The DPA, Establishing New Grounds for Data Privacy

The Data Protection (Privacy of Personal Information) Act 2003, also known as the DPA for short, is a data protection and privacy law that was passed in the Bahamas in 2003. The Data Protection (Privacy of Personal Information) Act 2003 was one of the first data protection laws to be passed within the region of the Caribbean, and applies to data collection and processing activities that take place with both the private and public sectors of the country. As such, the DPA establishes the legal basis for which personal data can be collected and processed within the Bahamas, as well as the sanctions and punishments that can be imposed against data controllers and processors who fail to comply with the law.

How are data controllers and processors defined under the DPA?

Under the Data Protection (Privacy of Personal Information) Act 2003, a data controller is defined as “a person who, either alone or with others, determines the purposes for which and the manner in which any personal data are, or are to be, processed.” Alternatively, a data processor is defined as “a person who processes personal data on behalf of a data controller but does not include an employee of a data controller who processes such data in the course of his employment.” Moreover, the law defines personal data as “data relating to a living individual who can be identified either from the data or from the data in conjunction with other information in the possession of the data controller.”

What are the requirements of data controllers and processors under the DPA?

Under the DPA, data controllers and processors who operate within the Bahamas are responsible for fulfilling the following obligations:

• The data or the information constituting the data shall have been collected by means which are both lawful and fair in the circumstances of the case.”
• Personal data that has been collected or processed must be accurate and kept up to date, where necessary.
• Personal data may only be collected, processed, or used for specific and lawful purposes, and may not be further processed or disclosed for any other purpose.
• Personal data that has been collected or processed must be adequate, relevant, and non-excessive in relation to the purposes for which said data has been collected or processed.
• Personal data that is collected or processed may not be kept for any period of time longer than is necessary in relation to the purposes for which it collected or processed, “except in the case of personal data kept for historical, statistical or research purposes.”
• Data controllers and processors are responsible for implementing and maintaining appropriate security measures for the purposes of safeguarding personal data that has been collected and processed from alteration, unlawful destruction or disclosure, unauthorized access, and accidental loss.

What are the rights of data subjects under the DPA?

Under the DPA, data subjects within the Bahamas have the following data protection and data privacy rights:

• The right to be informed of details concerning their personal data.
• The right to access their personal data.
• The right to rectify their personal data.
• The right to erase your personal data.
• The right to object to the use of their personal data for direct marketing purposes.
• The right to file a complaint with the Data Protection Commissioner.

To this point, the DPA is enforced by the Bahamas Data Protection Commissioner, or the Commissioner for short. As such, the Commissioner has the authority to impose a variety of punishments against data controllers and processors who fail to comply with the law. For instance, “where a person is convicted of an offence under this Act, the court may order any data material which appears to the court to be connected with the commission of the offence to be forfeited or destroyed and any relevant data to be erased.” Furthermore, data controllers and processors who violate the law are subject to monetary penalties ranging from $2,000 to $100,000, depending on the scope and extent of their offences.

While many countries within the region of the Caribbean have taken legitimate measures to ensure that the personal data of their respective citizens is protected at all times, such as Jamaica’s Data Protection Act 2020 and Saint Lucia’s Data Protection (Amendment) Act 2014, the Bahamas was very much ahead of the curve in passing the Data Protection (Privacy of Personal Information) Act 2003. Despite the fact that the law was passed more than fifteen years ago, the DPA still offers a level of data protection that is on par with other laws that have been passed far more recently. As such, data subjects within the Bahamas can rest assured that any personal data they disclose to a data controller, processor, or associated third party will be protected at all times.