
Act No. 13 of 2011 - Organization of American States


First Session Tenth Parliament Republic of Trinidad and Tobago

REPUBLIC OF TRINIDAD AND TOBAGO

Act No. 13 of 2011

[L.S.]

AN ACT to provide for the protection of personal privacy and information

[Assented to , 2011]

ENACTED by the Parliament of Trinidad and Tobago as follows:

PART I

PRELIMINARY

1. (1) This Act may be cited as the Data Protection Act, 2011.

Enactment

Short title and commencement


(2) This Act shall come into operation on such day as is fixed by the President by Proclamation.

2. In this Act—

“Commissioner” means the Information Commissioner appointed under section 8;

“Court” means the High Court of Trinidad and Tobago;

“data” means any document, correspondence, memorandum, book, plan, map, drawing, pictorial or graphic work, photograph, film, microfilm, sound recording, videotape, machine-readable record and any other documentary material, regardless of form or characteristics, and any copy of those things;

“data matching” means the comparison, whether naturally or by means of any electronic or other device, of any data that contains personal information about individuals with other documents containing personal information about individuals for the purpose of producing new forms of information about individuals;

“enterprise” means a partnership or body (corporate or unincorporated) engaged in business;

“Head of a Public Body” means the President, the Prime Minister, the President of the Senate, the Speaker of the House of Representatives, the Chief Administrator of the Tobago House of Assembly, the Chief Secretary of the Tobago House of Assembly, the Permanent Secretary of a Ministry, the Head of a Government Department, the Head of the Judiciary, Chief Executive Officer of an enterprise or the Chairman of an agency or where such title does not exist, the person who performs such duties;

Interpretation


“health care body” means a regional health authority established under the Regional Health Authorities Act, a hospital, extended care facility, clinic, psychiatric hospital as defined under the Mental Health Act, a private hospital as defined under the Private Hospitals Act, and similar bodies licensed by the Minister with responsibility for health;

“individual” means a natural person;

“information sharing agreement” means an agreement that sets conditions for one or more of the following:

(a) the exchange of personal information between a public body and a person, a group of persons or an organization;

(b) the disclosure of personal information by a public body to a person, a group of persons or an organization; or

(c) a collection of personal information by a public body from a public body, a person or a group of persons of an organization;

“Minister” means the Minister to whom responsibility for data protection is assigned and “Ministry” shall be construed accordingly;

“personal information” means information about an identifiable individual that is recorded in any form including—

(a) information relating to the race, nationality or ethnic origin, religion, age or marital status of the individual;

Chap. 29:05

Chap. 28:02

Chap. 29:03


(b) information relating to the education or the medical, criminal or employment history of the individual or information relating to the financial transactions in which the individual has been involved or which refers to the individual;

(c) any identifying number, symbol or other particular designed to identify the individual;

(d) the address and telephone contact number of the individual;

(e) the name of the individual where it appears with other personal information relating to the individual or where the disclosure of the name itself would reveal information about the individual;

(f) correspondence sent to an establishment by the individual that is explicitly or implicitly of a private or confidential nature, and any replies to such correspondence which would reveal the contents of the original correspondence;

(g) the views and opinions of any other person about the individual; or

(h) the fingerprints, deoxyribonucleic acid, blood type or the biometric characteristics of the individual;

“personal information bank” means a collection of personal information that is organized or retrievable by the name of the individual or by an identifying number, symbol or other particulars assigned to the individual;


“premises” includes land or any vessel, vehicle or aircraft and references to the occupier or any premises include references to the person in charge of the land or any vessel, vehicle or aircraft;

“privacy impact assessment” means an assessment that is conducted to determine if a proposed enactment, system, project, programme or activity meets the requirements of the General Privacy Principles of section 6;

“public body” means—

(a) the Office of the President;

(b) Parliament, a Joint Select Committee of Parliament or a committee of either House of Parliament;

(c) the Court of Appeal, the High Court, the Industrial Court, the Tax Appeal Board or any court of summary jurisdiction;

(d) the Cabinet as constituted under the Constitution, a Ministry or Department, Division or Agency of a Ministry;

(e) the Tobago House of Assembly, the Executive Council of the Tobago House of Assembly or a division of the Tobago House of Assembly;

(f) a municipal corporation established under the Municipal Corporations Act;

(g) a statutory body, responsibility for which is assigned to a Minister of Government;

Chap. 25:04


(h) a company incorporated under the laws of Trinidad and Tobago that is owned and controlled by the State;

(i) a Service Commission established under the Constitution or other written law; or

(j) a body corporate or an unincorporated entity in relation to any function that it exercises on behalf of the State, or which is supported, directly or indirectly by Government funds and over which Government is in a position to exercise control;

“record” means recorded information collected, created or received in the initiation, conduct or completion of an activity and that comprises sufficient content, context and structure to provide evidence or proof of that activity or transaction;

“sensitive personal information” means information on a person’s–

(a) racial or ethnic origins;

(b) political affiliations or trade union membership;

(c) religious beliefs or other beliefs of a similar nature;

(d) physical or mental health or condition;

(e) sexual orientation or sexual life; or

(f) criminal or financial record;


“sensory disability” means a disability that relates to sight or hearing; and

“service provider” means a person retained under a contract to perform services of a public body.

3. This Act binds the State.

4. The object of this Act is to ensure that protection is afforded to an individual’s right to privacy and the right to maintain sensitive personal information as private and personal.

5. This Act shall not—

(a) limit information available by law to a party in any proceeding;

(b) limit the power of a court or tribunal to compel a witness to testify or to compel the production of a document or other evidence; or

(c) apply to notes prepared by or for an individual presiding in a court of Trinidad and Tobago or in a tribunal if those notes are prepared for that individual’s personal use in connection with the proceedings.

6. The following principles are the General Privacy Principles which are applicable to all persons who handle, store or process personal information belonging to another person:

(a) an organization shall be responsible for the personal information under its control;

(b) the purpose for which personal information is collected shall be identified by the organization before or at the time of collection;

Act binds the State

Object of the Act

Inapplicability of Act

General Privacy Principles


(c) knowledge and consent of the individual are required for the collection, use or disclosure of personal information;

(d) collection of personal information shall be legally undertaken and be limited to what is necessary in accordance with the purpose identified by the organization;

(e) personal information shall only be retained for as long as is necessary for the purpose collected and shall not be disclosed for purposes other than the purpose of collection without the prior consent of the individual;

(f) personal information shall be accurate, complete and up-to-date as is necessary for the purpose of collection;

(g) personal information is to be protected by such appropriate safeguards having regard to the sensitivity of the information;

(h) sensitive personal information is protected from processing except where otherwise provided for by written law;

(i) organizations are to make available to individuals documents regarding their policies and practices related to the management of personal information except where otherwise provided by written law;

(j) organizations shall, except where otherwise provided by written law, disclose at the request of the individual, all documents relating to the existence, use and disclosure of personal information, such that the individual can challenge the accuracy and completeness of the information;


(k) the individual has the ability to challenge the organization’s compliance with the above principles and receive timely and appropriate engagement from the organization; and

(l) personal information which is requested to be disclosed outside of Trinidad and Tobago shall be regulated and comparable safeguards to those under this Act shall exist in the jurisdiction receiving the personal information.

PART II

OFFICE OF THE INFORMATION COMMISSIONER

7. There is hereby established a body corporate to be known as the Office of the Information Commissioner.

8. (1) There shall be an Information Commissioner (hereinafter referred to as “the Commissioner”) who shall—

(a) be the head of the Office of the Information Commissioner;

(b) be appointed by the President; and

(c) possess the qualifications and experience set out in subsection (2).

(2) A person appointed to be the Information Commissioner under subsection (1) shall be an attorney-at-law within the meaning of the Legal Profession Act with at least ten years standing and shall have training or experience in economics, finance, information security, technology, audit or human resource management.

(3) A person appointed under subsection (1) shall hold office for five years and may be reappointed.

Office of the Information Commissioner

Appointment of Information Commissioner

Chap. 90:03


(4) A person appointed under subsection (1) shall, before he performs the functions of Information Commissioner, take and subscribe to the oath of office set out in Part A of the Schedule.

9. (1) The Commissioner shall monitor the administration of this Act to ensure its purposes are achieved.

