The Firm That Built Your Defences Cannot Be the One to Tell You They Failed
Chukwuemeka Cameron published this assessment of DPO challenges in the Jamaican environment on his LinkedIn profile on June 11, 2026. While his writing is specific to Jamaican legislation, the broader issues it raises are useful to any organisation working in the Caribbean archipelago. His op-ed is reproduced here, along with the illustration he produced for it, with his permission.
This week, Jamaicans learned at a post-Cabinet press briefing that a hacker group claims to hold National Health Fund client data — our medication and prescription-benefit records. The NHF did several things right, and it deserves to be told so: the Minister disclosed the matter publicly, the agency filed an initial report with the Office of the Information Commissioner, and brought in the Major Organised Crime and Anti-Corruption Agency.
Then read the NHF’s own release closely, because the architecture of the response is described in two sentences. First: “the investigation is being conducted with the assistance of its cyber security consultant and the Major Organised Crime and Anti-Corruption Agency”. Its consultant — the agency’s own, incumbent cybersecurity advisor.
Second: the NHF “had engaged an international cyber security firm to reinforce its data security measures” “in response to the evolving global cyber security landscape.”
Reinforce — a hardening engagement, not an investigative one. Nowhere in the public record is anyone described as conducting an independent forensic investigation into how this incident occurred. And before we count MOCA toward that role: MOCA’s job is the criminal pursuit of the attacker. It does not exist to audit the controller’s security posture and tell the board which controls failed.
Let me be clear about what this article is not. It is not an allegation against the NHF, its staff, or any firm working that incident. I do not know what role the NHF’s consultant played in designing or operating the defences in question, and I have no evidence that anyone involved has downplayed anything. Nothing below should be read as a claim about them.
But the release’s own words put a structural question on the national table — one I have been watching build for years across this region, and it is time we named it plainly. When the public is reassured that the incident is being investigated with the assistance of the organisation’s own security consultant, and that an international firm has been engaged to reinforce — not to investigate — what we have been offered is a sense of assurance.
Whether it is a false sense of assurance turns on a question nobody has answered: who, independent of everyone whose work is under examination, is finding the facts?
The pattern
Here is the arrangement, and you will recognise it because it is nearly universal. An organisation hires an information security provider to design and implement its defences. Months or years later, an incident occurs. Who does the organisation call to investigate? The same provider.
Think about what we have just asked that firm to do. We have asked the people who built the wall to tell us, objectively, how the wall failed. Every finding they produce is a commentary on their own work. Every gap they document is a gap they were paid to close. They are not bad people. They are people with a structural incentive — in their minds, the impact of the attack reflects on their job, and so the impact of the attack shrinks in the telling.
The same incentive operates inside the building. Your internal IT security team built and runs the controls that were just defeated. Rest assured they will adopt the same stance. This is not a vendor problem; it is a self-assessment problem. Nobody marks their own examination paper generously against themselves.
Now make it worse. In our market, the same information security provider frequently sells data protection services too — including serving as the client’s data protection officer. When the incident comes, that firm is wearing both hats. And under pressure, the IT hat always wins. The DPO responsibilities — advise the controller that a breach has occurred, advise the controller that it must be reported to the OIC and, where necessary, to the data subjects — quietly default in favour of incident containment and reputation management.
What the law already says about this
Here is what too few boards have read. The Data Protection Act, 2020 did not overlook this conflict. It legislated against it — six years ago.
Section 20(1) requires the data protection officer to monitor the controller’s compliance “in an independent manner”. Section 20(2) goes further than most people realise: a person “shall not be qualified to be appointed” as DPO “if there is or is likely to be any conflict of interest between the person’s duties as data protection officer and any other duties of that person”. That is not guidance. It is a statutory disqualification — and it captures likely conflicts, not just realised ones.
Ask the question squarely: can the firm that designed, implemented, and operates your security controls independently monitor whether your processing — secured by those very controls — complies with the Act? When the breach comes, their “other duties” are on trial. The conflict is not hypothetical; it is the precise scenario the section anticipates.
Regulators elsewhere have already enforced this exact principle. The Berlin data protection authority fined a retail group €525,000 because its DPO was monitoring decisions he himself had made in another corporate capacity — the regulator’s point being that you cannot independently audit yourself. Austria’s authority fined a company that appointed its managing director as DPO.
Croatia’s authority did the same for a company procurator. The Court of Justice of the European Union has confirmed the underlying test: a DPO cannot hold a role that determines the purposes and means of the very processing he is meant to oversee. Different statutes, same architecture — Jamaica’s section 20(2) is our local expression of a principle the data protection world treats as settled.
And the Act does not stop at disqualifying the conflicted appointment. Section 20(5) arms the properly appointed DPO with a duty that should change how every incident call is run: where the DPO “has reason to believe” the controller has contravened the Act, the DPO must notify the controller in writing forthwith — and if the contravention is not rectified within a reasonable time, the DPO must report it to the Commissioner.
Read that again. The DPO is not a member of the incident-response team taking instructions from IT. The DPO is a statutory escalation channel over everyone’s head, triggered not by proof but by reason to believe.
The sentences an astute DPO should never accept at face value
When the incident call convenes, listen for two sentences from the information security side — external or internal, it makes no difference:
“There is no evidence of that.”
“We have not seen any further activity.”
