June registration date for all ministries, high-risk data processors Loop Jamaica

The content originally appeared on: Jamaica News Loop News

All Government ministries, departments and agencies, as well as data controllers in high-risk sectors such as finance, health, education, tourism, and information communication technology services have been prioritised for registration with the Office of the Information Commissioner (OIC) effective June 1.

This is to ensure their compliance with the new Data Protection Act (DPA).

Additionally, data controllers who are required to appoint a data protection officer (DPO) and other controllers processing personal data for more than 10,000 data subjects are also required to register by the June 1 deadline.

This was stated on Friday by Senator Dr Dana Morris Dixon, the minister without portfolio in the Office of the Prime Minister with responsibility for skills and digital transformation. She was speaking during a ministerial statement in the Senate where the regulations governing the DPA were tabled.

She explained that “you may have a small business with two people who may be very data heavy in their data processing, it could be a third party data processor, they will have to comply”.

Morris Dixon said the data controllers identified for prioritisation represent large stakeholder groupings that are important for the protection of consumers, who undertake transactions locally, regionally, and internationally.

“For these consumers, data protection and privacy practices are paramount in the conduct of their day-to-day business,” she said.

She told the Senate that while the OIC’s focus during the initial period will be on registering the previously mentioned categories of data controllers, other data controllers not identified for priority registration will not be precluded from registering if they are ready and wish to do so.

All data controllers, in anticipation of needing to register, should seek to satisfy the following minimum data protection compliance requirements:

1. Appointment of a DPO or responsible officer for data protection

 2. Documented data protection policies and procedures 3. Published privacy notice

4. Data inventory and data mapping

5. Storage for physical records properly secured with limited access

6. Electronic storage secured using at least three privacy and security measures

7. Written agreements with data processors binding them to DPA compliance

8. System for the management of Data Subject Access Request (DSAR) i.e. requests from individuals in exercise of their right to information about personal data being processed by a data controller and the nature of the processing activities

9. Breach response strategy and plan

10.Staff training and sensitization. 

The registration fees, as prescribed in the regulations, are: 

First-time registration as a data controller (a) companies and public authorities: $25,000

(b) where the data controller is a partnership: $15,000  (c) Sole traders and individuals: $7,500

Yearly renewal of registration (a) companies and public authorities: $15,000

(b) where the data controller is a partnership: $10,000

(c) Sole traders and individuals: $5,000 

 Morris Dixon said the OIC will shortly be engaging in a media campaign to further increase public awareness of the June 1 end of grace period. This will include public service announcements and interviews on radio and other broadcasts and publications.