(2) In carrying out his powers under subsection (1), the Commissioner may—

(a) conduct audits and investigations to ensure compliance with any provision of this Act;

(b) advise on the privacy protection implications of proposed legislative schemes or government programmes and receive representations from the public concerning data protection and privacy matters;

(c) after hearing representations from the Head of a Public Body or an organization subject to a mandatory code of conduct and who may be engaged in processes that may be in contravention of this Act, order the public body or organization to cease collection practices or destroy collections of personal information that contravene this Act;

(d) authorize the collection of personal information otherwise than directly from the individual in appropriate circumstances;

(e) make orders regarding the reasonableness of fees required by an organization subject to this Act;

(f) authorize data matching by a public body or public bodies;

(g) make orders, including such terms and conditions as the Commissioner considers appropriate, following an appeal or complaint filed by an individual pursuant to section 58, 78 or 79A;

Schedule

Powers of Information Commissioner


(h) make orders regarding compliance with the General Privacy Principles set out in section 6 by a public body or an organization subject to a mandatory code of conduct;

(i) publish guidelines regarding compliance with the Act, including but not limited to guidelines on the development of industry codes of conduct, firm compliance policies, procedures for handling complaints, guidelines dealing with conflict of interest for industry bodies or individuals who mediate or deal with complaint resolution, guidelines dealing with security of information and information systems, and guidelines for information sharing agreements or data matching agreements;

(j) exercise his corporate powers in relation thereto in such manner as he thinks fit, in accordance with this Act;

(k) make such administrative arrangements as may be necessary for the proper conduct of his functions; and

(l) exercise such other powers as may be assigned to him under any other written law.

10. The Commissioner appointed under section 8 shall—

(a) promote the development of codes of conduct for guidance as to good practice;

(b) promote the adherence to good practices by persons subject to this Act;

(c) disseminate information about this Act;

(d) monitor compliance with this Act;

Functions of Information Commissioner


(e) co-operate with counterparts in other jurisdictions to promote the protection of personal privacy in the public and private sectors;

(f) carry out special studies or research regarding privacy or related issues;

(g) bring to the attention of the head of the public body or organization subject to a mandatory code of conduct any failure to meet the standards imposed by the General Privacy Principles set out in section 6 or the responsibilities established by Part III and Part IV of this Act;

(h) issue public reports on the status of compliance with this Act;

(i) review and approve privacy impact assessments as required by this Act; and

(j) exercise such other functions that may be assigned to him under any other written law.

11. (1) The President may appoint no more than two Deputy Information Commissioners who shall meet the same requirements for qualifications or experience as specified for the Information Commissioner under section 8.

(2) Where more than one Deputy Information Commissioner is appointed the President shall specify which function each respective Deputy Information Commissioner shall perform either under this Act or under the Freedom of Information Act, 1999 or any other written law.

(3) A Deputy Information Commissioner appointed under subsection (1) shall hold office for a period not exceeding five years and may be reappointed.

Deputy Information Commissioner


(4) A Deputy Information Commissioner may, in the absence or incapacity of the Commissioner, act in his place.

(5) Where the post of Information Commissioner is vacant, a Deputy Information Commissioner may act as the Information Commissioner until such time as a Commissioner is appointed to the vacant post.

(6) In the absence or incapacity of a Deputy Information Commissioner, the President may appoint an acting Deputy Information Commissioner.

(7) A person appointed under subsection (1) shall, before he performs the functions of Deputy Information Commissioner, take and subscribe to the oath of office set out in Part B of the Schedule.

12. (1) The Commissioner or Deputy Information Commissioner may be removed from office only for cause, including misconduct in relation to his duties or physical or mental inability to fulfil the responsibilities of the office.

(2) The Commissioner or Deputy Information Commissioner may at any time resign his office by letter addressed to the President.

13. Section 141 of the Constitution shall apply to the offices of the Commissioner and the Deputy Information Commissioner.

14. (1) The Office of the Information Commissioner shall have a seal which shall be kept in the custody of the Commissioner and shall be judicially noticed as such.

(2) The seal of the Office of the Information Commissioner may be affixed to documents and instruments in the presence of the Commissioner and shall be attested by the signature of the Commissioner and the signature shall be sufficient evidence that the seal was duly and properly affixed and is the lawful seal of the Office of the Information Commissioner.

Resignation or removal of Information Commissioner and Deputy Information Commissioner

Remuneration of Information Commissioner and Deputy Information Commissioner

Seal of Office of the Information Commissioner


(3) All documents, other than those required by law to be under seal made by, and all decisions of the Commissioner may be signified under the hand of the Commissioner.

(4) Notwithstanding the provisions of the Conveyancing and Law of Property Act and the Real Property Act relating to the matters thereunder required to be performed and to the mode of their performance prior to the registration of a Deed, document or other instrument, the affixing of the seal of the Office of the Information Commissioner and the signing by the Commissioner in the manner set out in subsection (2) shall be, and shall be taken as sufficient evidence for the purposes of those Acts of the due execution by the Office of the Information Commissioner of any Deed, document or other instrument.

15. Service upon the Commissioner of any notice, order or other document shall be effected by delivering the same or by sending it by registered post addressed to the Commissioner at the office of the Office of the Information Commissioner.

16. (1) Any document required to be executed by the Office of the Information Commissioner shall be deemed to be duly executed if signed—

(a) by the Commissioner; or

(b) outside Trinidad and Tobago, by the person or persons authorized by the Commissioner so to sign, but in such case the instrument so authorizing such person or persons shall be attached to and form part of the document.

(2) Any cheque, bill of exchange or order for the payment of money required to be executed by the Commissioner shall be deemed to be duly executed if signed by a person or persons authorized to do so by the Commissioner.

Chap. 56:02

Chap. 56:01

Service of documents

Execution of documents


17. (1) The Commissioner may employ such persons as he considers necessary for the due and efficient performance of his duties and functions under this Act on such terms and conditions as are agreed between the Commissioner and the person and subject to such maximum limit of remuneration as the Minister may determine.

(2) Subject to subsection (3) and the approval of the appropriate Service Commission or Statutory Authority and with the consent of the officer, any officer in the public service or a Statutory Authority may be seconded to the service of the Office of the Information Commissioner.

(3) Where a secondment referred to in subsection (2) is effected, arrangements shall be made to preserve the rights of the officer so transferred to any pension, gratuity or other allowance for which he would have been eligible had he not been seconded to or from the service of the Office of the Information Commissioner.

(4) A period of transfer on secondment shall be for three years and may only be extended for a further two years.

(5) Subject to the approval of the Commissioner, the appropriate Service Commission and with the consent of the officer, an officer in the public service or a Statutory Authority may be transferred to the service of the Office of the Information Commissioner on terms and conditions no less favourable than those enjoyed by the officer at the time of transfer in the public service or Statutory Authority, as the case may be.

(6) The Commissioner shall establish a pension plan, or where the establishment of a plan is not feasible, the Commissioner shall make arrangements for membership in an existing plan.

(7) Subject to the rules of the pension plan established in accordance with subsection (6), all employees of the Office of the Information Commissioner shall be eligible to become members of the pension plan established in accordance with subsection (6).

Staff of the Office of Information Commissioner


(8) Superannuation benefits which had accrued to a person transferred in accordance with subsection (5) shall be preserved as at the date of his employment by the Commissioner and such benefits shall continue to accrue under the relevant pension law up to the date of establishing a pension plan for the date on which arrangements are made for membership in a plan on the basis of pay, pensionable emoluments or salary, as the case may be, applicable, at the time of this transfer to the office held by him immediately prior to his employment by the Commissioner.

(9) Where a person who is transferred in accordance with subsection (5) dies, retires or his post in the Office of the Information Commissioner is abolished or he is retrenched by the Commissioner prior to establishing or prior to the arrangements being made for membership in a pension plan and, if at the date that his service is terminated by any of the above-mentioned methods he was in receipt of a salary higher than the pay, pensionable emoluments or salary referred to in subsection (8), the superannuation benefits payable to his estate or to him, as the case may be, shall be based on the higher salary.

(10) The difference between the superannuation benefits payable on the basis of the higher salary referred to in subsection (9) and the superannuation benefits payable under the relevant pension law, on the basis of the pay, pensionable emoluments or salary referred to in subsection (8), shall be paid by the Commissioner.

