Information Commission concerned about data breaches
The Office of the Information Commissioner says it has noted with concern the increasing number of data breaches reported in the public domain over the past several months.
The breaches, which have affected several organisations in both the private and public sectors, underscore the importance of stringent data protection measures and prompt response protocols, argues the agency.
The office is the regulatory authority established under the Data Protection Act, with the mandate to, among other things, promote good practice in the processing of personal data and monitor and enforce compliance with the legislation.
Data controllers, such as companies, associations, sole traders, partnerships and public authorities or government entities, have a responsibility to properly process and maintain personal data.
The office notes that the fact that a data controller suffers a security breach does not necessarily mean that the data controller behaved inappropriately or negligently, nor that appropriate due diligence and level of care were not maintained or exercised.
However, a significant number of breaches do occur from a failure of data controllers to implement appropriate measures, it was quick to add.
Regardless of the cause of the breach, data controllers are required to inform data subjects about any potential adverse effects so that they may take action to protect themselves from harm, if possible.
Noting the increasing number of breaches, Information Commissioner Celia Barclay is reminding the public and, particularly, data controllers that, under Section 21 of the Act, they have a duty to comply with the data protection standards in relation to all personal data which is being processed and that they shall report contraventions and security breaches to the commission within 72 hours of initial discovery.
And data controllers shall notify each data subject whose personal data are affected by the breach within 72 hours in accordance with the Data Protection Regulations, 2024.
Failure to process personal data in accordance with the data protection standards, to report a breach or contravention, or to notify individuals of a data breach or contravention affecting their personal data, constitutes an offence, for which the data controller shall be liable to either a fine or imprisonment for up to seven years.
Barclay notes that not all breaches reported in the public space have been reported to the commission.
She is reminding data controllers who have experienced breaches, but not yet reported them to the office, that it is in their interest to do so as a matter of urgency, so that the matters can be treated as appropriate.
The Information Commissioner notes further that most of the breaches reported to the agency have resulted from malicious acts by third parties with damage to the data controller, data processor or the data subject.
Others have been due to accidental or negligent acts by the employees or other agents of the data controller (such as sending emails with the incorrect attachments), it states.
While not commenting publicly on the specific breaches reported to the commission or in the media, the office has responded by requiring data controllers to account for the measures in place to mitigate the risks of breaches, reduce their impact and implement additional security measures to prevent future breaches.
The commissioner has also issued directives, where necessary, for data controllers to notify affected individuals whose data have been compromised and to provide support to them.
The enforcement provisions have generally not yet been brought into effect to enable the prosecution of offences under the Act.
However, data controllers should be mindful of the high costs, through loss of income or profit from reputational damage, that can be suffered as a result of their failure to protect personal data, the office underscores.
Further, the commissioner, as part of the effort to empower data subjects, has highlighted their right under the law to seek compensation, via civil proceedings, for damage or distress suffered due to a breach.
She says her office remains committed to enhancing data protection and privacy through continuous monitoring, enforcement, and public awareness initiatives, and providing guidance to data controllers to strengthen their data protection practices.

