On 30^th November, 2021 the Government of Jamaica, through its publication in the Jamaica Gazette, enacted sections 2,4, 56, 57, 60, 66, 74 and 77, and the First Schedule, of the Data Protection Act 2020 with an operative date of the 1^st December 2021. A week later, it was reported via local news outlets, that the Governor General had also appointed an Information Commissioner – Ms. Celia Barclay, also with an effective date of 1^st December 2021. These developments have the primary effect of:

1. Establishing the Office of the Information Commissioner with certain powers, duties and responsibilities as conferred under the Act;
2. Commencing the two year transitional period stipulated in section 76 of the Act; and
3. Effecting immediate obligations & data standards for data that can’t be processed automatically, or that does not form a part of a structured filing system.

The Office of the Information Commissioner

The sections of the act brought into operation with the gazette notice, primarily apply to the establishment of the role and office of the Information Commissioner. With these enactments, the duties & responsibilities of the Commissioner are now operational. In particular, the Commissioner is to establish procedures and make regulations to give effect to the provisions of the act and create a data sharing code after consultation with industry stakeholders. Additionally, the published notice officially conferred to the Commissioner the duty to prepare reports & guidelines for parliament; to adhere to regulations for international co-operation; and to maintain confidentiality of information in her role. The newly appointed Information Commissioner, Ms. Celia Barclay brings to her role a wealth of legal & regulatory experience with over fourteen years at the bar and  over seven years in public service.

Commencement of Transitionary Period for Data Controllers

The Act directs controllers to take all necessary measures to ensure compliance with the provisions of the Act and the standards articulated therein for a period of two years after the earliest date of enactment. For this transitionary period, no proceedings may be taken against a data controller for any processing done in good faith. Data controllers now therefore have until 30^th November 2023 to reform their data processing practices to ensure that the comply with the provisions of the Data Protection Act.  

Immediately Effective Standards & Obligations

As of the earliest effective date of the Act, being December 1^st 2021, any personal data that is held in a way that:

1. does not allow the data to be processed automatically or;
2. is not a part of a filing system where the information is structured (either by a reference to individuals or by reference to criteria relating to individuals) in a way that allows specific information relating to a particular individual to be readily accessible;

shall be subject to certain obligations under the Act. In particular, any such data must adhere to the following data standards in accordance with the Act:

1. The personal data shall be processed fairly and lawfully;
2. The personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with those purpose;
3. The personal data shall be adequate, relevant, and limited to what is necessary for the purposes for which they are processed
4. The personal data processed for any purpose shall not be kept for longer than is necessary for that purpose
5. Appropriate technical and organisational measures shall be taken— (a) against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data; and (b) to ensure that the Commissioner is notified, without any undue delay, of any breach of the data controller’s security measures which affect or may affect any personal data.
6. The personal data shall not be transferred to a State or territory outside of Jamaica unless that State or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
7. That personal data shall be processed in accordance with the rights of data subjects conferred under the Act, with the exception of the right to access and the right to request rectification of inaccuracies.

In addition to this, Controllers processing the data falling within this category are required to:

1. Obtain consent for any direct marketing in accordance with the Act;
2. Adhere to written requests for the prevention or cessation of processing in accordance with the Act;
3. Respect the rights conferred on data subjects with regard to automated decision making;
4. Meet registration requirements with the Information Commissioner; and
5. Where applicable, appoint a data protection officer.

Notwithstanding this enactment, without the establishment and structure of a formal registration process within the Office of the Information Commissioner, it is unlikely these provisions will be immediately enforced. Moreover, where a data controller can demonstrate that he has been processing data in good faith during this transitionary period no proceedings may be brought against him under the Act.