(11) Where a person who is transferred in accordance with subsection (5) dies, retires or his post in the Office of the Information Commissioner is abolished or he is retrenched from the Office of the Information Commissioner while being a member of the pension plan established in accordance with subsection (6), he shall be paid superannuation benefits by the pension plan at the amount which, when combined with superannuation benefits payable under the relevant pension law, is equivalent to the benefits based on his pensionable service in the public service or a Statutory Authority combined with his service in the Office of the Information Commissioner and calculated at the final salary applicable to him on the date that his service was terminated by any of the above-mentioned methods.

(12) For the purpose of subsection (11), “final salary” shall have the meaning assigned to it by the pension plan.

18. (1) Subject to subsection (2), the Commissioner may authorize any person according to their qualifications for the purposes of this Act, to exercise or perform, subject to such restrictions or limitations as the Commissioner may specify, any powers, duties or functions of the Commissioner.

(2) The Commissioner may delegate to only the Deputy Information Commissioner responsibilities regarding review of personal information that deals with matters that may be exempt from disclosure pursuant to sections 24 to 26 of the Freedom of Information Act.

19. (1) The Commissioner may appoint officers within the Office of the Information Commissioner to be inspectors according to their qualifications for the purposes of this Act and shall furnish each such inspector with a certificate of his designation.

(2) Where the Commissioner is conducting an enquiry or inspection under this Act the officers appointed under subsection (1) shall act on his behalf.

(3) An inspector shall, subject to sections 20 and 21, have the power to do all or any of the following things for the purpose of the execution of this Act:

(a) if he considers necessary, take with him when entering any premises, a police officer;

Delegation

Chap. 22:02

Designation and powers of inspectors


(b) to require any person whom he finds in or on such premises to give such information as is in his power to give as to who is the owner or occupier thereof and the employer of workers employed to work thereon;

(c) to make such examinations, inspections, investigations and enquiries as may be necessary to ascertain whether this Act is being complied with;

(d) to require the production of or to seize, inspect or examine and to copy registers, records or other documents;

(e) to examine, either alone or in the presence of any other person as the inspector deems necessary, for the purposes of this Act, with respect to the observance of the provisions of this Act or the Regulations, any person whom he finds on premises or whom he has reasonable cause to believe to be, or to have been within the preceding two months, employed thereon, and to require any such person to be so examined and to sign a declaration of the truth of the matters respecting which he is so examined; so, however, that no person shall be required under this provision to answer any question or to give evidence tending to incriminate himself; and

(f) to seize and detain for such time as may be necessary any article by means of which, or in relation to which he reasonably believes any provision of this Act has been contravened.

Power of Commissioner to conduct an audit or enquiry of a Public Body pursuant to Part III

20. (1) Where the Information Commissioner is conducting an audit or enquiry into the practices of a Public Body for the purposes of ensuring compliance with the General Privacy Principles set out in Part I, or determining an appeal pursuant to Part III, the Commissioner may—

(a) with the permission of the head of the public body or on application for a warrant under subsection (4), enter and inspect any premises occupied by a public body for the purposes of an audit or enquiry;

(b) require the production of any document or record relevant to the enquiry that is in the custody or control of a public body; or

(c) seize and detain relevant documents on obtaining a warrant under subsection (4).

(2) The Commissioner shall not retain any information obtained from an audit or enquiry under subsection (1) beyond the period for which it is required.

(3) The Commissioner may exercise his powers under this section with respect to the Office of the President, Parliament, a Joint Select Committee of Parliament or a committee of either House of Parliament, the Cabinet, the Court of Appeal, the High Court, the Industrial Court, the Tax Appeal Board or any court of summary jurisdiction, the Tobago House of Assembly, the Executive Council of the Tobago House of Assembly only with the consent of the President, the Speaker of the House of Representatives or the President of the Senate, the Head of the Cabinet, the Chief Justice, the Presiding Officer, the Chief Administrator of the Tobago House of Assembly, the Chief Secretary of the Tobago House of Assembly or the Head of the Executive Council, as the case may be.

(4) Where the head of a public body refuses to—

(a) allow the Information Commissioner or any person acting for or under him to enter and inspect premises under subsection (1)(a), the Information Commissioner shall, where he believes that such entry is necessary, apply to a Magistrate for a warrant to so enter, seize and inspect; or


(b) produce a document or record under subsection (1)(b), the Information Commissioner shall, where he believes the request to be reasonable, apply to the Court for an Order requiring the public body to produce such documents.

(5) Subsection (4) shall not apply to any public body referred to in subsection (3).

(6) Where the Head of a Public Body referred to in section (3) refuses to—

(a) allow the Information Commissioner or any person acting for or under him to enter and inspect premises under subsection (1)(a);

(b) produce a document or record under subsection (1)(b);

the Information Commissioner may apply to a judge for an order to direct the Head of the Public Body to—

(c) allow the Information Commissioner or anyperson acting for or under him to enter andinspect premises and seize any documentfound therein for the purposes of an adult orenqiry; or

(d) produce the document or record.

21. (1) Where the Commissioner is conducting an audit or enquiry into the compliance practices of a person subject to the provisions of an enforceable code of conduct pursuant to Part IV of this Act, the Commissioner may, pursuant to the authority provided under subsection (2) by an order of the Court—

(a) require the production of any document or record that is in the custody or control of a person subject to an enforceable code of conduct; or

(b) enter and inspect any premises occupied by a person subject to an enforceable code of conduct and seize any document or record found therein relevant to the audit or enquiry.

Power of Commissioner to conduct audit or enquiry pursuant to Part IV

(2) Where a private enterprise refuses to allow the Commissioner or any person acting for or under him to enter and inspect premises under subsection (1)(b), the Commissioner may apply to the Court for an Order to so enter and inspect.

(3) Where a private enterprise refuses to produce a document or record under subsection (1)(b), the Commissioner may apply to the Court for an Order requiring the private enterprise to produce such documents.

(4) The Commissioner shall not retain any information obtained from an audit or enquiry under subsection (1) beyond the period for which it is required.

22. (1) All expenses of the Office of the Information Commissioner shall be met out of moneys provided by Parliament.

(2) All revenues of the Office of the Information Commissioner shall be paid into the Consolidated Fund.

(3) The accounts of the Office of the Information Commissioner shall be audited by the Auditor General in accordance with the provisions of the Exchequer and Audit Act.

23. A statement made to or an answer given by a person during an investigation or enquiry by the Commissioner is inadmissible as evidence in court or any other proceeding, except in—

(a) a prosecution for perjury in respect of sworn testimony made before the Commissioner;

(b) a prosecution for an offence under this Act; or

(c) an application for judicial review under this Act or an appeal from a decision with respect to that application.

Expenses and accounts of the Office of the Information Commissioner

Chap. 69:01

Statements made to Commissioner not admissible


24. Anything said in information supplied or any data produced by a person during an investigation or enquiry by the Commissioner is privileged in the same manner as if the investigation or enquiry were a proceeding in a court.

25. (1) The Commissioner and anyone acting for or under the direction of the Commissioner shall not disclose any information obtained in performing their duties, powers and functions under this Act.

(2) Notwithstanding subsection (1), the Commissioner may disclose or may authorize anyone acting for or under the direction of the Commissioner, to disclose information—

(a) necessary to conduct an investigation, audit or enquiry under this Act or establish grounds for findings and recommendations contained in a report under the Act; or

(b) in the course of a prosecution or an appeal from, or judicial review of, a decision of the Commissioner.

26. Proceedings shall not lie against the Commissioner or a person acting for or under the direction of the Commissioner for anything done, reported or said in good faith in the exercise or performance or the intended exercise or performance of a duty, power or function under this Part.

27. (1) The Commissioner shall submit a report annually to Parliament within three months after the end of the calendar year on the activities of the Office of the Information Commissioner for the previous year commencing one year after the coming into operation of this Act.

(2) The Commissioner may submit a special report to Parliament at any time commenting on any matters within the scope, duties and functions of the Commissioner where the matter is of such urgency or importance that it should not be deferred to the time of the next annual report to Parliament.

