Antigua And Barbuda - Data Protection Act 2013
ANTIGUA AND BARBUDA
DATA PROTECTION ACT, 2013
No. 10 of 2013
[Published in the Official Gazette Vol. XXXIII No. 64 dated 7th November, 2013]
Printed at the Government Printing Office, Antigua and Barbuda, by Ralph George, Government Printer
— By Authority, 2013.
600— 11.13 [Price $7.15]
DATA PROTECTION ACT, 2013
Sections
ARRANGEMENT OF SECTIONS
PART I PRELIMINARY
1. Short title.
2. Interpretation
3. Objectives of Act
4. Savings
PART II
PRIVACY AND DATA PROTECTION PRINCIPLES
5. General Principle
6. Notice and Choice Principle
7. Disclosure Principle
8. Security Principle
9. Detention Principle
10. Data Integrity Principle
11. Access Principle
PART III
RIGHTS OF DATA SUBJECTS
12. Right of access to personal data
13. Notice and time where access is requested
14. Denial of access to personal data
15. Form of access
16. Right of rectification of personal data
17. Extent of disclosure of personal data
18. Processing of sensitive personal data
PART IV
EXEMPTIONS
19. Exemption
20. Power to make further exemptions
PART V
INFORMATION COMMISSIONER AND MISCELLANEOUS PROVISIONS
21. Information Commissioner and data protection
22. Intentional disclosure of information
23. General penalty
24. Appeals to Court
25. Protection from criminal or civil proceedings
26. Confidentiality
27. Report to Parliament
[ L.S.]
I Assent,
Louise Lake-Tack,
Governor-General.
28th October, 2013
ANTIGUA AND BARBUDA
DATA PROTECTION ACT, 2013
No. 10 of 2013
AN ACT to promote the protection of personal data processed by public and private bodies and for incidental and connected purposes.
ENACTED by the Parliament of Antigua and Barbuda as follows:
PART I PRELIMINARY
1. Short title
This Act may be cited as the Data Protection Act, 2013.
2. Interpretation
In this Act, unless the context otherwise requires:
“alternative format” means, with respect to personal data, a format that allows a person with a sensory disability to read or listen to the personal data;
“Chief Executive Officer” means the officer for the time being exercising the highest level of administrative functions within a public body or private body;
“commercial transaction” means any transaction of a commercial nature, whether contractual or not, which includes any matters relating to the supply or exchange of goods or services, agency, investments, financing, banking and insurance;
“correct” means, in relation to personal data, to alter the data by way of amendment, deletion, or addition;
“Court” means the Eastern Caribbean Supreme Court;
“data subject” means a natural or legal person who is the subject of personal data;
“data user” means a person who either alone or jointly or in common with other persons processes any personal data or has control over or authorizes the processing of any personal data, but does not include a data processor;
“document” means any medium in which data is recorded, whether printed or on tape or film or by electronic means or otherwise and also means any map, diagram, photograph, film, microfilm, video-tape, sound recording, or machine readable record or any record which is capable of being produced from a machine-readable record by means of equipment or a program, or a combination of both, which is used for that purpose by the public body or private body which holds the record;
“Information Commissioner” means the Commissioner appointed pursuant to section 35 of the Freedom of Information Act 2004;
“local authority” means a city council, a village council, or a town council;
“Minister” means the Minister with responsibility for public information;
“personal data” means any information in respect of commercial transactions, which–
(a) is being processed wholly or partly by means of equipment operating automatically in response to instructions given for that purpose;
(b) is recorded with the intention that it should wholly or partly be processed by means of such equipment; or
(c) is recorded as part of a relevant filing system or with the intention that it should form part of a relevant filing system, that relates directly or indirectly to a data subject, who is identified or identifiable from that information or from that and other information in the possession of a data user, including any sensitive personal data and expression of opinion about the data subject;
“private body” means a body, excluding a public body, that–
(a) carries on any trade, business or profession, but only in that capacity; or
(b) has legal personality;
“processing”, in relation to personal data, means collecting, recording, holding or storing the personal data or carrying out any operation or set of operations on the personal data, including the–
(a) organization, adaptation or alteration of personal data;
(b) retrieval, consultation or use of personal data;
(c) disclosure of personal data by transmission, transfer, dissemination or otherwise making available; or
(d) alignment, combination, correction, erasure or destruction of personal data;
“public body” includes–
(a) Parliament;
(b) the Cabinet;
(c) a ministry, a department or a division of the ministry or a constituency office of a Minister, wherever located;
(d) a local authority;
(e) a statutory corporation or body;
(f) a body corporate or an incorporated public body established for a public purpose, which is owned or controlled by the State;
(g) an embassy, consulate or mission of the Antigua and Barbuda or an office of the Antigua and Barbuda situated outside Antigua and Barbuda whose functions include the provision of diplomatic or consular services for or on behalf of Antigua and Barbuda; and
(h) any other body designated by the Minister by Regulations made under this Act, to be a public body for the purposes of this Act.
“sensitive personal data” means any personal data consisting of information as to the physical or mental health or condition of a data subject, his or her sexual orientation, his or her political opinions, his or her religious beliefs or other beliefs of a similar nature, the commission or alleged commission by him or her of any offence or any other personal data as the Minister may determine by Order published in the Gazette;
3. Objectives of Act
The objectives of this Act are to safeguard personal data processed by public bodies and private bodies in an era in which technology increasingly facilitates the processing of personal data by balancing the necessity of processing personal data and safeguarding personal data from unlawful processing by public bodies and private bodies; to promote transparency and accountability in the processing of personal data.
