Celia Barclay, Information Commissioner for Jamaica, says with the full promulgation of the Data Protection Act in the next year and a half, businesses will be required to adhere to provisions in the legislation to safeguard customer information.

Sections of the Data Protection Act came into force in November 2021, a day before Barclay’s office was created, which means that by December 1, 2023, data controllers must be as close to fully compliant as the Information Commission of Jamaica’s regulatory role also takes effect.

Barclay was among several panellists speaking during a Private Sector Organisation of Jamaica (PSOJ) forum entitled, ‘The Data Protection Act & Your Business’ on Friday (April 29). The forum is the PSOJ’s first Roadmap 2.0 webinar for 2022. She was joined by attorneys Georgia Gibson Henlin, Chukwuemeka Cameron and Samantha Grant as well as Christopher Reckord, chairman of the PSOJ’s Innovation and Digital Transformation Committee.

Jamaica’s Information Commissioner noted that the law does grant sweeping powers to the newly established office in protecting citizens’ rights and how their data is used/stored by the private sector.

“The [Data Proection] Act does give relatively far-reaching powers in terms of allowing us to conduct enforcement, but one of the things we would like to focus on is the fact that there will naturally be numerous cases of breach. In terms of our ability, for example, to prosecute every single case that comes up—I don’t think there is any organisation in any country that is in a position to do that,” she said.

“But what we recommend and certainly seek to do is to have the full buy-in of [data] controllers into the system so that they can help us to resolve the problems. The Act also looks at allowing the Commissioner, in certain circumstances, to appoint a mediator to help address some situations. That will help to minimise the workload in terms of matters that need to be prosecuted through the court; and so we hope that by utilising that system as well, we’re able to do more,” the commissioner added.

Barclay further explained that the State itself is not exempt from its mandate of data protection compliance, adding she was “quite pleased” with the public sector’s embracing of the new legislation.

“I can say from my office’s perspective that several organisations of Government have reached out to us. They have looked at the Act and they fully recognise that all public authorities under the Act are [also] required to comply and required to appoint a data protection officer. So they have been taking steps to make themselves aware of what their legal obligations are as well as what technical assistance they may need in bringing themselves compliant. Already, we have organisations within the Government that are looking at their structure and trying to determine who would be an appropriate [data protection] officer for them to appoint,” Barclay told the PSOJ forum.

Understandably, some of the concerns raised by public institutions revolve more around budgetary limitations, how these services would be paid for, whether new roles must be made to facilitate data protection oversight and how the Government of Jamaica is going to finance these costs.

Continuing, Barclay posited that once the use and storage of personal/customer information is involved, the Data Protection Act will be enforced irrespective of business size. Businesses will also be required to give informed consent even if one’s data is publicly available.

“I’m pleased to say that this Act is, in that way, non-discriminatory. Whether you are a ‘small man’ or a large enterprise, the Act treats everybody fairly in terms of the rights and obligations. So the ‘big man’ to the ‘little man’ has the same duty in terms of compliance,” asserted Barclay.

“The [data] controller bears the responsibility for compliance under the legislation. It makes the duties and responsibilities for upholding the standards and ensuring the exercise of the data subject’s rights strictly at the feet of the controller. In the event that there is liability, that’s the first place we will look, the controller,” she disclosed.

According to the Information Commissioner, a data controller is described as anyone who determines what personal information is processed, how this is done, and applies even if businesses utilise a third-party data processing tool; thereby needing to register with Barclay’s office. Appointed data protection officers must also be publicly disclosed, with a their full name, location and contact information provided either through the data controller or Information Commissioner’s office.

To this end, Barclay said that provisions of the law dictate businesses file data protection impact assessments annually, which will be mandatory.

Not all incidents may be considered breaches, however, all data breaches are incidents and must be reported to the Information Commissioner’s office within 72 hours of the event.