Trinidad and Tobago - Data Protection Act

First Session Tenth Parliament Republic of Trinidad and Tobago

 

REPUBLIC OF TRINIDAD AND TOBAGO

 

Act No. 13 of 2011

 

 

 

[L.S.]

 

 

AN ACT to provide for the protection of personal privacy and information

 

[Assented to

, 2011]

 

ENACTED by the Parliament of Trinidad and Tobago as follows:

Enactment

PART I

 

PRELIMINARY

 

1.   (1) This Act may be cited as the Data Protection Act, 2011.

Short title and commencement

 

2                      No. 13                              Data Protection                                2011

 

(2) This Act shall come into operation on such day as is fixed by the President by Proclamation.

2. In this Act—

Interpretation

 

“Commissioner” means the Information Commissioner appointed under section 8;

 

“Court” means the High Court of Trinidad and Tobago;

 

“data” means any document, correspondence, memorandum, book, plan, map, drawing, pictorial or graphic work, photograph, film, microfilm, sound recording, videotape, machine-readable record and any other documentary material, regardless of form or characteristics, and any copy of those things;

 

“data matching” means the comparison, whether naturally or by means of any electronic or other device, of any data that contains personal information about individuals with other documents containing personal information about individuals for the purpose of producing new forms of information about individuals;

 

“enterprise” means a partnership or body (corporate or unincorporated) engaged in business;

 

“Head of a Public Body” means the President, the Prime Minister, the President of the Senate, the Speaker of the House of Representatives, the Chief Administrator of the Tobago House of Assembly, the Chief Secretary of the Tobago House of Assembly, the Permanent Secretary of a Ministry, the Head of a Government Department, the Head of the Judiciary, Chief Executive Officer of an enterprise or the Chairman of an agency or where such title does not exist, the person who performs such duties;

 


 

“health care body” means a regional health authority established under the Regional Health Authorities Act, a hospital, extended care facility, clinic, psychiatric hospital as defined under the Mental Health Act, a private hospital as defined under the Private Hospitals Act, and similar bodies licensed by the Minister with responsibility for health;

Chap. 29:05

Chap. 28:02

Chap. 29:03

 

“individual” means a natural person;

 

“information sharing agreement” means an agreement that sets conditions for one or more of the following:

(a)  the exchange of personal information between a public body and a person, a group of persons or an organization;

 

(b)  the disclosure of personal information by a public body to a person, a group of persons or an organization; or

(c)   a collection of personal information by a public body from a public body, a person or a group of persons of an organization;

 

“Minister” means the Minister to whom responsibility for data protection is assigned and “Ministry” shall be construed accordingly;

 

“personal information” means information about an identifiable individual that is recorded in any form including—

 

(a)  information relating to the race, nationality or ethnic origin, religion, age or marital status of the individual;

 

 


 

(b)  information relating to the education or the medical, criminal or employment history of the individual or information relating to the financial transactions in which the individual has been involved or which refers to the individual;

 

(c)   any identifying number, symbol or other particular designed to identify the individual;

 

(d)  the address and telephone contact number of the individual;

(e)   the name of the individual where it appears with other personal information relating to the individual or where the disclosure of the name itself would reveal information about the individual;

 

(f)   correspondence sent to an establishment by the individual that is explicitly or implicitly of a private or confidential nature, and any replies to such correspondence which would reveal the contents of the original correspondence;

 

(g)   the views and opinions of any other person about the individual; or

 

(h) the fingerprints, deoxyribonucleic acid, blood type or the biometric characteristics of the individual;

 

“personal information bank” means a collection of personal information that is organized or retrievable by the name of the individual or by an identifying number, symbol or other particulars assigned to the individual;

 


 

“premises” includes land or any vessel, vehicle or aircraft and references to the occupier or any premises include references to the person in charge of the land or any vessel, vehicle or aircraft;

 

“privacy impact assessment” means an assessment that is conducted to determine if a proposed enactment, system, project, programme or activity meets the requirements of the General Privacy Principles of section 6;

 

“public body” means—

 

(a)   the Office of the President;

 

(b)   Parliament, a Joint Select Committee of Parliament or a committee of either House of Parliament;

 

(c)    the Court of Appeal, the High Court, the Industrial Court, the Tax Appeal Board or any court of summary jurisdiction;

 

(d)   the Cabinet as constituted under the Constitution, a Ministry or Department, Division or Agency of a Ministry;

 

(e)    the Tobago House of Assembly, the Executive Council of the Tobago House of Assembly or a division of the Tobago House of Assembly;

 

(f) a municipal corporation established under the Municipal Corporations Act;

Chap. 25:04

 

(g)   a statutory body, responsibility for which is assigned to a Minister of Government;

 

 


 

(h)   a company incorporated under the laws of Trinidad and Tobago that is owned and controlled by the State;

 

(i)    a Service Commission established under the Constitution or other written law; or

 

(j) a body corporate or an unincorporated entity in relation to any function that it exercises on behalf of the State, or which is supported, directly or indirectly by Government funds and over which Government is in a position to exercise control;

 

“record” means recorded information collected, created or received in the initiation, conduct or completion of an activity and that comprises sufficient content, context and structure to provide evidence or proof of that activity or transaction;

 

“sensitive personal information” means information on a person’s–

 

(a)  racial or ethnic origins;

 

(b)  political affiliations or trade union membership;

 

(c)   religious beliefs or other beliefs of a similar nature;

 

(d) physical or mental health or condition;

 

(e)   sexual orientation or sexual life; or

 

(f)   criminal or financial record;

 

 


 

“sensory disability” means a disability that relates to sight or hearing; and

 

“service provider” means a person retained under a contract to perform services of a public body.

 

3.  This Act binds the State.

Act binds the State

 

4. The object of this Act is to ensure that protection is afforded to an individual’s right to privacy and the right to maintain sensitive personal information as private and personal.

Object of the Act

 

5.  This Act shall not—

Inapplicability of Act

 

(a)   limit information available by law to a party in any proceeding;

 

(b)   limit the power of a court or tribunal to compel a witness to testify or to compel the production of a document or other evidence; or

 

(c)   apply to notes prepared by or for an individual presiding in a court of Trinidad and Tobago or in a tribunal if those notes are prepared for that individual’s personal use in connection with the proceedings.

 

6. The following principles are the General Privacy Principles which are applicable to all persons who handle, store or process personal information belonging to another person:

General Privacy Principles

 

(a)   an organization shall be responsible for the personal information under its control;

 

(b)   the purpose for which personal information is collected shall be identified by the organization before or at the time of collection;

 

 


 

(c)   knowledge and consent of the individual are required for the collection, use or disclosure of personal information;

 

(d)   collection of personal information shall be legally undertaken and be limited to what is necessary in accordance with the purpose identified by the organization;

 

(e)   personal information shall only be retained for as long as is necessary for the purpose collected and shall not be disclosed for purposes other than the purpose of collection without the prior consent of the individual;

 

(f)   personal information shall be accurate, complete and up-to-date as is necessary for the purpose of collection;

 

(g)   personal information is to be protected by such appropriate safeguards having regard to the sensitivity of the information;

 

(h)   sensitive personal information is protected from processing except where otherwise provided for by written law;

 

(i)   organizations are to make available to individuals documents regarding their policies and practices related to the management of personal information except where otherwise provided by written law;

 

(j)   organizations shall, except where otherwise provided by written law, disclose at the request of the individual, all documents relating to the existence, use and disclosure of personal information, such that the individual can challenge the accuracy and completeness of the information;

 

 


 

(k)   the individual has the ability to challenge the organization’s compliance with the above principles and receive timely and appropriate engagement from the organization; and

 

(l)   personal information which is requested to be disclosed outside of Trinidad and Tobago shall be regulated and comparable safeguards to those under this Act shall exist in the jurisdiction receiving the personal information.

 

PART II

 

OFFICE OF THE INFORMATION COMMISSIONER

 

7. There is hereby established a body corporate to be known as the Office of the Information Commissioner.

Office of the Information Commissioner

 

8. (1) There shall be an Information Commissioner (hereinafter referred to as “the Commissioner”) who shall—

Appointment of Information Commissioner

 

(a)   be the head of the Office of the Information Commissioner;

 

(b)   be appointed by the President; and

 

(c)   possess the qualifications and experience set out in subsection (2).

 

(2) A person appointed to be the Information Commissioner under subsection (1) shall be an attorney-at-law within the meaning of the Legal Profession Act with at least ten years standing and shall have training or experience in economics, finance, information security, technology, audit or human resource management.

Chap. 90:03

 

(3) A person appointed under subsection (1) shall hold office for five years and may be reappointed.

