes profiling or any other practice which produces legal effects or otherwise significantly affects you.



Implementation of Technical and Organisational Measures

Personal data should be properly secured using the necessary technical and administrative measures to prevent the unauthorised or unlawful processing of the data and any accidental loss or destruction of, or damage to the data. 


These organisational measures include:

  • Pseudonymisation and encryption of personal data.

  • The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services.

  • The ability to restore the availability of, and access to, personal data in a timely manner in the event of a physical or technical incident.

  • A process for regularly testing, assessing, and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

  • Measures to ensure adherence to the technical and organisational requirements specified in the other provisions of this Act.


Cross-Border Transfers

Personal data cannot be moved to a territory or State outside of Jamaica unless that country guarantees an equal or greater degree of protection for the rights and freedoms of the individuals whose data is to be processed.

An acceptable level of protection is one that takes into consideration:

  • The type of data being or to be processed.

  • The State or territory of the final destination.

  • The laws of the State or territory.

  • The international commitments of the State or territory.

  • The security measures the State or territory has put in place.

The Act, however, imposes certain limitations on this standard such as where the data subject has consented to the transfer or where the transfer is necessary for reasons of a substantial public interest or for the performance of a contract. 


The Management Team

Information Commissioner, Miss Celia Barclay

The Information Commissioner has strategic oversight for the operations of the Office of Information Commissioner in keeping with the Data Protection Act, 2020 and the Access to Information Act within the ambit of international best

practices for independent regulatory bodies in charge of information rights and data protection.


Deputy Information Commissioner, Mr. David Grey

Under the direction of the Information Commissioner, the Deputy Information Commissioner provides strategic direction for enterprise-wide operations in the technical and administrative areas of the OIC. Under the Data Protection Act, the Deputy Commissioner carries out the functions of the Commissioner in her absence. 


Director of Complaints Resolution and Compliance, Ms. Andree Holness

The Director of Complaints Resolution and Compliance is required to establish and maintain systems for receiving complaints, directing investigations, and ensuring compliance with data protection laws. She also determines whether a complaint justifies a criminal or disciplinary charge or may be informally resolved.


The Director, Legal Services, Mrs. Samantha Wood-Tolan

The Director, Legal Services oversees all legal matters within the OIC, offering legal counsel regarding the OIC's regulatory and supervisory functions, safeguarding its interests in legal affairs, and providing legal guidance to the Commissioner and organisational departments on legal issues.


Information Systems Manager, Mr. Ronald Frue

The Information Systems Manager ensures the management and optimization of IT systems, technologies and telecommunications and their suitability to the present and future needs of the OIC.


The Human Resource Manager, Mrs. Sophia Boyd

The Human Resource Manager provides effective human resources management by promoting the development and motivation of the employees through the development and implementation of effective policies supported by internal communication, stimulating cohesion and organisational development. 



The Data Protection Oversight Committee

The objective of the Committee was established to hold the Information Commissioner accountable to the public in the performance of the Commissioner’s functions under the Data Protection Act.


Functions of the Data Protection Oversight Committee

  • Monitors and reviews the performance of the functions of the Information Commissioner.

  • Reports to both Houses of Parliament on any matter relating to the performance of the functions of the Information Commissioner.

  • Reviews the reports laid before Parliament and makes recommendations thereon to both Houses of Parliament.

  • Performs other functions as may be necessary for promoting the objective of the Committee. 


DPOC Members

  1. Christopher Reckord- Chairman

  2. The Hon. Justice Lennox Campbell 

  3. Jacqueline Lynch Stewart

  4. Richard Fraser

  5. Sacha-Gaye Russell

  6. Maurice Coke

  7. Andrew Nooks



FREQUENTLY ASKED QUESTIONS

  1. What is Data Protection?

Data protection refers to the practices and measures taken to safeguard the privacy, integrity, and security of personal data. It involves the collection, storage, use, and disclosure of personal information in a manner that respects individuals' rights and ensures compliance with relevant laws and regulations.


  1. Who is a Data Controller?

A data controller is any person or public authority (individual or corporate) who determines the purpose for which data is processed and / or processes data pursuant to any enactment. 


  1. What is meant by “process”?

The Act defines process as meaning obtaining, recording, or storing the information or personal data, or carrying out any operation or set of operations (whether or not by automated means) on the information or data, including— 

(a) organisation, adaptation, or alteration of the information or data 

(b) retrieving, consulting, or using the information or data 

(c) disclosing the information or data by transmitting, disseminating, or otherwise making it available

(d) aligning, combining, blocking, erasing, or destroying the information or data, or rendering the data anonymous.


