Everyday we share personal data — when we open bank accounts, shop online, visit the doctor, conduct business, or use social media. Names, phone numbers, e-mail addresses, photos, and even location data are constantly being collected and stored. Jamaica’s Data Protection Act (DPA) was introduced to ensure that those who collect this information have the obligation to handle it fairly, securely, and responsibly.

At the heart of the DPA is the concept of a “data subject” — an identifiable natural individual whose personal data is collected or processed. A key component of the DPA is the rights that data subjects have in relation to how their personal data is handled. These rights empower data subjects to control, review, correct, or even require the erasure of their personal data in certain circumstances.

Data controllers are those individuals and entities that determine why and how a data subject’s personal data is collected, used, or processed. Data controllers must be registered with the Office of the Information Commissioner. It is crucial for data controllers to be well versed in the rights of data subjects under the DPA and ensure their data protection policies and procedures address the steps to be taken when a data subject exercises any of those rights. These rights of the data subject are not absolute and must be balanced against the rights of other data subjects and objectives such as national security or compliance with certain regulatory functions.

Under the DPA, these rights include:

1) Right to Be Informed

Data subjects have the right to be informed about the collection and processing of their personal data. This means data controllers must clearly disclose what information is being collected, why it is being collected, how it will be used, who it may be shared with, and how long it will be retained.

2) Right of Access

The right of access allows a data subject to inquire whether a data controller holds personal data on that data subject and, if so, to see and obtain a copy of that data. Data controllers are generally required to respond to access requests from data subjects within 30 days of receipt of a request.

3) Right to Rectification

The right to rectification gives a data subject the ability to require a data controller to correct, update, or complete personal data that is inaccurate, misleading, or incomplete. This right ensures that decisions or actions taken based on personal data are founded on accurate information. Once a request is made, the data controller must take reasonable steps to correct the data without undue delay. Where the inaccurate, misleading, or incomplete personal data has been shared with third parties, the data controller must also take steps to notify those parties of the correction, where appropriate.

4) Right to Erasure (“Right to Be Forgotten”)

Under certain conditions, individuals can exercise the right to erasure, also known as the “right to be forgotten”. This allows a data subject to request that their personal data be deleted when it is no longer necessary for the original purpose of collection, when consent has been withdrawn, or when that data has been unlawfully processed.

5) Right to Restrict Processing

Data subjects may choose to restrict the processing of their personal data in specific scenarios. For example, if accuracy is in question, but the individual prefers data preservation for a legal claim, the data subject may request that further processing be suspended. This right provides an intermediary option when erasure is not appropriate, but ongoing unrestricted processing is undesirable.

6) Right to Object and Withdraw Consent

The DPA also allows data subjects to object to processing of their personal data, particularly where processing is based on consent. A data subject may withdraw his or her consent at any time, thus requiring the data controller to cease processing unless there is another lawful basis for doing so. Individuals have the right to object to processing for purposes such as direct marketing.

7. Right Not to Be Subject to Automated Decision-Making

Modern data systems often use automated tools to make decisions about individuals. Under the DPA, data subjects have the right not to be subject to decisions based solely on automated processing.

Data controllers will, therefore, benefit from putting in place an effective step plan to be exercised in the event data subjects opt to exercise their rights under the DPA. Included in those steps must be an assessment of whether the Data Controller may comply with a request to exercise the particular right.

The DPA places individuals at the centre of personal data governance and so the Office of the Information Commissioner’s theme for Data Privacy Week 2026, ‘Take Charge of Your Rights’ is certainly fitting. Data controllers must ensure these rights and the recognition of them is woven into their data protection policies, procedure, and culture to ensure compliance with the DPA and allow data subject to, in fact, take charge of their rights.

Joanna Marzouca is an Associate at Myers, Fletcher and Gordon, and is a member of the firm’s Commercial Department. Joanna may be contacted via joanna.marzouca@mfg.com.jm or www.myersfletcher.com. This article is for general information purposes only and does not constitute legal advice.

Joanna Marzouca.