Beyond rubber-stamping
Dear Editor,
To what extent are end users aware of what happens when their personally identifiable information (PII) is breached at an organisation or institution where their data is collected? What regulatory mechanisms currently govern user access reviews within Jamaican institutions? Are users provided opportunities to participate in creating, testing, or implementing related policies and systems, or are they excluded from these critical phases?
These questions are crucial in determining whether existing policies are user-oriented, transparent, and capable of securing stakeholder buy-in. A user-centric, bottom-up approach to system and policy development is essential for compliance and effectiveness. Unfortunately, many Jamaican organisations still rely on top-down, rubber-stamped access reviews, missing opportunities for deeper user engagement.
Since the enactment of the Data Protection Act (DPA) on December 1, 2023, a pressing question remains: Are organisations in Jamaica compliant? Have appropriately qualified data protection officers (DPOs) been appointed, as required under the Act?
The DPO is tasked with independently monitoring compliance with data protection standards — a function that should be embedded within all companies and educational institutions handling PII.
Biometric data refers to physical or behavioural characteristics that enable unique identification. This includes facial images, fingerprints, retina scans, gait, voice, and more. The DPA categorises this as sensitive personal data, demanding the highest level of protection and ethical use.
Personal data, under the DPA, encompasses any information related to a living individual or one deceased for less than 30 years. This includes recorded opinions or intentions towards the individual. Processing refers to any operation performed on this data, such as collection, storage, retrieval, or deletion — automated or manual.
Key Stakeholders and Their Roles
• The data protection officer (DPO): The DPO is responsible for ensuring compliance, advising on data protection issues, addressing breaches, and assisting data subjects with their rights. If the DPO believes the data controller is non-compliant, they must notify them and, if unresolved, escalate the matter to the information commissioner.
• The data controller (DC): The DC is any public authority or institution that processes sensitive personal data. This includes entities handling large-scale data or data related to criminal convictions.
• The information commissioner: An independent authority tasked with monitoring compliance, promoting best practices, advising the Government, and educating the public. The commissioner also reviews and validates self-initiated guidelines submitted by trade associations.
As Jamaica fully enforces its data protection framework, organisations must evolve beyond performative access reviews. A participatory, transparent approach involving users at each stage — from design to deployment — will foster compliance and enhance trust and accountability. Rubber-stamping policies is no longer sufficient; meaningful user engagement is key to safeguarding the rights of Jamaican citizens in an increasingly digital world.
Rorron A Clarke
raclarke6@gmail.com