Data Controllers in High-Risk Sectors to Register with the OIC Beginning June 1

The Office of the Information Commissioner (OIC) will proceed with the registration of data controllers in several categories as a matter of priority, beginning June 1, 2024.

These include Ministries, Departments and Agencies of Government; data controllers in high-risk sectors such as financial, health, education, tourism, and ICT Services; data controllers who are required to appoint a Data Protection Officer (DPO); and other controllers processing personal data for in excess of 10,000 data subjects.

They are required to register under the Data Protection Act (DPA).

The Act is pivotal in safeguarding personal privacy, enhancing economic growth, aligning with international standards, and fostering innovation.

Minister without Portfolio in the Office of the Prime Minister with direct oversight for Skills and Digital Transformation, Senator Dr. the Hon. Dana Morris Dixon provided an update during a Ministerial Statement in the Senate on May 10.

She said the data controllers identified for prioritization represent large stakeholder groupings that are important for the protection of consumers, who undertake transactions locally, regionally, and internationally.

For these consumers, data protection and privacy practices are paramount in the conduct of their day-to-day business.

“Our small businesses will not be required as at June 1 to register…unless you are a small business that is processing a lot of data,” she said.

Dr. Morris Dixon said since December 1, 2023, data controllers have been able to commence the registration process by creating their unique data controller accounts on the website- www.oic.gov.jm.

She said as at May 8, 2024, a total of 760 data controllers have created their accounts with the OIC.

It is anticipated that many more prospective data controllers will eventually register with the OIC, and this is based on the number of businesses registered with the Companies Office of Jamaica.

“The Act applies to every business no matter how small it is… and so the obligation of a large-scale data processor should never be the same responsibility as that of a smaller processor…. My shoemaker should not be held to the same standards as a telecoms provider and that is what we are currently exploring,” Dr. Morris Dixon said.

“We have listened especially to the MSME (medium, small and micro enterprises) sector…The MSME sector has said these are difficult rules for us to be able to follow, to have a data protection officer and to have those systems in place and so in listening, the administration has adopted their recommendation in terms of a difference between a small-scale processor and a large-scale processor,” she added.

Dr. Morris Dixon said while the OIC’s focus during the initial period will be on registering the previously mentioned categories of data controllers, other data controllers not identified for priority registration will not be precluded from registering if they are ready and wish to do so.

She said as part of the journey to full implementation of the DPA, the OIC has been responding to requests from and concerns raised by key stakeholders and has also been updating its online platforms, including social media accounts, with information for the public.

Senator Morris Dixon said the OIC will shortly be engaging in a media campaign, to further increase public awareness of the June 1 end of grace period and the groups prioritized for registration.

Meanwhile, she said the OIC has conducted sensitization sessions, reaching upwards of 7000 persons, adding that the Office has also issued over 100 legal opinions to various stakeholders on the interpretation and application of different provisions of the legislation.

“We don’t want to put anyone out of business, it is not in the interest of our country to do that, and this administration is not that type of an administration. We believe the data protection rules are necessary and we will work with every business to ensure that they are compliant with it,” she said.

The Minister’s statement coincided with the tabling of National Identification and Registration Authority (NIRA) Regulations which will, in part, see the eventual rollout of a national identification system.

The establishment of NIRA and the rollout of the digital ID later this year are important to creating a true digital society that can lead to enhanced efficiency in the country.

Passed in 2020, the Data Protection Act provides guidelines on how personal data should be handled in physical and electronic form.

The law came into effect on Dec. 1, 2023, however companies were given a six-month grace period to comply with the requirements of the Act.

For more information persons may contact info@oic.gov.jm or 876-920-4390.