Data Protection Bill offers stiff fines for breaches – Senator

Stiff penalties, as much as half-a-million dollars, are coming for criminally mismanaging personal information under a new Data Protection Act introduced today in Parliament.

A data czar to police Barbadians’ personal data is to be created by the law, to be formally titled Data Protection Commissioner, backed up by a tribunal and additional officers.

There are other sanctions for non-compliance with the law’s requirements, with data breaches attracting the most severe of the penalties, said Minister of Innovation, Science and Smart Technology, Senator Kay McConney as she introduced the bill in the Upper Chamber today.

“There are criminal sanctions, and there are administrative sanctions, all defined in this Act.

“The Data Protection Commissioner, however, can impose an administrative sanction if it is in the public interest, or if the seriousness of the contravention merits it.

“You can get some fines anywhere from $1 to $50,000. If, however, people sell your data, or even offer to sell data, $100,000 dollars summary conviction, three years in jail, or both.

“If when you make a query, or there has been an enforcement order or some attempt to deal with compliance from the data protection commissioner, and people then come in and lie, or they make false statements, that attracts the highest penalty of $500,000, half a million on summary convictions.

“The penalties are deliberately stiff because it is important that in this digital age where data is currency, people are not mismanaging your personal data and that the consequences are significant.”

Senator McConney told lawmakers: “Now every single entity that will be collecting and processing your information is required to designate a data privacy officer, except for the courts.

“The data privacy officer is not an employee of the data protection commissioner. Another one of the actors in addition to the data protection officer and the data privacy officer is the data controller. That can be a natural person or a legal person that controls the purpose. They have the final say for the purpose for which your data is being used.

“And then you have a data processor who can be a natural person or a legal person. But the data processor now is responsible for doing actual manipulation and processing.”

Senator McConney further explained that the tribunal would be the judicial body set up to hear complaints under the Act. She said the decision of the tribunal would have the same weight as that of the courts, and added that the decisions can be appealed.

“So what if your data is obtained and not from you? Now, in this Bill we have taken particular care to make sure that when someone obtains your data from a source other than you directly you must be told. You must be told of any intention to transfer your data to others.

“Not only any intention to transfer your data you must be told, you must be told if anybody other than you is sharing that data, the safeguards that would be in place, how long the data will be kept, where the processing of your data will be done,” she said.