FOR IMMEDIATE RELEASE
The OIC responds to concerns regarding the requirements for the submission of annual Data Protection Impact Assessments (DPIAs)
The Office of the Information Commissioner (OIC), as the regulatory authority under the Data Protection Act, 2020 ("the Act" or DPA), has noted the concerns and anxiety of certain stakeholders surrounding the requirement, pursuant to section 45 (1) of the DPA, to submit an annual Data Protection Impact Assessment (DPIA).
The Act imposes obligations on persons who process personal data (data controllers) to submit a DPIA to the Information Commissioner (Commissioner) within ninety (90) days after the end of each calendar year in the form and manner to be prescribed by the Commissioner by way of a notice published in the Gazette. DPIAs are one of the tools by which the Commissioner monitors the data processing activities of data controllers.
Section 45 governing the submission of DPIAs and the other sections in Part VI (Enforcement) of the Act have not been brought into operation. Furthermore, the Commissioner has not yet prescribed the form and manner of submission of DPIAs. Consequently, data controllers are not required to submit a DPIA to the Commissioner by March 31, 2025 for the 2024 calendar year.
Once these sections of the DPA have been brought into operation and the Commissioner has determined the form and manner of submission of DPIAs, this will be published in the Gazette. The necessary notifications to data controllers and the general public, together with the specific standardised form and any appropriate instructions or explanatory note, will also be published on the Commissioner’s website (www.oic.gov.jm), on online platforms and in other media.
N.B. Alternative formats and methods of submission will NOT be accepted and will NOT satisfy the requirements of section 45.
The Act requires that a DPIA be conducted in respect of each activity, process or transaction in or for which the data controller processes personal data. The information specified in section 45 (3) of the Act should inform the framework for the conduct of the assessment exercise so as to ensure comprehensiveness and accuracy. Data controllers are advised that it is prudent to continually analyse, assess and revise the data processing activities across their operations notwithstanding that the requirement for submission of DPIAs is not in effect.
This should be done with a view to identifying and remedying gaps in data protection measures and risks to the privacy and security of personal data. Data controllers are therefore encouraged to work with a privacy specialist who can guide them in relation to the meaning and application of section 45 and, particularly, subsection 3 that states the information they will be required to submit to the Commissioner in a DPIA. This information generally includes:
a description of processing activities and the purposes of the processing;
an assessment of the necessity and proportionality of the processing;
an assessment of the risks to the data subjects; and
the measures to address the risks, ensure the protection of personal data and demonstrate compliance with the Act.
The Office of the Information Commissioner appreciates the concerns of data controllers regarding their ability and readiness to meet the various compliance requirements under the DPA. The Office also appreciates that the requirement for submission of a DPIA, as provided by the Act, is particularly concerning given the time, effort and cost its fulfilment may involve for some controllers with more complex processing activities. The OIC aims to make the DPIA submission process as simple and convenient as possible so that data controllers can confidently approach this compliance requirement under the Act. The Commissioner assures data controllers that they will be given sufficient notice of the full submission requirements and process.
The operationalisation of a regulatory framework for data protection in Jamaica requires the cooperation of all stakeholders. Optimal DPA compliance and enforcement will only be achieved through significant commitment and effort by both the regulator and regulated to develop the necessary policies, procedures and systems of work to fulfil our respective obligations.
Jamaica is still in the early stages of this development where much remains uncertain and to be determined. The information provided herein is aimed at clarifying the position in respect of the submission of DPIAs.
For more information about DPA compliance requirements and other data protection matters, please send an email to the OIC.
The Information Commissioner