 

 


 

(4) A person appointed under subsection (1) shall, before he performs the functions of Information Commissioner, take and subscribe to the oath of office set out in Part A of the Schedule.

Schedule

9. (1) The Commissioner shall monitor the administration of this Act to ensure its purposes are achieved.

Powers of Information Commissioner

(2) In carrying out his powers under subsection (1), the Commissioner may—

 

(a)  conduct audits and investigations to ensure compliance with any provision of this Act;

 

(b)  advise on the privacy protection implications of proposed legislative schemes or government programmes and receive representations from the public concerning data protection and privacy matters;

 

(c)  after hearing representations from the Head of a Public Body or an organization subject to a mandatory code of conduct and who may be engaged in processes that may be in contravention of this Act, order the public body or organization to cease collection practices or destroy collections of personal information that contravene this Act;

 

(d)  authorize the collection of personal information otherwise than directly from the individual in appropriate circumstances;

 

(e)  make orders regarding the reasonableness of fees required by an organization subject to this Act;

 

(f)  authorize data matching by a public body or public bodies;

 

(g)  make orders, including such terms and conditions as the Commissioner considers appropriate, following an appeal or complaint filed by an individual pursuant to section 58, 78 or 79A;

 

 


 

(h)  make orders regarding compliance with the General Privacy Principles set out in section 6 by a public body or an organization subject to a mandatory code of conduct;

 

(i)  publish guidelines regarding compliance with the Act, including but not limited to guidelines on the development of industry codes of conduct, firm compliance policies, procedures for handling complaints, guidelines dealing with conflict of interest for industry bodies or individuals who mediate or deal with complaint resolution, guidelines dealing with security of information and information systems, and guidelines for information sharing agreements or data matching agreements;

 

(j)  exercise his corporate powers in relation thereto in such manner as he thinks fit, in accordance with this Act;

 

(k)  make such administrative arrangements as may be necessary for the proper conduct of his functions; and

 

(l)  exercise such other powers as may be assigned to him under any other written law.

 

10. The Commissioner appointed under section 8 shall—

Functions of Information Commissioner

(a) promote the development of codes of conduct for guidance as to good practice;

(b) promote the adherence to good practices by persons subject to this Act;

 

(c)  disseminate information about this Act;

 

(d)  monitor compliance with this Act;

 


(e) co-operate with counterparts in other jurisdictions to promote the protection of personal privacy in the public and private sectors;

(f) carry out special studies or research regarding privacy or related issues;

(g) bring to the attention of the head of the public body or organization subject to a mandatory code of conduct any failure to meet the standards imposed by the General Privacy Principles set out in section 6 or the responsibilities established by Part III and Part IV of this Act;

(h) issue public reports on the status of compliance with this Act;

(i) review and approve privacy impact assessments as required by this Act; and

(j) exercise such other functions that may be assigned to him under any other written law.

11. (1) The President may appoint no more than two Deputy Information Commissioners who shall meet the same requirements for qualifications or experience as specified for the Information Commissioner under section 8.

Deputy Information Commissioner

 

(2)   Where more than one Deputy Information Commissioner is appointed the President shall specify which function each respective Deputy Information Commissioner shall perform either under this Act or under the Freedom of Information Act, 1999 or any other written law.

 

(3)   A Deputy Information Commissioner appointed under subsection (1) shall hold office for a period not exceeding five years and may be reappointed.

 


 

(4)    A Deputy Information Commissioner may, in the absence or incapacity of the Commissioner, act in his place.

 

(5)    Where the post of Information Commissioner is vacant, a Deputy Information Commissioner may act as the Information Commissioner until such time as a Commissioner is appointed to the vacant post.

 

(6)    In the absence or incapacity of a Deputy Information Commissioner, the President may appoint an acting Deputy Information Commissioner.

 

(7)    A person appointed under subsection (1) shall, before he performs the functions of Deputy Information Commissioner, take and subscribe to the oath of office set out in Part B of the Schedule.

 

12. (1) The Commissioner or Deputy Information Commissioner may be removed from office only for cause, including misconduct in relation to his duties or physical or mental inability to fulfil the responsibilities of the office.

Resignation or removal of Information Commissioner and Deputy Information Commissioner

 

(2)    The Commissioner or Deputy Information Commissioner may at any time resign his office by letter addressed to the President.

 

13. Section 141 of the Constitution shall apply to the offices of the Commissioner and the Deputy Information Commissioner.

Remuneration of Information Commissioner and Deputy Information Commissioner

 

14. (1) The Office of the Information Commissioner shall have a seal which shall be kept in the custody of the Commissioner and shall be judicially noticed as such.

Seal of Office of the Information Commissioner

 

(2)   The seal of the Office of the Information Commissioner may be affixed to documents and instruments in the presence of the Commissioner and shall be attested by the signature of the Commissioner and the signature shall be sufficient evidence that the seal was duly and properly affixed and is the lawful seal of the Office of the Information Commissioner.

 


 

(3) All documents, other than those required by law to be under seal made by, and all decisions of the Commissioner may be signified under the hand of the Commissioner.

(4) Notwithstanding the provisions of the Conveyancing and Law of Property Act and the Real Property Act relating to the matters thereunder required to be performed and to the mode of their performance prior to the registration of a Deed, document or other instrument, the affixing of the seal of the Office of the Information Commissioner and the signing by the Commissioner in the manner set out in subsection (2) shall be, and shall be taken as sufficient evidence for the purposes of those Acts of the due execution by the Office of the Information Commissioner of any Deed, document or other instrument.

Chap. 56:01

Chap. 56:02

 

15. Service upon the Commissioner of any notice, order or other document shall be effected by delivering the same or by sending it by registered post addressed to the Commissioner at the office of the Office of the Information Commissioner.

Service of documents

16. (1) Any document required to be executed by the Office of the Information Commissioner shall be deemed to be duly executed if signed—

Execution of documents

 

(a)   by the Commissioner; or

 

(b)   outside Trinidad and Tobago, by the person or persons authorized by the Commissioner so to sign, but in such case the instrument so authorizing such person or persons shall be attached to and form part of the document.

 

(2)   Any cheque, bill of exchange or order for the payment of money required to be executed by the Commissioner shall be deemed to be duly executed if signed by a person or persons authorized to do so by the Commissioner.

 

 


 

17. (1) The Commissioner may employ such persons as he considers necessary for the due and efficient performance of his duties and functions under this Act on such terms and conditions as are agreed between the Commissioner and the person and subject to such maximum limit of remuneration as the Minister may determine.

Staff of the Office of Information Commissioner

(2) Subject to subsection (3) and the approval of the appropriate Service Commission or Statutory Authority and with the consent of the officer, any officer in the public service or a Statutory Authority may be seconded to the service of the Office of the Information Commissioner.

(3) Where a secondment referred to in subsection (2) is effected, arrangements shall be made to preserve the rights of the officer so transferred to any pension, gratuity or other allowance for which he would have been eligible had he not been seconded to or from the service of the Office of the Information Commissioner.

(4) A period of transfer on secondment shall be for three years and may only be extended for a further two years.

(5) Subject to the approval of the Commissioner, the appropriate Service Commission and with the consent of the officer, an officer in the public service or a Statutory Authority may be transferred to the service of the Office of the Information Commissioner on terms and conditions no less favourable than those enjoyed by the officer at the time of transfer in the public service or Statutory Authority, as the case may be.

(6) The Commissioner shall establish a pension plan, or where the establishment of a plan is not feasible, the Commissioner shall make arrangements for membership in an existing plan.

(7) Subject to the rules of the pension plan established in accordance with subsection (6), all employees of the Office of the Information Commissioner shall be eligible to become members of the pension plan established in accordance with subsection (6).

 


 

(8)    Superannuation benefits which had accrued to a person transferred in accordance with subsection (5) shall be preserved as at the date of his employment by the Commissioner and such benefits shall continue to accrue under the relevant pension law up to the date of establishing a pension plan for the date on which arrangements are made for membership in a plan on the basis of pay, pensionable emoluments or salary, as the case may be, applicable, at the time of this transfer to the office held by him immediately prior to his employment by the Commissioner.

 

(9)    Where a person who is transferred in accordance with subsection (5) dies, retires or his post in the Office of the Information Commissioner is abolished or he is retrenched by the Commissioner prior to establishing or prior to the arrangements being made for membership in a pension plan and, if at the date that his service is terminated by any of the above-mentioned methods he was in receipt of a salary higher than the pay, pensionable emoluments or salary referred to in subsection (8), the superannuation benefits payable to his estate or to him, as the case may be, shall be based on the higher salary.

