SYSOP Consulting Group

Every day, companies worldwide are selling people’s data, and here in Jamaica, it’s no different. For this reason, the Office of the Information Commissioner has implemented the Data Protection Act (DPA) to stand as a critical framework to ensure the responsible handling and protection of personal information.

“The DPA not only aligns Jamaica with international data protection standards but also serves as a cornerstone in the protection of personal data against misuse and unauthorized access in the digital age”
oic.gov.jm

Obligations of a Data Controller

Data Controllers play a pivotal role in safeguarding the privacy rights of individuals, ensuring compliance with legal standards, and fostering a culture of trust and transparency in the digital landscape of Jamaica.

As a Data Controller, you are required to:

  1. Register with the Information Commissioner
    • Note: Data controllers who process and/or store personal data must register with the Information Commissioner, as processing personal data without being registered is an offense.
  2. Appoint a Data Protection Officer
    • The DPA requires a data controller to have a Data Protection Officer if it is a public authority, is mandated by a Commissioner’s notice, or processes sensitive personal data, personal data relating to convictions, or personal data on a large scale.
  3. Submit an Annual Data Protection Impact Assessment
    • A data controller must submit a Data Protection Impact Assessment covering all personal data in their control to the Commissioner within the first 90 days of each calendar year.
  4. Comply with the 8 Data Standards
    • Data controllers must comply with the 8 standards for processing personal data prescribed by the Act. These relate to fairness and lawfulness, purpose limitation, data minimization, accuracy, technical and organizational measures, adequacy requirements, storage limitation, and respect for data subject rights in the processing of personal data.
  5. Notify the Information Commissioner and data subjects of breaches
    • The DPA requires data controllers to report breaches or contraventions of the Act to the Commissioner within 72 hours of becoming aware and also to alert affected data subjects.

The Data Protection Act (DPA) of Jamaica serves as a vital safeguard, ensuring responsible handling and protection of personal information in the digital era. As stewards of personal data, Data Controllers uphold privacy rights, adhere to legal standards, and foster a culture of trust and transparency online.

Compliance with the DPA entails essential steps such as registration with the Information Commissioner, appointment of a Data Protection Officer, submission of annual Data Protection Impact Assessments, and adherence to the eight Data Standards. These measures not only align Jamaica with international data protection norms but also enhance personal data security against misuse and unauthorized access.

Ultimately, the DPA empowers individuals to have greater control over their personal information while promoting accountability and ethical data practices among organizations operating in Jamaica’s digital landscape.