OIC urges data controllers to use up grace period
With companies given more time beyond the initial December 1, 2023 deadline to comply with the requirements of the Data Protection Act (DPA), the Office of the Information Commissioner (OIC) is encouraging more businesses to commence the registration process during the current grace period set to expire in June.
Deputy Information Commissioner David Grey speaking with the Jamaica Observer on Tuesday, said the office is now doing the necessary due diligence to ensure that the legislations are ready in order to have more companies complaint under the Act as it also work to ensure a seamless transition.
“The Government has granted a six-month period within which all data controllers should take the necessary steps to become registered. At this stage, several data controllers have already began to set up their accounts which will be used to facilitate registration and we hope to have more following suit,” he said to the Business Observer.
Just last week president of the Shipping Association of Jamaica (SAJ) Corah Ann Robertson-Sylvester urged members of her association to take the steps necessary to ensure that their respective organisations are compliant with requirements under the Act. In warning industry players about the level of work involved and the swift movement of time, she urged members to “not relax their efforts in ensuring that all systems are put in place before the extension period passes.”
“For members of the SAJ, adherence to the DPA is an urgent priority. As data controllers within an association, it is important to determine whether the DPA applies to their operations. This determination is based on several factors, including the processing of personal data and the offering of products or services to people living in Jamaica.
“An underlying aspect of compliance is the registration process with the OIC. Data controllers are required to provide thorough information, including contact details, data processing descriptions, and measures taken to ensure compliance. SAJ members are [therefore] encouraged to visit the OIC’s website to register their organisation as part of their ongoing groundwork to establish procedures to become compliant,” Robertson-Sylvester said.
Prime Minister Andrew Holness, in his recent contribution to the budget debate, said that with the extended period for registration set to expire at the end of June, the Government has been actively exploring how it can further provide additional time for certain businesses particularly micro, small and medium-sized enterprises (MSMEs).
To this end, he advised the OIC to be guided by international best practices in adopting a strategic approach for implementing the Act. At the end of the grace period in June, Holness said the OIC should only commence registration for controllers in certain categories including: ministries, departments and agencies of Government, entities operating in high-risk sectors such as financial, health, education, tourism and ICT services and other businesses that conduct data processing on a large scale as well as for those data controllers required to appoint a data protection officer.
“The OIC will publish the categories of controllers who will be required to be registered at the end of the extension and persons can liaise with the OIC to clarify whether or not they need to register in June,” the prime minister said during his presentation.
Grey said that following these announcements by the prime minister, the OIC anticipates having some outstanding processes complete and the office being well underway in also having most things ready by the stipulated June timeline.
“While these processes continue to take place we await the final editing and finishing of the regulations which will facilitate the registration form that data controllers are to complete,” Grey said.
The DPA passed by Parliament in 2020 stands as a critical framework created to ensure the responsible handling and protection of personal information. Under the Act, data controllers which include companies, individuals and other entities that process or store customer information are considered stewards of personal data that are to play a pivotal role in safeguarding the privacy rights of data subjects, ensuring compliance with legal standards while fostering a culture of trust and transparency in the local digital landscape.
“We are encouraging all data controllers to look at their systems and to ensure they are robust and also to put in place the required steps to protect the privacy of data subjects,” the deputy information commissioner said.
Providing update on some previously mentioned staffing challenges, Grey said the office has since then moved to make additional hires as it continues to “refine the organisational structure of the office so as to ensure that it can effectively undertake its functions” in a better way.