Time for a public data breach registry
Dear Editor,
When Jamaica’s Data Protection Act (2020) came into full effect, the country took a significant step towards aligning with global privacy standards. However, this progress has been accompanied by a concerning trend: a noticeable increase in reported data breaches, as highlighted by the Office of the Information Commissioner (OIC) in February 2025.
These incidents highlight both the Act’s success in encouraging reporting and the urgent need for greater transparency. A public data breach registry, a centralised, openly accessible database of breaches, would address this gap and improve accountability and resilience.
The current landscape
The Data Protection Act (DPA) mandates that data controllers report breaches to the OIC. While this has improved regulatory oversight, the surge in breaches reveals systemic vulnerabilities; cyber threats are escalating faster than defences. Crucially, the public remains largely unaware of these incidents, undermining their ability to protect themselves and stifling broader lessons for businesses and policymakers. A public registry would empower citizens to identify sector-wide risks and hold institutions accountable.
The increase in breaches also signals that compliance alone is not enough. A public registry would incentivise organisations to go beyond minimal reporting requirements and invest in robust cybersecurity measures. Businesses could no longer dismiss breaches as “isolated incidents” but would face reputational and financial consequences for negligence. This shift is critical for sectors like health-care and financial services, where customer trust directly impacts certain outcomes.
Benefits for stakeholders
A registry would reveal patterns, such as whether breaches stem from phishing, weak encryption, or insider threats. This intelligence could guide targeted regulations, like mandatory cybersecurity training for health-care workers or stricter standards for government contractors.
Government: A registry would demonstrate proactive governance, aligning with Vision 2030’s digital goals. It could also inform national cybersecurity strategies, particularly as Jamaica faces growing threats to critical infrastructure.
Businesses: While transparency may seem risky, companies that openly address breaches often regain public trust faster. A registry would also help small and medium-sized enterprises identify common vulnerabilities and adopt cost-effective solutions.
Public: A registry would democratise access to breach data, enabling Jamaicans to make informed choices about whom they trust with their data.
Regulators: The OIC could use registry metrics to prioritise high-risk sectors, allocate resources efficiently, and collaborate with regional bodies like Caricom on cross-border threats.
Critics may argue that publicising breaches could deter reporting or aid cybercriminals. However, jurisdictions like the United Kingdom and several US states have shown that registries are a feasible undertaking and that technical details can be anonymised to prevent misuse while still providing actionable insights. Additionally, the recent rise in breaches proves that secrecy has not curbed incidents and has only left the public unprepared.
Let’s act now
The DPA was a necessary first step; however, stronger tools are required to remain resilient and combat the surge in breaches. A public registry would transform Jamaica’s approach from reactive compliance to one that is more proactive and focused on prevention, fostering a culture of cybersecurity awareness. By embracing transparency, we can turn recent challenges into a road map for resilience, ensuring that our digital economy grows safely, inclusively, and sustainably.
Shaquile Reid
Director
insightMint Limited
sareid@insightmint.io