Last modified 26 January 2023

Data Protection in Trinidad and Tobago

Breach notification in Trinidad and Tobago

Download PDF

Download current country

Change countries

Change country

Law

Data protection laws in Trinidad and Tobago

The Data Protection Act, 2011 (DPA) provides for the protection of personal privacy and information processed and collected by public bodies and private organizations.

The DPA was partially enacted on January 6, 2012 by Legal Notice 2 of 2012, and only Part I and sections 7 to 18, 22, 23, 25(1), 26 and 28 of Part II,42(a),(b) of Part III have come into operation, including the processing of personal information under the control of a public body.

No timetable has been set for enacting the remainder of the DPA, and it is possible that there may be changes to the remainder of the legislation before it is proclaimed.

Related resources

Definitions

Definitions in Trinidad and Tobago

Definition of personal data

Personal information is defined as information about an identifiable individual that is recorded in any form including:

The name of the individual where it appears with other personal information relating to the individual or where the disclosure of the name itself would reveal information about the individual
The address and telephone number of the individual
Any identifying number, symbol or other particular identifier designed to identify the individual
Information relating to the individual's race, nationality or ethnic origin, religion, age or marital status
Information relating to the education or the medical, criminal or employment history of the individual, or information relating to the financial transactions in which the individual has been involved or which refer to the individual
Correspondence sent to an establishment by the individual
Information that is explicitly or implicitly of a private or confidential nature, and any replies to such correspondence that would reveal the contents of the original correspondence
The views and opinions of any other person about the individual
The fingerprints, DNA, blood type or other biometric characteristics of the individual

Definition of sensitive personal data

Sensitive personal information is defined as personal information on a person's:

Racial or ethnic origins
Political affiliations or trade union membership
Religious beliefs or other beliefs of a similar nature
Physical or mental health or condition
Sexual orientation or sexual life
Criminal or financial record

Authority

National data protection authority in Trinidad and Tobago

The Office of the Information Commissioner is responsible for the oversight, interpretation and enforcement of the DPA. It has broad authority, including to authorize the collection of personal information about an individual from third parties and to publish guidelines regarding compliance with the Act.

Registration

Registration in Trinidad and Tobago

There is no registration requirement under the DPA.

Data protection officers

Data protection officers in Trinidad and Tobago

There is no such requirement under the DPA.

Collection and processing

Collection and processing in Trinidad and Tobago

The knowledge and consent of the individual is required for the collection, use and disclosure of personal information. Collection must be made in accordance with the purpose identified by the organization collecting the personal information.

Sensitive personal information may not be processed except as specifically permitted by law.

The DPA includes provisions that relate specifically to the collection and processing of personal information by public bodies and private enterprises, however, these are not yet in force. Nevertheless, they are presented below.

Public Bodies

Part III of the DPA provides that a public body may collect and process personal data when the following conditions are met: the collection of that information is expressly authorized by law and

The information is collected for the purpose of law enforcement
The information relates directly to and is necessary for an operating program or activity of the public body when the collection of personal information is collected directly from the individual:
- Another method of collection is authorized by the individual, Information Commissioner or law
- The information is necessary for medical treatment
- The information is required for determining the suitability of an award
- The information is collected for judicial proceedings
- The information is required for the collection of a debt or fine, or
- It is required for law enforcement purposes
The individual is informed of the purpose for collecting his / her personal information; the legal authorization for collecting it and contact details of the official or employee of the public body who can answer the individual's questions about the collection

Private Bodies

Part IV of the DPA provides that the collection and processing of personal information by private organizations must be in accordance with certain Codes of Conduct (which are to be determined by the Office of the Information Commissioner in consultation with the private sector) and the General Privacy Principles (which are currently in force).

Sensitive Information

Sensitive personal information may not be processed by public bodies and private organizations without the consent of the individual unless:

It is necessary for the healthcare of the individual
The individual has made the information public
It is for research or statistical analysis
It is by law enforcement
It is for the purpose of determining access to social services, or
As otherwise authorized by law

Related resources

Transfer

Transfer in Trinidad and Tobago

Section 6(l) of the DPA provides that personal information may be transferred outside of Trinidad and Tobago only if the laws in the recipient country povide safeguards for the personal information comparable to those provided by Trinidad and Tobago law.

In this regard, the Office of the Information Commissioner is required to publish a list of countries which have comparable safeguards for personal information as provided by this Act in the Gazette and in at least two newspapers in daily circulation in Trinidad and Tobago. Such list has not been published to date.

Sections 72(1) and (2) of the DPA (neither of which are in force as yet) provide that where a mandatory code is developed for private bodies, at a minimum, it must require that personal information under the custody or control of a private organization not be disclosed to a third party without the consent of the individual to whom it relates, subject to certain conditions. Where personal information under the custody and control of an organization is to be disclosed to a party residing in another jurisdiction, the organization must inform the individual to whom the information relates.

Section 6 of the DPA, which is in force, states that all persons who handle, store or process personal information belonging to another person are subject to the following General Privacy Principles:

An organization shall be responsible for the personal information under its control.
The purpose for which personal information is collected shall be identified by the organization before or at the time of collection.
Knowledge and consent of the individual are required for the collection, use or disclosure of personal information.
Collection of personal information shall be legally undertaken and be limited to what is necessary in accordance with the purpose identified by the organization.
Personal information shall only be retained for as long as is necessary for the purpose collected and shall not be disclosed for purposes other than the purpose of collection without the prior consent of the individual.
Personal information shall be accurate, complete and current, as is necessary for the purpose of collection.
Personal information is to be protected by such appropriate safeguards according to the sensitivity of the information.
Sensitive personal information is protected from processing except where specifically permitted by written law.
Organizations are to make available documents regarding their policies and practices related to the management of personal information to individuals, except where otherwise provided by written law.
Organizations shall, at the request of the individual, disclose all documents relating to the existence, use and disclosure of personal information, such that the individual can challenge the accuracy and completeness of the information, except where otherwise provided by written law.
The individual has the ability to challenge the organization’s compliance with the above principles and receive timely and appropriate engagement from the organization.
Personal information which is requested to be disclosed outside of Trinidad and Tobago shall be regulated and comparable safeguards to those under this Act shall exist in the jurisdiction receiving the personal information.

Related resources

Security

Security in Trinidad and Tobago

The DPA generally requires that personal information is protected by appropriate safeguards based on the sensitivity of the information. Sensitive personal information may not be processed except where permitted by law.

Related resources

Breach notification

Breach notification in Trinidad and Tobago

There is no provision in the DPA for notifying data subjects or the Information Commissioner of a security breach.

Related resources

Enforcement

Enforcement in Trinidad and Tobago

The Office of the Information Commissioner is responsible for monitoring the administration of this Act to ensure that its purposes are achieved.

The Information Commissioner has several broad powers to conduct audits and investigations of compliance with the DPA.

Part V of the DPA (which is not in force) details the penalties for contraventions of the DPA and also makes further provisions for the enforcement of the DPA.

Electronic marketing

Electronic marketing in Trinidad and Tobago

The DPA has no specific provision regarding electronic marketing.

However, Section 58 of the Electronics Transaction Act (not yet in force) requires that anyone performing the following acts shall provide the consumer with a clearly specified and easily activated option to opt out of receiving future communications:

Sending unsolicited commercial communications through electronic media to consumers in Trinidad and Tobago
Knowingly using an intermediary or a telecommunications service provider in Trinidad and Tobago to send unsolicited commercial communications
Sending unsolicited electronic correspondence to consumers while having a place of business in Trinidad and Tobago

Online privacy