
Jamaica - Data Protection Overview

December 2023

1. Governing Texts

Since the implementation of the EU General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') there has been a race amongst territories in the Caribbean to enforce data protection legislation. Prior to 2010, only four territories in the region had comprehensive data protection laws. Currently, over 15 territories in the region have implemented comprehensive data protection laws, with Barbados, Bermuda, Brazil, Cayman Islands, Jamaica, and Panama being the most recent additions.

1.1. Key acts, regulations, directives, bills

The Data Protection Act, 2020 ('the Act') was passed by the Government of Jamaica ('the Government') in June 2020; however, the substantive provisions under the Act, which include the rights of a data subject and the legal obligations of a data controller, are not yet in effect. Those provisions will not come into operation until the Government has publicly appointed an effective date. The provisions appointing and establishing the Office of the Information Commissioner came into effect on December 1, 2021. The result of this is that the two-year transition period for data controllers to take the necessary steps to ensure full compliance with the requirements under the Act commenced on December 1, 2021, and expired on November 30, 2023.

1.2. Guidelines

Not applicable.

1.3. Case law

Not applicable.

2. Scope of Application

2.1. Personal scope

The Act applies to both public and private sector organizations. The Act also applies to identifiable natural persons and individuals who have been deceased for less than 30 years.

2.2. Territorial scope

The Act applies to a data controller who:

  • is established in Jamaica or in any place where Jamaican law applies by virtue of international public law, and personal data is processed in the context of that establishment; or
  • though not established in Jamaica:
    • uses equipment in Jamaica for processing of personal data otherwise than for the purpose of transit through Jamaica; or
    • processes personal data, of a data subject who is in Jamaica, and the processing activities are related to:
      • the offering of products or services to data subjects in Jamaica, irrespective of whether a payment of the data subject is required; or
      • the monitoring of the behavior of data subjects as far as their behavior takes place within Jamaica.

For the purposes stated above, each of the following shall be treated as established in Jamaica:

  • an individual who is ordinarily resident in Jamaica;
  • a body incorporated under the laws of Jamaica;
  • a partnership or other unincorporated association formed under the laws of Jamaica; and
  • any person who does not fall within the above cases but who maintains in Jamaica:
    • an office, branch, or agency through which the person carries on any activity; or
    • a regular practice.

2.3. Material scope

The term 'processing' is a very wide concept under the Act and is defined as obtaining, recording, or storing information or personal data, or carrying out any operation or set of operations (whether or not by automated means) on the information or data, including:

  • organization, adaptation, or alteration of information or data;
  • retrieving, consulting, or using information or data;
  • disclosing information or data by transmitting, disseminating, or otherwise making it available; or
  • aligning, combining, blocking, erasing, or destroying information or data, or rendering data anonymous.

Personal data that is processed for the sole purpose of transit through Jamaica would be exempted from the Act.

3. Data Protection Authority | Regulatory Authority 

3.1. Main regulator for data protection

The Information Commissioner ('the Commissioner') is the main regulator under the Act.

3.2. Main powers, duties and responsibilities

The main powers, duties, and responsibilities of the Commissioner include:

  • monitoring compliance with the Act and any regulations made under the Act;
  • providing advice to the relevant minister on any matter relating to the operation of the Act or otherwise for the protection of personal data;
  • promoting the observance of the requirements under the Act and the following of good practice by data controllers;
  • disseminating information to the public about the operation of the Act, about good practice, and advising persons about any of those matters;
  • preparing and disseminating guidelines under the Act; and
  • intervening as a party in any proceedings before a court, in respect of any matter concerning the processing of personal data or the enforcement of any provision of the Act, other than proceedings for the prosecution of an offence.

4. Key Definitions

Data controller: A data controller is defined under the Act as 'any person or public authority, who, either alone or jointly or in common with other persons determines the purposes for which and the manner in which any personal data are, or are to be, processed, and where personal data is processed only for purposes for which they are required under any enactment to be processed, the person on whom the obligation to process the personal data is imposed by or under that enactment is for the purposes of this Act a data controller'.

Data processor: A data processor is defined under the Act as 'any person, other than an employee of the data controller, who processes the data on behalf of the data controller'.

Personal data: Personal data is defined under the Act as 'information (however stored) relating to a living individual, or an individual who has been deceased for less than 30 years, who can be identified from that information alone or from that information and other information in the possession of, or likely to come into the possession of, the data controller, and which includes any expression of opinion about that individual and any indication of the intentions of the data controller or any other person in respect of that individual'.