 

(10)    The difference between the superannuation benefits payable on the basis of the higher salary referred to in subsection (9) and the superannuation benefits payable under the relevant pension law, on the basis of the pay, pensionable emoluments or salary referred to in subsection (8), shall be paid by the Commissioner.

 

(11) Where a person who is transferred in accordance with subsection (5) dies, retires or his post in the Office of the Information Commissioner is abolished or he is retrenched from the Office of the Information Commissioner while being a member of the pension plan established in accordance with subsection (6), he shall be paid superannuation benefits by the pension plan at the amount which, when combined with superannuation benefits payable under the relevant pension law, is equivalent to the benefits based on his pensionable service in the public service or a Statutory Authority combined with his service in the Office of the Information Commissioner and calculated at the final salary applicable to him on the date that his service was terminated by any of the above-mentioned methods.

 

(12)    For the purpose of subsection (11), “final salary” shall have the meaning assigned to it by the pension plan.

 

18. (1) Subject to subsection (2), the Commissioner may authorize any person according to their qualifications for the purposes of this Act, to exercise or perform, subject to such restrictions or limitations as the Commissioner may specify, any powers, duties or functions of the Commissioner.

Delegation

 

(2) The Commissioner may delegate to only the Deputy Information Commissioner responsibilities regarding review of personal information that deals with matters that may be exempt from disclosure pursuant to sections 24 to 26 of the Freedom of Information Act.

Chap. 22:02

19. (1) The Commissioner may appoint officers within the Office of the Information Commissioner to be inspectors according to their qualifications for the purposes of this Act and shall furnish each such inspector with a certificate of his designation.

Designation and powers of inspectors

(2) Where the Commissioner is conducting an enquiry or inspection under this Act the officers appointed under subsection (1) shall act on his behalf.

(3) An inspector shall, subject to sections 20 and 21, have the power to do all or any of the following things for the purpose of the execution of this Act:

(a) if he considers necessary, take with him when entering any premises, a police officer;

 


 

(b) to require any person whom he finds in or on such premises to give such information as is in his power to give as to who is the owner or occupier thereof and the employer of workers employed to work thereon;

(c) to make such examinations, inspections, investigations and enquiries as may be necessary to ascertain whether this Act is being complied with;

(d) to require the production of or to seize, inspect or examine and to copy registers, records or other documents;

(e) to examine, either alone or in the presence of any other person as the inspector deems necessary, for the purposes of this Act, with respect to the observance of the provisions of this Act or the Regulations, any person whom he finds on premises or whom he has reasonable cause to believe to be, or to have been within the preceding two months, employed thereon, and to require any such person to be so examined and to sign a declaration of the truth of the matters respecting which he is so examined; so, however, that no person shall be required under this provision to answer any question or to give evidence tending to incriminate himself; and

(f) to seize and detain for such time as may be necessary any article by means of which, or in relation to which he reasonably believes any provision of this Act has been contravened.

20. (1) Where the Information Commissioner is conducting an audit or enquiry into the practices of a Public Body for the purposes of ensuring compliance with the General Privacy Principles set out in Part I, or determining an appeal pursuant to Part III, the Commissioner may—

Power of Commissioner to conduct an audit or enquiry of a Public Body pursuant to Part III

 

(a)  with the permission of the head of the public body or on application for a warrant under subsection (4), enter and inspect any premises occupied by a public body for the purposes of an audit or enquiry;

 

(b)  require the production of any document or record relevant to the enquiry that is in the custody or control of a public body; or

 

(c)  seize and detain relevant documents on obtaining a warrant under subsection (4).

(2)    The Commissioner shall not retain any information obtained from an audit or enquiry under subsection (1) beyond the period for which it is required.

 

(3)    The Commissioner may exercise his powers under this section with respect to the Office of the President, Parliament, a Joint Select Committee of Parliament or a committee of either House of Parliament, the Cabinet, the Court of Appeal, the High Court, the Industrial Court, the Tax Appeal Board or any court of summary jurisdiction, the Tobago House of Assembly, the Executive Council of the Tobago House of Assembly only with the consent of the President, the Speaker of the House of Representatives or the President of the Senate, the Head of the Cabinet, the Chief Justice, the Presiding Officer, the Chief Administrator of the Tobago House of Assembly, the Chief Secretary of the Tobago House of Assembly or the Head of the Executive Council, as the case may be.

 

(4)    Where the head of a public body refuses to—

 

(a)  allow the Information Commissioner or any person acting for or under him to enter and inspect premises under subsection (1)(a), the Information Commissioner shall, where he believes that such entry is necessary, apply to a Magistrate for a warrant to so enter, seize and inspect; or

 


 

(b) produce a document or record under subsection (1)(b), the Information Commissioner shall, where he believes the request to be reasonable, apply to the Court for an Order requiring the public body to produce such documents.

(5) Subsection (4) shall not apply to any public body referred to in subsection (3).

(6) Where the Head of a Public Body referred to in section (3) refuses to—

(a) allow the Information Commissioner or any person acting for or under him to enter and inspect premises under subsection (1)(a);

(b) produce a document or record under subsection (1)(b);

the Information Commissioner may apply to a judge for an order to direct the Head of the Public Body to—

(c) allow the Information Commissioner or any person acting for or under him to enter and inspect premises and seize any document found therein for the purposes of an audit or enquiry; or

(d) produce the document or record.

21. (1) Where the Commissioner is conducting an audit or enquiry into the compliance practices of a person subject to the provisions of an enforceable code of conduct pursuant to Part IV of this Act, the Commissioner may, pursuant to the authority provided under subsection (2) by an order of the Court—

Power of Commissioner to conduct audit or enquiry pursuant to Part IV

 

(a)    require the production of any document or record that is in the custody or control of a person subject to an enforceable code of conduct; or

 

(b)   enter and inspect any premises occupied by a person subject to an enforceable code of conduct and seize any document or record found therein relevant to the audit or enquiry.

 

(2)   Where a private enterprise refuses to allow the Commissioner or any person acting for or under him to enter and inspect premises under subsection (1)(b), the Commissioner may apply to the Court for an Order to so enter and inspect.

 

(3)   Where a private enterprise refuses to produce a document or record under subsection (1)(b), the Commissioner may apply to the Court for an Order requiring the private enterprise to produce such documents.

 

(4)    The Commissioner shall not retain any information obtained from an audit or enquiry under subsection (1) beyond the period for which it is required.

 

Expenses and accounts of the Office of the Information Commissioner

22.  (1) All expenses of the Office of the Information Commissioner shall be met out of moneys provided by Parliament.

(2)    All revenues of the Office of the Information Commissioner shall be paid into the Consolidated Fund.

(3)   The accounts of the Office of the Information Commissioner shall be audited by the Auditor General in accordance with the provisions of the Exchequer and Audit Act, Chap. 69:01.

 

Statements made to Commissioner not admissible

23.    A statement made to or an answer given by a person during an investigation or enquiry by the Commissioner is inadmissible as evidence in court or any other proceeding, except in—

 

(a)  a prosecution for perjury in respect of sworn testimony made before the Commissioner;

(b)  a prosecution for an offence under this Act; or

 

(c)  an application for judicial review under this Act or an appeal from a decision with respect to that application.

 

Privileged information

24.    Anything said in information supplied or any data produced by a person during an investigation or enquiry by the Commissioner is privileged in the same manner as if the investigation or enquiry were a proceeding in a court.

 

Restrictions on disclosure of information by Commissioner and staff

25.  (1) The Commissioner and anyone acting for or under the direction of the Commissioner shall not disclose any information obtained in performing their duties, powers and functions under this Act.

(2)    Notwithstanding subsection (1), the Commissioner may disclose or may authorize anyone acting for or under the direction of the Commissioner, to disclose information—

(a)  necessary to conduct an investigation, audit or enquiry under this Act or establish grounds for findings and recommendations contained in a report under the Act; or

(b)  in the course of a prosecution or an appeal from, or judicial review of, a decision of the Commissioner.

Protection of Commissioner and staff

26.    Proceedings shall not lie against the Commissioner or a person acting for or under the direction of the Commissioner for anything done, reported or said in good faith in the exercise or performance or the intended exercise or performance of a duty, power or function under this Part.

 

Annual report of Commissioner

27.  (1) The Commissioner shall submit a report annually to Parliament within three months after the end of the calendar year on the activities of the Office of the Information Commissioner for the previous year commencing one year after the coming into operation of this Act.

 

(2)    The Commissioner may submit a special report to Parliament at any time commenting on any matters within the scope, duties and functions of the Commissioner where the matter is of such urgency or importance that it should not be deferred to the time of the next annual report to Parliament.