Protection of Commissioner and staff

Annual report of Commissioner

Privileged information

Restrictions on disclosure of information by Commissioner and staff


28. The Commissioner shall by Order publish in the Gazette and at least two newspapers in daily circulation in Trinidad and Tobago a list of countries which have comparable safeguards for personal information as provided by this Act.

PART III
PROTECTION OF PERSONAL DATA BY PUBLIC BODIES

29. (1) The following information about an individual who is or has been an employee or official of a public body is not personal information for the purpose of this Act:

(a) the fact that the individual is or has been an employee or official of a public body;

(b) the title, business address and business telephone number of the individual;

(c) the name of the individual on a document prepared by the individual in the course of employment; and

(d) the professional opinions or views of the individual given in the course of employment.

(2) Information about an individual who is or was performing services under contract for a public body that relates to the services performed, including the terms of the performance, the name of the individual, and the opinions or views of the individual given in the course of the performance of those services is not personal information for the purposes of the Act.

(3) Information relating to any discretionary benefit of a financial nature including the granting of a licence or permit conferred to an individual, including the name of the individual and the exact nature of the benefit is not personal information for the purposes of the Act.

(4) Information about an individual who has been deceased for more than twenty years is not personal information for the purpose of this Act.

Commissioner to publish list of equivalent jurisdictions

Personal information


30. Personal information shall not be collected by or for a public body unless—

(a) the collection of that information is expressly authorized by or under any written law;

(b) the information is collected for the purposes of law enforcement; or

(c) that information relates directly to and is necessary for an operating programme or activity of the public body.

31. (1) Where a public body requires personal information from an individual it shall collect the personal information or cause the personal information to be collected directly from that individual.

(2) Notwithstanding subsection (1), personal information may be collected from a source other than the individual where—

(a) another method of collection is authorized by the individual, by the Commissioner or by any other written law;

(b) the collection of information is necessary for medical treatment of an individual and it is not possible to collect the information directly from that individual or the collection is necessary to obtain authority from that person for another method of collection; and

(c) the information is collected for the purpose of—

(i) determining the suitability for an honour or award including an honorary degree, scholarship, prize or bursary;

(ii) proceedings before a court or a judicial or quasi-judicial tribunal;

(iii) collecting a debt or fine or making a payment; or

(iv) law enforcement.

Collection of personal information

Personal information to be collected directly


32. (1) A public body shall ensure that the individual from whom it collects personal information or causes personal information to be collected is informed of—

(a) the purpose for collecting it;

(b) the legal authority for collecting it; and

(c) the title, business address and business telephone number of an official or employee of the public body who can answer the individual’s questions about the collection.

(2) Subsection (1) shall not apply if compliance with subsection (1) would—

(a) result in the collection of inaccurate information;

(b) defeat the purpose or prejudice the use for which the information is to be collected;

(c) prejudice a law enforcement matter; or

(d) prejudice the defence of Trinidad and Tobago or of any foreign state allied to or associated with Trinidad and Tobago or harm the detection, prevention or suppression of espionage, sabotage or terrorism.

33. Personal information that has been used by a public body for an administrative purpose shall be retained by the authority for such period of time after it has been used as may be prescribed by Order of the Minister, to ensure that the individual to whom it relates has a reasonable opportunity to obtain access to that information.

34. Where the personal information of an individual is in the custody or control of a public body and the personal information will be used by or on behalf of the public body to make a decision that directly affects the individual, the public body shall make every reasonable effort to ensure that the personal information is accurate and complete.

Retention of personal information used for an administrative purpose

Accuracy of personal information

Individual to be informed of purpose


35. A public body shall protect personal information in its custody or under its control by making reasonable security arrangements against such risks as unauthorized access, collection, use, alteration, disclosure or disposal.

36. A public body shall ensure or take steps to ensure that personal information in its custody or under its control is stored only in Trinidad and Tobago and accessed only in Trinidad and Tobago unless—

(a) the individual to whom the information relates has identified the information and has consented in the prescribed manner to its being stored in or accessed from another jurisdiction; or

(b) the information is stored in or accessed from another jurisdiction that has comparable safeguards as provided by this Act.

37. A public body shall dispose of all personal information in its control or custody in accordance with Regulations made by the Minister under this Act.

38. Personal information under the custody or control of a public body shall not, without the consent of the individual to whom it relates, be used by the authority except for the purpose for which the information was obtained or compiled by the public body, or for a use consistent with that purpose, or for a purpose for which the information may be disclosed by the public body pursuant to section 42.

39. The use of personal information is consistent with the purposes for which it was obtained or compiled, if the use has a reasonable and direct connection to the purpose, and is necessary for performing the statutory duties of, or for operating a legally authorized programme of a public body that uses or discloses the information or causes the information to be used or disclosed.

Disposal of personal information

Use of personal information

Consistent purpose

Protection of personal information

Storage and access of personal information in Trinidad and Tobago


40. (1) A public body shall not process sensitive personal information unless it obtains the consent of the person to whom that sensitive personal information relates.

(2) Notwithstanding subsection (1), sensitive personal information may be processed—

(a) by a health care professional or an employee or agent of a health care body at the direction of a health care professional for the purposes of health and hospital care where it is necessary for—

(i) preventative medicine and the protection of public health;

(ii) medical diagnosis;

(iii) health care and treatment; and

(iv) the management of health and hospital care services;

(b) where it has been made public by the person to whom such information relates;

(c) for research and statistical purposes in accordance with section 43;

(d) in the interest of law enforcement and national security;

(e) for the purposes of determining access to social services; or

(f) in accordance with or where authorized by any other written law.

(3) For the purpose of this section, “health care professional” means a person registered under the–

(a) Medical Board Act;

(b) Dental Profession Act;

(c) Opticians Registration Act;

(d) Pharmacy Board Act;

(e) Nurses and Midwives Registration Act;

(f) Professions Related to Medicine Act; and

(g) Emergency Ambulance Services and Emergency Medical Personnel Act, 2009.

Chap. 29:50

Chap. 29:54

Chap. 29:51

Chap. 29:52

Chap. 29:53

Chap. 90:04

Limitation on processing of sensitive personal information in possession of public body

Act No. 8 of 2009


(4) A person who contravenes this section commits an offence.

41. Personal information under the custody or control of a public body shall not be disclosed by the public body in Trinidad and Tobago without the consent of the individual to whom it relates, except in accordance with sections 42, 43, 44 and 45.

42. Except as provided under any other written law, personal information under the control of a public body may only be disclosed—

(a) for the purposes for which the information was collected or compiled by the public body or for a use consistent with that purpose;

(b) for any purpose in accordance with any written law or any order made pursuant to such written law that authorizes such disclosure;

(c) for the purpose of complying with a subpoena or warrant issued or order made by a court, person or body with jurisdiction to compel the production of information or for the purpose of complying with rules of court relating to the production of information;

(d) to the Attorney General of Trinidad and Tobago for the purpose of, or in connection with, legal proceedings involving the State, where such disclosure is reasonably required in the interests of fairness and prior notice of such disclosure is given to the person to whom the information relates;

(e) to an investigative body specified by the Minister by Order, on the written request of the investigative body, for the purpose of investigating compliance with any written law or carrying out a lawful investigation, if the request specifies the purpose and describes the information to be provided;

When personal information may be disclosed

Disclosure of personal information in Trinidad and Tobago


(f) by one law enforcement agency in Trinidad and Tobago to another law enforcement agency within Trinidad and Tobago for the purpose of enforcement of a written law;

(g) to a law enforcement agency in a foreign country under a written agreement, treaty or under the authority of the Government of Trinidad and Tobago;

(h) if the head of the public body agrees that a compelling circumstance exists that affects the health or safety of any person and if notice of the disclosure is mailed to the last known address of the individual to whom the information relates, unless the head of the public body has a reasonable belief that providing notification could harm the health or safety of any person;

(i) so that the next of kin or friend of an injured, ill or deceased person may be contacted;

(j) for the purpose of collecting monies owing by an individual to the Government of Trinidad and Tobago or by a public body to an individual;

(k) for statistical purposes where the disclosure meets the requirements of section 43; or

(l) for archival purposes where the disclosure meets the requirements of section 44.