Sensitive data: Sensitive personal data is defined under the Act as personal data consisting of any of the following information in respect of a data subject:

  • genetic data or biometric data;
  • filiation, racial, or ethnic origin;
  • political opinions, philosophical beliefs, religious beliefs, or other beliefs of a similar nature;
  • membership in any trade union;
  • physical or mental health or condition;
  • sex life; or
  • the alleged commission of any offense by the data subject or any proceedings for any offense alleged to have been committed by the data subject.

Health data: A 'health record' is defined under the Act as any record which:

  • is in the custody or control of a health professional in connection with the care of an individual; and
  • consists of information relating to:
    • the past or present physical or mental health, or condition, of an individual, for example:
      • clinical information about diagnosis and treatment;
      • genetic data;
      • information about the testing of any body part or bodily substance, or the donation of a body part or bodily substance; or
      • biometric data;
  • the registration of an individual for the provision of health services and any number, symbol, or code assigned to uniquely identify the individual for those services;
  • the name of the individual’s health care provider; or
  • payments made by, or the eligibility of, the individual for the provision of health services, or any other health-related information about the individual that is collected in the course of the provision of health services to that individual.

Biometric data: Biometric data is defined as any information relating to the physical, physiological, or behavioral characteristics of that individual, which allows for the unique identification of the individual, and includes:

  • physical characteristics such as the photograph or other facial image, fingerprint, palm print, toe print, footprint, iris scan, retina scan, blood type, height, vein pattern, or eye color, of the individual, or such other biological attribute of the individual as may be prescribed; and
  • behavioral characteristics such as a person's gait, signature, keystrokes, or voice.

Pseudonymization: This term has not been defined in the Act.

5. Legal Bases

Note that the data controller's obligations under the Act are subject to certain exemptions such as where the personal data is being processed in the interests of national security or for journalistic purposes.

5.1. Consent

The Act stipulates that consent is a legal basis for processing personal data, particularly where the data is being processed for direct marketing purposes or where the data is being transferred to a third party. Consent must be freely given, specific, unequivocal, and shown either by a statement or a clear affirmative action which signifies agreement to the processing. Data subjects must be provided with all the relevant information regarding the processing of their personal data which will enable them to make an informed decision.

5.2. Contract with the data subject

Personal data can be processed where necessary for the performance of a contract to which the data subject is a party or for the taking of steps at the request of the data subject with a view to entering into a contract (Article 23(1)(b) of the Act).

5.3. Legal obligations

Where the personal data is being processed for the purposes of discharging any legal obligations of the data controller or where it is being processed in the interests of the data subject or the public interest as a whole, the data controller would be exempted from complying with a number of provisions under the Act and would have a legal basis for processing the data. For example, the right of the data subject to be provided with access to the data as well as to be informed of certain information regarding the data would not be applicable.

5.4. Interests of the data subject

Similarly, where the data is being processed in the interests of the data subject including to protect the vital interests of the data subject, the data controller would have a legal basis for processing and would be exempted from certain disclosure requirements under the Act. 

5.5. Public interest

Personal data can be processed where necessary for the administration of justice, the exercise of any functions conferred by or under any enactment, or conditions for processing personal data in accordance with the first standard, and the exercise of any other functions of a public nature exercised in the public interest (Article 23(e) of the Act).

5.6. Legitimate interests of the data controller

Personal data can be processed where necessary for the purposes of legitimate interests pursued by the data controller or by any third party to whom the personal data are disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject (Article 23(f) of the Act).

5.7. Legal bases in other instances

Other legal bases would be where the data is being processed solely for journalistic, literary, artistic, and research purposes. In such circumstances, the data controller would be exempted from complying with certain standards under the Act as well as disclosure requirements.

6. Principles

All data controllers are required to comply with the eight data protection standards set out under the Act. These data protection standards are as follows:

Fairness and lawfulness

Personal data must be processed fairly and lawfully and must not be obtained by deception or any misleading information. There must be a legitimate reason for processing the data. The data subject must expressly consent to the processing of their data and such consent must be informed, freely given, specific, and unequivocal. The data subject must be provided with all the relevant information regarding the processing of their personal data which would enable the data subject to make an informed decision. Note, however, that consent is not deemed to be 'freely given' if the data subject is required, as a condition for the provision of goods or services, to consent to the collection, use, or disclosure of their personal data beyond what is reasonable for the provision of those goods/services.