These sentences are not lies. They are precisely engineered truths. “No evidence of exfiltration” routinely means we did not have the logging in place to produce such evidence. “No further activity” means nothing since we started looking. An astute data protection officer is attuned to this standard position and listens for what is not being said: How long was the access window before detection? What could an intruder reach from where they sat? What logging would we need to rule exfiltration out — and did we have it?
Here is why this matters legally and not just rhetorically. Under section 21(3), the controller must report to the Commissioner “any security breach in respect of the data controller’s operations which affects or may affect personal data, within seventy-two hours after becoming aware” [3]. The seventh data protection standard repeats the formula: the Commissioner must be notified without undue delay of any breach of the controller’s security measures “which affect or may affect any personal data” [3].
May affect. The statute does not ask you to prove exfiltration. It does not ask IT to be “satisfied.” Once there has been unauthorised access to systems holding personal data, you are inside the reporting provision — the trigger is the breach of your security measures and the possibility of effect on personal data, not forensic confirmation of theft.
The duty to notify affected data subjects under section 21(5) runs from the moment the controller becomes aware “or has reason to become aware” of the breach [3]. Suspicion, properly grounded, starts the clock. Waiting for proof is not diligence; it is delay the statute has already rejected.
And the stakes of getting this wrong are not reputational. Under section 21(2), failing to make the required report or notification is a criminal offence — on summary conviction, a fine of up to two million dollars or two years’ imprisonment; on indictment, a fine or up to seven years [3].
The Act even supplies the incentive to do it right: section 21(7) gives a due-diligence defence to the person who can show they exercised all due diligence — which is exactly what a documented, timely escalation by an independent DPO looks like.
Why we report at all
Somewhere in the argument about evidence thresholds, we lose the point of the exercise. Breach notification is not a confession ritual and it is not a punishment. It exists to put the data subject in a position to protect herself — at the earliest opportunity. To change her passwords before they are tried elsewhere.
To treat the unexpected call from “the bank” with suspicion because she knows her details may be circulating. To watch her accounts. To warn her family. That is what section 21(5) is for, and it is why the DPO’s statutory functions include assisting data subjects in the exercise of their rights.
Every week of delay purchased by “no evidence of exfiltration” is a week in which the people whose data it actually is — and it is theirs, not the controller’s — face the risk unwarned. The medication records the NHF incident has put in play illustrate the stakes precisely: data that discloses what condition you are likely being treated for is exactly the raw material of a convincing scam call.
The fix is procedural
Three separations, none of which requires new legislation:
Separate the forensics from the build. When an incident is discovered, retain a different provider to conduct the forensic investigation — one with no authorship of the compromised environment, mandated to determine how the incident occurred and to identify, objectively, the shortfall in the cybersecurity posture.
The incumbent provider remains essential for containment and remediation; they know the environment. But the finding of fact about what failed cannot belong to the party whose work failed.
Separate the DPO from IT — really separate them. Section 20(2) is not satisfied by an organisational chart. If your DPO service is bundled with your security operations contract, you have purchased a conflict, and on the plain words of the Act you may have appointed someone the statute disqualifies. The DPO’s first loyalty in an incident is to the data subjects and the law, not to the incident-response narrative.
Separate the reporting decision from the technical assessment. The question “must we report?” is a legal question answered by the “may affect” standard — it is the DPO’s call to advise on, not IT’s. The question “what happened technically?” belongs to the independent forensics. A controller who wires these decision rights in advance — in the incident-response plan, before any incident — will never have to untangle them at 2 a.m. during one.
Before we write a new law, switch on the one we have
There is a live campaign to fast-track a Cybersecurity Act, and it is hoped the new statute will speak to this conflict of interest between the IT function and the DPO role. Perhaps it will. But I want to resist the reflex that every governance failure needs fresh legislation.
While there may well be a case for it, let us first fully implement the Data Protection Act that already holds data controllers accountable for how they implement, or fail to implement, technical (cyber security) measures.
What it lacks is not powers. It is implementation — the machinery, the activation, the enforcement. The responsible Minister told Parliament this month that the Act’s enforcement provisions have never been activated in the five years since passage. The regulator’s registration portal has been offline since last year. The Oversight Committee the Act contemplates is not currently constituted. A new statute layered on top of an unimplemented one does not create accountability; it creates a second shelf.
Full implementation of the Data Protection Act — activated enforcement, a functioning registration system, a constituted oversight body, and a Commissioner resourced to use section 44 — would do more for Jamaica’s cyber resilience than any new bill, because it would change the incentive structure inside every incident call in the country. The day “we have decided not to report” carries a realistic prospect of a seven-year exposure, the IT hat and the DPO hat will be worn by different heads. The law already says they must be. We simply have to mean it.
About the author
Chukwuemeka Cameron is the founder and CEO of Design Privacy Limited, Jamaica’s leading data protection consultancy, and Design Privacy Academy (DPA), which licenses ISO 17024-aligned certification curricula that prepare professionals to sit the International Privacy Certification Authority (IPCA) assessment. DPA’s competency-based programmes are delivered through institutional partners across the Commonwealth, equipping Data Protection Officers with skills grounded in local law. An ISO 27001 and ISO 27701 Lead Implementer, Chukwuemeka holds a Master’s in Information Technology and Management. He hosts Data Protection Matters on Nationwide News Network, and was a panelist at the 3rd Annual CDA Digital Caribbean Conference in Curaçao. He is based in Kingston, Jamaica.