Register with the Information Commissioner
A data controller that processes personal data must be registered with the Information Commissioner.
A data controller that wishes to process personal data must submit to the Information Commissioner the following information:
- The data controller’s Registration Particulars must ensure that the Commissioner is kept informed as to any changes in those Particulars;
- A general description of measures to be taken by the data controller to ensure compliance with the seventh data protection standard, that is, to ensure appropriate technical and organizational measures are taken – (i) against unauthorized or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data; (ii) to ensure that the Commissioner is notified, without any undue delay, of any breach of the data controller’s security measures which affect or may affect any personal data; and (iii) Where applicable, a statement of fact that the Particulars provided do not include Particulars in relation to – (a) personal data processed; or (b) data controller, of a particular description, specified by the Minister, to be excluded from the requirement to submit Registration Particulars, by Order published in the Gazette.
Registration Particulars to be submitted to the Commissioner include the following:
- The data controller’s name, address, and other relevant contact information;
- Where the data controller has appointed a data controller representative, the name, address, and other relevant contact information of the data controller representative;
- The name, address, and other relevant contact information of the data protection officer appointed by the data controller;
- A description of the personal data being, or to be, processed by or on behalf of the data controller and the category or categories of data subjects to which they relate;
- A description of the purpose or purposes for which the personal data are being, or are to be, processed;
- A description of any recipient or recipients to whom the data controller intends, or may wish, to disclose the personal data;
- The names of any State or territories outside of Jamaica to which the data controller directly or indirectly transfers or intends or may wish directly or indirectly to transfer, the personal data;
- Where the data controller is a public authority, a statement of this fact; and
- Any other information about the data controller is required in regulations issued by the Commissioner.
The address of data controllers and data controller representatives are –
- In the case of a registered company, its registered office; and
- In the case of an entity other than a registered company carrying on a business, is that entity’s principal place of business in Jamaica.
Please note: A registration form (which is intended to be accessible in both electronic and manual format) will be provided in the Regulations currently being finalized and to be issued before December 1, 2023.
Additionally, registration is to be accompanied by a registration fee.
A data controller is also required to pay a prescribed annual fee for the maintenance of the required Registration Particulars of the data controller in the Commissioner’s Register. No entry shall be retained in the Register for longer than twelve months, except on the payment of the prescribed annual fee.
Both the registration fee and annual fee will also be provided in the Regulations to be issued before December 1, 2023.
Appoint a Data Protection Officer
A data controller is required to appoint a data protection officer if it is a –
- Public authority;
- Processes or intends to process sensitive personal data or data relating to criminal convictions;
- Processes personal data on a large scale; or
- Is required by a Commissioner’s notice.
The Act establishes that a data controller shall appoint an appropriately qualified person to act as the data protection officer responsible for monitoring, in an independent manner, the data controller’s compliance with the Act.
The Act establishes that a person will not be qualified to be appointed data protection officer if there is or is likely to be any conflict of interest between the person’s duties as data protection officer and any other duties of that person.
The functions of the data protection officer include –
- Ensuring that the Data Controller processes personal data in compliance with each data protection standard and in compliance with the Act and good practice;
- Consulting with the Information Commissioner (“the Commissioner”) to resolve any doubt about how the provisions of the Act and any regulations made under the Act are to be applied;
- Notifying the Data Controller, immediately, that he/she has reason to believe the Data Controller has contravened a data protection standard or a provision of the Act, and if he/she is not satisfied that the contravention has been rectified within a reasonable time after notification, report this contravention to the Commissioner; and
- Assisting data subjects in the exercise of their rights under the Act, in relation to the Data Controller concerned.
Please note: Additional considerations and obligations concerning the data protection officer may be established through Regulations to be issued.
Prepare to Submit the Data Protection Impact Assessment
A data controller is required within ninety (90) days after the end of each calendar year to submit to the Commissioner a Data Protection Impact Assessment in respect of all personal data in the custody and control of the data controller.