Purpose limitation

Personal data must only be obtained for a specific and lawful purpose and must not be processed in any manner incompatible with those purposes. Prior to collecting the personal data, companies would be required to specify the purpose for obtaining the data and would not be permitted to use the data for any other purpose without first informing, and where necessary, receiving the consent of the data subject. For example, where a company collects the personal data of its customers such as a telephone number or email address to provide a specific service, the company is prohibited from disclosing and/or selling the data to a third party for direct marketing purposes without first obtaining the customer's consent. The Act defines 'direct marketing' as 'approaching a data subject in person or by any means of communication (electronic or otherwise) for the direct or indirect purpose of promoting or offering to supply any goods or services'. Additionally, personal data must not be obtained for any illegal or immoral purpose.

Data minimization

Personal data must be adequate, relevant, and must only be limited to the purpose for which it is being processed. The data collected by companies must be relevant to the specified purpose it was collected for and must not be more than what is reasonably required. The processing of too much data may amount to an invasion of privacy.

Accuracy

Personal data must be accurate and, where necessary, kept up to date. A company would not be in breach of this standard if the inaccurate data was provided by the data subject or a third party. However, companies that process personal data would be required to take reasonable steps to verify the accuracy of the data.

Storage limitation

Personal data must not be kept for longer than is necessary and must be disposed of in accordance with any regulations (once passed) under the Act. This is, however, subject to any applicable retention periods prescribed by law. The Act does not speak to what would be considered an appropriate retention period for personal data. However, companies would be required to inform the data subject of the expected period of retention of their personal data, and this must be clearly set out in a privacy notice.

Rights of data subject

Personal data must be processed in accordance with the rights of the data subject. Some of these rights include the right to access the data and the right to prevent processing of the data in certain specified circumstances.

Implementation of technical and organizational measures

Personal data must be protected using appropriate technical and organizational measures so as to prevent unauthorized or unlawful processing of the data as well as any accidental loss or destruction of, or damage to, the data. Some of these technical and organizational measures would include:

  • conducting security audits;
  • implementing data protection policies and privacy notices;
  • proper training of employees on the handling, storage, and disclosure of personal data;
  • pseudonymisation and encryption of the data;
  • limiting employees' access to the data;
  • ensuring that any data-processing software and antivirus software used by the company are effectively maintained and up-to-date;
  • selecting data processors who sufficiently guarantee that they have adequate security measures in place and will report security breaches; and
  • the ability to restore the availability of and access to, personal data in a timely manner in the event of a physical or technical incident.

Cross-border transfers

Personal data shall not be transferred to a State or territory outside of Jamaica unless that State or territory ensures an adequate level of protection for the rights and freedoms of the data subjects in relation to the processing of personal data. In determining what is considered an 'adequate level of protection', the Commissioner would consider, among other things:

  • the nature of the data;
  • the State or territory of final destination;
  • the laws of the State or Territory;
  • the international obligations of the State or Territory; and
  • the security measures taken by the State or territory.

The Act, however, imposes certain limitations on this standard such as where the data subject has consented to the transfer or where the transfer is necessary for reasons of a substantial public interest or for the performance of a contract.

7. Controller and Processor Obligations

Prior to processing personal data, all data controllers must pay a prescribed fee and register certain 'registration particulars' with the Commissioner. Furthermore, certain categories of data controllers are required to appoint a data protection officer ('DPO') under the Act. These categories include:

  • data controllers who are public authorities;
  • data controllers who process or intend to process sensitive personal data or data relating to criminal convictions;
  • data controllers who process personal data on a large scale; and
  • data controllers that are designated by the Commissioner as requiring a DPO.

In addition, data controllers are required to submit annually to the Commissioner a Data Protection Impact Assessment ('DPIA') with respect to all data in their possession.

Processor obligation

The Act does not provide any rights or responsibilities for data processors.

