Trinidad and Tobago - Data Protection Overview
1. Governing Texts
Privacy, as the overarching principle of which data or information privacy is a subset, has generally been afforded protection in Trinidad and Tobago, as in numerous other jurisdictions, through constitutional provisions and international human rights law. In terms of specific legislation, the Data Protection Act 2011 ('the Act') is the sole piece of legislation on the topic and deals not with the broad issue of privacy but specifically with the protection of personal information in the public and private sectors. It is not fully proclaimed, as detailed below.
The Act is the sole piece of legislation dealing with privacy in some form but, as noted above, is not fully proclaimed. It is partially proclaimed by Legal Notice No. 2 of 2012 and by Legal Notice No. 220 of 2021, and the Sections that have been proclaimed include:
- Part One, Sections 1 to 6 (the object and application of the Act as well as the General Privacy Principles ('the Principles'));
- Part Two, Sections 7 to 18, 22, 23, 25(1), 26 and 28 (certain powers and duties of the Office of the Information Commissioner ('the Commissioner')); and
- Part Three, Section 42(a) and (b).
The Act is divided into six parts and its object is to ensure the protection of an individual's right to privacy, and to establish the right to maintain sensitive personal information as private, confidential, and personal.
The Act separates data privacy into data protection in the public sector and data protection in the private sector, with specific considerations for each sector.
Codes of conduct
With respect to the protection of personal data in the private sector, all entities and individuals in the private sector are subject to the Principles (as noted above).
Further, to ensure compliance, the Commissioner oversees the application of the Principles through voluntary or mandatory codes of conduct that apply those Principles to a particular industry or sector; where a government regulator exists for that industry or sector, the Commissioner may request the regulator to oversee the development of the code. Mandatory codes must, at a minimum, require that personal information under the custody or control of the organisation not be disclosed to a third party without the consent of the individual, except where disclosure is made pursuant to a court order or in compliance with any written law. Both mandatory and voluntary codes require the Commissioner's approval before use, and the Act sets out rules on how the Commissioner is to approve a code.
Where the Commissioner has approved a mandatory code, there is also provision for the Minister responsible for Data Protection ('the Minister') to make compliance with it mandatory by order, and for government regulators with jurisdiction over the industry to make the code mandatory pursuant to other legislation. Where personal information is to be disclosed to a foreign party, the same procedure that applies to disclosure by a public body to a foreign party is to be followed.
Other notable provisions include the individual's right of access to personal information stored in an organisation subject to a mandatory code, provided the request is specific, reasonably retrievable, and in the form approved by the Commissioner. Also, the head of an organisation subject to a mandatory code may, upon the written authorisation of the Commissioner, disregard requests from individuals for access to their personal information where these would unreasonably interfere with the operations of the organisation.
There is also a provision that individuals who reasonably believe that an organisation subject to a mandatory code holds personal information about them have a right to request that information and to lodge a complaint with the Commissioner if their request is refused. When the Commissioner receives such a request or complaint, it shall inform the organisation concerned and any other affected person and commence an enquiry, after which it shall:
- affirm the decision of the organisation;
- order the release of the information;
- make the correction requested;
- dismiss the complaint; or
- order the organisation to comply with the code or the Act.
Part Six of the Act makes provision for issues such as who should be responsible for the payment of audit costs, recourse to and the jurisdiction of the Courts, whistleblowing protection, and the ability of the Minister to make regulations under the Act. Additionally, there are also several provisions relating to the amendment of the Freedom of Information Act, Chapter 22:02 with the intention of ensuring consistency with the Act.
Because the Act has been only partially proclaimed, the gap in the protection of personal data remains open. Although private organisations have begun to comply generally with the Principles enunciated in the Act, most of that compliance has been voluntary and driven by a desire to follow international best practice with regard to data protection.
1.2. Guidelines
In the private sector there are general guidelines, mainly formulated as policy documents, that address data privacy under the overarching principle of confidentiality and non-disclosure of information that an individual obtains or comes into contact with as a result of their employment.
The Commissioner is the authority in charge of monitoring the administration of the Act to ensure it achieves its purposes (Section 9 of the Act). There is currently no information available as to its establishment. Consequently, no guidance has been issued.
1.3. Case law
Several recent cases have touched on privacy, but they are usually entwined with other legal issues such as intellectual property, confidentiality, and employment law.
2. Scope of Application
The Act applies to identifiable natural persons, private and public organisations, and deceased individuals.
With regards to the protection of personal data within the private sector, the Act states that a person who:
- collects, retains, manages, uses, processes, or stores personal information in Trinidad and Tobago;
- collects personal information from individuals in Trinidad and Tobago; or
- uses an intermediary or telecommunications service provider located in Trinidad and Tobago to provide a service in furtherance of points 1 or 2,
shall follow the Principles set out in Section 6 of the Act when dealing with personal information.
The Act regulates personal information which is requested to be disclosed both within and outside of Trinidad and Tobago.
