
Information Commissioner Celia Barclay is warning financial institutions to put measures in place to protect customers’ data, noting that, under the new Data Protection Act, they will have sole responsibility for any breaches.
Barclay was speaking at the annual Anti Money Laundering/Counter Financing of Terrorism Conference yesterday (October 11), where she presented on the Data Protection Act to the heads of financial institutions in Jamaica.
“If you have not started to put in place systems that will allow you not just to protect and secure information but to uphold and enforce [customers’] rights, you are already on the wrong side of the Act,” she warned the institutions.
She explained that, under the new law, financial institutions will be held responsible for the data of their current customers and those who died 30 years ago.
The new Act also places sole responsibility on these institutions and not their data processing officers, said Barclay.

“At the end of the day, if there is a breach, you cannot blame your data processor. What the Act says is that you, as the controller or institution, and in some cases the individual, are liable,” said Barclay.
She added that data processors “are only there as a form of guidance and they do not assume the responsibility of the institutions they operate”.
However, there is some level of responsibility placed on data processing officers.
“Your data processor has a duty to the regulator authority,” said Barclay.
“Where you fail, they have a responsibility to inform the authorities” and actions will be taken against the institution.
She noted that, under the Act, data processing officers are mandatory and financial institutions cannot refuse to appoint one in fear that they will be reported and held responsible for breaches.

Barclay also noted that, though security measures are good, they are not perfect, and financial institutions need to assess how they will deal with breaches when they arise, as they cannot just sweep them under the rug.
“The legislation is called the Data Protection Act for a reason. We did not pass the data security act… so it is not just about how well you secure the information that you have,” said Barclay.
“Data protection is where security meets privacy and then proceeds to intermeddle with governance.”
The aim of the Act is to give customers back ownership of their information, said Barclay, allowing them to request information when they want, dictate what information can be shared or used by these institutions and take action if their information and privacy are not protected.