 

 

Commissioner to publish list of equivalent jurisdictions

28.    The Commissioner shall by Order publish in the Gazette and at least two newspapers in daily circulation in Trinidad and Tobago a list of countries which have comparable safeguards for personal information as provided by this Act.

 

PART III

 

PROTECTION OF PERSONAL DATA BY PUBLIC BODIES

 

Personal information

29.  (1) The following information about an individual who is or has been an employee or official of a public body is not personal information for the purpose of this Act:

 

(a)  the fact that the individual is or has been an employee or official of a public body;

 

(b)  the title, business address and business telephone number of the individual;

 

(c)  the name of the individual on a document prepared by the individual in the course of employment; and

(d)  the professional opinions or views of the individual given in the course of employment.

 

(2)   Information about an individual who is or was performing services under contract for a public body that relates to the services performed, including the terms of the performance, the name of the individual, and the opinions or views of the individual given in the course of the performance of those services is not personal information for the purposes of the Act.

 

(3)    Information relating to any discretionary benefit of a financial nature including the granting of a licence or permit conferred to an individual, including the name of the individual and the exact nature of the benefit is not personal information for the purposes of the Act.

 

(4)   Information about an individual who has been deceased for more than twenty years is not personal information for the purpose of this Act.

 

Collection of personal information

30.    Personal information shall not be collected by or for a public body unless—

(a)  the collection of that information is expressly authorized by or under any written law;

(b)  the information is collected for the purposes of law enforcement; or

(c)  that information relates directly to and is necessary for an operating programme or activity of the public body.

Personal information to be collected directly

31.  (1) Where a public body requires personal information from an individual it shall collect the personal information or cause the personal information to be collected directly from that individual.

 

(2)    Notwithstanding subsection (1), personal information may be collected from a source other than the individual where—

 

(a)  another method of collection is authorized by the individual, by the Commissioner or by any other written law;

 

(b)  the collection of information is necessary for medical treatment of an individual and it is not possible to collect the information directly from that individual or the collection is necessary to obtain authority from that person for another method of collection; and

 

(c)  the information is collected for the purpose of—

 

(i)   determining the suitability for an honour or award including an honorary degree, scholarship, prize or bursary;

 

(ii)   proceedings before a court or a judicial or quasi-judicial tribunal;

(iii)   collecting a debt or fine or making a payment; or

 

(iv) law enforcement.

 

Individual to be informed of purpose

32.  (1) A public body shall ensure that the individual from whom it collects personal information or causes personal information to be collected is informed of—

 

(a)  the purpose for collecting it;

 

(b)  the legal authority for collecting it; and

 

(c)  the title, business address and business telephone number of an official or employee of the public body who can answer the individual’s questions about the collection.

 

(2)   Subsection (1) shall not apply if compliance with subsection (1) would—

 

(a)  result in the collection of inaccurate information;

 

(b)  defeat the purpose or prejudice the use for which the information is to be collected;

 

(c)  prejudice a law enforcement matter; or

 

(d)  prejudice the defence of Trinidad and Tobago or of any foreign state allied to or associated with Trinidad and Tobago or harm the detection, prevention or suppression of espionage, sabotage or terrorism.

 

Retention of personal information used for an administrative purpose

33.    Personal information that has been used by a public body for an administrative purpose shall be retained by the authority for such period of time after it has been used as may be prescribed by Order of the Minister, to ensure that the individual to whom it relates has a reasonable opportunity to obtain access to that information.

 

Accuracy of personal information

34.    Where the personal information of an individual is in the custody or control of a public body and the personal information will be used by or on behalf of the public body to make a decision that directly affects the individual, the public body shall make every reasonable effort to ensure that the personal information is accurate and complete.

Protection of personal information

35.    A public body shall protect personal information in its custody or under its control by making reasonable security arrangements against such risks as unauthorized access, collection, use, alteration, disclosure or disposal.

Storage and access of personal information in Trinidad and Tobago

36.    A public body shall ensure or take steps to ensure that personal information in its custody or under its control is stored only in Trinidad and Tobago and accessed only in Trinidad and Tobago unless—

(a)  the individual to whom the information relates has identified the information and has consented in the prescribed manner to its being stored in or accessed from another jurisdiction; or

(b)  the information is stored in or accessed from another jurisdiction that has comparable safeguards as provided by this Act.

Disposal of personal information

37.    A public body shall dispose of all personal information in its control or custody in accordance with Regulations made by the Minister under this Act.

Use of personal information

38.    Personal information under the custody or control of a public body shall not, without the consent of the individual to whom it relates, be used by the authority except for the purpose for which the information was obtained or compiled by the public body, or for a use consistent with that purpose, or for a purpose for which the information may be disclosed by the public body pursuant to section 42.

Consistent purpose

39.    The use of personal information is consistent with the purposes for which it was obtained or compiled, if the use has a reasonable and direct connection to the purpose, and is necessary for performing the statutory duties of, or for operating a legally authorized programme of a public body that uses or discloses the information or causes the information to be used or disclosed.

 

Limitation on processing of sensitive personal information in possession of public body

40.  (1) A public body shall not process sensitive personal information unless it obtains the consent of the person to whom that sensitive personal information relates.

 

(2)    Notwithstanding subsection (1), sensitive personal information may be processed—

(a)  by a health care professional or an employee or agent of a health care body at the direction of a health care professional for the purposes of health and hospital care where it is necessary for—

 

(i)   preventative medicine and the protection of public health;

 

(ii)   medical diagnosis;

 

(iii)   health care and treatment; and

 

(iv)   the management of health and hospital care services;

 

(b)  where it has been made public by the person to whom such information relates;

 

(c)  for research and statistical purposes in accordance with section 43;

 

(d)  in the interest of law enforcement and national security;

 

(e)  for the purposes of determining access to social services; or

 

(f)  in accordance with or where authorized by any other written law.

 

(3)    For the purpose of this section, “health care professional” means a person registered under the—

(a)  Medical Board Act, Chap. 29:50;

(b)  Dental Profession Act, Chap. 29:54;

(c)  Opticians Registration Act, Chap. 29:51;

(d)  Pharmacy Board Act, Chap. 29:52;

(e)  Nurses and Midwives Registration Act, Chap. 29:53;

(f)  Professions Related to Medicine Act, Chap. 90:04; and

(g)  Emergency Ambulance Services and Emergency Medical Personnel Act, 2009 (Act No. 8 of 2009).

 

(4)    A person who contravenes this section commits an offence.

Disclosure of personal information in Trinidad and Tobago

41.    Personal information under the custody or control of a public body shall not be disclosed by the public body in Trinidad and Tobago without the consent of the individual to whom it relates, except in accordance with sections 42, 43, 44 and 45.

When personal information may be disclosed

42.    Except as provided under any other written law, personal information under the control of a public body may only be disclosed—

 

(a)  for the purposes for which the information was collected or compiled by the public body or for a use consistent with that purpose;

 

(b)  for any purpose in accordance with any written law or any order made pursuant to such written law that authorizes such disclosure;

(c)  for the purpose of complying with a subpoena or warrant issued or order made by a court, person or body with jurisdiction to compel the production of information or for the purpose of complying with rules of court relating to the production of information;

(d)  to the Attorney General of Trinidad and Tobago for the purpose of, or in connection with, legal proceedings involving the State, where such disclosure is reasonably required in the interests of fairness and prior notice of such disclosure is given to the person to whom the information relates;

(e)  to an investigative body specified by the Minister by Order, on the written request of the investigative body, for the purpose of investigating compliance with any written law or carrying out a lawful investigation, if the request specifies the purpose and describes the information to be provided;


(f)  by one law enforcement agency in Trinidad and Tobago to another law enforcement agency within Trinidad and Tobago for the purpose of enforcement of a written law;

 

(g)  to a law enforcement agency in a foreign country under a written agreement, treaty or under the authority of the Government of Trinidad and Tobago;

 

(h)  if the head of the public body agrees that a compelling circumstance exists that affects the health or safety of any person and if notice of the disclosure is mailed to the last known address of the individual to whom the information relates, unless the head of the public body has a reasonable belief that providing notification could harm the health or safety of any person;

 

(i)  so that the next of kin or friend of an injured, ill or deceased person may be contacted;

 

(j)  for the purpose of collecting monies owing by an individual to the Government of Trinidad and Tobago or by a public body to an individual;

 

(k)  for statistical purposes where the disclosure meets the requirements of section 43; or

 

(l)  for archival purposes where the disclosure meets the requirements of section 44.