The Data Protection Impact Assessment must include the following information:
- A detailed description of the envisaged processing of the personal data and the purposes of the processing, specifying, where applicable the legitimate interest pursued by the data controller;
- An assessment of the necessity and proportionality of the processing operations in relation to the purposes; and
- The measures in foreseeing addressing the risks, including safeguards, security measures, and mechanisms to ensure the protection of personal data and to demonstrate compliance with the Act, taking into account the rights and legitimate interests of data subjects and other persons concerned.
Please note: A Data Protection Impact Assessment Form will be provided in the Regulations currently being finalized and to be issued before December 1, 2023.
Comply with Data Protection Standards
The Act has established eight (8) data protection standards that each data controller must comply with.
The data protection standards are as follows:
- Personal data should be processed fairly and lawfully and in accordance with certain conditions based on whether the processing involves personal data or sensitive personal data.
- Personal data should be obtained only for one or more specified and lawful purposes and shall not be further processed in any manner incompatible with those purposes.
- Personal data should be adequate, relevant, and limited to what is necessary for the purposes for which they are processed.
- Personal data should be accurate and where necessary kept up to date.
- Personal data processed for any purpose shall not be kept for longer than is necessary for that purpose and the disposal of personal data by a data controller should be in accordance with Regulations to be issued before the implantation date.
- Personal data should be processed in accordance with the rights of data subjects under the Act. The rights of data subjects under the Act include:
- The right to access
- The right to be informed
- The right to rectification
- The right to restrict processing
- The right to withdraw consent to processing
- The right to object to decisions being made solely based on automated processing
- Appropriate technical and organizational measures should be taken against unauthorized or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data, and the Commissioner must be notified without any undue delay of any breach of the data controller’s security measures which affect or may affect any personal data.
Technical and organizational measures include pseudonymization and encryption of personal data; the ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services; the ability to restore the availability of and access to personal data in a timely manner in the event of a physical or technical incident; a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measure for ensuring the security of the processing and measures to ensure adherence to the technical and organizational requirements specified in the other provisions of this Act. - Personal data should not be transferred to a State or territory outside of Jamaica unless that State or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
Report a Contravention of a Data Protection Standard or Breach of Security Measure
As of December 1, 2023, the data controller is also obligated, where personal data is processed in contravention of data protection standards and any security breach in respect of the data controller’s operations affects or may affect personal data, to report the contravention or security breach to the Commissioner within 72 hours after becoming aware of the contravention or security breach.
Such a report should set out the facts surrounding the contravention or security breach; a description of the nature of the contravention or security breach, including the categories, number of data subjects concerned and the type and number of personal data concerned; the measures taken or proposed to be taken to mitigate or address the possible adverse effects of the breach; the consequences of the breach; and the name, address and other relevant contact information of the data protection officer.
In addition to notifying the Commissioner, the Act has also obliged the data controller to notify each data subject, whose personal data is affected by the breach of the nature of the contravention or security breach, the measures taken or proposed to be taken to mitigate or address the possible adverse effects of the breach and the name and address and other relevant contact information of the data protection officer.
Exemptions to Data Subject Rights and Data Protection Standards
The Act prescribes exemptions to specific data subject rights and data protection standards art Part V and the Second Schedule of the Act.
It is recommended that these provisions be reviewed to determine which, if any, exemptions may apply.
Enforcement Mechanism
Failure to comply with these obligations may leave the data controller subject to:
- The data controller being served by the Commissioner an Enforcement Notice, Assessment Notice, Information Notice, or Fixed Penalty Notice.
- Criminal Prosecution:
- An individual may be subject to imprisonment or fine;
- A body corporate may be subject to a fine not exceeding 4% of the annual gross worldwide turnover of the body corporate.
- Civil suit – an individual who suffers damage by reason of any contravention by a data controller of any of the requirements of the Act is entitled to compensation from the data controller for that damage.