7.1. Data processing notification

All data controllers under the Act are required to register certain 'registration particulars' with the Commissioner prior to processing personal data. The registration particulars include:

  • the data controller's name, address, and other relevant contact information;
  • the name, address, and other relevant contact information of any data controller representative appointed by the data controller;
  • the name, address, and other relevant contact information of any DPO appointed by the data controller;
  • a description of the personal data being, or to be, processed by or on behalf of the data controller and the category or categories of data subjects to which they relate;
  • a description of the purpose or purposes for which the personal data are being, or are to be, processed;
  • a description of any recipient or recipients to whom the data controller intends, or may wish, to disclose personal data;
  • the names of any states or territories outside of Jamaica to which the data controller directly or indirectly transfers, intends or may wish directly or indirectly to transfer, personal data;
  • where the data controller is a public authority, a statement of that fact; and
  • such information about the data controller as may be prescribed in regulations.

In addition, the controller must provide a general description of the measures to be taken to comply with the standard of implementing appropriate technical and organizational measures. Where data is being processed or intended to be processed based on an order of the Minister of Science, Energy and Technology which sets out processing activities unlikely to prejudice the rights and freedoms of data subjects, a statement of that fact must be provided.

Data controllers would be required to pay an annual fee for the maintenance of the required particulars in the register; no entry would be retained for longer than 12 months if that fee has not been paid.

Exemptions

The requirement to only process personal data that is included in the register does not apply to processing which is unlikely to prejudice the rights and freedoms of data subjects, as specified by the Minister by order to be published in the Official Government Gazette.

7.2. Data transfers

The Act imposes a general obligation on data controllers to obtain consent before transferring personal data to third parties. The Act also requires data controllers to ensure that such third parties are subject to similar data protection obligations and that they have certain technical and organizational measures in place to safeguard against a security breach before transferring personal data.

7.3. Data processing records

There is no such obligation in the Act.

7.4. Data protection impact assessment

Unless otherwise indicated by the Commissioner, data controllers are required to annually submit to the Commissioner a DPIA in respect of all personal data in the custody or control of the data controller. The DPIA must be submitted within 90 days after the end of the relevant calendar year and shall require at least the following information:

  • a detailed description of the envisaged processing of the personal data and the purposes of the processing, specifying, where applicable, the legitimate interest pursued by the data controller;
  • an assessment of the necessity and proportionality of the processing operations in relation to the purposes;
  • an assessment of the risks to the rights and freedoms of data subjects; and
  • the measures envisaged to address the risks, including safeguards, security measures, and mechanisms to ensure the protection of personal data and to demonstrate compliance with the Act, taking into account the rights and legitimate interests of data subjects and other persons concerned.

The Commissioner has the power to specify the classes or kinds of personal data, or data controller, to which the requirement for a DPIA would be applicable or not. In determining any class or kind of personal data, the Commissioner shall have regard to the likely level of risk to the rights and freedoms of data subjects involved in processing the data concerned, taking into account the nature, scope, context, and purposes of the processing.

Once the DPIA is received, the Commissioner will issue directions to the data controller as it deems appropriate, including the implementation of amendments to the data controller's systems of operation or other activities, among other recommendations as may be necessary to ensure compliance with the Act.

Prior consultation

The Commissioner, following an order from the Minister, may conduct an assessment as to whether the processing specific category of processing operations which are likely to cause substantial damage or substantial distress or otherwise significantly prejudice the rights and freedoms of data subjects.

Based on the information provided by the data controller, the Commissioner will consider whether that processing is likely to comply with the provisions of the Data Protection Act, and give notice to the data controller stating the extent to which the processing is likely or unlikely to comply with the provisions of the Data Protection Act. The Commissioner has 30 days from when the information is received to provide its response.

Before the end of the 30-day period, the Commissioner may extend that period by issuing an extension notice to the data controller, specifying the period of the extension, which must not exceed 14 days (Section 19(3) of the Data Protection Act).

Not specified processing can be carried out by a data controller where the information required has been provided to the Commissioner and the period of 30 days, and such further period as is specified in an extension notice, has elapsed or before the end of the initial period or extension period, the data controller receives a notice from the Commissioner.

7.5. Data protection officer appointment

The data controller must appoint an appropriately qualified person to act as the DPO who will be responsible for monitoring independently the data controller's compliance with the provisions of the Data Protection Act. A data controller must notify the Commissioner of the name, address, and other relevant contact information of the DPO, and in the event of any changes thereto (Section 20(4) of the Data Protection Act).

Data controllers who are specifically exempt from appointing a DPO are those who process personal data only for the purpose of a public register or those who are non-profit organizations established for political, philosophical, religious, or trade union purposes.

