National Data Protection Authority

In Trinidad and Tobago The Data Protection Act, 2011 provides for the protection of personal privacy and information ('DPA') processed and collected by public bodies and private organisations.

The DPA was partially proclaimed on the 6th January 2012 by Legal Notice 2 of 2012 and only Part I and sections 7 to 18, 22, 23, 25(1), 26 and 28 of Part II have come into operation.

No timetable has been set for the proclamation of the remainder of the DPA and it is possible that there may be changes to the remainder of the legislation before it is proclaimed.

Definition of personal data

Personal data (which is referred to in the DPA as ‘Personal Information’) is defined as information about an identifiable individual that is recorded in any form including:

• the name of the individual where it appears with other personal information relating to the individual or where the disclosure of the name itself would reveal information about the individual
  
  
• the address and telephone number of the individual
  
  
• any identifying number, symbol or other particular identifier designed to identify the individual
  
  
• information relating to the individual’s race, nationality or ethnic origin, religion, age or marital status
  
  
• information relating to the education or the medical, criminal or employment history of the individual, or information relating to the financial transactions in which the individual has been involved or which refer to the individual
  
  
• correspondence sent to an establishment by the individual
  
  
• information that is explicitly or implicitly of a private or confidential nature, and any replies to such correspondence that would reveal the contents of the original correspondence
  
  
• the views and opinions of any other person about the individual, and
  
  
• the fingerprints, DNA, blood type or other biometric characteristics of the individual.

Definition of sensitive personal data

Sensitive Personal Data (which is referred to in the DPA as ‘sensitive personal information’) is defined as personal information on a person’s:

• racial or ethnic origins
• political affiliations or trade union membership
• religious beliefs or other beliefs of a similar nature
• physical or mental health or condition
• sexual orientation or sexual life, or
• criminal or financial record.

The entity responsible for the oversight, interpretation and enforcement of the DPA is the Office of the Information Commissioner. It has broad authority, including to authorise the collection of personal information about an individual from third parties and to publish guidelines regarding compliance with the Act.

There is no registration requirement under the DPA.

There is no such requirement under the DPA.

The knowledge and consent of the individual is required for the collection, use and disclosure of personal information. Furthermore, collection is required to be undertaken in accordance with the purpose identified by the organisation collecting, the personal information and other legal requirements.

Sensitive personal information may not be processed except as specifically permitted by law.

The DPA includes provisions that relate specifically to the collection and processing of personal information by public bodies and private enterprises respectively, however these are not yet in force. Nevertheless, they are presented below.

Public Bodies

Part III of the DPA provides that a public body may collect and process personal data when the following conditions are met:

• the collection of that information is expressly authorised by law
  
  
• the information is collected for the purpose of law enforcement
  
  
• the information relates directly to and is necessary for an operating programme or activity of the public body
  
  
• the collection of personal information is collected directly from the individual:
  • another method of collection is authorised by the individual, Information Commissioner or law 
    
    
  • the information is necessary for medical treatment
    
    
  • the information is required for determining the suitability of an award
    
    
  • for judicial proceedings
    
    
  • the information is required for the collection of a debt or fine, or
    
    
  • it is required for law enforcement purposes
    
    
• the individual is informed of the purpose for collecting his/her personal information; the legal authorisation for collecting it and contact details of the official or employee of the public body who can answer the individual's questions about the collection.

Private Bodies

Part IV of the DPA provides that the collection and processing of personal information by private organisations will be in accordance with certain Codes of Conduct (which are to be determined by the Office of the Information Commissioner in consultation with the private sector) and with the General Privacy Principles (which are currently in force).

Sensitive Information

As to both public bodies and private organisations, Sensitive Personal Information may not be processed without the consent of the individual unless:

• it is necessary for the healthcare of the individual
• the individual has made the information public
• it is for research or statistical analysis
• it is by law enforcement
• for the purpose of determining access to social services, or
• as otherwise authorised by law.

Section 6(1) of the DPA provides that personal information may be transferred outside of Trinidad and Tobago only if the foreign country requesting the individual’s personal information has safeguards for the regulation of the personal information which are comparable to Trinidad and Tobago’s.

In this regard, the Office of the Information Commissioner is required to publish in the Gazette and at least two newspapers in daily circulation in Trinidad and Tobago a list of countries which have comparable safeguards for personal information as provided by this Act. As of January 6, 2015, this has not yet happened because a Commissioner has yet to be appointed.

Sections 72(1) and (2) of the DPA (neither of which are in force as yet) provide that where a mandatory code is developed for private bodies it must require at a minimum that personal information under the custody or control of a private organisation not be disclosed to a third party without the consent of the individual to whom it relates, subject to certain conditions. Where personal information under the custody and control of an organisation is to be disclosed to a party residing in another jurisdiction, the organisation must inform the individual to whom the information relates.

Section 6 of the DPA, which is in force, states that all persons who handle, store or process personal information belonging to another person are subject to the following ‘General Privacy Principles’:

• an organisation shall be responsible for the personal information under its control
   
• the purpose for which personal information is collected shall be identified by the organisation before or at the time of collection
   
• knowledge and consent of the individual are required for the collection, use or disclosure of personal information
   
• collection of personal information shall be legally undertaken and be limited to what is necessary in accordance with the purpose identified by the organisation
   
• personal information shall only be retained for as long as is necessary for the purpose collected and shall not be disclosed for purposes other than the purpose of collection without the prior consent of the individual
   
• personal information shall be accurate, complete and up-to-date, as is necessary for the purpose of collection
   
• personal information is to be protected by such appropriate safeguards having regard to the sensitivity of the information
   
• sensitive personal information is protected from processing except where specifically permitted by written law
   
• organisations are to make available to individuals documents regarding their policies and practices related to the management of personal information, except where otherwise provided by written law
   
• organisations shall, except where otherwise provided by written law, disclose at the request of the individual, all documents relating to the existence, use and disclosure of personal information, such that the individual can challenge the accuracy and completeness of the information
   
• the individual has the ability to challenge the organisation’s compliance with the above principles and receive timely and appropriate engagement from the organisation, and
   
• personal information which is requested to be disclosed outside of Trinidad and Tobago shall be regulated and comparable safeguards to those under this Act shall exist in the jurisdiction receiving the personal information.

The DPA generally requires that personal information be protected by appropriate safeguards based on the sensitivity of the information. Sensitive personal information may not be processed except where permitted by law.

There is no provision in the DPA for notifying data subjects or the Information Commissioner of a security breach.

The Office of the Information Commissioner is responsible for monitoring the administration of this Act to ensure that its purposes are achieved (s.9 (1)).

The Information Commissioner has several broad powers to conduct audits and investigations of compliance with the DPA.

Part V of the DPA (which is not in force) details the penalties for contraventions of the DPA and also makes further provisions for the enforcement of the DPA.

The DPA has no specific provision regarding electronic marketing.

The DPA has no specific provision regarding online privacy.