The new Data Protection Act comes into effect today.
It’s aimed at providing greater safeguards for the handling of the personal information of Jamaicans held in physical or electronic form.
The legislation, which was passed in 2020, is poised to transform the way organizations manage personal data, including the collection, storage, utilization, disclosure, and disposal.
Entities, particularly those that process personal information on a daily basis, are required to implement measures to ensure the safety, security, and confidentiality of the data that they handle, and failure to do so could result in them facing harsh penalties, including hefty fines.
These entities include public authorities, financial and educational institutions, health and security services providers, processors of sensitive personal data, among others.
Under the new law, these organizations, or individuals, defined as data controllers, are required to be registered with the office of the information commissioner (OIC) effective December 1, and pay an annual fee.
They are also obligated to appoint a responsible individual, such as a Data Protection Officer (DPO) to oversee the controller’s compliance with the act.
Persons or organisations that process personal data without registering with the OIC could face sanctions.
Recognising that some local entities will not be ready to implement the data security measures on December 1, the government has granted a six-month grace period for them to register with the OIC.
The OIC is encouraging persons who have been implementing the necessary organisational and technical measures to comply with the data protection act, and are ready to register, to begin the process today by visiting its official website at www.oic.gov.jm.
The OIC is responsible for monitoring compliance with the act and attendant regulations, as well as advising the government on matters relating to data protection; disseminating information to the public in relation to the operation of the act; and preparing and distributing guidelines that promote good practices to be adhered to by data controllers.
The information commissioner aims to create a robust regulatory regime, which will foster stakeholder buy-in, while ensuring the quick and effective investigation of complaints and prosecution of contraventions.