In more sophisticated jurisdictions, it is expected that there is a regulatory body overseeing the use and manipulation of personal data.
With so much of our daily activities being conducted online, the opportunity to misuse, steal, share or sell that data is far greater. As such, it was a step in the right direction when Government moved earlier this year to pass the Data Protection Act.
What exactly is to be found among the troves of data collected by companies, our employers, our banks, credit unions, retail stores? Endless amounts of valuable information that if compromised, could be extremely detrimental for those who store the data and the subjects in the data.
As innocent as it may appear, even placing your name, address, and telephone number in a book at your favourite restaurant to facilitate COVID-19 contact tracing could be a goldmine in the hands of the wrong persons.
There are people who make a tidy sum selling data they possess to other entities who use it to market their products and services and even undertake criminal activity.
Put in practical terms, a life insurance salesman who can get his hands on the names, addresses, and telephone numbers of all the recent graduates of the University of the West Indies for the past three years, has enormously valuable leads that place him or her at a distinct advantage over his industry colleagues who may be limited to just family and friends.
And so, any collection of personal data, whether by employers, credit card companies, telecommunications companies and the like, ought to be protected from misuse, abuse, or compromise in any way.
Risks such as identity theft and mishandling represent some of the scourges for which data protection regulations are designed.
The World Bank, in a publication offering guidelines for data protection and privacy laws wrote: “Data protection requires a holistic approach to system design that incorporates a combination of legal, administrative, and technical safeguards.
“To begin, identification systems should be underpinned by legal frameworks that safeguard individual data, privacy, and user rights.”
The World Bank points to the need to collect personal data in a transparent and fair manner, that it be collected lawfully and with the consent of the owner, that it be accurate, that it be retained for a limited time and for no longer than is necessary for the purposes for which it was collected in the first place, and appropriate technology be employed to keep that data confidential and protected from breaches.
This is particularly useful information as we in Barbados, earlier this year, effected into our laws the Data Protection Act and added teeth to the legislation by appointing the country’s first Data Protection Commissioner (DPC) Ms Lisa Greaves in June.
Unfortunately, like many important developments in this country which have serious legal implications and carry significant fines for breaches, this may have passed over the heads of ordinary members of the public.
What’s left is a population, unaware of its rights and ability to seek restitution in the event of infringements.
How does Ms Brathwaite from St Stephen’s Hill, know that the store, from which she made a hire purchase and has all her details including her next of kin, copies of her identification card and passport, her telephone numbers and possibly her bank account details, is keeping that information safe and not sharing it with another company in the group with which she has not done business?
How does Mr Holder from My Lord’s Hill know that his medical files with his entire medical history from the doctor he has not visited in 10 years, were not discarded improperly and that information is now in the hands of some unscrupulous person?
Though late in coming, the Data Protection Act is here and enforceable. There is a Data Protection Commissioner to whom complaints can be lodged. We are encouraged that even during the COVID-19 pandemic, the administration has made this issue a priority.
At the same time, the public is yet to be fully informed about the function and powers of the DPC, where can her office be found, and what is the process for lodging complaints?
Of course, the DPC cannot work alone. And so, will there be appropriately trained officers who have the capability to inspect and audit large and small entities to ensure compliance?
The British 2018 Data Protection Act is seen as the gold standard in this area and is an ideal example to follow where collectors of personal data are required to follow very strict rules called “data protection principles”.
Moreover, the UK has even stronger legal protection for data on areas such as sexual orientation, genetics, ethnic background, political opinions, and race.
