Friday 5 October 2012

BAHAMAS | DATA PROTECTION AND PRIVACY OF PERSONAL INFORMATION

Data protection laws exist to strike a balance between the right of individuals to privacy and the ability of organisations to use data for the purposes of their business. The Data Protection Act 2003 introduced basic rules of registration for users of data and rights of access to that data for the individuals to whom it related. These rules and rights were revised and superseded by the Data Protection Act 2003, which came into force on 2nd April 2007. This Guide explains what you should know about data protection under the Data Protection Act 2003 ('the Act').

When does data protection law apply?
Data protection law applies whenever a data controller processes personal data. These words are given special meanings by the Act.

Data controllers
A data controller is the person who determines the purposes for which, and the manner in which, any personal data is, or is likely to be, processed. In other words, you will be a data controller if the processing of personal data is undertaken for your benefit and you decide what personal data should be processed and why. A typical example of a data controller is an employer. 

Personal data
Personal data means data which relates to a living individual who can be identified from that data or from that data and other information which is in the possession of, or is likely to come into the possession of, the data controller. For example, most organisations will process personal data relating to employees, customers, suppliers and business contacts. These individuals are referred to in the Act as 'data subjects'.

Processing
The Act applies when personal data is processed or is to be processed and “processing” under the Act means obtaining, recording or holding the information or data or carrying out any operation or set of operations on the information or data, including:

(a) organisation, adaptation or alteration of the information or data;
(b) retrieval, consultation or use of the information or data;
(c) transmission of data;
(d) dissemination or otherwise making available; or
(e) alignment, combination, blocking, erasure or destruction of the information or data.

The term 'processing' therefore covers virtually any use which can be made of personal data, from collecting the data, storing it and using it to destroying it.

What are the obligations?

The data protection principles
In order to comply with the Act, a data controller must comply with the following principles:
  1. The data should be processed fairly and lawfully and may not be processed unless the data controller can satisfy one of the conditions for processing set out in the Act.
  2. Data or the information constituting the data should be collected by means which are both lawful and fair in the circumstances of the case.
  3. Data should be adequate, relevant and not excessive.
  4. Data should be accurate and, where necessary, kept up to date.
  5. Data should not be kept longer than is necessary for the purposes for which it is processed except in the case of personal data kept for historical, statistical or research purposes.
  6. Data should not be used or disclosed in any manner incompatible with the purpose or purposes for which it is processed.
  7. Data should be processed in accordance with the rights of the data subject under the Act.
  8. Appropriate security measures shall be taken against unauthorised access to, or alteration, disclosure or destruction of, the data and against their accidental loss or destruction.
  9. Data should not be transferred to a country or territory outside the Commonwealth of The Bahamas unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

Other requirements for data controllers
Under the first data protection principle, a data controller must justify its processing of personal data under one of the following conditions:
  • the data subject has given his consent to the processing;
  • the processing is necessary for the performance of a contract or the entering into of a contract to which the data subject is a party;
  • the processing is necessary for compliance with any legal obligation to which the data controller is subject;
  • the processing is necessary in order to protect the vital interests of the data subject;
  • the processing is necessary for the administration of justice;
  • the processing is necessary for the purposes of legitimate interests pursued by the data controller provided such processing does not harm the rights and freedoms or legitimate interests of data subjects; or
  • the particular circumstances fall under one of the exceptions in the Act.

The data controller must also register with the Data Protection Commissioner ('the Commissioner').

Sensitive personal data
Where the data controller intends to process sensitive personal data, there are further conditions. Sensitive personal data consists of information relating to the racial or ethnic origin of a data subject, his political opinions, religious beliefs, trade union membership, sexual life, physical or mental health or condition, or criminal offences or record. Of these further conditions, the most useful to most businesses will be:
  • where the data subject has given his explicit consent;
  • where the processing is required for the purposes of complying with employment law;
  • where it is necessary to establish, exercise or defend legal rights.

If none of the conditions can be met, processing cannot legally continue.

Purposes of processing
Data subjects must be given information about the purposes of the processing. This information is generally provided in the form of a data protection notice, which can be given in application forms, terms and conditions, by telephone or on a website. The information to be set out in a data protection notice must include a description of:
  • details of the data controller;
  • the purposes for the processing, including any non-obvious purposes (e.g. cross-mailing, host mailing);
  • details of any recipients of the personal data (e.g. other companies within the group) and their purposes;
  • an opt-out / opt-in to marketing, as appropriate;
  • a description of the methods to be used for contacting individuals for marketing purposes (e.g. telephone, fax, SMS, email and/or mail); and
  • any other information that is necessary to make the processing fair (e.g. whether it is obligatory to provide all the information requested or whether provision of some of that information is optional).

