Skip to main content
Educational institutions urged to appoint data protection officers

EDUCATIONAL INSTITUTIONS are being urged to appoint data protection officers to monitor compliance with the Data Protection Act, 2020 and report non-conformity not remedied within reasonable time.

The call comes from Information Commissioner Celia Barclay, and is in light of the anticipated implementation of the legislation later this year.

She was speaking at a recent hybrid Cybersecurity and Data Protection Forum for educators and administrators, hosted by e-learning Jamaica Company Limited in partnership with the Ministry of Education and Youth.

Barclay noted that the appointment of the officers will not absolve the institutions of their duties under the act, which provides for protection of the privacy and personal information of Jamaicans.

“The responsibilities in the legislation are imposed on controllers. So, every organisation now has to see itself in a new light. You have to look at yourself not just as a provider of knowledge. You have to look at yourself as protectors, guardians of people’s information and recognise that, where you fail, you cannot blame an officer,” she said.

By law, educational institutions are considered data controllers that handle and determine how individuals’ personal information is used. Non-compliance will put them at risk of prosecution and liability for fines or imprisonment.

The information commissioner said the entities must recognise their obligations as data controllers, which includes registering with the Office of the Information Commissioner (OIC) when the enlistment window opens.

The OIC is responsible for monitoring compliance with the act and attendant regulations, as well as advising the Government on matters relating to data protection and access to information.

Schools have also been encouraged to become familiar with data privacy and how to deal with issues that may arise.

“Security is only one aspect of data protection. If you have invested widely in your antivirus [and] bought all the spyware possible … you can still fall short of the requirements under the Data Protection Act, 2020, because you have not met requirements in terms of the privacy component,” Barclay said