On June 1st, 2024, the Office of the Information Commissioner (“OIC”) began to accept applications for registration from data controllers, in accordance with section 15 of the Data Protection Act of Jamaica, 2020 (“the Act”) with widespread anticipation. Sections of the Act were brought into force in December 2021, with additional sections further brought into force in December 2023.
For many persons, this signals the commencement of companies being required to publicly demonstrate data protection compliance in Jamaica, after having a received a six month extension of time to comply with the Act in December 2023.
The OIC has approached the requirement for data controllers to be compliant with the Act in a phased manner, recognizing that many small and medium-sized controllers were still in various stages of implementing their data protection compliance programmes. Therefore, June 1, 2024 is the commencement of the initial phase, which will continue through from June 1, 2024 to August 31, 2024.
The OIC has stated that they will be processing registration for the following categories of data controllers as a matter of priority:
- All Public Authorities
- All data controllers processing personal data, including sensitive personal data or data related to criminal convictions, for an estimate of 10,000 or more data subjects and operating within the sectors specified below:
- Education
- Finance
- Health
- Information and Communications Technologies (ICT)
- Tourism and Hospitality
The OIC has indicated, however, that any data controller, including sole proprietors/practitioners or operators of micro, small and medium-sized enterprises (MSMEs) across all sectors or industries, can submit their application for registration. Data processors are not required to register.
Who is required to register under the Act?
All data controllers are required under section 15 of the Act to register with the OIC. A data controller is defined as “any person or public authority who, either alone or jointly or in common with other persons, determines the purpose for which and the manner in which any personal data are, or are to be processed..” , similar to the definition under the GDPR.
Importantly, the Act requires the registration of data controllers established outside of Jamaica to be registered before the processing of personal data of data subjects in Jamaica . The Act places an obligation on such data controllers to appoint data controller representatives locally, and the particulars of this representative are to be disclosed to the OIC as part of the registration particulars.
What is required for registration?
The registration particulars include the name and contact details of the data controller; name and contact details of the data protection officer or authorised officer (if not required to appoint a data protection officer); an identification of the conditions for processing personal data, as well as the additional conditions for processing sensitive personal data; and the estimated number of data subjects, amongst other things.
The OIC has also issued a registration notice which provided further clarity on additional information required, such as:
- A description of the technical and organisational measures against unauthorised or unlawful processing of person data under the 7th data protection standard; and
- Measures to ensure timely reporting to the OIC of any personal data breaches
Further information on how to register is available here: oic.gov.jm/page/information-note-registration
Consequences
Failure to register is an offence and a data controller may face a fine of almost US$13,000 or imprisonment for up to six(6) months.
As controllers continue to tackle or monitor their data protection programmes, they will need to consider how they intend to maintain it, aside from merely prioritising registration, which has been the main objective of many controllers. The registration particulars, policies, procedures and documentation requested by the OIC on registration should highlight to many local data controllers the need to ensure that data protection compliance is a priority for implementation.
Furthermore, recent local events have raised within the public consciousness the need for local data controller representatives to assist with criminal investigations. Accordingly, the requirement for the appointment of data controller representatives for international data controllers is one which may likely be placed in sharp focus within the public eye.
It remains to be seen the approach the OIC shall take with enforcement, as data protection continues to be a topical issue, particularly within the context of recent political manoeuvres
Article provided by INPLP member: Justine A. Collins (Hart Muirhead Fatta, Jamaica)
Discover more about the INPLP and the INPLP-Members
Dr. Tobias Höllwarth (Managing Director INPLP)