OIC commissioner expresses concern about data breaches
Kingston, Jamaica – The Office of the Information Commissioner (OIC) has expressed concern over the increasing number of data breaches reported in the public domain during the past several months.
Reacting to the increasing number of breaches, Information Commissioner Celia Barclay, in a statement on Friday, reminded the public and data controllers that under section 21 of the Data Protection Act (DPA) it is the duty of a data controller to comply with the data protection standards in respect of all personal data processed by that data controller.
Likewise, data controllers shall report contraventions of the data protection standards and security breaches to the Information Commissioner within 72 hours of initial discovery, and shall notify each data subject whose personal data are affected by the breach within the prescribed time, which is 72 hours under the Data Protection Regulations, 2024.
She noted that failure to process personal data in accordance with the data protection standards, to report a breach or contravention, or to notify individuals of a data breach or contravention affecting their personal data, constitutes an offence, for which the data controller shall be liable to either a fine or imprisonment for up to seven years.
Barclay said not all breaches reported in the public space have been reported to the OIC as required by the DPA.
She reminded data controllers who have experienced breaches but have not yet reported them to the Office that it is in their interest to do so as a matter of urgency, so that the matters can be dealt with appropriately.
The commissioner notes further that most of the breaches reported to the OIC have resulted from malicious acts by third parties, with damage to the data controller, data processor or data subject. Others have been due to accidental or negligent acts by employees or other agents of the data controller, such as sending emails with the incorrect attachments.
While the commissioner has not commented publicly on the specific breaches reported to the OIC or in various media, the Office has responded by requiring data controllers to account for the measures in place to mitigate the risks of breaches, reduce their impact and implement additional security measures to prevent future breaches.
The commissioner has also issued directives, where necessary, for data controllers to notify affected individuals whose data have been compromised and to provide support to them.
The enforcement provisions have generally not yet been brought into effect to enable the prosecution of offences under the Act. However, the OIC is urging data controllers to be mindful of the high costs, through loss of income or profit from reputational damage, that can be suffered as a result of their failure to protect personal data.
Further, the commissioner, as part of the effort to empower data subjects, has highlighted their right under the DPA to seek compensation, via civil proceedings, for damage or distress suffered due to a breach.
The OIC says it remains committed to enhancing data protection and privacy through continuous monitoring, enforcement and public awareness initiatives, and to providing guidance to data controllers to strengthen their data protection practices, even as it continues to build out its nascent office.
The OIC, as the regulatory authority established under the DPA, is mandated to, among other things, promote good practice in the processing of personal data and monitor and enforce compliance with the DPA.
The DPA outlines general principles for the treatment of personal data relating to an individual by data controllers.
