Role of Data Protection Officers

The Data Protection Act, 2020, mandates Data Controllers to register with the Office of the Information Commissioner (OIC), but not all Data Controllers are required to appoint a Data Protection Officer (DPO).

DPOs play an essential role in assisting Data Controllers to safeguard data privacy and ensure compliance with the Data Protection Act, 2020.

They guide entities in the development and implementation of data protection policies and procedures and can assist with sensitising staff about the risks and responsibilities related to data protection.

Information Commissioner, Celia Barclay, told JIS News that a DPO functions as a liaison between a Data Controller and the OIC and acts as the contact person for data subjects who may wish to make requests or have enquiries of a Data Controller.

“That is also the person to whom the data subject would usually submit any complaints that they have or reports they would wish to make to a Data Controller about, for example, allegations of wrongful practices in the processing of their information or making a request for correction of data,” she explained.

Ms. Barclay further explained that DPOs are expected to regularly monitor an entity’s data processing activities to assess their compliance with data protection standards and recommend measures for remedying any non-compliance.

DPOs are responsible for conducting Data Protection Impact Assessments (DPIAs) as well as investigating and managing data breaches.

Ms. Barclay advised that all public authorities are required to appoint a DPO, noting that the term is widely defined in the Act, to include all entities that are wholly or partly owned by Government.

“It also includes all entities in which the Government has an influential role. A company that the Government has a share in or a certain amount of influence over would also rank as a public authority,” she informed.

In addition to public authorities, any entity that processes personal data on a large scale must appoint a DPO.

“Entities would need to look at their size, the number of data subjects that they process information for, and your data subjects do include your staff members – employees of the organisation as well as your contractors for whom you might collect information, any temporary or permanent persons engaged by the organisation,” she detailed.

Ms. Barclay pointed out that entities must examine the volume of information they collect and the complexity of their processing activities to determine whether the entity would be classified as a large-scale processor.

She further noted that an entity that processes or intends to process sensitive personal data – criminal convictions, health records, biometric data, political opinion, associations and other affiliations – is also required to appoint a DPO.

Ms. Barclay said entities must ensure that the DPOs they appoint are appropriately qualified to perform their duties.

She underscored that the appointed officer should not have a conflicting role within the entity.

“What you would not want is to appoint someone who is a part of their own data-processing activities and then have them perform the role as a Data Protection Officer, because that would have an inherent conflict in and of itself,” she said.

Ms. Barclay emphasised that DPOs should be able to operate with a certain level of “independence and influence” in carrying out their functions.

“Based on the nature of the role, this person will have to be able to observe the data-processing practices of the organisation and make a determination on a preliminary level as to whether or not these practices actually conform to the requirements of the Act and also international standards,” she stated.

She reasoned that if the officer is a part of the data-processing activities, then by human nature there might be an inclination to seek to justify how the entity has been operating.

“Ideally, you would want the person to act, as far as possible, independently and objectively in making an assessment and making any recommendations,” Ms. Barclay said.

She added that it is also recommended that DPOs have direct reporting to the Head of entity or as close as possible, to be in the best position to influence the decision- making of the entity as it relates to any policies or procedures that might govern their data-protection practices.

The Office of the Information Commissioner serves as the cornerstone of data protection in Jamaica, safeguarding the rights of individuals to the privacy of their personal data.