  1. Who is a data processor?

A data processor is any individual or organisation that processes personal data on behalf of a data controller. The data processor handles this personal data in accordance with the controller's specifications and operates under the controller's authority and directions.


  1. How do I respond to a data breach?

All data breaches should be reported to the OIC within 72 hours of discovery. Once this is done, the OIC will investigate the circumstances of the breach. We will also conduct assessments to determine whether the data controller has taken the necessary steps to ensure the prevention of future contraventions or breaches. The Information Commissioner may also recommend sanctions to be applied to the data controller.


  1. Does my organisation have to register with the Office of the Information Commissioner (OIC)?

Yes, all data controllers must register with the OIC.


  1. When does registration begin?

Registration began on December 1, 2023. The process is facilitated through an online portal and requires the payment of a fee as prescribed by the Regulations.


  1. What happens if my organisation does not register with the OIC?

Your organisation will be prohibited from processing personal data and will be deemed to have committed an offense.


  1. How can I protect myself as a data subject?

Familiarise yourself with your 8 data privacy rights and take proactive measures to safeguard them. Begin by reviewing the privacy policies of entities that handle your data. When completing forms, especially online or mobile applications, pay close attention to the data requested. Ask pertinent questions, including:

  • Why is this personal information necessary?

  • What are the intended purposes?

  • Who will have access to it? 


Avoid unnecessary sharing of personal data. Enhance data security with suitable devices and software. Seek professional guidance when needed. Your data privacy is in your hands.


  1. Do all data controllers have to appoint a Data Protection Officer (DPO)?

No. While it is beneficial and therefore encouraged, the DPA only requires data controllers to appoint a DPO if they are a public authority, if they process personal data on a large scale, if they process sensitive personal data, or if they fall within a prescribed class of controllers. 


  1. Who is a large-scale processor?

Widely regarded as the most comprehensive and intricate data privacy regulation, the European Union’s General Data Protection Regulation (GDPR) sheds light on the concept of 'large scale processing.'

Like Jamaica’s Data Protection Act, the GDPR does not define what constitutes as large-scale processing, rather, EU States utilise the Article 29 Working Party (WP29) recommendations as a guide when determining whether the processing is carried out on a large scale: 


1. The number of data subjects concerned - either as a specific number or as a proportion of the relevant population.

2. The volume of data and/or the range of different data items being processed.

3. The volume of data and/or the range of different data items being processed.

4. The geographical extent of the processing activity.


  1. Can my organisation appoint a current employee as its Data Protection Officer (DPO)? 

There is no expressed prohibition against an employee being appointed as the DPO; however, data controllers must be mindful that this person’s duties as DPO do not conflict with their duties as an employee.


  1. What are the functions of the Data Protection Officer? 

The Data Protection Officer is appointed by the Data Controller and undertakes the following functions:

  1. Ensures that the data controller processes personal data in compliance with the data protection standards and in compliance with this Act and good practice. 

  2. Consults with the Commissioner to resolve any doubt about how the provisions of this Act and any regulations made under this Act are to be applied.

  3. Ensures that any contravention of the data protection standards or any provisions of this Act by the data controller is dealt with in accordance with the Act.

  4. Assists data subjects in the exercise of their rights under this Act, in relation to the data controller concerned.


  1. Is the Data Protection Officer required to have special qualifications? If so, what are they?

Yes, a Data Protection Officer (DPO) is typically required to possess specific qualifications and expertise to effectively fulfil their role. While the exact qualifications may vary depending on the jurisdiction and the specific requirements of the organisation, here are some common qualifications and characteristics that are often expected of a DPO: 


1.Data Protection Knowledge: A DPO should have a strong understanding of data protection laws and regulations relevant to the jurisdiction in which the organisation operates. 

2.Legal Expertise: DPOs often have a legal background, which can be beneficial in interpreting and applying complex data protection laws. However, legal qualifications are not always mandatory.

3.Ethical and Professional Conduct: DPOs should adhere to the highest ethical standards and professional conduct to ensure they act in the best interests of data subjects and the organisation.

4.Privacy Expertise: Knowledge of privacy principles and best practices is essential. DPOs should understand the concepts of data minimization, purpose limitation, and data subject rights.

5.IT and Security Knowledge: Proficiency in information technology and data security is valuable, especially when addressing technical aspects of data protection.