43. A public body may disclose personal information or may cause personal information in its custody or control to be disclosed for a research purpose, including statistical research only if—

(a) the research purpose cannot reasonably be accomplished unless that information is provided in individually identifiable form;

Disclosure for research and statistical purposes


(b) the information is disclosed on condition that it not be used for the purpose of contacting a person to participate in research;

(c) any record linkage is not harmful to the individual to whom that information is about and the benefits to be derived from the record linkage are clearly in the public interest;

(d) the head of the public body concerned has approved conditions relating to the following:

(i) security and confidentiality;

(ii) the removal or destruction of the individual identifiers at the earliest reasonable time; and

(iii) the prohibition of any subsequent use or disclosure of that information in individually identifiable form without the express authorization of that public body; and

(e) the person to whom that information is disclosed has signed an agreement to comply with the approved conditions, this Act and any of the public body’s policies and procedures relating to the confidentiality of personal information.

44. The archives of the Government of Trinidad and Tobago or the archives of a public body may disclose personal information or cause personal information in its custody or control to be disclosed for archival or historical purposes if—

(a) the disclosure would not be an unreasonable invasion of professional or personal privacy;

(b) the disclosure is for historical research and is in accordance with section 42;

Disclosure for archival or historical purposes


(c) the information concerns someone who has been deceased for twenty or more years; or

(d) the information is in a record that has been in existence for one hundred or more years.

45. Notwithstanding sections 42, 43 and 44, medical information shall not be disclosed by a public body except—

(a) with the consent of the person to whom such information relates; or

(b) by order of the Court.

46. (1) Where personal information under the custody and control of a public body is to be disclosed to a party residing in another jurisdiction, the public body shall inform the individual to whom it relates of—

(a) the purpose for which the information is being collected once that purpose is known to the public body; and

(b) the identity of—

(i) the person requesting the information; and

(ii) the relevant public body with responsibility for Data Protection in the other jurisdiction,

and obtain his consent before disclosing the information.

(2) Where a person under subsection (1) does not consent to the release of his personal information, the public body shall not so disclose.

(3) Subsections (1) and (2) shall not apply where the circumstances set out in section 41 exist, but personal information may be limited where the public body determines that the jurisdiction to which the personal information is being sent does not have comparable standards.

Disclosure of personal information outside of Trinidad and Tobago

Disclosure of medical information to be restricted


(4) Where a person under subsection (1) consents to the release of his information and the public body is—

(a) satisfied that the jurisdiction to which the information is being sent has comparable safeguards, as provided by this Act, the public body shall disclose the personal information; or

(b) not satisfied that the jurisdiction to which the information is being sent has comparable safeguards, the public body shall refer the matter to the Commissioner for a determination as to whether the other jurisdiction has comparable safeguards as provided by this Act and inform the individual to whom the personal information relates, of the referral.

(5) Upon a referral under subsection (4)(b), the Commissioner shall make a determination whether the other jurisdiction has or does not have comparable safeguards as provided by this Act, and inform the public body accordingly.

(6) Where the public body is informed that the jurisdiction to which the information is being sent—

(a) has comparable safeguards, the public body shall inform the person concerned and disclose the personal information;

(b) does not have comparable safeguards, the public body shall inform the person concerned and obtain his consent for the disclosure—

(i) without limitation; or

(ii) with limitation on the information sharing to the extent necessary to ensure the protection of personal privacy and information.


47. (1) Every public body shall prepare a privacy impact assessment, in the form prescribed by the Commissioner, for any proposed enactment, system, project, programme or activity where such enactment, system, project, programme or activity would or would reasonably be expected to substantially or materially impact personal information.

(2) Upon preparation of a privacy impact assessment, every public body shall submit such privacy impact assessment to the Commissioner for approval.

(3) Where a privacy impact assessment has been submitted in accordance with subsection (2), the Commissioner shall evaluate such privacy impact assessment in accordance with the General Privacy Principles set out in section 6 and where necessary, make recommendations to the public body for amendments.

(4) Where the Commissioner makes a recommendation under subsection (3), the public body shall make the necessary amendments to its privacy impact assessment.

(5) Every public body shall take all reasonable steps in accordance with its privacy impact assessment to avoid unnecessary intrusions into personal privacy when designing, implementing or enforcing enactments, systems, projects, programmes or activities.

48. (1) The Head of a Public Body shall cause to be included in personal information banks, all personal information under the control or in the custody of the public body that—

(a) has been used, is being used or is available for use for an administrative purpose; or

(b) is organized or intended to be retrieved by means of the name of an individual or by an identifying number, symbol or other particular assigned to an individual.

Personal information banks

Privacy impact assessment and mitigation


(2) Notwithstanding subsection (1), personal information under the custody or control of the Archives of the Government of Trinidad and Tobago that has been transferred to it by a public body for historical or archival purposes shall not be included in personal information banks.

49. (1) Where a public body intends to share information with other public bodies, it shall do so only pursuant to an agreement in a manner prescribed by the Commissioner by Order.

(2) An Order under subsection (1) shall be published in the Gazette and two newspapers in daily circulation in Trinidad and Tobago.

50. (1) Subject to subsection (5), before a public body matches personal information from a set of data with personal information from another set of data, whether or not pursuant to an information sharing agreement, the public body shall obtain the written authorization of the Commissioner.

(2) In determining whether to authorize data matching by a public body or public bodies, using a data matching programme, the Commissioner shall consider whether or not—

(a) the objective of the matching programme relates to a matter of significant public importance;

(b) the matching programme would achieve the objective in a way which would achieve monetary savings that are both significant and quantifiable or will achieve other significant benefits to society;

(c) the public interest in allowing the matching programme to proceed outweighs the public interest in adhering to the General Privacy Principles set out in section 6 that the programme would otherwise contravene; or

Data matching shall be approved by Commissioner

Information sharing


(d) the programme involves data or information matching on a scale that is excessive, having regard to the number of public bodies that will be involved in the programme and the amount of details about the individual that would be matched under the programme.

(3) The Information Commissioner shall complete his determination in respect of the data matching request within sixty days of the request.

(4) In approving data matching by a public body or public bodies, the Commissioner may impose whatever terms and conditions that he considers appropriate.

(5) Where the Information Commissioner fails to complete his determination in respect of a data matching request under subsection (3), the public body may apply to the Minister for a determination of the matter.

(6) In giving his authorization under subsection (1), the Commissioner may give covering authorization to allow the matching of data where such matching is part of a system of practice approved by him.

51. (1) The Commissioner shall publish periodically, but not less than annually, an index of the personal information that is held by the public bodies that includes a summary of the following:

(a) the personal information banks that are in the custody or control of each public body;

(b) the information sharing agreements entered into by any public body with another public body or other person;

(c) the data matching activities approved by the Commissioner;

(d) the contact information of the official to whom requests relating to personal information contained in the data bank should be sent;

Personal information index


(e) a statement of the purposes for which personal information in the data bank was obtained or compiled and a statement of the uses consistent with those purposes for which the information is used or disclosed;

(f) a statement of the retention and disposal standards and practices that apply to the personal information in the data bank; and

(g) privacy impact assessments prepared by any Ministry of the Government of Trinidad and Tobago.

(2) For the purpose of this section, “contact information” means the title, business address, business telephone and facsimile number and business e-mail of an official or employee of the public body.

(3) Where the Commissioner publishes the index of personal information held by public bodies under subsection (1), such publication shall be made in the Gazette and at least two newspapers in daily circulation in Trinidad and Tobago.

52. (1) Subject to section 53, every individual who is in Trinidad and Tobago has a right to and shall on request, be given access to—

(a) personal information about that individual contained in a personal information bank in the custody and control of a public body; and

(b) any other personal information about the individual under the custody or control of a public body with respect to which the individual is able to provide sufficiently specific information on the location of the information as to render it reasonably retrievable by the public body.

Right of access to personal information in a public body


(2) A request for access to personal information shall be made to the public body that has control of the personal information bank or of the information, as the case may be, in the form approved by the Commissioner.

(3) The Head of a Public Body may, where reasonable and in appropriate circumstances, provide personal information in accordance with the provisions of this Act in response to an oral request.