The Act covers personal data, sensitive personal data (as defined in the Act), processing for specific purposes, retention, dissemination and, to a lesser extent, destruction.
3. Data Protection Authority
3.1. Main regulator for data protection
The Act establishes the Commissioner and stipulates who may be appointed to the office.
3.2. Main powers, duties and responsibilities
The Commissioner is charged with the responsibility of administering the Act, and in that regard has to:
- monitor compliance, conduct audits, and investigations;
- receive representations and complaints from the public and organisations or individuals accused of infringements;
- authorise the collection of personal data other than directly from the individual; and
- make orders on complaints or compliance, publish guidelines on industry codes of conduct, and provide advice on privacy and data protection issues.
Another notable provision in relation to the Commissioner is that when conducting an audit or enquiry into practices of either an entity subject to an enforceable code of conduct or in respect of a public body (such as the Office of the President, the various branches of the Judiciary, the Houses of Parliament, and the Cabinet), it can, pursuant to a court order, exercise certain search and seizure powers in relation to the particular audit or enquiry.
Also, an inspector (who is appointed by the Commissioner under Section 19 of the Act) has similar powers to conduct audits and investigations including:
- recourse to police accompaniment when entering any premises;
- the right to question individuals;
- the right to conduct examinations, inspections, investigations, and enquiries as may be necessary to ascertain compliance with the Act; and
- the requirement for persons undergoing an examination to sign a declaration of truth pursuant to such examination.
Please note that the Commissioner has not yet been appointed.
4. Key Definitions
Persons subject to the Principles: a person who:
- collects, retains, manages, uses, processes, or stores personal information in Trinidad and Tobago;
- collects personal information from individuals in Trinidad and Tobago; or
- uses an intermediary or telecommunications service provider located in Trinidad and Tobago to provide a service in furtherance of paragraph 1 or 2,
shall follow the Principles set out in Section 6 when dealing with personal information.
Personal information: information about an identifiable individual that is recorded in any form, including:
- information relating to the race, nationality or ethnic origin, religion, age, or marital status of the individual;
- information relating to the education, medical, criminal, or employment history of the individual;
- information relating to the financial transactions in which the individual has been involved or which refers to the individual;
- any identifying number, symbol, or other particular designed to identify the individual;
- the address and telephone contact number of the individual;
- the name of the individual where it appears with other personal information relating to the individual or where the disclosure of the name itself would reveal information about the individual;
- correspondence sent to an establishment by the individual that is explicitly or implicitly of a private or confidential nature, and any replies to such correspondence which would reveal the contents of the original correspondence;
- the views and opinions of any other person about the individual; or
- the fingerprints, deoxyribonucleic acid, blood type, or the biometric characteristics of the individual.
Sensitive personal information: personal information about an individual's:
- racial or ethnic origins;
- political affiliations or trade union membership;
- religious beliefs or other beliefs of a similar nature;
- physical or mental health or condition;
- sexual orientation or sexual life; or
- criminal or financial record.
Data: Any document, correspondence, memorandum, book, plan, map, drawing, pictorial or graphic work, photograph, film, microfilm, sound recording, videotape, machine-readable record and any other documentary material, regardless of form or characteristics, and any copy of those things.
5. Legal Bases
The Act establishes that all persons who handle, store or process personal information belonging to another person must follow the principle of consent and knowledge of the individual, which is required for the use or disclosure of such information (Section 5(c) of the Act).
The Act does not expressly refer to legal obligation as a basis for the use of personal information. It does, however, provide that sensitive personal information is to be protected from processing except where written law provides otherwise, and that sensitive personal information may be processed or disclosed where required by written law (Sections 6(h) and 72 of the Act).
The Act does not expressly refer to the interests of the data subject; however, it establishes that sensitive personal information shall not be collected or processed unless one of the following applies (Sections 31(2)(b), 40(2), and 76(2) of the Act):
- it is collected or processed by a public body's or corporation's health care professional or agent for the purposes of:
  - preventative medicine and the protection of public health;
  - medical diagnosis;
  - health care and treatment; and
  - the management of health and hospital care services;
- where it has been made public by the person to whom such information relates;
- for research and statistical purposes in accordance with section 43;
- in the interest of law enforcement and national security;
- for the purposes of determining access to social services; or
- in accordance with or where authorised by any other written law.
According to Section 43(a) and (b) of the Act, a public body may disclose personal information or may cause personal information in its custody or control to be disclosed for a research purpose, including statistical research only if:
- the research purpose cannot reasonably be accomplished unless that information is provided in individually identifiable form; and
- the information is disclosed on condition that it not be used for the purpose of contacting a person to participate in research.
See also the discussion of the interests of the data subject above.
6. Principles
The Act covers the general principles of transparency, purpose limitation, data minimisation, accuracy, storage limitation, confidentiality, and accountability.
