Skip to main content

The Data Protection Act (DPA) of Jamaica stands as a critical framework ensuring the responsible handling and protection of personal information. As stewards of personal data, Data Controllers play a pivotal role in safeguarding the privacy rights of individuals, ensuring compliance with legal standards, and fostering a culture of trust and transparency in the digital landscape of Jamaica. 

The DPA not only aligns Jamaica with international data protection standards but also serves as a cornerstone in the protection of personal data against misuse and unauthorized access in the digital age.

Data controllers must:

  1. Register with the Information Commissioner
    1. Data controllers who process personal data must register with the Information Commissioner as processing personal data without being registered is an offence.
  2. Appoint a Data Protection Officer
    1. The DPA requires a data controller to have a Data Protection Officer if it is a Public authority; mandated by a Commissioner's notice; or processes sensitive personal data, personal data relating to convictions, or personal data on a large scale.
  3. Submit Annual Data Protection Impact Assessment
    1. A data controller must submit a Data Protection Impact Assessment covering all personal data in their control to the Commissioner within the first 90 days of each calendar year.
  4. Comply with the 8 Data Standards
    1. Data controllers must comply with the 8 standards for processing personal data prescribed by the Act. These relate to fairness and lawfulness, purpose limitation, data minimization, accuracy, technical and organizational measures, adequacy requirements, storage limitation, and respect for data subject rights in the processing of personal data.
  5. Notify the Information Commissioner and data subjects of breaches
    1. The DPA mandates data controllers to report breaches or contraventions of the Act to the Commissioner within 72 hours of becoming aware and also to alert affected data subjects.