53. (1) A head of a public body may refuse to disclose personal information to the individual to whom the information relates where—

(a) the disclosure would constitute an unjustified invasion of another individual’s personal privacy;

(b) the disclosure could reasonably be expected to reveal information supplied in confidence;

(c) it is evaluative or opinion material compiled solely for the purpose of determining suitability, eligibility or qualifications for employment or for the awarding of government contracts and other benefits where the disclosure would reveal the identity of a source who furnished information to the institution in circumstances where it may reasonably be assumed that the identity of the source would be held in confidence; and

(d) a disclosure would result in disclosure of information that is exempt from disclosure under Part IV of the Freedom of Information Act.

(2) The Head of a Public Body may disregard requests from an individual for access to that individual’s personal information where it would unreasonably interfere with the operations of the public body because of the repetitious or systematic nature of the requests or the requests are frivolous or vexatious.

Chap. 22:02

Refusal of access to personal information


54. (1) The Head of a Public Body shall make every effort to sever information that is exempt from disclosure pursuant to section 53 from information that may be made available to the individual requesting access to his personal information and make the non-exempt information available.

(2) Where acknowledgment of the existence of information that is exempt from disclosure would reveal critical information about the nature or contents of the information, the Head of a Public Body may refuse to disclose the existence of the information.

55. Any right or power conferred on an individual by this Act may be exercised—

(a) where the individual is deceased, by the individual’s personal representative if the exercise of the right or power relates to the administration of the individual’s estate;

(b) by the individual’s attorney under a power of attorney;

(c) by the individual’s guardian; or

(d) where the individual is less than eighteen years of age, by a person who has lawful custody of the individual.

56. (1) Where a request is made for access to personal information pursuant to section 52, the head of the public body shall, within thirty days of the request being received where access is—

(a) granted in whole or in part, give the information to the individual who made the request; or

(b) refused in whole or in part, give the individual who made the request a written response stating—

(i) that the information does not exist; or

Exercise of rights of deceased persons, etc.

Responsibilities of public bodies

Severance and refusal to disclose existence of information


(ii) the specific provision of the Act on which a refusal could reasonably be expected to be based if the information existed; or

(c) refused in whole or in part, give the individual who made the request information regarding the right of appeal to the Commissioner.

(2) Where access is granted in whole or in part, the head of the public body shall ensure that the information is available in a comprehensive form, including where reasonable, comprehensible to an individual with a sensory disability.

57. (1) Where an individual believes there is an error or omission in his personal information, the individual may request the Head of a Public Body that has the information in its custody or under its control, to correct the information.

(2) If no correction is made in response to a request under subsection (1), the Head of a Public Body shall annotate the information with the correction that was requested but not made and notify the individual who made the request that no correction was made.

(3) On correcting or annotating personal information under this section, the Head of a Public Body shall notify any other public body or any third party to whom that information has been disclosed during the one-year period before the correction was requested, of such correction or annotation.

(4) Upon being notified under subsection (3) of a correction or annotation of personal information, a public body shall make the correction or annotation on any record of that information in its custody or control.

58. An individual who has filed a request for his personal information pursuant to section 52 or who has requested correction of personal information pursuant to section 57 may appeal any decision of the head of the public body to the Commissioner.

Right to request correction of personal information

Appeal to Information Commissioner


59. An appeal to the Commissioner under section 58 shall be made within six weeks of the date when the notice was given of the decision appealed from, by filing with the Commissioner a written notice of appeal.

60. Where an individual has a reasonable belief that a public body is not complying with the provisions of this Act, he may make a complaint to the Commissioner.

61. The Commissioner may dismiss—

(a) an appeal if the notice of appeal does not present a reasonable basis for concluding that the personal information to which the notice relates exists or is incorrect; or

(b) a complaint if the written complaint does not contain sufficient particulars to make a determination of non-compliance with the provisions of this Act.

62. Upon receiving the notice of appeal under section 59, or a complaint under section 60, the Commissioner shall inform the Head of a Public Body concerned and any other affected person of the notice of appeal or the complaint.

63. The Commissioner may authorize a mediator to investigate the circumstances of the appeal under section 58 and to try to effect a settlement of the matter under appeal.

64. (1) The Commissioner may conduct an enquiry to review the decision of the Head of a Public Body, or a complaint in respect of a public body, if the Commissioner has—

(a) not authorized a mediator to conduct an investigation under section 63; or

(b) authorized a mediator to conduct an investigation under section 63, but no settlement has been reached.

Complaints to the Commissioner

Immediate dismissal

Informing of notice of appeal

Mediation

Enquiry by the Commissioner

Time for application


(2) Where the Commissioner conducts an enquiry under this section he may, on the conclusion of such enquiry in respect of—

(a) a request for access either—

(i) affirm the decision of the Head of a Public Body; or

(ii) order the Head of a Public Body to release the personal information or make the corrections requested;

(b) a complaint—

(i) dismiss the complaint; or

(ii) order the Head of the Public Body to comply with the relevant provisions of this Act deemed to be in breach.

(3) Where an enquiry is conducted under this section, it may be conducted by the Commissioner on his own or by a tribunal comprising the Commissioner and one or more Deputy Commissioners.

(4) A person aggrieved by a decision of the Commissioner or the tribunal under this section may apply to the High Court for Judicial Review.

65. The enquiry by the Commissioner or a mediator and any meetings held by a mediator with parties to the appeal may be conducted in private.

66. The individual who requested access to or correction of personal information, the Head of a Public Body concerned and any affected party shall be given the opportunity to make representations to the Commissioner, but none is entitled to—

(a) be present during;

(b) have access to; or

(c) comment on,

representations made to the Commissioner by any other person.

Enquiry in private

Representations


67. An individual who requests access to personal information, the Head of a Public Body concerned and any affected party may be represented by counsel or an agent.

68. Where a public body refuses to give access to personal information, the burden of proof that the information lies within one of the specified exemptions of the Act is on a balance of probabilities and lies upon the public body.

PART IV

PROTECTION OF PERSONAL DATA BY THE PRIVATE SECTOR

69. A person who—

(a) collects, retains, manages, uses, processes or stores personal information in Trinidad and Tobago;

(b) collects personal information from individuals in Trinidad and Tobago; or

(c) uses an intermediary or telecommunications service provider located in Trinidad and Tobago to provide a service in furtherance of paragraph (a) or (b),

shall follow the General Privacy Principles set out in section 6 in dealing with personal information.

70. The Commissioner shall consult with industry to promote the application of the General Privacy Principles through the development of codes of practice through such means as—

(a) providing guidance on the development of codes of practice;

(b) providing guidance on complaint resolution mechanisms;

(c) fostering education on the General Privacy Principles;

Application of General Privacy Principles

Codes of practice

Burden of proof

Right to counsel or an agent


(d) working with government and private sector bodies to promote awareness of codes of conduct among consumers; and

(e) taking any action that appears to the Commissioner to be appropriate.

71. (1) Notwithstanding section 69 where, in the opinion of the Commissioner, the public interest warrants the immediate and mandatory development of codes of conduct dealing with the application of the General Privacy Principles to a particular industry, economic sector, or activity, the Commissioner may, by Order, require the development of a code of conduct and set a time limit for its development.

(2) Subject to subsection (1), where there is an appropriate government regulator of an industry, economic sector or activity, the Commissioner may request the regulator to oversee the development of the code of conduct for that industry, economic sector or activity.

72. (1) Where a mandatory code of conduct is developed pursuant to section 71, it shall require at a minimum that personal information under the custody or control of an organization shall not be disclosed by that organization to any third party without the consent of the individual to whom it relates, except in general, where such information is disclosed for the purposes—

(a) for which the information was collected or for use consistent with that purpose;

(b) of a Court Order; or

(c) of complying with any written law.

(2) Where personal information under the custody and control of an organization is to be disclosed to a party residing in another jurisdiction, the organization shall inform the individual to whom it relates of the—

(a) purpose for which the information is being collected once that purpose is known to the organisation;

Cross border disclosure of personal information

Commissioner may require development of code of conduct


(b) identity of—

(i) the person requesting the information; and

(ii) the relevant public body with responsibility for Data Protection in the other jurisdiction,

and obtain his consent before disclosing the information.

(3) Where a person under subsection (2) does not consent to the release of his personal information, the organization shall not so disclose.