By using an appropriately worded data protection notice, an online business can ensure that there is consent from visitors to its web site to allow the business to build a valuable contacts database and market its services to the visitors.

Security requirements
Data controllers must put in place adequate technical and organisational measures to safeguard the personal data which they are processing from destruction, accidental loss, unauthorised access or disclosure. This would include, for example, using a secure server when payments are made online.

Furthermore, all data controllers must put in place processing contracts with their 'data processors'. A data processor is a third party appointed by the data controller to process personal data on its behalf, although it will still be the data controller who ultimately decides what happens to the data. These processing contracts must be in writing and must set out what the data processor may or may not do with the personal data, including what security measures should be taken to safeguard the data. Data controllers should reserve for themselves the right to audit data processors to ensure compliance with the contract.

To give a practical example, if a website collects e-mail addresses, this could constitute personal data, so the data controller not only has to register with the Commissioner but must also ensure that security is put in place to guard against hacking. If the website is actually hosted by a third party on behalf of the data controller, then the data controller will have to contractually oblige that third party to put the relevant security in place. Of course, the data controller will also have to comply with the other principles.

Transfer of data overseas
If personal data is disclosed or made available to a person overseas, that is considered a transfer for the purposes of the eighth data protection principle above. In the context of the internet, if the information is placed on a website without specific consent from the individual, this may be in breach of the Act since the data can be accessed in countries with less stringent data protection laws.

Rights of individuals
Data controllers must give the following rights to data subjects:
  • the right of access to his or her personal data;
  • the right to object to certain processing causing substantial damage or distress;
  • the right to object to automated decision taking; and
  • the right to object to direct marketing.

The most important of these rights is the right to access personal data. An individual may request access to all personal data of which he or she is the subject and which is being processed by the data controller. The Minister Responsible for Data Protection may prescribe a fee that data controllers may charge data subjects for making the request in writing and for the data controller's compliance with the request. There are exemptions from these access rules in certain limited circumstances.

Another right which will be of importance to any organisation that markets to individuals is the right given to data subjects to object to direct marketing. There are no exemptions to this right.

What are the consequences of non-compliance?
Compliance with the Act should not be taken lightly, as the Commissioner has been given extensive powers of enforcement. Data controllers could, for example, find these powers used against them by disgruntled employees or customers, who contact the Commissioner to complain that there has been a breach of the rules.

The Commissioner can now serve a data controller with an 'information notice' requiring the data controller to provide certain information within set time limits. Failure to comply with such a notice, or providing deliberately false information, is a criminal offence. If the Commissioner concludes that there has been a breach of the Act, he may then serve the data controller with an 'enforcement notice'. This could force a data controller to cease processing personal data, or to cease processing data in a particular way. Failure to comply with an enforcement notice is a criminal offence.

Criminal liability does not lie just with the data controller. It is possible for officers of a company, such as its directors or managers, to be personally criminally liable if the offence has been committed with their consent, connivance or neglect. Employees may also incur criminal liability in certain limited circumstances if they disclose or obtain personal data without the authority of the data controller.

Although the commission of a criminal offence under the Act will not result in a prison sentence, it will result in fines which, depending on the circumstances, may be up to $100,000. It is also increasingly the case that industry regulators are looking at matters of data security which are similar to those addressed by the Act.

However, the fines are unlikely to be the reason why most data controllers will want to comply. Few data controllers will be able to continue with business as usual if they are prevented from processing personal data as a result of an enforcement notice, and no data controller will want the bad publicity which is attached to the unfair processing of personal data.

Conclusion
The increasing use of information technology and the internet ensures that data protection has become one of the most important and relevant laws that online businesses are required to comply with. The internet is all about the transfer of information. Not only is the internet used to disseminate information, but also to collect it. Organisations must look now at how they collect, store and use personal data and ask themselves whether they comply with the Act. This may involve amending employment and marketing practices in addition to internal training.

This post is for your information only and is not intended to constitute a legal opinion. If you require detailed legal advice you should contact a Bahamian e-commerce attorney.

W. A. Brenford Christie is the managing partner of the Bahamas-based business law firm Lord Ellor & Co. He is a qualified commercial lawyer admitted to the Bahamas Bar and the Bar of England & Wales. He also offers consultant services with respect to E-commerce regulatory compliance and data protection.

Email: brenford@lordellor.com