The British Virgin Islands (BVI) has not enacted formal legislation to regulate data protection. However, it is expected that BVI will promulgate data protection legislation in the near future to adapt internationally recognized standards.
BVI accepts English common law as persuasive authority. BVI courts accordingly recognize the common law duties of privacy and confidentiality. Entities have a duty to maintain confidentiality in a person’s details, unless an applicable exception applies. The duty of confidentiality has been statutorily codified in various aspects of BVI legislation, including the Banks and Trust Companies Act, 1990 (as amended), which regulates all banking, trust and fiduciary related activities in BVI.
The common law duty of privacy and confidentiality is limited by specific exceptions under applicable anti-money laundering legislation, primarily regulated under the BVI Proceeds of Criminal Conduct Act, 1997, and the Anti-Money Laundering Regulations, 2008.
Definition of personal data
There is no specific definition of personal data.
Definition of sensitive personal data
There is no specific definition of sensitive personal data.
There is no national data protection authority in the BVI. Instead, courts are guided by the English common law duties of privacy and confidentiality. The Financial Services Commission (Commission) regulates the fiduciary and trust business sectors pursuant to the Banks and Trusts Companies Act, 1990 (as amended).
There are no data protection registration requirements in the BVI.
There is no requirement to appoint a data protection officer in the BVI.
Entities that manage and maintain personal data in the BVI are subject to the common law duties of privacy and confidentiality. Fiduciary and trust licensees are required to maintain the privacy and confidentiality of client personal data, and may not release or disseminate such information to third parties without specific permission from the individual. This obligation may be limited under applicable anti-money laundering legislation.
With respect to corporate data, the Registrar of Corporate Affairs (Registrar) is permitted to release limited information regarding registered companies, including company name, type, registration or incorporation date, registered office address and company status. Shareholder and director information is not publicly accessible unless specifically disseminated by company authorization, except where required by law to assist law enforcement agencies. Government officials, professional agents, attorneys and accountants, and their employees, are prohibited from disclosing information.
The common law duty of privacy and confidentiality applies to third party data transfers. Depending on the nature of data, a statutory duty may apply where the common law duty of privacy and confidentiality has been codified. Entities should ensure that required consent is obtained prior to any third party data transfer.
The Computer Misuse and Cybercrime Act, 2014 regulates and penalizes the unauthorized transfer and dissemination of information stored on a computer.
The Commission retains a limited exception to the duty of privacy and confidentiality when disclosing information to certain third parties. For example, the Commission may disclose information to foreign regulators in approved jurisdictions to enable foreign regulators to exercise functions similar to that of the Commission. Prior to disclosure, the foreign regulator must certify that information will not be transmitted to any individual without prior written consent from the Commission.
There are no formal statutory security measures in place. Entities that maintain personal data are generally required to ensure technical and organizational safeguards are in place to protect the confidentiality of personal data and confidential information.
There is no requirement to report data security breaches in the BVI.
The Commission and the BVI courts are responsible for enforcement of violations of the duty of privacy and confidentiality.
There is no formal electronic communications legislation in place. The Telecommunications Act (No 10 2006) regulates the BVI telecommunications industry and provides sanctions to protect the confidentiality of personal data.
There is no online privacy legislation in the BVI.