Section 6(l) of the DPA provides that personal information may be transferred outside of Trinidad and Tobago only if the laws in the recipient country povide safeguards for the personal information comparable to those provided by Trinidad and Tobago law.

In this regard, the Office of the Information Commissioner is required to publish a list of countries which have comparable safeguards for personal information as provided by this Act in the Gazette and in at least two newspapers in daily circulation in Trinidad and Tobago. Such list has not been published to date.

Sections 72(1) and (2) of the DPA (neither of which are in force as yet) provide that where a mandatory code is developed for private bodies, at a minimum, it must require that personal information under the custody or control of a private organization not be disclosed to a third party without the consent of the individual to whom it relates, subject to certain conditions. Where personal information under the custody and control of an organization is to be disclosed to a party residing in another jurisdiction, the organization must inform the individual to whom the information relates.

Section 6 of the DPA, which is in force, states that all persons who handle, store or process personal information belonging to another person are subject to the following General Privacy Principles:

• An organization shall be responsible for the personal information under its control.
• The purpose for which personal information is collected shall be identified by the organization before or at the time of collection.
• Knowledge and consent of the individual are required for the collection, use or disclosure of personal information.
• Collection of personal information shall be legally undertaken and be limited to what is necessary in accordance with the purpose identified by the organization.
• Personal information shall only be retained for as long as is necessary for the purpose collected and shall not be disclosed for purposes other than the purpose of collection without the prior consent of the individual.
• Personal information shall be accurate, complete and current, as is necessary for the purpose of collection.
• Personal information is to be protected by such appropriate safeguards according to the sensitivity of the information.
• Sensitive personal information is protected from processing except where specifically permitted by written law.
• Organizations are to make available documents regarding their policies and practices related to the management of personal information to individuals, except where otherwise provided by written law.
• Organizations shall, at the request of the individual, disclose all documents relating to the existence, use and disclosure of personal information, such that the individual can challenge the accuracy and completeness of the information, except where otherwise provided by written law.
• The individual has the ability to challenge the organization’s compliance with the above principles and receive timely and appropriate engagement from the organization.
• Personal information which is requested to be disclosed outside of Trinidad and Tobago shall be regulated and comparable safeguards to those under this Act shall exist in the jurisdiction receiving the personal information.