 

Disclosure for research and statistical purposes

43.    A public body may disclose personal information or may cause personal information in its custody or control to be disclosed for a research purpose, including statistical research only if—

 

(a)  the research purpose cannot reasonably be accomplished unless that information is provided in individually identifiable form;

 

(b)  the information is disclosed on condition that it not be used for the purpose of contacting a person to participate in research;

(c)  any record linkage is not harmful to the individual to whom that information is about and the benefits to be derived from the record linkage are clearly in the public interest;

(d)  the head of the public body concerned has approved conditions relating to the following:

(i)   security and confidentiality;

(ii)   the removal or destruction of the individual identifiers at the earliest reasonable time; and

(iii)    the prohibition of any subsequent use or disclosure of that information in individually identifiable form without the express authorization of that public body; and

(e)  the person to whom that information is disclosed has signed an agreement to comply with the approved conditions, this Act and any of the public body’s policies and procedures relating to the confidentiality of personal information.

Disclosure for archival or historical purposes

44.    The archives of the Government of Trinidad and Tobago or the archives of a public body may disclose personal information or cause personal information in its custody or control to be disclosed for archival or historical purposes if—

 

(a)  the disclosure would not be an unreasonable invasion of professional or personal privacy;

(b)  the disclosure is for historical research and is in accordance with section 42;

 

 


(c)  the information concerns someone who has been deceased for twenty or more years; or

 

(d)  the information is in a record that has been in existence for one hundred or more years.

 

Disclosure of medical information to be restricted

45.    Notwithstanding sections 42, 43 and 44, medical information shall not be disclosed by a public body except—

 

(a)  with the consent of the person to whom such information relates; or

 

(b)  by order of the Court.

 

Disclosure of personal information outside of Trinidad and Tobago

46.  (1) Where personal information under the custody and control of a public body is to be disclosed to a party residing in another jurisdiction, the public body shall inform the individual to whom it relates of—

 

(a)  the purpose for which the information is being collected once that purpose is known to the public body; and

 

(b)  the identity of—

 

(i)   the person requesting the information; and

(ii)   the relevant public body with responsibility for Data Protection in the other jurisdiction,

 

and obtain his consent before disclosing the information.

 

(2)    Where a person under subsection (1) does not consent to the release of his personal information, the public body shall not so disclose.

 

(3)    Subsections (1) and (2) shall not apply where the circumstances set out in section 41 exist, but personal information may be limited where the public body determines that the jurisdiction to which the personal information is being sent does not have comparable standards.

 


(4)    Where a person under subsection (1) consents to the release of his information and the public body is—

(a)  satisfied that the jurisdiction to which the information is being sent has comparable safeguards, as provided by this Act, the public body shall disclose the personal information; or

 

(b)   not satisfied that the jurisdiction to which the information is being sent has comparable safeguards, the public body shall refer the matter to the Commissioner for a determination as to whether the other jurisdiction has comparable safeguards as provided by this Act and inform the individual to whom the personal information relates, of the referral.

 

(5)   Upon a referral under subsection (4)(b), the Commissioner shall make a determination whether the other jurisdiction has or does not have comparable safeguards as provided by this Act, and inform the public body accordingly.

 

(6)   Where the public body is informed that the jurisdiction to which the information is being sent—

 

(a)  has comparable safeguards, the public body shall inform the person concerned and disclose the personal information;

 

(b)  does not have comparable safeguards, the public body shall inform the person concerned and obtain his consent for the disclosure—

 

(i)   without limitation; or

 

(ii)   with limitation on the information sharing to the extent necessary to ensure the protection of personal privacy and information.

 

Privacy impact assessment and mitigation

47.  (1) Every public body shall prepare a privacy impact assessment, in the form prescribed by the Commissioner, for any proposed enactment, system, project, programme or activity where such enactment, system, project, programme or activity would or would reasonably be expected to substantially or materially impact personal information.

 

(2)   Upon preparation of a privacy impact assessment, every public body shall submit such privacy impact assessment to the Commissioner for approval.

 

(3)   Where a privacy impact assessment has been submitted in accordance with subsection (2), the Commissioner shall evaluate such privacy impact assessment in accordance with the General Privacy Principles set out in section 6 and where necessary, make recommendations to the public body for amendments.

 

(4)    Where the Commissioner makes a recommendation under subsection (3), the public body shall make the necessary amendments to its privacy impact assessment.

 

(5)    Every public body shall take all reasonable steps in accordance with its privacy impact assessment to avoid unnecessary intrusions into personal privacy when designing, implementing or enforcing enactments, systems, projects, programmes or activities.

 

Personal information banks

48.  (1) The Head of a Public Body shall cause to be included in personal information banks, all personal information under the control or in the custody of the public body that—

 

(a)  has been used, is being used or is available for use for an administrative purpose; or

 

(b)  is organized or intended to be retrieved by means of the name of an individual or by an identifying number, symbol or other particular assigned to an individual.

 

(2)    Notwithstanding subsection (1), personal information under the custody or control of the Archives of the Government of Trinidad and Tobago that has been transferred to it by a public body for historical or archival purposes shall not be included in personal information banks.

Information sharing

49.  (1) Where a public body intends to share information with other public bodies, it shall do so only pursuant to an agreement in a manner prescribed by the Commissioner by Order.

(2)    An Order under subsection (1) shall be published in the Gazette and two newspapers in daily circulation in Trinidad and Tobago.

Data matching shall be approved by Commissioner

50.  (1) Subject to subsection (5), before a public body matches personal information from a set of data with personal information from another set of data, whether or not pursuant to an information sharing agreement, the public body shall obtain the written authorization of the Commissioner.

 

(2)    In determining whether to authorize data matching by a public body or public bodies, using a data matching programme, the Commissioner shall consider whether or not—

 

(a)  the objective of the matching programme relates to a matter of significant public importance;

 

(b)  the matching programme would achieve the objective in a way which would achieve monetary savings that are both significant and quantifiable or will achieve other significant benefits to society;

 

(c)  the public interest in allowing the matching programme to proceed outweighs the public interest in adhering to the General Privacy Principles set out in section 6 that the programme would otherwise contravene; or

 


(d)  the programme involves data or information matching on a scale that is excessive, having regard to the number of public bodies that will be involved in the programme and the amount of details about the individual that would be matched under the programme.

 

(3)    The Information Commissioner shall complete his determination in respect of the data matching request within sixty days of the request.

 

(4)    In approving data matching by a public body or public bodies, the Commissioner may impose whatever terms and conditions that he considers appropriate.

 

(5)   Where the Information Commissioner fails to complete his determination in respect of a data matching request under subsection (3), the public body may apply to the Minister for a determination of the matter.

 

(6)   In giving his authorization under subsection (1), the Commissioner may give covering authorization to allow the matching of data where such matching is part of a system of practice approved by him.

 

Personal information index

51.  (1) The Commissioner shall publish periodically, but not less than annually, an index of the personal information that is held by the public bodies that includes a summary of the following:

(a)  the personal information banks that are in the custody or control of each public body;

(b)  the information sharing agreements entered into by any public body with another public body or other person;

(c)  the data matching activities approved by the Commissioner;

(d)  the contact information of the official to whom requests relating to personal information contained in the data bank should be sent;

(e)  a statement of the purposes for which personal information in the data bank was obtained or compiled and a statement of the uses consistent with those purposes for which the information is used or disclosed;

(f)  a statement of the retention and disposal standards and practices that apply to the personal information in the data bank; and

(g)  privacy impact assessments prepared by any Ministry of the Government of Trinidad and Tobago.

(2)    For the purpose of this section, “contact information” means the title, business address, business telephone and facsimile number and business e-mail of an official or employee of the public body.

(3)    Where the Commissioner publishes the index of personal information held by public bodies under subsection (1), such publication shall be made in the Gazette and at least two newspapers in daily circulation in Trinidad and Tobago.

Right of access to personal information in a public body

52.  (1) Subject to section 53, every individual who is in Trinidad and Tobago has a right to and shall on request, be given access to—

 

(a)  personal information about that individual contained in a personal information bank in the custody and control of a public body; and

 

(b)  any other personal information about the individual under the custody or control of a public body with respect to which the individual is able to provide sufficiently specific information on the location of the information as to render it reasonably retrievable by the public body.


(2)    A request for access to personal information shall be made to the public body that has control of the personal information bank or of the information, as the case may be, in the form approved by the Commissioner.

 

(3)   The Head of a Public Body may, where reasonable and in appropriate circumstances, provide personal information in accordance with the provisions of this Act in response to an oral request.