(4) Where a person under subsection (2) consents to the disclosure of his information and the organization is—

(a) satisfied that the jurisdiction to which the information is being sent has comparable safeguards as provided by this Act, the organization shall disclose the personal information;

(b) not satisfied that the jurisdiction to which the information is being sent has comparable safeguards, the organization shall refer the matter to the Commissioner for a determination as to whether the other jurisdiction has comparable safeguards as provided by this Act and inform the individual to whom the personal information relates of the referral.

(5) Upon a referral under subsection (4), the Commissioner shall make a determination whether the other jurisdiction has or does not have comparable safeguards as provided by this Act, and inform the organization accordingly.

(6) Where the organization is informed that the jurisdiction to which the information is being sent—

(a) has comparable safeguards, the organization shall inform the person concerned and disclose the personal information; or


(b) does not have comparable safeguards, the organization shall inform the person concerned and obtain his consent for the disclosure—

(i) without limitation on the personal information; or

(ii) with limitation on the personal information sharing to the extent necessary to ensure the protection of personal privacy and information.

73. (1) Where a mandatory code of conduct is developed, the sector shall apply to the Commissioner for the approval of such code prior to its use.

(2) Where a voluntary code of conduct is developed, the sector may apply to the Commissioner for the approval of such code prior to its use.

(3) The Commissioner may approve a code of conduct dealing with compliance with the General Privacy Principles set out in section 6 developed by an industry sector, an industry organization or a professional body.

(4) Where the Commissioner is satisfied that a code of conduct submitted for approval in accordance with subsection (1) or (2) meets the requirements set out in subsection (5), he shall approve the code of conduct.

(5) In approving a code of conduct, the Commissioner shall consider—

(a) compliance with the General Privacy Principles set out in section 6;

(b) use and adequacy of dispute resolution mechanisms within the industry as well as within individual firms;

(c) the potential for development or encouragement of anti-competitive conduct;

(d) the adequacy of the process used to develop the code of conduct, including involvement of stakeholders, such as relevant consumers, suppliers and other interested groups;

Approval of code of conduct


(e) the role of industry sector regulators if any; and

(f) any other matters that the Commissioner considers relevant.

74. (1) Where the Commissioner has approved a code of conduct, the Minister may by Order, make compliance with the code mandatory with respect to those to whom the code of conduct applies under this Act.

(2) An Order made by the Minister under subsection (1), shall be subject to negative resolution of Parliament.

(3) Where a code of conduct has been made mandatory under subsection (1), the persons or enterprises to whom or to which it applies shall comply with the provisions of the code of conduct.

(4) Without limiting the generality of subsection (1), where a government regulator has jurisdiction over an industry, economic sector or activity so that the code of conduct dealing with the application of the General Privacy Principles can be made mandatory pursuant to other legislation, the regulator may make a code of conduct approved by the Commissioner mandatory.

(5) Where an industry regulator has mandated compliance in dealing with the protection of personal privacy that has been approved by the Commissioner and the legislation under which the code of conduct has been made mandatory has adequate provisions for complaint resolution and sanctions for non-compliance with the provisions of the code of conduct, the Commissioner may forebear from exercising his powers with respect to compliance.

75. (1) An individual who has personal information stored in an organization which is subject to a mandatory code of conduct has a right to and shall on request, be given access to—

(a) personal information about that individual in the custody and control of the organisation; and

Mandatory codes of conduct

Right of access to personal information


(b) any other personal information about the individual under the custody or control of the organization with respect to which the individual is able to provide sufficiently specific information on the location of the information as to render it reasonably retrievable by the organisation.

(2) A request for access to personal information shall be made to the organization that has control of the personal information in the form approved by the Commissioner.

(3) The organisation may, where reasonable and in appropriate circumstances, provide personal information in accordance with the provisions of this Act in response to an oral request.

76. (1) A corporation shall not process sensitive personal information in its possession unless it obtains the consent of the person to whom that sensitive personal information relates.

(2) Notwithstanding subsection (1), sensitive personal information may be processed—

(a) by a health care professional or an employee or agent of a health care body at the direction of a health care professional for the purposes of health and hospital care where it is necessary for—

(i) preventative medicine and the protection of public health;

(ii) medical diagnosis;

(iii) health care and treatment; and

(iv) the management of health and hospital care services;

(b) where it has been made public by the person to whom such information relates;

(c) for research and statistical purposes in accordance with section 43; and

(d) where the disclosure is required by written law.

Limitation on processing of sensitive personal information in the possession of a corporation


(3) For the purpose of this section, “health care professional” means a person registered under the—

(a) Medical Board Act;

(b) Dental Profession Act;

(c) Opticians Registration Act;

(d) Pharmacy Board Act;

(e) Nurses and Midwives Registration Act;

(f) Professions Related to Medicine Act; and

(g) Emergency Ambulance Services and Emergency Medical Personnel Act; 2009.

(4) A person who contravenes this section commits an offence.

77. (1) The head of an organization subject to a mandatory code of conduct may, upon the written authorization of the Commissioner, disregard a request from an individual for access to that individual’s personal information where it would unreasonably interfere with the operations of the organization because of the repetitious or systematic nature of the requests or the requests are frivolous or vexatious.

(2) Where an organization disregards a request under subsection (1) it shall notify the individual making the request.

78. Where an organization is subject to a mandatory code of conduct and an individual has a reasonable belief that the organization has within its custody or control personal information regarding that individual, the individual may—

(a) where the individual has requested access to or the correction of personal information held by an organization and the organization has refused such request, ask the Commissioner to conduct a review of the resulting decision, act or failure to act of the organization; or

Chap. 29:50

Chap. 29:54

Chap. 29:51

Chap. 29:52

Chap. 29:53

Chap. 90:04

Refusal of request for access to personal information

Request for review or complaint to the Commissioner

Act No. 8 of 2009


(b) make a complaint to the Commissioner regarding an alleged failure of the organization to comply with the provisions of the mandatory code of conduct.

79. A request for a review by, or a complaint to the Commissioner shall be made within six weeks of the date of the decision or six weeks from which the failure to comply with the mandatory codes of conduct first became known or should have become known.

79A. Where an individual has a reasonable belief that an organisation is not complying with the provisions of this Act, he may make a complaint to the Commissioner.

80. The Commissioner may not entertain—

(a) a request for a review of the decision where the written request does not present a reasonable basis for concluding that the personal information to which the request relates, exists; or

(b) a complaint under section 78 or 79A where the written complaint does not contain enough particulars to make a determination of non-compliance with the mandatory code of conduct on the part of the organization or this Act.

81. Upon receiving the written request or complaint under section 78 or 79A, the Commissioner shall inform the head of the organization concerned and any other affected person of the request or complaint.

82. (1) Subject to section 83(2), the Commissioner may conduct an enquiry into a request or complaint under section 78 or 79A.

(2) Where the Commissioner conducts an enquiry under this section he may, on the conclusion of such enquiry in respect of—

(a) a request for access to information or the correction of information—

(i) affirm the decision of the organization;

Time for application for review or complaint

Immediate dismissal of request for review or complaint

Notification of request or complaint

Enquiry of request or complaint

Complaint to the Commissioner on non-compliance


(ii) order the head of an organization to release the personal information or make the correction requested; or

(iii) make the correction requested; or

(b) a complaint—

(i) dismiss the complaint; or

(ii) order the head of the organization to comply with the provisions of the mandatory code of conduct or this Act.

(3) Where an enquiry is conducted under this section, it may be conducted by the Commissioner on his own or by a tribunal comprising the Commissioner and one or more Deputy Commissioners.

(4) A person aggrieved by a decision of the Commissioner or the tribunal under this section may apply to the High Court for Judicial Review.

83. (1) The Commissioner may authorize a mediator to investigate the circumstances of the request under section 78 and to try to effect a settlement of the matter.

(2) Where the Commissioner has—

(a) not authorized a mediator to conduct an investigation under subsection (1); or

(b) authorized a mediator to conduct an investigation under subsection (1) but no settlement has been reached,

he may conduct an enquiry into a request under section 82.

84. An enquiry by the Commissioner or a mediator and any meetings held by a mediator with parties to the request may be conducted in private.

Mediation of request

Enquiry of request to be conducted in private

Representations

85. An individual who requested access to, the correction of personal information or who made a complaint, the head of the organization concerned and any affected party shall be given the opportunity to make representations to the Commissioner, but none is entitled to—

(a) be present during;

(b) have access to; or

(c) comment on,

representations made to the Commissioner by any other person.

