Data Protection Act: Private vs Public
THE Office of the Information Commissioner (OIC) is urging data controllers to get compliant with the Data Protection Act ahead of December 1 by seeking out the requirements to get registered and the different information that will be expected from public or private entities.
“In the registration process, it is a requirement that you [data controller] indicate whether you are a public body or not, it’s an ingredient of the registration process which allows us, again also looking at the risk, as to whether it being public, the risk and control features vis-à-vis it being a private entity and, of course, the types of data that is being handled,” David Grey, deputy information commissioner, told journalists at a Jamaica Observer Business Forum.
Grey, noting that some data, such as biometric and genetic data, would be more sensitive than others, said this would result in a different risk assessment, such as in the case of a public body that deals with national security that is vested in a statutory function.
It was pointed out that once the entity has been identified, the only difference with the requirement is the need for a body to govern all data laws for that particular entity.
“A factor that is definitely expressly stated as relevant to government entities is the requirement for the appointment of a data protection officer, as a private sector organisation you may not necessarily be required to appoint a DPO [data protection officer] in order to register,” explained Information Commissioner Celia Barclay.
A public body is any entity that the Government has an interest in, or majority control and influence.
Barclay explained further that the decision of a private entity to appoint a DPO would depend on how and what data are being processed.
“Persons who are processing sensitive personal data, persons who are processing criminal records, persons who are considered large scale processors,” she said, would require a DPO.
Still, Barclay did not discourage private entities from appointing DPOs.
“If you have the means and you are able to, then yes, we would recommend it, cause there is a benefit to having the DPO [data protection officer]. If you choose not to, then you just have to know how it is that you are going to ensure that you are complying based on all the requirements that the Act imposes on you.”
She outlined, however, that in registration certain information must be provided to ensure that the OIC can identify who are the data controllers in each organisation.
The information includes “what data are you keeping. How are the data being processed. Who are you sharing that data with, and what are the safeguards you have in place in relation to the data that you have,” Barclay explained.
She said once the information is collected and the entities are registered, the OIC can exercise authority over how data are utilised. Entities will also be required to make annual reports to the OIC on their collection and handling of data.
However, it was pointed out that not being registered does not exclude entities from the oversight of the OIC.
“The commission does have a discretion under the Act to identify the persons to whom it should apply at a particular time and when,” Barclay said.
“Those are decisions that we [OIC] will make as we build out the system and the framework to say well where do we see the greatest risk? Who is this most necessary for?” she continued.
Barclay, however, acknowledged that there are missing pieces to the legislation.
“It is still a new legislation, it is still a new office, it is still a new regime, we are not going to necessarily be able to do every single thing at once from the outset,” the information commissioner said.
When questioned about whether the Act will have regulations to accompany it, Barclay said the regulations are in the preparatory stage.
“We are currently working on those, we are very conscious of the fact that the date for full implementation is at present the 1st of December this year, and so the aim is to have the regulations out and promulgated well ahead of that date.”