FOR IMMEDIATE RELEASE
Information Commissioner Responds to Breaches of the Data Protection Act, 2020
Kingston, Jamaica – The Office of the Information Commissioner (OIC) has noted with concern the increasing number of data breaches reported in the public domain over the past several months. The breaches, which have affected several organisations in both the private and public sectors, underscore the importance of stringent data protection measures and prompt response protocols.
The OIC, as the regulatory authority established under the Data Protection Act, 2020 (“the DPA”), is mandated to, among other things, promote good practice in the processing of personal data and monitor and enforce compliance with the DPA. Since commencing operations on December 1, 2021, the Office has been committed to ensuring that data controllers, such as companies, associations, sole traders, partnerships and public authorities or government entities, are aware of their responsibility to protect the personal data of the individuals to whom it relates (data subjects). The OIC has also sought, through its public education and awareness activities, to empower data subjects to exercise their rights under the Act.
The DPA outlines general principles for the treatment of personal data relating to an individual by data controllers. The Act prescribes eight (8) standards for processing personal data (referred to as the data protection standards). Among the data protection standards is the Seventh Standard that requires data controllers to implement and maintain appropriate organisational and technical measures to protect against unauthorised or unlawful processing of personal data, and against accidental loss or destruction of, or damage to, personal data.
The fact that a data controller suffers a security breach does not necessarily mean that the data controller behaved inappropriately or negligently, nor that appropriate due diligence and level of care were not maintained or exercised. However, a significant number of breaches do occur from a failure of data controllers to implement appropriate measures. Regardless of the cause of the breach, data controllers are required to inform data subjects about any potential adverse effects so that they may take action to protect themselves from harm, if possible.
Having regard to the increasing number of breaches, the Information Commissioner (Commissioner) reminds the public and, particularly, data controllers, that Section 21 of the Act provides that:
It shall be the duty of a data controller to comply with the data protection standards in relation to all personal data which is being processed by that data controller.
Data controllers shall report contraventions of the data protection standards and security breaches to the Information Commissioner within seventy-two (72) hours of initial discovery.
Data controllers shall notify each data subject whose personal data are affected by the breach within a prescribed time, being seventy-two (72) hours in accordance with the Data Protection Regulations, 2024.
Failure to process personal data in accordance with the data protection standards, to report a breach or contravention, or to notify individuals of a data breach or contravention affecting their personal data, constitutes an offence, for which the data controller shall be liable to either a fine or imprisonment for up to seven years.
The Commissioner has noted that not all breaches reported in the public space have been reported to the OIC as required by the DPA. The Commissioner reminds data controllers who have experienced, but not yet reported, breaches to the Office that it is in their interest to do so as a matter of urgency, so that the matters can be treated as appropriate. The Commissioner notes further that most of the breaches reported to the OIC have resulted from malicious acts by third parties, causing damage to the data controller, data processor or the data subject. Others have been due to accidental or negligent acts by the employees or other agents of the data controller (such as sending emails with the incorrect attachments).
While the Commissioner has not commented publicly on the specific breaches reported to the OIC or in various media, the Office has responded by requiring data controllers to account for the measures in place to mitigate the risks of breaches, reduce their impact and implement additional security measures to prevent future breaches. The Commissioner has also issued directives, where necessary, for data controllers to notify affected individuals whose data have been compromised and to provide support to them.
The enforcement provisions have generally not yet been brought into effect to enable the prosecution of offences under the Act. However, data controllers should be mindful of the high costs, through loss of income or profit from reputational damage, that can be suffered as a result of their failure to protect personal data. Further, the Commissioner, as part of the effort to empower data subjects, has highlighted their right under the DPA to seek compensation, via civil proceedings, for damage or distress suffered due to a breach.
The commitment to comply with the requirements for the protection of personal data must stem from an appreciation that compliance is not just a legal responsibility, but a moral and ethical obligation, the fulfilment of which will redound to the benefit of us all. As the risk of data breaches increases, all data controllers must apply due diligence to ensure their full compliance with the DPA. At the same time, individuals must help to hold them accountable by staying informed about data protection matters, exercising their rights under the DPA, and reporting any breaches or other concerns to the Commissioner.
The OIC remains committed to enhancing data protection and privacy through continuous monitoring, enforcement, and public awareness initiatives, and providing guidance to data controllers to strengthen their data protection practices, even as we continue to build out our nascent office.
For more information on data protection matters, including the role of the OIC, your rights under the Data Protection Act, or to report a breach, please contact:
The Office of the Information Commissioner
Address: 2nd Floor, The Masonic Building, 45-47 Barbados Avenue, Kingston 5.
Phone: 876-929-6952 | 876-929-8568 | 876-960-0874 | 876-968-5622
Website: www.oic.gov.jm
Facebook, Instagram and X (formerly Twitter): @theoicjm
YouTube: Office of the Information Commissioner Jamaica
LinkedIn: Office of the Information Commissioner
The OIC: Your Data. Your Rights. Protected!