Beware penalty
The Office of the Information Commissioner (OIC) has warned against breaches of regulations under the Data Protection Act, outlining possible sanctions which could result in the payout of millions in fines under the legislation.
According to Information Commissioner Celia Barclay, breaches under the Act, whether of the legislation itself or of its security requirements, will be liable for sanctions. The penalties, which could range from a simple warning for minor breaches, she said, could go as far as more serious punishment in the form of fines and/or imprisonment for gross violations.
“The Act imposes an obligation on the data controller, to notify the regulator [which is the OIC] of a breach within 72 hours of it happening or being brought to attention. Depending on what the nature of the breach is, its impact or who is affected — the directives issued will stipulate how a particular offence or breach is to be treated with.
“Breaches considered offensive under the Act will therefore allow for an actual prosecution in court, but there are also some other offences for which incarceration could be a penalty. Like most other offences under law, this will be a matter for the judge to determine the penalty that is to be imposed,” she told journalists during a recent Jamaica Observer Business Forum.
With liability resting heavily at the feet of data controllers, who act as the vanguards of data held by entities across the public and private sectors, David Gray, deputy information commissioner, further spoke to some of the specific penalties stipulated by the legislation.
“Under Section 68 of the Act, a fine can be as much as four per cent of the annual gross worldwide turnover. What this clause highlights is the severity of how the Act treats with a data breach. If the breach is so egregious, it can move from a fine as low as $2 million to one as high as the charge of four per cent of worldwide turnover. This sort of points out why a lot of entities are very keen on ensuring that they comply with the stipulated requirements,” he added.
The fines, drafted in line with those under Europe's General Data Protection Regulation (GDPR), in which a number of recent data protection laws are rooted, should likewise be effective, proportionate and dissuasive in each individual case. Under article 83(5) of the GDPR, fines can be as much as “up to 20 million euros, or in the case of an undertaking [a large entity], up to 4 per cent of the total global turnover of the preceding fiscal year, whichever is higher”.
Similarly, a punishable situation for a company under the GDPR can also come to light through proactive inspections conducted by the data protection authorities, through a dissatisfied employee, or through customers or potential customers who complain to the authorities.
Just months away from the December 1, 2023 implementation date, Barclay therefore underscored some of the regulations with which entities must comply in order to safeguard against possible violations.
“Having had two years to put things in place to ensure your compliance, come December 1 the expectation is that an entity would have already identified its data protection officer and is now ready to include the details of such a person or establishment in the details of their registration. We would also wish for them to have all the other information listed in their registration particulars ready and available to become registered as a data controller with the office. As a controller, we also expect that if it is that you want to become compliant on December 1, that you would have also reviewed your systems to outline what data and processing activities you have,” she stated.
“Finally, we would like to know that come December entities would have also set up a privacy or data protection framework within their organisations to be able to treat with any aspect of non-compliance,” Barclay said.
