Author: Jennifer Bryant, IAPP Associate Editor
Jamaica’s Data Protection Act, passed in 2020, established the Office of the Information Commissioner to enforce data privacy rights outlined in the legislation. Appointed Dec. 1, 2021 to give strategic direction to the OIC, Information Commissioner Celia Barclay is in the process of building the office from the ground up.
“We are literally starting from scratch as all we have is a legislation which creates an office and prescribes its mandate. I have the responsibility of building out every aspect of that office," Barclay, the first and only appointment within the OIC thus far, said.
Barclay, who has authority over establishing the office's structure and determining its operations, said, “the best part of it is that you have a blank slate to create what you believe will best serve the purpose. While there are roadmaps that can be followed, there is some discretion to follow them or chart a new course.”
Jamaica’s Data Protection Act sets requirements around all aspects of the processing of personal data including its collection, storage, and use and applies to individuals or entities that collect data in or process personal data through Jamaica. Under the Act, the OIC is responsible for monitoring compliance and enforcement, providing information to the public, releasing guidelines, and more.
Since her appointment three months ago, Barclay — who has more than 14 years of experience practicing law in the private and public sectors and 10 years' experience in management and administration — has embarked on the process of determining the ideal structure for the office, recruiting staff, engaging in public awareness activities around the Data Protection Act, and establishing relationships with international bodies that may support the OIC’s work.
When the office is built out, she envisions a full staff of approximately 60 people utilizing “an almost fully automated system with digitized information to carry out all the required functions, including registration of data controllers, review of data privacy impact assessments, investigation of complaints, tracking the prosecution of breaches, and the provision of advice and guidance as necessary to the government and different sector groups, as well as disseminating information to the general public.”
Barclay’s 2021 appointment date commenced a two-year transitional period which will run to Dec. 1, 2023 for data controllers to put themselves in a position of compliance with the DPA.
“In the meantime, and in addition to building out the Office of the Information Commission, we have been using public awareness activities to also garner information about the issues and concerns which may be particular to specific interest groups,” she said. “This will later inform our consultations for the development of guidelines for different sectors/industries.”
While the Act passed in 2020, the supporting regulations that Barclay said will “give full force to the legislation” are still pending. She said the regulations — which will give further directions on how to best go about meeting the data protection standards and other requirements within the legislation — are anticipated to be promulgated within the next six months.
Conversations with regional colleagues in data protection, and the broader community through the Common Thread Network, are also underway. Barclay said discussions have begun “regarding support we can give each other with the sharing of information and/or approaches to common issues” and the possibility of agreeing to minimum standards “to address any differences countries may have in their legislative requirements which would impact their ability to properly and efficiently deal with each other."
Barclay noted the OIC could have discretion to prosecute breaches prior to the expiration of the transitional period, subject to the relevant sections of the DPA being brought into effect and if the circumstances deem it necessary. Enforcement, she said, will include monitoring and investigating data controllers’ data processing practices, notifying controllers of necessary changes required to ensure compliance, and “where necessary, the prosecution and imposition of fines and penalties to controllers who fail to comply.”
With strong support for the OIC, high expectations for its work to come, and a heightened interest in data privacy and the rights and obligations imposed by the DPA, Barclay said every day presents an opportunity to both learn and impart knowledge.
“We’ve had persons contacting us to ask, ‘Does this affect me? What are the implications?’ and of course, you have the larger organizations such as membership associations, major corporations, various sector representatives, and other groups reaching out to say, ‘We heard about this. What does it really mean? What is it that we need to do and where can we get help?’ So that is of course good,” she said. “I have really been welcoming those queries and encouraging persons to take the next steps to find out more.”
Despite the interest, Barclay said data privacy and data protection is still “relatively understated in Jamaica.” She encourages citizens to educate themselves and organizations and those working in the data space to implement the necessary measures to become compliant, adding “two years pass fast, and there’s a lot you need to do, so get the ball rolling now.”
She’s been working to broaden public awareness through participation in public discussions. In celebration of Data Protection Day this past January — Jamaica’s first opportunity to participate with its own legislation passed — Barclay participated in several activities initiated by private sector entities geared towards informing the public. She also published an article in the countries' two newspapers of widest circulation highlighting the rights of data subjects and advising on what they can do to protect themselves as well as the obligations of data controllers and steps they should take during the two-year transitional period. The OIC has additional public awareness events planned into the summer.
“Jamaican citizens should know that they have a constitutional right to the privacy of their personal data and the Data Protection Act entitles them to determine whether and how their personal data is processed,” Barclay said. “Public bodies, corporate entities and other persons who receive and process data subjects' personal data have a duty to do so within certain limits and adhering to certain standards of data protection. Once the Act is in full effect and the OIC becomes fully operational, persons who believe their data privacy rights were or are being contravened, will be able to report it to the Information Commissioner and have the matter investigated and resolved, including where applicable, obtaining redress."
Barclay said the tasks of building out a regulatory office and implementing a new legislation are challenging but she is tackling them with the same excitement that drew her to the role as information commissioner.
“The data protection field is still relatively new, but rapidly growing and it’s importance and applicability to individuals, businesses and countries is global,” she said. “The potential for development in the area is unlimited and I like the idea of being able to contribute to that.”