The DPO is responsible for monitoring in an independent manner the data controller's compliance with the provisions of the Act and reporting any breaches to the Commissioner. A person shall not be qualified to be appointed as a DPO if there is or is likely to be any conflict of interest between the person's duties as a DPO and any other duties of that person.

Role and professional

The DPO's functions must include (Section 20(3) of the Data Protection Act):

  • to ensure that the controller processes data in compliance with the data protection standards and good practice;
  • to consult with the Commissioner to resolve any doubt about how the provisions of the Data Protection Act are to be applied;
  • to ensure that any contravention of the data protection standards is dealt with according to Section 20(5); and
  • to assist data subjects in exercising their rights.

Although the Data Protection Act does not explicitly list professional qualifications required for a DPO, it states that data controllers must appoint an 'appropriately qualified person' to act as DPO (Section 20(1) of the Data Protection Act).

7.6. Data breach notification

A data controller is required to report any security breach in respect of the data controller's operations that affects or may affect personal data to the Commissioner within 72 hours of becoming aware of the breach. The report must include:

  • the facts surrounding the security breach;
  • a description of the nature of the security breach, including the categories, number of data subjects concerned, and the type and number of personal data concerned;
  • the measures taken or proposed to be taken to mitigate or address the possible adverse effects of the breach;
  • the consequences of the breach; and
  • the name, address, and other relevant contact information of its DPO.

A data controller is also required to report any security breach to each data subject, whose personal data has been affected by such breach within such time as prescribed. The report must include:

  • the nature of the security breach;
  • the measures taken or proposed to be taken to mitigate or address the possible adverse effects of the breach; and
  • the name, address, and other relevant contact information of its DPO.

Under the Banking Services Act, there is a general duty of confidentiality or secrecy imposed upon employees and agents of financial institutions as it relates to customer information. Any employee or agent of a financial institution who unlawfully divulges or reveals any information regarding a customer account commits a criminal offense under the Act and may be liable to a fine of up to JMD 7.5 million (approx. $48,395) or to imprisonment for a term not exceeding five years.

7.7. Data retention

The Act does not speak to what would be considered an appropriate retention period for personal data. The Act, however, stipulates that personal data must not be kept for longer than is necessary. Data controllers are also required under the Act to inform data subjects of the expected period of retention of personal data. This information must be provided to the data subject at the time when the data controller first processes or seeks the personal data - whichever is first.

7.8. Children's data

The Act states that where the personal data being processed belongs to a minor, the rights granted to a data subject under the Act may be exercised by a parent or legal guardian of the minor, or by the minor in any case where the law recognizes the capacity of the minor to act on their behalf.

The Act also stipulates that where consent is required for processing, in the case of a minor, the consent must be given by a parent or legal guardian of the minor unless the law recognizes the capacity of the minor to give consent on their own.

7.9. Special categories of personal data

As it relates to sensitive personal data, including race, ethnic origin, sex life, and criminal conviction data, the Act stipulates that such data must not be processed unless at least one of the following conditions has been met:

  • the data subject consents in writing to the processing of the personal data;
  • the processing is necessary for the purposes of exercising or performing any right or obligation which is conferred, or imposed, by law on that data controller in connection with employment or social security benefits;
  • the processing is necessary:
    • in order to protect the vital interests of the data subject or another individual, in any case where:
      • consent cannot be given by or on behalf of the data subject; or
      • the data controller cannot reasonably be expected to obtain the consent of the data subject, the data controller having exhausted all reasonable efforts to obtain that consent; or
    • in order to protect the vital interests of another individual, in any case where consent by or on behalf of the data subject has been unreasonably withheld;
  • the processing:
    • is carried out in the course of legitimate actions by any body or association which:
      • is not established or conducted for profit; and
      • exists for political, philosophical, religious, or trade-union purposes;
    • is carried out with appropriate safeguards for the rights and freedoms of data subjects;
    • relates only to individuals who either are members of the body or association or have regular contact with it in connection with its purposes; and
    • does not involve disclosure of personal data to a third party without the consent of the data subject;
  • the information contained in the personal data has been made public as a result of steps deliberately taken by the data subject;
  • the processing:
    • is necessary for the purpose of, or in connection with, any legal proceedings (including prospective legal proceedings);
    • is necessary for the purpose of obtaining legal advice; or
    • is otherwise necessary for the purposes of establishing, exercising, or defending legal rights;
  • the processing is necessary for:
    • the administration of justice; or
    • the exercise of any functions conferred on any person by or under any enactment;
  • the processing:
    • is either:
      • the disclosure of sensitive personal data by a person as a member of an anti-fraud organization or otherwise in accordance with any arrangements made by such an organization; or
      • any other processing by a person referred to in subparagraph (A) or another person of sensitive personal data so disclosed; and
    • is necessary for the purpose of preventing fraud;
  • the processing is necessary for medical purposes and is undertaken by:
    • a health professional; or
    • a person who in the circumstances owes a duty of confidentiality which is equivalent to that which would arise if that person were a health professional;
  • the processing:
    • is of sensitive personal data consisting of information as to racial or ethnic origin;
    • is necessary for the purpose of identifying or keeping under review the existence or absence of equality of opportunity or treatment between individuals of different racial or ethnic origins, with a view to enabling such equality to be promoted or maintained; and
    • is carried out with appropriate safeguards for the rights and freedoms of data subjects.

