Frequently asked questions

Quick answers about the Data Protection Act

Short, plain-language answers to the questions Jamaican businesses ask most. For more detail, browse the learning modules.

These answers are general information, not legal advice, and are being reviewed. For your situation, consult the Act or a qualified professional.

Basics

Yes. The Act applies based on what you do with personal data, not your size. A sole trader with a customer list is covered.

CCTV and monitoring

Yes, for a legitimate purpose such as security, with clear signage, limited access, and a set retention period.

Cloud and online tools

Yes, using reputable, secured services. You remain responsible as the controller, so check the provider's security and terms.

Employees and HR

Yes. Staff records, payroll, and recruitment data are personal data, and some, such as health information, are sensitive.

Breaches and security

Any incident where personal data is lost, stolen, exposed, altered, or accessed without authorisation, including a lost laptop or an email sent to the wrong person.

Rights and requests

They can be informed about its use, access it, correct it, object to certain uses such as marketing, and limit purely automated decisions.

Children's data

Children deserve particular care. In practice, parents or guardians usually exercise rights on a child's behalf, always with the child's best interests in mind.

International transfers

The Act allows international transfers where there is appropriate protection for the data. Check that protection is in place before relying on overseas tools.

Retention and disposal

Only as long as necessary for the purpose you collected it for, plus any legal requirement. The fifth standard says do not keep it longer than needed.

Registration

Some data controllers must register. Whether you need to depends on your activities, so confirm the requirement against the Act and current OIC guidance.