 

Refusal of access to personal information

53.  (1) A head of a public body may refuse to disclose personal information to the individual to whom the information relates where—

 

(a)  the disclosure would constitute an unjustified invasion of another individual’s personal privacy;

 

(b)  the disclosure could reasonably be expected to reveal information supplied in confidence;

(c)   it is evaluative or opinion material compiled solely for the purpose of determining suitability, eligibility or qualifications for employment or for the awarding of government contracts and other benefits where the disclosure would reveal the identity of a source who furnished information to the institution in circumstances where it may reasonably be assumed that the identity of the source would be held in confidence; and

 

(d)  a disclosure would result in disclosure of information that is exempt from disclosure under Part IV of the Freedom of Information Act, Chap. 22:02.

 

 

(2)   The Head of a Public Body may disregard requests from an individual for access to that individual’s personal information where it would unreasonably interfere with the operations of the public body because of the repetitious or systematic nature of the requests or the requests are frivolous or vexatious.

Severance and refusal to disclose existence of information

54.  (1) The Head of a Public Body shall make every effort to sever information that is exempt from disclosure pursuant to section 53 from information that may be made available to the individual requesting access to his personal information and make the non-exempt information available.

(2)   Where acknowledgment of the existence of information that is exempt from disclosure would reveal critical information about the nature or contents of the information, the Head of a Public Body may refuse to disclose the existence of the information.

Exercise of rights of deceased persons, etc.

55.    Any right or power conferred on an individual by this Act may be exercised—

(a)  where the individual is deceased, by the individual’s personal representative if the exercise of the right or power relates to the administration of the individual’s estate;

(b)  by the individual’s attorney under a power of attorney;

(c)  by the individual’s guardian; or

(d)  where the individual is less than eighteen years of age, by a person who has lawful custody of the individual.

Responsibilities of public bodies

56.  (1) Where a request is made for access to personal information pursuant to section 52, the head of the public body shall, within thirty days of the request being received where access is—

 

(a)  granted in whole or in part, give the information to the individual who made the request; or

(b)  refused in whole or in part, give the individual who made the request a written response stating—

(i)   that the information does not exist; or

 


 

(ii)   the specific provision of the Act on which a refusal could reasonably be expected to be based if the information existed; or

 

(c)   refused in whole or in part, give the individual who made the request information regarding the right of appeal to the Commissioner.

(2)   Where access is granted in whole or in part, the head of the public body shall ensure that the information is available in a comprehensive form, including where reasonable, comprehensible to an individual with a sensory disability.

 

Right to request correction of personal information

57.  (1) Where an individual believes there is an error or omission in his personal information, the individual may request the Head of a Public Body that has the information in its custody or under its control, to correct the information.

 

(2)   If no correction is made in response to a request under subsection (1), the Head of a Public Body shall annotate the information with the correction that was requested but not made and notify the individual who made the request that no correction was made.

 

(3)    On correcting or annotating personal information under this section, the Head of a Public Body shall notify any other public body or any third party to whom that information has been disclosed during the one-year period before the correction was requested, of such correction or annotation.

 

(4)   Upon being notified under subsection (3) of a correction or annotation of personal information, a public body shall make the correction or annotation on any record of that information in its custody or control.

 

Appeal to Information Commissioner

58.    An individual who has filed a request for his personal information pursuant to section 52 or who has requested correction of personal information pursuant to section 57 may appeal any decision of the head of the public body to the Commissioner.

 


Time for application

59.    An appeal to the Commissioner under section 58 shall be made within six weeks of the date when the notice was given of the decision appealed from, by filing with the Commissioner a written notice of appeal.

Complaints to the Commissioner

60.    Where an individual has a reasonable belief that a public body is not complying with the provisions of this Act, he may make a complaint to the Commissioner.

Immediate dismissal

61.    The Commissioner may dismiss—

(a)  an appeal if the notice of appeal does not present a reasonable basis for concluding that the personal information to which the notice relates exists or is incorrect; or

(b)  a complaint if the written complaint does not contain sufficient particulars to make a determination of non-compliance with the provisions of this Act.

Informing of notice of appeal

62.    Upon receiving the notice of appeal under section 59, or a complaint under section 60, the Commissioner shall inform the Head of a Public Body concerned and any other affected person of the notice of appeal or the complaint.

 

Mediation

63.    The Commissioner may authorize a mediator to investigate the circumstances of the appeal under section 58 and to try to effect a settlement of the matter under appeal.

Enquiry by the Commissioner

64.  (1) The Commissioner may conduct an enquiry to review the decision of the Head of a Public Body, or a complaint in respect of a public body, if the Commissioner has—

(a)  not authorized a mediator to conduct an investigation under section 63; or

 

(b)  authorized a mediator to conduct an investigation under section 63, but no settlement has been reached.

 


 

(2)   Where the Commissioner conducts an enquiry under this section he may, on the conclusion of such enquiry in respect of—

(a)  a request for access either—

 

(i)   affirm the decision of the Head of a Public Body; or

 

(ii)   order the Head of a Public Body to release the personal information or make the corrections requested;

 

(b)  a complaint—

 

(i)   dismiss the complaint; or

 

(ii)   order the Head of the Public Body to comply with the relevant provisions of this Act deemed to be in breach.

(3)    Where an enquiry is conducted under this section, it may be conducted by the Commissioner on his own or by a tribunal comprising the Commissioner and one or more Deputy Commissioners.

 

(4)    A person aggrieved by a decision of the Commissioner or the tribunal under this section may apply to the High Court for Judicial Review.

 

Enquiry in private

65.    The enquiry by the Commissioner or a mediator and any meetings held by a mediator with parties to the appeal may be conducted in private.

Representations

66.    The individual who requested access to or correction of personal information, the Head of a Public Body concerned and any affected party shall be given the opportunity to make representations to the Commissioner, but none is entitled to—

 

(a)  be present during;

 

(b)  have access to; or

 

(c)  comment on,

 

representations made to the Commissioner by any other person.

 


 

Right to counsel or an agent

67.    An individual who requests access to personal information, the Head of a Public Body concerned and any affected party may be represented by counsel or an agent.

 

Burden of proof 

68.    Where a public body refuses to give access to personal information, the burden of proof that the information lies within one of the specified exemptions of the Act is on a balance of probabilities and lies upon the public body.

PART IV

PROTECTION OF PERSONAL DATA BY THE PRIVATE SECTOR

Application of General Privacy Principles

69.    A person who—

(a)  collects, retains, manages, uses, processes or stores personal information in Trinidad and Tobago;

(b)  collects personal information from individuals in Trinidad and Tobago; or

(c)  uses an intermediary or telecommunications service provider located in Trinidad and Tobago to provide a service in furtherance of paragraph (a) or (b),

shall follow the General Privacy Principles set out in section 6 in dealing with personal information.

Codes of practice

70.    The Commissioner shall consult with industry to promote the application of the General Privacy Principles through the development of codes of practice through such means as—

 

(a)  providing guidance on the development of codes of practice;

 

(b)  providing guidance on complaint resolution mechanisms;

 

(c)  fostering education on the General Privacy Principles;


(d)  working with government and private sector bodies to promote awareness of codes of conduct among consumers; and

 

(e)  taking any action that appears to the Commissioner to be appropriate.

 

Commissioner may require development of code of conduct

71.  (1) Notwithstanding section 69 where, in the opinion of the Commissioner, the public interest warrants the immediate and mandatory development of codes of conduct dealing with the application of the General Privacy Principles to a particular industry, economic sector, or activity, the Commissioner may, by Order, require the development of a code of conduct and set a time limit for its development.

(2)    Subject to subsection (1), where there is an appropriate government regulator of an industry, economic sector or activity, the Commissioner may request the regulator to oversee the development of the code of conduct for that industry, economic sector or activity.

Cross border disclosure of personal information

72.  (1) Where a mandatory code of conduct is developed pursuant to section 71, it shall require at a minimum that personal information under the custody or control of an organization shall not be disclosed by that organization to any third party without the consent of the individual to whom it relates, except in general, where such information is disclosed for the purposes—

 

(a)  for which the information was collected or for use consistent with that purpose;

(b)  of a Court Order; or

 

(c)  of complying with any written law.

 

(2)    Where personal information under the custody and control of an organization is to be disclosed to a party residing in another jurisdiction, the organization shall inform the individual to whom it relates of the—

(a)  purpose for which the information is being collected once that purpose is known to the organisation;

 


 

(b)  identity of—

 

(i)   the person requesting the information; and

 

(ii)   the relevant public body with responsibility for Data Protection in the other jurisdiction,

 

and obtain his consent before disclosing the information.

 

(3)    Where a person under subsection (2) does not consent to the release of his personal information, the organization shall not so disclose.

