Know Your Rights: How the Jamaica Data Protection Act Empowers You to Access Your Data
By Allan Roper – DataPro Consulting Limited
Are you being unlawfully charged to access your own data?
In today’s economy, data is currency. From telecommunications and banking, to health care and e-commerce, organizations collect and store vast amounts of our personal information. But how often do we consider what happens to that data, and more importantly, our rights in relation to it?
The Jamaica Data Protection Act (JDPA), passed in 2020, was designed to shift this power dynamic. It puts individuals at the center of their own data story, ensuring they can access, correct, and control the use of their personal information. Yet, too many citizens and even organizations remain unaware of what this law means in practice.
A Real-World Lesson: Exercising Data Rights
Recently, an individual made a request for historic account data from a major institution. Initially, the institution responded with a substantial fee for access to older records that weren’t available through the online customer portal. However, the individual knew their rights and wanted to exercise them. When they made reference to the Data Protection Act via email, the employee handling the matter was dismissive of the request and instead quoted a code of conduct that is often used within this business sector. This code of conduct was last updated in 2016 and under no circumstances would override a person’s rights as a citizen.
From there, the individual decided to be more direct. In their follow-up, they wrote that they were submitting a formal Data Subject Access Request (DSAR) to the organization’s Data Protection Officer (DPO) under the JDPA, referencing specific provisions in the Act. This prompted a more official response from the institution, which ultimately led to the release of the data free of charge as the law requires.
One of the key lessons from this case study is that many organizations are not up to date with recent legal developments. Employees within these organizations may simply be unaware of what the law requires and default to following legacy procedures they’ve been trained on. This doesn’t necessarily mean the organization is acting in bad faith or trying to mislead the customer, but it does underscore the power of being informed. When individuals understand their rights and communicate them confidently and clearly, they not only protect themselves but may also help prompt broader procedural change.
This real-world outcome is a reminder that knowing your rights is the first step to asserting them effectively.
Understanding Your Rights Under the JDPA
The JDPA provides a clear and robust framework for individuals to control their personal data. Here are a few critical rights:
- Right to Access: Individuals have the right to request and receive copies of their personal data from any organization that holds it.
- No Fee for First-Time Access: The law stipulates that the first copy of your data must be provided free of charge, unless the request is deemed excessive, repetitive, or unfounded.
- Timely Response: Organizations must respond to a data access request within 30 days.
- Right to Know the Purpose: Individuals can ask why their data is being collected and how it is being used.
These rights apply across all sectors, including banking, telecommunications, education, healthcare, and beyond.
What You Can Do as a Consumer
If you need access to your personal data:
- Submit a Formal Request: Reference the JDPA and explicitly state that you are making a “Data Subject Access Request.” Make note of that language as it is important for your request to be submitted to the correct department in the correct manner.
- Be Respectful, but Clear: Politely assert your right and request a timeline for the response.
- Ask for the Data Protection Officer: Every compliant organization should have a designated DPO. This person’s job is to ensure that all data subject access requests are handled in line with the law and that the requested data gets to you within 30 days of the request.
- Keep Records: Save copies of your requests and correspondence. This step is important: if you don’t keep the evidence of your request, you will have nothing to share with the Office of the Information Commissioner (OIC) should your request not be handled correctly.
By being informed and proactive, you help normalize a culture of transparency and accountability.
Advice for Organizations: A Call to Leadership
While this example had a positive outcome, it highlights the need for organizations to revisit their data access policies. Many still operate under legacy frameworks that predate the JDPA, charging customers for access to their own data, misinterpreting legal obligations, or not training staff appropriately.
Organizations should:
- Align internal policies with the JDPA
- Train frontline and support staff on privacy rights
- Update customer-facing materials to reflect data access procedures
- Designate and empower a Data Protection Officer (DPO)
Far from being a burden, compliance with the JDPA is a business advantage. It builds trust, reinforces brand integrity, and reduces the risk of regulatory or reputational damage.
Conclusion: A Win for Everyone
This was not about challenging institutions; it was about working with them to uphold a shared legal and ethical standard. When individuals know their rights, and organizations respect those rights, everyone wins.
The Jamaica Data Protection Act is more than legislation; it’s a blueprint for responsible data governance. Let’s all ensure we know it, understand it, and live by it.