7. Controller and Processor Obligations
In pursuance of the object of the Act, there are 12 listed Principles applicable to all persons who handle, store or process personal information belonging to another person. They (in essence) state that:
- the organisation is responsible for the personal information under its control;
- the organisation must identify the purpose for which the personal information is collected before or at the time of collection;
- knowledge and consent of the individual are required for the collection, use, or disclosure of personal information;
- collection must be undertaken legally and limited to what is necessary for the specified purpose;
- personal information must not be kept longer than is necessary;
- personal information must be accurate, complete, up-to-date, secure, adequate, relevant, and not excessive;
- personal information shall not be transferred out of Trinidad and Tobago without consent, nor to a jurisdiction that does not provide adequate protection;
- organisations must make available to individuals documents regarding their policies and practices related to the management of personal information except where otherwise provided by written law;
- sensitive personal information must be protected from processing; and
- organisations shall, except where otherwise provided by written law, disclose at the request of the individual all the documents relating to the existence, use, and disclosure of personal information, such that the individual can challenge the accuracy and completeness of the information.
Persons who process or store personal information in Trinidad and Tobago must also comply with the Principles mentioned above.
There is no notification requirement in the Act.
However, Part Four of the Act provides that private organisations that process personal information in Trinidad and Tobago must follow codes of conduct determined by the Commissioner (Section 70 of the Act). The Commissioner has not yet been established; consequently, there is no additional information on processing notification requirements.
Personal information shall not be transferred out of Trinidad and Tobago without consent, nor to a jurisdiction that does not provide adequate protection. The Act also makes it the duty of the Commissioner to publish a list of countries whose safeguards for personal information are comparable to those provided by the Act.
The Act states that every public body must prepare a privacy impact assessment ('PIA') and take all reasonable steps in accordance with its PIA to avoid unnecessary intrusions into personal privacy when designing, implementing, or enforcing enactments, systems, projects, programs, or activities (Section 47 of the Act).
There are no provisions on compulsory appointment of a data protection officer in the Act as it is now.
There are no provisions on data breach notification in the Act as it is now.
Although there are no express provisions on retention periods under the Act, it provides that personal information may only be retained for as long as is necessary for the purpose collected (Section 6(e) of the Act).
8. Data Subject Rights
The object of the Act is to ensure that protection is afforded to an individual's right to privacy and the right to maintain sensitive personal information as private and personal.
Individuals have the following rights under the Act:
- to not have their personal information collected, used, or disclosed unless they have given their consent;
- to access their information and challenge any organisation on compliance with the Principles;
- to challenge an organisation's compliance with the Principles and receive timely and appropriate engagement from the organisation; and
- to lodge a complaint with the Commissioner if their request for access to their personal information is denied.
The Act stipulates that, before a public body collects personal information, the individual must be informed of the following (Section 32 of the Act):
- the purpose for collecting it;
- the legal authority for collecting it; and
- the title, business address, and business telephone number of an official or employee of the public body who can answer the individual's questions about the collection.
The Act establishes that a public body holding personal information must ensure that the individual to whom it relates has a reasonable opportunity to obtain access to that information (Sections 33 and 52 of the Act). An individual whose personal information is held by an organisation subject to a mandatory code of conduct has a right to, and shall on request be given, access to the personal information held about them that is reasonably retrievable (Section 75(1) of the Act).
The Act states that where an individual suspects their personal information held by a public body is incorrect or has omissions, they may request to correct the information (Section 57 of the Act).
The Act does not expressly refer to the right to erasure.
The Act does not expressly refer to the right to object/opt-out.
The Act does not expressly refer to the right to data portability.
The Act does not expressly refer to the right to not be subject to automated decision-making.
The Act provides that every director and officer of a corporation has a duty of care in ensuring compliance with the Act and any orders imposed by the Commissioner, and can be held liable for any offence provided for in the Act committed by the corporation if they directed, authorised, assented to, or participated in the commission of the offence.
The Act provides that it is an offence:
- to wilfully obstruct the Commissioner or their delegate in the performance of their duties;
- to request access to personal information under false pretenses;
- to make a false statement or mislead the Commissioner;
- to fail to comply with an order of the Commissioner or mandatory code;
- to breach the confidentiality obligations stipulated in the Act;
- to wilfully disclose personal information in contravention of the Act;
- to collect, store, or dispose of personal information in contravention of the Act; or
- to contravene whistleblowing provisions (Section 99 of the Act).
In terms of penalties, persons committing offences under the Act are liable, upon summary conviction, to a fine of up to TTD 50,000 (approx. €6,220) or to imprisonment for a term of three years; and upon conviction on indictment, to a fine of up to TTD 100,000 (approx. €12,440) or to imprisonment for a term of not more than five years.
Where the offences are committed by a body corporate, the penalty upon summary conviction is a fine of TTD 250,000 (approx. €31,090) and, upon conviction on indictment, a fine of TTD 500,000 (approx. €62,180). Further, where a corporation contravenes any of the provisions of the Act, the Court may impose a fine of up to 10% of the annual turnover of the enterprise, taking into account factors such as the estimated economic cost of the contravention and the estimated economic benefit of the contravention to the enterprise.