The National Identification and Registration Authority ensures the protection, security and confidentiality of the identity information of enrolled individuals. In doing so, the Authority may:
- verify the identity information with the consent of the citizen or the individual ordinarily resident in Jamaica and as permitted in the National Identification and Registration Act, 2021;
- take all necessary and appropriate measures for the information stored in the databases to be protected against access, use or disclosure not permitted under the law and accidental or intentional destruction, loss or damage;
- adopt and implement appropriate technological and manual security measures;
- classify identity information of enrolled individuals to facilitate the implementation of security protocols to ensure that such information is given the highest level of control;
- ensure that agencies, consultants, advisors or other individuals appointed to or engaged by the Authority to assist the Authority in the performance of its functions implement appropriate security measures at all times;
- ensure that agreements or arrangements entered with such agencies, consultants, advisors and other individuals impose obligations equivalent to those imposed on the Authority;
- develop and refresh information security policies and protocols for adherence by its staff and any other user of the database;
- implement controls to prevent and detect any unauthorised access and misuse of information;
- implement controls to detect and protect against internet-based viruses and malware, other vulnerabilities and security risks and offences under the Cybercrimes Act;
- implement a monitoring process for equipment, systems and networks aimed at identifying unusual events and patterns that could negatively affect the performance of the information systems;
- encrypt data packets containing biometrics and other identity information and enabling decryption only in secured circumstances;
- employ appropriate and effective measures for fraud prevention;
- impose restrictions on categories of staff concerning access to processes, systems and networks;
- take steps necessary to ensure the physical security of the database servers and to employ backup measures that are appropriate to guard against theft, natural disasters, and equipment failure.