7.10. Controller and processor contracts

The Act provides that where the processing of personal data is carried out by a data processor on behalf of a data controller, the data controller shall:

  • ensure that the processing is carried out under a written contract which stipulates that the data processor is to act only on instructions from the data controller; the contract must also require the data processor to comply with obligations equivalent to those imposed on the data controller under the Act;
  • choose a data processor who provides sufficient guarantees in respect of the technical and organizational security measures governing the processing to be carried out and the reporting of security breaches to the data controller; and
  • take reasonable steps to ensure compliance with those measures.

Failure to comply with the above may result in the data controller committing an offence under the Act and being liable, upon summary conviction, to a fine not exceeding JMD 2 million (approx. $12,905) or to imprisonment for a term not exceeding two years; or, upon conviction on indictment, to a fine or to imprisonment for a term not exceeding seven years.

8. Data Subject Rights

Please note that the data subject's rights under the Act are subject to certain exemptions such as where the personal data is being processed in the interests of national security or for journalistic purposes.

8.1. Right to be informed

The right to be informed whether their personal data is being processed by or on behalf of the data controller and, if so, the right to be provided with:

  • a description of the personal data;
  • the purposes for which the data is being processed; and
  • the recipients to whom the disclosure is made.

8.2. Right to access

This is the same as the right to be informed under the Act.

8.3. Right to rectification

The right to request that the data controller rectify any inaccuracy in any personal data in its possession or control. For the purposes of the Act, the term 'rectify' means to amend, block, erase, or destroy and the term 'inaccuracy' includes any error or omission.

8.4. Right to erasure

This is the same as the right to rectification under the Act.

8.5. Right to object/opt-out

The right to prevent processing

The right to prevent the processing of their personal data in specified circumstances such as:

  • where the processing is likely to cause substantial damage or substantial distress to the data subject or to another person, and the damage or distress caused or likely to be caused (as the case may be) is unwarranted;
  • where the processing of the data is incomplete or irrelevant;
  • where the processing of the data is prohibited by law; or
  • where the data has been retained by the data controller for a period longer than required by law.

The right to prevent processing for direct marketing purposes

The data subject has the right to prevent the processing of their personal data for the purposes of direct marketing unless the data subject gives consent or is a customer of the data controller.

8.6. Right to data portability

The Act does not provide for this right.

8.7. Right not to be subject to automated decision-making

The right to request that a data controller does not make any decision which would significantly affect them solely on the basis of the results of automated processing. These decisions include matters related to the evaluation of the data subject's work performance, creditworthiness, reliability, or conduct.

8.8. Other rights

Not applicable.

9. Penalties

Where a body corporate commits an offense under the Act, the body corporate may be liable to a fine not exceeding 4% of its annual gross worldwide turnover for the preceding year of assessment in accordance with the Income Tax Act.

A director, manager, secretary, or similar officer of the body corporate or any person who purports to act in any such capacity can also be held personally liable.

Individuals who commit an offense under the Act may also be subjected to severe fines up to a maximum of JMD 5 million (approx. $32,260) and/or imprisonment up to a maximum of ten years.

Any person who can prove that they have suffered damage by reason of any contravention by a data controller of any of their obligations under the Act may be entitled to compensation from the data controller for that damage.

9.1. Enforcement decisions

Not applicable.