86. Every director and officer of a corporation shall take reasonable care to ensure that the corporation complies with—

(a) this Act and the regulations made thereunder; and

(b) any Orders imposed by the Commissioner or his delegate.

PART V

CONTRAVENTION AND ENFORCEMENT

87. A person who wilfully obstructs the Information Commissioner or any other person acting for or under the direction of the Commissioner in the course of carrying out an audit or an investigation, commits an offence.

88. (1) A person who makes a request for access to or correction of personal information under false pretences, commits an offence.

(2) A person who wilfully makes a false statement to mislead or attempts to mislead the Commissioner in the performance of his functions under this Act, commits an offence.

89. A person who fails to comply with an order of the Commissioner, commits an offence.

90. A person who contravenes the provisions of section 99, commits an offence.

Duties of directors

Obstruction

False and misleading statements

Failure to comply with an order

Violation of whistle-blowing provisions


91. Where a person to whom a mandatory code of conduct applies under section 74 fails to comply with such mandatory code of conduct, he commits an offence.

92. (1) A person who wilfully discloses personal information in contravention of this Act, commits an offence.

(2) A person who collects, stores or disposes of personal information in a manner that contravenes this Act commits an offence.

93. A person who breaches the confidentiality obligations established by section 25, commits an offence.

94. Where a corporation commits an offence under this Act, any officer, director or agent of the corporation who directed, authorized, assented to, or participated in the commission of the offence is a party to and commits an offence and is liable to the punishment provided for the offence.

95. (1) A person who commits an offence under this Act is liable upon—

(a) summary conviction, to a fine of not more than fifty thousand dollars or to imprisonment for a term of three years; and

(b) conviction on indictment, to a fine of not more than one hundred thousand dollars or to imprisonment for a term of not more than five years.

(2) Where the offence under this Act is committed by a body corporate, the body corporate shall be liable upon—

(a) summary conviction, to a fine of two hundred and fifty thousand dollars; and

(b) conviction on indictment, to a fine of five hundred thousand dollars.

Breach of obligations of confidentiality

Offences by directors and officers

Penalties

Offence for not complying with mandatory code of conduct

Contravention of Act


96. (1) Where a corporation contravenes any of the provisions of this Act, the Court may impose a fine of up to ten per cent of the annual turnover of the enterprise.

(2) In imposing a fine under subsection (1), the Court shall take into account—

(a) the estimate of the economic cost of the contravention to the consumers, users of the services in question or any other person affected by the contravention;

(b) the estimate of the economic benefit of the contravention to the enterprise;

(c) the time for which the contravention is in effect if continuing;

(d) the number and seriousness of any other contraventions, if any, committed by the corporation; and

(e) any other matter the Court may consider appropriate in the circumstances.

PART VI

MISCELLANEOUS

97. The Minister may order a public body or a corporation to pay the costs reasonably incurred in the performance of an audit pursuant to sections 20 and 21.

98. (1) The Court shall have jurisdiction to hear and determine—

(a) applications by the Information Commissioner for any Order which the Court considers appropriate to facilitate the enforcement of any provisions of this Act; and

(b) upon application by the Information Commissioner, cases involving any contravention of the provisions of this Act and make such appropriate Orders in relation thereto.

Costs of audit

Jurisdiction of the Court

Penalties for corporations


99. An employer whether or not a public body, shall not dismiss, suspend, demote, discipline, harass or otherwise disadvantage an employee or deny that employee a benefit, because—

(a) the employee acting in good faith, and on the basis of reasonable belief has—

(i) notified the Commissioner that the employer or any other person has contravened or is about to contravene this Act;

(ii) done or stated the intention of doing anything that is required to be done in order to avoid having any person contravene this Act; or

(iii) refused to do or stated the intention of refusing to do anything that is in contravention of this Act; or

(b) the employer believes that the employee will do anything described in paragraph (a).

100. (1) The Minister may make Regulations for the purpose of—

(a) prescribing anything required to be prescribed under this Act; and

(b) giving effect to the provisions of this Act.

(2) Regulations made under this section shall be subject to negative resolution of Parliament.

101. The Freedom of Information Act is amended in—

(a) section 4—

(i) by inserting after the definition of “applicant” the following definitions:

“ “decision of a public authority” means the refusal of a public authority to grant access to an official document or the failure of a public authority to comply with section 15 or 16(1) herein;

Regulations

Chap. 22:02 amended

Whistle-blowing protection


“Information Commissioner” means the person appointed pursuant to section 8 of the Data Protection Act;”;

(ii) by deleting the definition of “personal information” and substituting the following definition:

“personal information” has the meaning assigned to it in the Data Protection Act;”;

(iii) in the definition of “public authority”—

(A) in paragraph (j), by deleting the word “or”;

(B) by inserting after the words “control;” the word “or”;

(C) by inserting after paragraph (k) the following new paragraph:

“(l) the Office of Information Commissioner as appointed under section 7 of the Data Protection Act.”;

(b) section 23(1) in paragraph (d), by deleting the words “High Court for judicial” and substituting the words “Information Commissioner for”;

(c) section 30, by deleting subsections (1), (2) and (3) and substituting the following subsections:

“ (1) A document is an exempt document if its disclosure under this Act would involve the disclosure of personal information in a manner inconsistent with the Data Protection Act.


(2) The provisions of subsection (1) shall not apply to a request by an individual for his own personal information, which request shall be treated as a request under the Data Protection Act.

(3) Where a request by a person other than a person referred to in subsection (2) is made to a public body for access to a document containing personal information, the public body shall proceed in accordance with the Data Protection Act in deciding whether to grant access to such request.”;

(d) section 36, by deleting subsection (1) and substituting the following subsection:

“(1) Where a document (whether or not it is one to which access has been given under this Act) contains personal information of an individual and that individual believes that the information is inaccurate, he shall proceed, and the public body shall address the matter in accordance with section 57 of the Data Protection Act.”;

(e) section 38A—

(i) in subsection (1), by deleting the word “Ombudsman” wherever it occurs and substituting the word “Information Commissioner”;

(ii) in subsection (2), by deleting the word “Ombudsman” and substituting the words, “Information Commissioner”; and


(iii) by deleting subsection (3) and substituting the following subsection:

“(3) The decisions of the Information Commissioner on issues relating to this Act shall be binding on Public Bodies.”; and

(iv) by inserting after subsection (3) the following new subsection:

“(4) The Court shall have jurisdiction to hear and determine applications by the Information Commissioner for any Order which the Court considers appropriate to facilitate the enforcement of any provisions of this Act.;”

(f) section 39, by repealing subsection (3); and

(g) section 40, in—

(i) subsections (1) and (2), by deleting the words “The Minister” wherever they occur and substituting the words “The Information Commissioner”; and

(ii) subsection (3)(d), by deleting the word “Ombudsman” and substituting the word “Commissioner”.


SCHEDULE

PART A (Section 8)

FORM OF OATH (AFFIRMATION) FOR INFORMATION COMMISSIONER

I, A. B. having been appointed Information Commissioner do swear by ……….....… (solemnly affirm) that I bear true faith and allegiance to Trinidad and Tobago and will uphold the Constitution and the law, that I will conscientiously, impartially and to the best of my knowledge, judgement and ability discharge the functions of my office and do right to all manner of people after the laws and usages of Trinidad and Tobago without fear or favour, affection or ill-will.

PART B (Section 11)

FORM OF OATH (AFFIRMATION) FOR DEPUTY INFORMATION COMMISSIONER

I, A. B. having been appointed Deputy Information Commissioner do swear by …....……… (solemnly affirm) that I bear true faith and allegiance to Trinidad and Tobago and will uphold the Constitution and the law, that I will conscientiously, impartially and to the best of my knowledge, judgement and ability discharge the functions of my office and do right to all manner of people after the laws and usages of Trinidad and Tobago without fear or favour, affection or ill-will.


Passed in the House of Representatives this 11th day of February, 2011.

Clerk of the House

Passed in the Senate this 23rd day of May, 2011.

Clerk of the Senate

Senate Amendments agreed to by the House of Representatives on this 3rd day of June, 2011.

Clerk of the House
