The Data Protection Act 2011, Securing Privacy In Trinidad

Trinidad’s Data Protection Act 2011 is a data privacy law that was passed in 2011. The Data Protection Act 2011 is the first law to be passed within Trinidad and Tobago that specifically protects the personal data of citizens within the country, in both the private and public sectors. To this point, the Data Protection Act 2011 sets forth the regulatory framework that data controllers within the country must abide by when engaging in data processing activities. Moreover, the law also places Trinidad and Tobago at the forefront of data protection in the Caribbean, as few data privacy laws have been passed as a whole throughout the region.

How are data controllers and processors defined under the law?

The Data Protection Act 2011 defines a data controller as a person who:

• Collects, retains, manages, uses, processes, or stores personal information in Trinidad and Tobago.
• Collects personal information from individuals in Trinidad and Tobago.
• Uses an intermediary or telecommunications service provider located in Trinidad and Tobago to provide a service in furtherance of paragraph 1 or 2, shall follow the Principles set out in Section 6 when dealing with personal information.

Conversely, the law does not provide a specific definition for what constitutes a data processor, and defines personal data to mean  “Information about an identifiable individual that is recorded in any form”. This includes information related to race, education, and financial transactions, among a host of others. Alternatively, as it pertains to the scope and application of the law, the Data Protection Act 2011 applies to personal data that is disclosed both inside the country of Trinidad, as well as outside of the country. Furthermore, the material scope of the law also covers “personal data, sensitive personal data processing for specific purposes, retention, processing, dissemination, and to a lesser extent destruction”.

What are the obligations of data controllers under the Data Protection Act 2011?

As is the case with many comprehensive data protection laws such as the EU’s General Data Protection Regulation or GDPR, the Data Protection Act 2011 establishes various principles pertaining to safeguarding and protection of personal data. These data protection principles include:

• Organizations are responsible for all personal data that is under their control.
• Organizations must identify the purposes for which personal data will be used at or before the time of collection.
• The knowledge and consent of data subjects are required prior to the collection, use, or disclosure of personal data.
• The collection of personal data must be done legally and limited to the specific reason for which it is to be processed.
• Personal data must be kept for no period longer than is necessary.
• All personal data that is collected must be complete, accurate, secure, relevant, adequate, up to date, and not excessive.
• Personal data is prohibited from being transferred outside of Trinidad without consent, or to a jurisdiction that does not provide an adequate level of data protection.
• Organizations must provide data subjects with documentation detailing their practices and policies as it relates to the management of personal data, except where otherwise stated by written law.
  Sensitive personal data must be protected from processing.
• Organizations shall disclose, at the request of a data subject, all documents relating to the existence, use, and disclosure of their personal data, so that said data subject can challenge the accuracy and completeness of such personal data, except where otherwise provided by written law.

What are the rights of data subjects under the Data Protection Act 2011?

Comparatively speaking, the Data Protection Act 2011 does not provide data subjects with many rights with respect to their personal data and privacy rights. To illustrate this point further, the Data Protection Act 2011 does not provide Trinidadian citizens with the right to erasure, the right to object or opt-out of their consent, the right to data portability, or the right not to be subject to data processing decisions based solely on automated decision making. On the contrary, the law does provide citizens with the right to be informed, the right to access, the right to rectification, and the right to challenge an organization’s compliance under the law.

As it relates to the enforcement of the law, the Office of the Information Commissioner, or the Commissioner for short has the authority to impose penalties as it pertains to non-compliance. These penalties include a monetary fine of up to TTD 50,000 ($7,219), as well as a term of imprisonment of up to three years. Additionally, upon conviction on a criminal indictment, violators of the law are also subject to a monetary fine of up to TTD 100,000 ($14,438), as well as a term of imprisonment of up to five years. To this end, the following actions constitute an offense under the law:

• Willfully obstructing the Commissioner or their delegate in the performance of their duties.
• Requesting access to personal data under false claims or pretenses.
• Making false statements or otherwise misleading the Commissioner.
• Failing to comply with an order or mandatory code set forth by the Commissioner.
• Breaching the confidentiality obligations set forth by the law.
• Willfully disclosing personal data in contravention of the law.
• Collecting, storing, or disposing of personal data in contravention of the law.

With the passing of the Data Protection Act 2011, Trinidadian citizens were provided with guaranteed privacy protection through the means of legislation for the first time. While the law does not provide data subjects within the country with many rights that have become commonplace in recent years as it relates to privacy, the Data Protection Act 2011 nevertheless provides citizens with a means to protect themselves should an organization or individual infringe on their data privacy rights. Even more so, the country joined only a handful of countries within the Caribbean to provide privacy protection to their respective citizens through government policy.