 

(4)    Where a person under subsection (2) consents to the disclosure of his information and the organization is—

 

(a)  satisfied that the jurisdiction to which the information is being sent has comparable safeguards as provided by this Act, the organization shall disclose the personal information;

 

(b)  not satisfied that the jurisdiction to which the information is being sent has comparable safeguards, the organization shall refer the matter to the Commissioner for a determination as to whether the other jurisdiction has comparable safeguards as provided by this Act and inform the individual to whom the personal information relates of the referral.

 

(5)    Upon a referral under subsection (4), the Commissioner shall make a determination whether the other jurisdiction has or does not have comparable safeguards as provided by this Act, and inform the organization accordingly.

 

(6)    Where the organization is informed that the jurisdiction to which the information is being sent—

(a)  has comparable safeguards, the organization shall inform the person concerned and disclose the personal information; or


 

(b)  does not have comparable safeguards, the organization shall inform the person concerned and obtain his consent for the disclosure—

 

(i)   without limitation on the personal information; or

 

(ii)    with limitation on the personal information sharing to the extent necessary to ensure the protection of personal privacy and information.

 

Approval of code of conduct

73.  (1) Where a mandatory code of conduct is developed, the sector shall apply to the Commissioner for the approval of such code prior to its use.

(2)    Where a voluntary code of conduct is developed, the sector may apply to the Commissioner for the approval of such code prior to its use.

 

(3)    The Commissioner may approve a code of conduct dealing with compliance with the General Privacy Principles set out in section 6 developed by an industry sector, an industry organization or a professional body.

 

(4)    Where the Commissioner is satisfied that a code of conduct submitted for approval in accordance with subsection (1) or (2) meets the requirements set out in subsection (5), he shall approve the code of conduct.

(5)    In approving a code of conduct, the Commissioner shall consider—

(a)  compliance with the General Privacy Principles set out in section 6;

(b)  use and adequacy of dispute resolution mechanisms within the industry as well as within individual firms;

(c)  the potential for development or encouragement of anti-competitive conduct;

(d)  the adequacy of the process used to develop the code of conduct, including involvement of stakeholders, such as relevant consumers, suppliers and other interested groups;

 


 

(e)  the role of industry sector regulators if any; and

(f)  any other matters that the Commissioner considers relevant.

Mandatory codes of conduct

74.   (1) Where the Commissioner has approved a code of conduct, the Minister may by Order, make compliance with the code mandatory with respect to those to whom the code of conduct applies under this Act.

(2)    An Order made by the Minister under subsection (1), shall be subject to negative resolution of Parliament.

(3)    Where a code of conduct has been made mandatory under subsection (1), the persons or enterprises to whom or to which it applies shall comply with the provisions of the code of conduct.

(4)    Without limiting the generality of subsection (1), where a government regulator has jurisdiction over an industry, economic sector or activity so that the code of conduct dealing with the application of the General Privacy Principles can be made mandatory pursuant to other legislation, the regulator may make a code of conduct approved by the Commissioner mandatory.

(5)    Where an industry regulator has mandated compliance in dealing with the protection of personal privacy that has been approved by the Commissioner and the legislation under which the code of conduct has been made mandatory has adequate provisions for complaint resolution and sanctions for non-compliance with the provisions of the code of conduct, the Commissioner may forebear from exercising his powers with respect to compliance.

Right of access to personal information

75.  (1) An individual who has personal information stored in an organization which is subject to a mandatory code of conduct has a right to and shall on request, be given access to—

 

(a)  personal information about that individual in the custody and control of the organisation; and


(b)  any other personal information about the individual under the custody or control of the organization with respect to which the individual is able to provide sufficiently specific information on the location of the information as to render it reasonably retrievable by the organisation.

 

(2)   A request for access to personal information shall be made to the organization that has control of the personal information in the form approved by the Commissioner.

 

(3)   The organisation may, where reasonable and in appropriate circumstances, provide personal information in accordance with the provisions of this Act in response to an oral request.

 

Limitation on processing of sensitive personal information in the possession of a corporation

76.  (1) A corporation shall not process sensitive personal information in its possession unless it obtains the consent of the person to whom that sensitive personal information relates.

(2)    Notwithstanding subsection (1), sensitive personal information may be processed—

(a)  by a health care professional or an employee or agent of a health care body at the direction of a health care professional for the purposes of health and hospital care where it is necessary for—

 

(i)   preventative medicine and the protection of public health;

 

(ii)   medical diagnosis;

 

(iii)   health care and treatment; and

 

(iv)   the management of health and hospital care services;

 

(b)  where it has been made public by the person to whom such information relates;

 

(c)  for research and statistical purposes in accordance with section 43; and

 

(d)  where the disclosure is required by written law.

 


 

(3)    For the purpose of this section, “health care professional” means a person registered under the—

 

Chap. 29:50

(a)  Medical Board Act;

Chap. 29:54

(b)  Dental Profession Act;

Chap. 29:51

(c)  Opticians Registration Act;

Chap. 29:52

(d)  Pharmacy Board Act;

Chap. 29:53

(e)  Nurses and Midwives Registration Act;

Chap. 90:04

(f)  Professions Related to Medicine Act; and

Act No. 8 of 2009

(g)  Emergency Ambulance Services and Emergency Medical Personnel Act, 2009.

(4)    A person who contravenes this section commits an offence.

Refusal of request for access to personal information

77.  (1) The head of an organization subject to a mandatory code of conduct may, upon the written authorization of the Commissioner, disregard a request from an individual for access to that individual’s personal information where it would unreasonably interfere with the operations of the organization because of the repetitious or systematic nature of the requests or the requests are frivolous or vexatious.

(2)   Where an organization disregards a request under subsection (1) it shall notify the individual making the request.

Request for review or complaint to the Commissioner

78.    Where an organization is subject to a mandatory code of conduct and an individual has a reasonable belief that the organization has within its custody or control personal information regarding that individual, the individual may—

 

(a)  where the individual has requested access to or the correction of personal information held by an organization and the organization has refused such request, ask the Commissioner to conduct a review of the resulting decision, act or failure to act of the organization; or


(b)  make a complaint to the Commissioner regarding an alleged failure of the organization to comply with the provisions of the mandatory code of conduct.

 

Time for application for review or complaint

79.    A request for a review by, or a complaint to the Commissioner shall be made within six weeks of the date of the decision or six weeks from which the failure to comply with the mandatory codes of conduct first became known or should have become known.

Complaint to the Commissioner on non-compliance

79A. Where an individual has a reasonable belief that an organisation is not complying with the provisions of this Act, he may make a complaint to the Commissioner.

Immediate dismissal of request for review or complaint

80.    The Commissioner may not entertain—

(a)  a request for a review of the decision where the written request does not present a reasonable basis for concluding that the personal information to which the request relates, exists; or

(b)  a complaint under section 78 or 79A where the written complaint does not contain enough particulars to make a determination of non-compliance with the mandatory code of conduct on the part of the organization or this Act.

Notification of request or complaint

81.    Upon receiving the written request or complaint under section 78 or 79A, the Commissioner shall inform the head of the organization concerned and any other affected person of the request or complaint.

 

Enquiry of request or complaint

82.  (1) Subject to section 83(2), the Commissioner may conduct an enquiry into a request or complaint under section 78 or 79A.

 

(2)   Where the Commissioner conducts an enquiry under this section he may, on the conclusion of such enquiry in respect of—

(a)  a request for access to information or the correction of information—

 

(i)   affirm the decision of the organization;

 


 

(ii)    order the head of an organization to release the personal information or make the correction requested; or

 

(iii)   make the correction requested; or

 

(b)  a complaint—

 

(i)   dismiss the complaint; or

(ii)   order the head of the organization to comply with the provisions of the mandatory code of conduct or this Act.

(3)    Where an enquiry is conducted under this section, it may be conducted by the Commissioner on his own or by a tribunal comprising the Commissioner and one or more Deputy Commissioners.

(4)    A person aggrieved by a decision of the Commissioner or the tribunal under this section may apply to the High Court for Judicial Review.

Mediation of request

83.   (1) The Commissioner may authorize a mediator to investigate the circumstances of the request under section 78 and to try to effect a settlement of the matter.

(2)    Where the Commissioner has—

(a)  not authorized a mediator to conduct an investigation under subsection (1); or

(b)  authorized a mediator to conduct an investigation under subsection (1) but no settlement has been reached,

he may conduct an enquiry into a request under section 82.

Enquiry of request to be conducted in private

84.    An enquiry by the Commissioner or a mediator and any meetings held by a mediator with parties to the request may be conducted in private.

Representations

85.    An individual who requested access to, the correction of personal information or who made a complaint, the head of the organization concerned and any affected party shall be given the opportunity to make representations to the Commissioner, but none is entitled to—

 

(a)  be present during;

 

(b)  have access to; or

 

(c)  comment on,

 

representations made to the Commissioner by any other person.

