National Data Protection Authority

The Data Protection Act, 2011 (DPA) provides for the protection of personal privacy and information processed and collected by public bodies and private organizations.

The DPA was partially enacted on January 6, 2012 by Legal Notice 2 of 2012, and only Part I and sections 7 to 18, 22, 23, 25(1), 26 and 28 of Part II have come into operation.

No timetable has been set for enacting the remainder of the DPA, and it is possible that there may be changes to the remainder of the legislation before it is proclaimed.

Definition of personal data

Personal information is defined as information about an identifiable individual that is recorded in any form including:

• The name of the individual where it appears with other personal information relating to the individual or where the disclosure of the name itself would reveal information about the individual
• The address and telephone number of the individual
• Any identifying number, symbol or other particular identifier designed to identify the individual
• Information relating to the individual's race, nationality or ethnic origin, religion, age or marital status
• Information relating to the education or the medical, criminal or employment history of the individual, or information relating to the financial transactions in which the individual has been involved or which refer to the individual
• Correspondence sent to an establishment by the individual
• Information that is explicitly or implicitly of a private or confidential nature, and any replies to such correspondence that would reveal the contents of the original correspondence
• The views and opinions of any other person about the individual
• The fingerprints, DNA, blood type or other biometric characteristics of the individual

Definition of sensitive personal data

Sensitive personal information is defined as personal information on a person's:

• Racial or ethnic origins
• Political affiliations or trade union membership
• Religious beliefs or other beliefs of a similar nature
• Physical or mental health or condition
• Sexual orientation or sexual life
• Criminal or financial record

The Office of the Information Commissioner is responsible for the oversight, interpretation and enforcement of the DPA. It has broad authority, including to authorize the collection of personal information about an individual from third parties and to publish guidelines regarding compliance with the Act.

There is no registration requirement under the DPA.

There is no such requirement under the DPA.

The knowledge and consent of the individual is required for the collection, use and disclosure of personal information. Collection must be made in accordance with the purpose identified by the organization collecting the personal information.

Sensitive personal information may not be processed except as specifically permitted by law.

The DPA includes provisions that relate specifically to the collection and processing of personal information by public bodies and private enterprises, however, these are not yet in force. Nevertheless, they are presented below.

Public Bodies

Part III of the DPA provides that a public body may collect and process personal data when the following conditions are met: the collection of that information is expressly authorized by law and

• The information is collected for the purpose of law enforcement
• The information relates directly to and is necessary for an operating program or activity of the public body when the collection of personal information is collected directly from the individual:
  • Another method of collection is authorized by the individual, Information Commissioner or law
  • The information is necessary for medical treatment
  • The information is required for determining the suitability of an award
  • The information is collected for judicial proceedings
  • The information is required for the collection of a debt or fine, or
  • It is required for law enforcement purposes
• The individual is informed of the purpose for collecting his / her personal information; the legal authorization for collecting it and contact details of the official or employee of the public body who can answer the individual's questions about the collection

Private Bodies

Part IV of the DPA provides that the collection and processing of personal information by private organizations must be in accordance with certain Codes of Conduct (which are to be determined by the Office of the Information Commissioner in consultation with the private sector) and the General Privacy Principles (which are currently in force).

Sensitive Information

Sensitive personal information may not be processed by public bodies and private organizations without the consent of the individual unless:

• It is necessary for the healthcare of the individual
• The individual has made the information public
• It is for research or statistical analysis
• It is by law enforcement
• It is for the purpose of determining access to social services, or
• As otherwise authorized by law

Section 6(1) of the DPA provides that personal information may be transferred outside of Trinidad and Tobago only if the foreign country requesting the individual's personal information has safeguards comparable to Trinidad and Tobago's for the regulation of the personal information which are.

In this regard, the Office of the Information Commissioner is required to publish a list of countries which have comparable safeguards for personal information as provided by this Act in the Gazette and in at least two newspapers in daily circulation in Trinidad and Tobago. As of April 4, 2018, such publication has not happened.

Sections 72(1) and (2) of the DPA (neither of which are in force as yet) provide that where a mandatory code is developed for private bodies, at a minimum, it must require that personal information under the custody or control of a private organization not be disclosed to a third party without the consent of the individual to whom it relates, subject to certain conditions. Where personal information under the custody and control of an organization is to be disclosed to a party residing in another jurisdiction, the organization must inform the individual to whom the information relates.

Section 6 of the DPA, which is in force, states that all persons who handle, store or process personal information belonging to another person are subject to the following General Privacy Principles:

• An organization shall be responsible for the personal information under its control.
• The purpose for which personal information is collected shall be identified by the organization before or at the time of collection.
• Knowledge and consent of the individual are required for the collection, use or disclosure of personal information.
• Collection of personal information shall be legally undertaken and be limited to what is necessary in accordance with the purpose identified by the organization.
• Personal information shall only be retained for as long as is necessary for the purpose collected and shall not be disclosed for purposes other than the purpose of collection without the prior consent of the individual.
• Personal information shall be accurate, complete and current, as is necessary for the purpose of collection.
• Personal information is to be protected by such appropriate safeguards according to the sensitivity of the information.
• Sensitive personal information is protected from processing except where specifically permitted by written law.
• Organizations are to make available documents regarding their policies and practices related to the management of personal information to individuals, except where otherwise provided by written law.
• Organizations shall, at the request of the individual, disclose all documents relating to the existence, use and disclosure of personal information, such that the individual can challenge the accuracy and completeness of the information, except where otherwise provided by written law.
• The individual has the ability to challenge the organization’s compliance with the above principles and receive timely and appropriate engagement from the organization.
• Personal information which is requested to be disclosed outside of Trinidad and Tobago shall be regulated and comparable safeguards to those under this Act shall exist in the jurisdiction receiving the personal information.

The DPA generally requires that personal information is protected by appropriate safeguards based on the sensitivity of the information. Sensitive personal information may not be processed except where permitted by law.

There is no provision in the DPA for notifying data subjects or the Information Commissioner of a security breach.

The Office of the Information Commissioner is responsible for monitoring the administration of this Act to ensure that its purposes are achieved.

The Information Commissioner has several broad powers to conduct audits and investigations of compliance with the DPA.

Part V of the DPA (which is not in force) details the penalties for contraventions of the DPA and also makes further provisions for the enforcement of the DPA.

The DPA has no specific provision regarding electronic marketing.

However, Section 58 of the Electronics Transaction Act (not yet in force) requires that anyone performing the following acts shall provide the consumer with a clearly specified and easily activated option to opt out of receiving future communications:

• Sending unsolicited commercial communications through electronic media to consumers in Trinidad and Tobago
• Knowingly using an intermediary or a telecommunications service provider in Trinidad and Tobago to send unsolicited commercial communications
• Sending unsolicited electronic correspondence to consumers while having a place of business in Trinidad and Tobago

The DPA has no specific provision regarding online privacy.