Barbados’ data privacy regulator has launched an official investigation into the administration of a controversial survey in five secondary schools to determine whether any data protection laws were breached.
A spokesperson for Lisa Greaves, the Commissioner of Data Protection, said on Wednesday that the matter surrounding the Inter-American Development Bank (IDB)-administered questionnaire that was distributed to first-formers in select schools as part of a computer science test, had been drawn to the commission’s attention by the Ministry of Education, Technological and Vocational Training.
The survey gathered information about the children’s sexuality, gender identity and home circumstances, among other things, without parental consent.
The Ministry of Education and the IDB have both apologised, with the latter taking responsibility for including the controversial questions in the survey.
Asked by Barbados TODAY if the survey had breached the Data Protection Act, the spokeswoman for Greaves said that now has to be determined.
“The department is looking into the matter right now, so at the moment we can’t give any comment because we ourselves are investigating,” she stated.
“It has been brought to our attention and we are bringing our comments to the Ministry of Education pertaining to the whole matter…. It’s a matter that we would have to look into further to see what’s really going on and then our advice would have to be given to them [the ministry].”
The Data Protection Commissioner, a post which Greaves took up on July 15, 2021 as the first such appointee, is responsible for the general administration of the Data Protection Act as the primary regulatory authority for data protection in Barbados.
The legislation requires the commissioner to investigate complaints from persons concerning abuses in the processing of personal data; receive and invite representations from members of the public on any matter affecting the privacy of persons in respect of their personal data; conduct investigations on the application of the Act, including on the basis of information received from a public authority; and provide for the collection of personal data by any public authority or the disclosure of personal data by one public authority to another public authority.
The Commissioner has several other roles, including sensitising members of the public about their privacy-related rights and obligations; tracking and advising on privacy-related developments; and monitoring the processing of personal data and, in particular, sensitive personal data, and any other matter affecting the privacy of persons in respect of their personal data.
Dean of the Faculty of Law at the Cave Hill Campus of the University of the West Indies, Professor Eddy Ventose told Barbados TODAY that “the mere possession by the Government of information that might be confidential or private does not of itself suggest any breach of the constitutional right to privacy”.
“The Government, through its various departments, including the Queen Elizabeth Hospital, possesses confidential information on many persons. It cannot and could not be suggested that that alone means that there exists a constitutional breach,” he said.
“In this context, any breach of a constitutional right to privacy can only be engaged if there is the disclosure by the Government of that confidential and private information of persons. The information gathered in the questionnaires is confidential and private information of students. Only if that information is used in a way that discloses the identity of the students would a constitutional infringement be arguable.”
The constitutional expert said while there could be queries about the justification for students having to identify themselves in the survey, that was not a constitutional argument. Questions relating to the propriety of certain questions posed on the questionnaire are similarly not constitutional questions,” the law professor argued.
In matters of data collection, the Data Protection Commissioner is also responsible for organising activities specifically for children to educate them about the risks, rules, safeguards, and rights in relation to processing; upon request, providing information to any data subject concerning the exercise of their rights under the Act; and conducting audits for the purpose of ascertaining whether or not data is processed in accordance with the Act.