 

Duties of directors

86.    Every director and officer of a corporation shall take reasonable care to ensure that the corporation complies with—

 

(a)  this Act and the regulations made thereunder; and

(b)  any Orders imposed by the Commissioner or his delegate.

 

PART V

 

CONTRAVENTION AND ENFORCEMENT

 

Obstruction

87.    A person who wilfully obstructs the Information Commissioner or any other person acting for or under the direction of the Commissioner in the course of carrying out an audit or an investigation, commits an offence.

False and misleading statements

88.  (1) A person who makes a request for access to or correction of personal information under false pretences, commits an offence.

(2)   A person who wilfully makes a false statement to mislead or attempts to mislead the Commissioner in the performance of his functions under this Act, commits an offence.

Failure to comply with an order

89.    A person who fails to comply with an order of the Commissioner, commits an offence.

Violation of whistle-blowing provisions

90.    A person who contravenes the provisions of section 99, commits an offence.

 


Offence for not complying with mandatory code of conduct

 

91.    Where a person to whom a mandatory code of conduct applies under section 74 fails to comply with such mandatory code of conduct, he commits an offence.

Contravention of Act

92.  (1) A person who wilfully discloses personal information in contravention of this Act, commits an offence.

 

(2)   A person who collects, stores or disposes of personal information in a manner that contravenes this Act commits an offence.

 

Breach of obligations of confidentiality

93.    A person who breaches the confidentiality obligations established by section 25, commits an offence.

Offences by directors and officers

94.    Where a corporation commits an offence under this Act, any officer, director or agent of the corporation who directed, authorized, assented to, or participated in the commission of the offence is a party to and commits an offence and is liable to the punishment provided for the offence.

Penalties

95.  (1) A person who commits an offence under this Act is liable upon—

(a)  summary conviction, to a fine of not more than fifty thousand dollars or to imprisonment for a term of three years; and

 

(b)  conviction on indictment, to a fine of not more than one hundred thousand dollars or to imprisonment for a term of not more than five years.

 

(2)   Where the offence under this Act is committed by a body corporate, the body corporate shall be liable upon—

 

(a)  summary conviction, to a fine of two hundred and fifty thousand dollars; and

 

(b)  conviction on indictment, to a fine of five hundred thousand dollars.

 


 

Penalties for corporations

96.   (1) Where a corporation contravenes any of the provisions of this Act, the Court may impose a fine of up to ten per cent of the annual turnover of the enterprise.

(2)   In imposing a fine under subsection (1), the Court shall take into account—

(a)  the estimate of the economic cost of the contravention to the consumers, users of the services in question or any other person affected by the contravention;

 

(b)  the estimate of the economic benefit of the contravention to the enterprise;

 

(c)  the time for which the contravention is in effect if continuing;

 

(d)  the number and seriousness of any other contraventions, if any, committed by the corporation; and

 

(e)  any other matter the Court may consider appropriate in the circumstances.

 

PART VI

 

MISCELLANEOUS

 

Costs of audit

97.    The Minister may order a public body or a corporation to pay the costs reasonably incurred in the performance of an audit pursuant to sections 20 and 21.

Jurisdiction of the Court

98.  (1) The Court shall have jurisdiction to hear and determine—

(a)  applications by the Information Commissioner for any Order which the Court considers appropriate to facilitate the enforcement of any provisions of this Act; and

 

(b)  upon application by the Information Commissioner, cases involving any contravention of the provisions of this Act and make such appropriate Orders in relation thereto.


 

Whistle-blowing protection 

99.    An employer whether or not a public body, shall not dismiss, suspend, demote, discipline, harass or otherwise disadvantage an employee or deny that employee a benefit, because—

(a)  the employee acting in good faith, and on the basis of reasonable belief has—

(i)   notified the Commissioner that the employer or any other person has contravened or is about to contravene this Act;

(ii)   done or stated the intention of doing anything that is required to be done in order to avoid having any person contravene this Act; or

(iii)    refused to do or stated the intention of refusing to do anything that is in contravention of this Act; or

(b)  the employer believes that the employee will do anything described in paragraph (a).

Regulations

100.  (1) The Minister may make Regulations for the purpose of—

 

(a)  prescribing anything required to be prescribed under this Act; and

(b)    giving effect to the provisions of this Act.

 

(2)    Regulations made under this section shall be subject to negative resolution of Parliament.

 

Chap. 22:02 amended

101. The Freedom of Information Act is amended in—

 

(a)  section 4—

(i)   by inserting after the definition of “applicant” the following definitions:

“ “decision of a public authority” means the refusal of a public authority to grant access to an official document or the failure of a public authority to comply with section 15 or 16(1) herein;

“Information Commissioner” means the person appointed pursuant to section 8 of the Data Protection Act;”;

 

(ii)    by deleting the definition of “personal information” and substituting the following definition:

 

“personal information” has the meaning assigned to it in the Data Protection Act;”;

 

(iii)   in the definition of “public authority”—

 

(A) in paragraph (j), by deleting the word “or”;

(B) by inserting after the words “control;” the word “or”;

(C) by inserting after paragraph (k) the following new paragraph:

“(l) the Office of Information Commissioner as appointed under section 7 of the Data Protection Act.”;

 

 

 

(b)  section 23(1) in paragraph (d), by deleting the words “High Court for judicial” and substituting the words “Information Commissioner for”;

 

(c)  section 30, by deleting subsections (1), (2) and (3) and substituting the following subsections:

 

“ (1) A document is an exempt document if its disclosure under this Act would involve the disclosure of personal information in a manner inconsistent with the Data Protection Act.

 


 

(2)   The provisions of subsection (1) shall not apply to a request by an individual for his own personal information, which request shall be treated as a request under the Data Protection Act.

 

(3)  Where a request by a person other than a person referred to in subsection (2) is made to a public body for access to a document containing personal information, the public body shall proceed in accordance with the Data Protection Act in deciding whether to grant access to such request.”;

 

(d)  section 36, by deleting subsection (1) and substituting the following subsection:

 

“(1) Where a document (whether or not it is one to which access has been given under this Act) contains personal information of an individual and that individual believes that the information is inaccurate, he shall proceed, and the public body shall address the matter in accordance with section 57 of the Data Protection Act.”;

 

(e)  section 38A—

 

(i)  in subsection (1), by deleting the word “Ombudsman” wherever it occurs and substituting the word “Information Commissioner”;

(ii)  in subsection (2), by deleting the word “Ombudsman” and substituting the words, “Information Commissioner”; and

  


(iii)   by deleting subsection (3) and substituting the following subsection:

 

“(3) The decisions of the Information Commissioner on issues relating to this Act shall be binding on Public Bodies.”; and

 

(iv)   by inserting after subsection (3) the following new subsection:

 

“(4) The Court shall have jurisdiction to hear and determine applications by the Information Commissioner for any Order which the Court considers appropriate to facilitate the enforcement of any provisions of this Act.;”

 

(f)  section 39, by repealing subsection (3); and

 

(g)  section 40, in—

 

(i)   subsections (1) and (2), by deleting the words “The Minister” wherever they occur and substituting the words “The Information Commissioner”; and

 

(ii)    subsection (3)(d), by deleting the word “Ombudsman” and substituting the word “Commissioner”.


SCHEDULE

 

PART A

 

(Section 8)

 

FORM OF OATH (AFFIRMATION) FOR INFORMATION COMMISSIONER

 

I, A. B. having been appointed Information Commissioner do swear by ……….....… (solemnly affirm) that I bear true faith and allegiance to Trinidad and Tobago and will uphold the Constitution and the law, that I will conscientiously, impartially and to the best of my knowledge, judgement and ability discharge the functions of my office and do right to all manner of people after the laws and usages of Trinidad and Tobago without fear or favour, affection or ill-will.

 

PART B

 

(Section 11)

FORM OF OATH (AFFIRMATION) FOR DEPUTY INFORMATION COMMISSIONER

I, A. B. having been appointed Deputy Information Commissioner do swear by …....……… (solemnly affirm) that I bear true faith and allegiance to Trinidad and Tobago and will uphold the Constitution and the law, that I will conscientiously, impartially and to the best of my knowledge, judgement and ability discharge the functions of my office and do right to all manner of people after the laws and usages of Trinidad and Tobago without fear or favour, affection or ill-will.

 


 

Passed in the House of Representatives this 11th day of February, 2011.

Clerk of the House

 

Passed in the Senate this 23rd day of May, 2011.

Clerk of the Senate

 

Senate Amendments agreed to by the House of Representatives on this 3rd day of June, 2011.

Clerk of the House