6.Communication Skills: Effective communication is crucial for a DPO, as they often serve as a point of contact for data subjects and data protection authorities. They need to explain complex data protection concepts in a clear and accessible manner.

7.Problem-Solving Abilities: DPOs must be capable of identifying data protection issues and finding practical solutions to address them.

8.Independence and Objectivity: DPOs should be independent from any conflicts of interest and should be able to perform their role objectively.

9.Experience: Experience in data protection, privacy, or compliance roles is beneficial. This experience helps in understanding the practical aspects of data protection implementation.


  1. Can the Data Protection Officer also be the Nominated Compliance Officer?

The Act specifies four functions of the Data Protection Officer and a condition that there be no conflict of interest. A Nominated Compliance Officer undertakes the role of monitoring compliance with AML/CFT obligations and reports directly to the Supervisor of Banks in relation to the same. A perusal of the statute under which the Nominated Officer operates charges them with the substantive tasks of monitoring and reporting on threshold limits and public education in relation to the various policy papers as may be issued by the Bank of Jamaica or other institutions in addition to reporting to the Board at least once yearly.

Whilst the levels of responsibility are similar in relation to the Nominated Officer and the Data Protection Officer, they are two separate and distinct roles that will operate in two separate reporting regimes aspects of which carry time-bound reporting criteria. It may not be ideal that the duties under both reporting regimes be entrusted or the task of one individual as it may create reporting conflicts as well as other management issues.


  1. How can data controllers know if they are compliant with the DPA or not?

Data controllers can assess their compliance with the Data Protection Act (DPA) by taking the following steps:

  1. Review Data Processing Activities: Begin by conducting a comprehensive review of your organisation's data processing activities. Identify the types of personal data you collect, the purposes for processing, and the processes involved.

  2. Assess Legal Basis: Ensure that there is a lawful basis for processing personal data. This includes obtaining consent, fulfilling a contract, complying with legal obligations, protecting vital interests, performing a task carried out in the public interest or exercising official authority, and legitimate interests.

  3. Data Subject Rights: Confirm that data subjects' rights are respected. Are individuals able to access their data, request corrections, and exercise their rights to erasure, data portability, and objection?

  4. Privacy Notices: Check if your organisation provides clear and transparent privacy notices to data subjects, informing them about data processing activities, data retention periods, and other relevant information.

  5. Security Measures: Verify that appropriate security measures are in place to protect personal data from unauthorised access, loss, or breaches.

  6. Data Transfers: If your organisation transfers data internationally, ensure that mechanisms like Standard Contractual Clauses or Binding Corporate Rules are in place to facilitate lawful data transfers.

  7. Data Protection Impact Assessments (DPIAs): Conduct DPIAs where necessary to identify and mitigate risks associated with specific data processing activities.

  8. Data Breach Response: Establish procedures for detecting, reporting, and addressing data breaches in a timely manner.

  9. Record Keeping: Maintain records of data processing activities, which is often a legal requirement under data protection laws.

  10. Training and Awareness: Ensure that employees are educated and aware of data protection principles and compliance requirements.

  11. Data Protection Officer (if applicable): Appoint a Data Protection Officer if required by the DPA and ensure they fulfil their responsibilities effectively.

  12. Regular Audits and Updates: Regularly audit data protection practices and update them as needed to align with evolving legal requirements and changes in your organisation's operations.

  13. Consult Legal Experts: Seek legal advice or consult with data protection experts to ensure compliance with the DPA.


  1. Is there a penalty for a data controller who fails to adhere to the requirements of the DPA?

Yes. The Act provides various penalties for non-compliance with the data protection standards and other breaches. These include both fines and imprisonment, depending on the severity of the offence or impact of the breach. The penalties are imposed on the data controller who is given the obligation of protecting data subjects’ personal data, not on the Data Protection Officer who is tasked with monitoring the controller’s compliance with the DPA.


  1. What does the DPA mean for NIDS?

The National Identification and Registration Authority (NIRA) through the National Identification System (NIDS) will seek to ensure the identifiability of every Jamaican. As an entity that collects and processes a large volume of personal data from the public, NIDS is set to become Jamaica’s largest data controller. The authority will be bound by the Data Protection Act and must also comply with the eight data protection standards.


  1. What is the Data Protection Impact Assessment (DPIA)?

A Data Protection Impact Assessment (DPIA) is a systematic and thorough process used to identify and evaluate the potential risks and impact of data processing activities, particularly those that involve the processing of personal data. DPIAs are a crucial tool for organisations to ensure compliance with data protection regulations.

