JAMAICA’S Information Commissioner Celia Barclay has warned data controllers that while the enforcement provisions for the Data Protection Act (DPA) are not yet in full swing, individuals are still able to bring civil suits and seek compensation if their rights are breached.

In the same breath, Barclay, speaking at the 2025 Data Privacy Conference at AC Hotel Kingston on Wednesday, said the courts must be ready to adjudicate in such cases and overcome their own difficulties in settling those kinds of matters.

“Data controllers must make best efforts to uphold and facilitate data subjects in the exercise of rights under the Data Protection Act. While our enforcement provisions have, for the most part, not yet been given effect, the Act [has] in no way limited or removed a data subject’s recourse to civil proceedings for redress. Thus, a data controller who fails to uphold data subjects rights under the Act could find themselves subject to suit,” Barclay said.

“In this regard, our judiciary must stand ready to receive claims and applications by data subjects and to overcome their own challenges in adjudication of data protection matters. In other countries that have fully implemented data protection laws and regulations, courts have encountered their own challenges in deciding cases related to the exercise of data subject rights. Among these challenges are interpreting highly technical and ever-evolving data protection laws and regulations, assessing appropriate remedies, and/or determining liability for material and non-material harm, and how same can be allocated or shared between multiple controllers,” she pointed out.

Said Barclay: “There has been a lot of talk about data controllers needing to adhere to the eight data protection standards, and we know that efforts are being made to develop and implement privacy programmes that will ensure compliance with the Act. This year, we add to the narrative. This year everyone’s attention, especially data controllers’ attention, must be drawn to this most important compliance requirement — process personal data with due regard to the rights and interest of data subjects. A failure to have regard to the rights of data subjects can be as costly as any breach.”

Experts estimate that one per cent of the world’s population, or 88.5 million people, fall victim to cybercrime globally each year. Jamaica has a special vulnerability, being part of the Latin American and Caribbean region identified as the least protected region in which there are gaps in cybersecurity capacity due to, among other things, rapid post-pandemic digitalisation.

Wednesday, Barclay said with threat levels that high, individuals must not just seek to protect themselves but should take proactive steps to ensure that the data controllers to whom they provide their personal data — whether directly or indirectly, knowingly or unknowingly — are also taking positive action to safeguard that data against loss, misuse, and other wrong processing.

“Data protection is not just a responsibility or obligation of data controllers under the DPA. We are entitled to it. It is a right of data subjects, a right broken down into several privacy and access rights that must be freely exercised and firmly defended,” she said.

A data controller is defined in the Act as any person or public authority who, either alone or jointly or in common with other persons, determines the purposes for which and the manner in which any personal data is or is to be processed. Where personal data is required to be processed under any law, the person on whom the obligation to process the personal data is imposed by or under that law will also be a data controller.

Personal data is defined under the DPA as information, however stored, relating to a living individual, or an individual who has been deceased for less than 30 years, and who can be identified from that information alone, or from that information and other information in the possession of, or likely to come into the possession of, the data controller. Personal data includes any expression of opinion about that individual and any indication of the intentions of the data controller or any other person in respect of that individual.

The DPA came into effect in December of 2023 and is aimed at providing greater safeguards for the handling of the personal information of Jamaicans held in physical or electronic form. The legislation, which was passed in 2020, is poised to transform the way organisations manage personal data, including the collection, storage, utilisation, disclosure, and disposal.

The Office of the Information Commissioner is responsible for monitoring compliance with the Act and attendant regulations, as well as advising the Government on matters relating to data protection, disseminating information to the public in relation to the operation of the Act, and preparing and distributing guidelines that promote good practices to be adhered to by data controllers.