Data controllers must submit an annual DPIA for all personal data in their custody or control. This assessment should be submitted to the Commissioner within 90 days after the end of each calendar year.


The first DPIA is due on March 31, 2024, and will include the following information:

a) a detailed description of the envisaged processing of the personal data and the purposes of the processing, specifying, where applicable, the legitimate interest pursued by the data controller.

b) an assessment of the necessity and proportionality of the processing operations in relation to the purposes. 

c) an assessment of the risks to the rights and freedoms of data subjects.

d) the measures envisaged to address the risks, including safeguards, security measures, and mechanisms to ensure the protection of personal data and to demonstrate compliance with the Act, considering the rights and legitimate interests of data subjects and other persons concerned.


Rights of a data subject

Under the Data Protection Act, data subjects have the following rights regarding their personal information:


1.Right to be informed:

Data subjects have the right to be informed about the collection, use, storage, and disclosure of their personal data. The DPA mandates that data controllers must provide the data subjects with comprehensible and brief details regarding their data processing operations, which include the intention of processing, types of personal data being gathered, and any third parties who may access the information.


2.Right to access:

Data subjects have the right to access their personal data held by data controllers. The DPA mandates that data controllers must respond to such requests within 30 days. The data subjects are authorised to request a duplicate of their personal data, details of the reasons for the processing, and any third parties who may access their data.


3.Right to rectification:

Data subjects have the right to request the correction of incomplete or inaccurate of their personal data held by data controllers. The DPA requires data controllers to respond to requests for rectification within 30 days, taking reasonable steps to ensure the accuracy of the data. 


4.Right to erasure:

Data subjects have the right to request the erasure of their personal data held by data controllers. This right allows individuals to ask for their personal data to be deleted if:

  • Personal data is no longer necessary

  • An individual withdraws consent

  • The personal data have been unlawfully processed

  • Individual objects to the processing, and the data controller has no reason to continue processing

  • Data erasure is necessary for compliance with a legal obligation (EU law or national law)


5.Right to restrict processing:

Data subjects have the right to request the restriction of processing of their personal data held by data controllers. The DPA requires data controllers to respond to requests for restriction within 21 days. The Data Controller is not automatically obligated to delete the data. However, they do have to refrain from processing it in certain situations: 

  • If the data is inaccurate (during the verification process)

  • If the processing is unlawful, but the individual does not want the data to be erased and requests restriction (which is different from the right to be erased)

  • The data controller no longer needs data, but the individual wants the data to be preserved so the legal claim can be exercised

  • The organisation is taking measures to verify the data erasure request


6.Right to data portability:

Data subjects have the right to object to the processing of their personal data for certain reasons. Data subjects can request that their personal data be transferred to another data controller if the processing is based on consent or if it is necessary for the performance of a contract.


7.Right to object: 

Data subjects have the right to object to the processing of their personal data at any time when it is being carried out:

  • For the performance of a task carried out in the public interest or under the official authority of the data controller

  • For the purposes of legitimate interests pursued by the data controller or by a third party.


8.Right not to be subject to automated individual decision-making, including profiling:

Data subjects have the right not to be subject to a decision based solely on automated processing. This includes profiling or any other practice which produces legal effects or otherwise significantly affects the data subject.


Sensitisation Sessions

The Office of the Information Commissioner hosts virtual sensitisation sessions on the Data Protection Act every 2nd Friday and 4th Wednesday. 

Interested persons may send an email to [email protected]


Format of the session: 

  1. Presentation on the Data Protection Act

  2. Questions and Answers


Request to be listed as a Data Protection Service Provider

In an email to [email protected], submit the following information: 

  1. Name of Organisation

  2. Name of practitioner or contact person 

  3. Jurisdiction (local, regional or international)

  4. Phone number(s)

  5. Website

  6. Email address

  7. State the type of product or service offered (Legal advice / Technical assistance)

  8. Physical address


Contact Us

Visit our office:

Office of the Information Commissioner

2nd Floor, The Masonic Building

45 – 47 Barbados Avenue

Kingston 5


Email: [email protected] 

Telephone Number:

(876) 920-4390


Follow us on Social Media 

X, Facebook, and Instagram: @theoicjm

YouTube: Office of the Information Commissioner Jamaica 

LinkedIn: Office of the Information Commissioner