4. Savings of certain laws
This Act shall not affect the operation of any law of Antigua and Barbuda that makes provision for the processing of personal data and is capable of operating concurrently with this Act.
PART II
PRIVACY AND DATA PROTECTION PRINCIPLES
5. General Principle
(1) A data user shall not–
(a) in the case of personal data other than sensitive personal data, process personal data about a data subject unless the data subject has given his consent to the processing of the personal data; or
(b) in the case of sensitive personal data, process sensitive personal data about a data subject except in accordance with the provisions of section 18.
(2) Notwithstanding paragraph (1)(a) and subject to subsection (3), a data user may process personal data about a data subject if the processing is necessary–
(a) for the performance of a contract to which the data subject is a party;
(b) for the taking of steps at the request of the data subject with a view to entering into a contract;
(c) for compliance with any legal obligation to which the data user is the subject, other than an obligation imposed by a contract;
(d) in order to protect the vital interests of the data subject;
(e) for the administration of justice; or
(f) for the exercise of any functions conferred on a person by or under any law.
(3) Personal data shall not be processed unless the–
(a) personal data is processed for a lawful purpose directly related to an activity of the data user;
(b) processing of the personal data is necessary for or directly related to that purpose; and
(c) personal data is adequate but not excessive in relation to that purpose.
6. Notice and Choice Principle
A data user shall inform a data subject upon a request for personal data–
(a) the purposes for which the personal data is being or is to be collected and further processed;
(b) of any information available to the data user as to the source of that personal data;
(c) of the data subject’s right to request access to and to request correction of the personal data and how to contact the data user with any inquiries or complaints in respect of the personal data;
(d) of the class of third parties to whom the data user discloses or may disclose the personal data;
(e) whether it is obligatory or voluntary for the data subject to supply the personal data; and
(f) where it is obligatory for the data subject to supply the personal data, the consequences for the data subject if he or she fails to supply the personal data.
7. Disclosure Principle
Subject to section 17, no personal data shall, without the consent of the data subject, be disclosed–
(a) for any purpose other than–
(i) the purpose for which the personal data was to be disclosed at the time of collection of the personal data; or
(ii) a purpose directly related to the purpose referred to in subparagraph (i);
(b) to any party other than a third party of the class of third parties as specified in section 6 (d).
8. Security Principle
(1) A data user shall, when processing personal data, take practical steps to protect the personal data from any loss, misuse, modification, unauthorized or accidental access or disclosure, alteration or destruction by having regard to–
(a) the nature of the personal data and the harm that would result from such loss, misuse, modification, unauthorized or accidental access or disclosure, alteration or destruction
(b) the place or location where the personal data is stored;
(c) any security measures incorporated into any equipment in which the personal data is stored;
(d) the measures taken for ensuring the reliability, integrity and competence of personnel having access to the personal data; and
(e) the measures taken for ensuring the secure transfer of the personal data.
(2) Where processing of personal data is carried out by a data processor on behalf of the data user, the data user shall, for the purpose of protecting the personal data from any loss, misuse, modification, unauthorized or accidental access or disclosure, alteration or destruction, ensure that the data processor–
(a) provides sufficient guarantees in respect of the technical and organizational security measures governing the processing to be carried out; and
(b) takes reasonable steps to ensure compliance with those measures.
9. Retention Principle
(1) The personal data processed for any purpose shall not be kept longer than is necessary for the fulfilment of that purpose.
(2) It shall be the duty of a data user to take all reasonable steps to ensure that all personal data is destroyed or permanently deleted if it is no longer required for the purpose for which it was to be processed.
10. Data Integrity Principle
A data user shall take reasonable steps to ensure that the personal data is accurate, complete, not misleading and kept up-to-date by having regard to the purpose, including any directly related purpose, for which the personal data was collected and further processed.
11. Access Principle
A data subject shall be given access to his or her personal data held by a data user and be able to correct that personal data where the personal data is inaccurate, incomplete, misleading or not up-to-date, except where compliance with a request to such access or correction is refused under this Act.
PART III
RIGHTS OF DATA SUBJECTS
12. Right of access to personal data
Subject to the provisions of this Act, a public body or a private body shall, on the written request of and the payment of the prescribed fee by a person for access to personal data–
(a) inform the person whether personal data of which that person is the data subject is being processed by or on behalf of that body;
(b) if personal data is being processed by or on behalf of that body, communicate to the person in an intelligible form a description of–
(i) the personal data of which that person is the data subject;
(ii) the purposes for which the personal data is being or will be processed;
(iii) the recipients or classes of recipients to whom personal data is or may be disclosed; and
(iv) any information available to the body as to the source of the data.
13. Notice and time where access is requested
(1) Subject to section 14, where access to personal data is requested under section 12, the public body or private body to which the request is made shall, subject to subsection (2), within thirty days after the request is received –
(a) give written notice to the person who made the request as to whether or not access to the personal data or a part thereof will be granted; and
(b) if access is granted, give to the person who made the request, access to the personal data or a part thereof.
(2) A Chief Executive Officer may extend the time limit for compliance with a request for access to personal data –
(a) by a maximum of thirty days if–
(i) meeting the original time limit would unreasonably interfere with the operations of the public body or private body; or
(ii) consultations are necessary to comply with the request that cannot be reasonably be completed within the original time limit, or
(b) by such period of time as is reasonable, if the additional time is necessary for converting the personal data into an alternative format; by giving notice of the extension and the length of the extension to the person who made the request within thirty days after the request is received, and a statement that the person has a right to make a complaint to the Information Commissioner about the extension.
14. Denial of access to personal data
(1) A public body or a private body is not obliged to comply with a request for access to personal data–
(a) unless it is supplied with such information as it may reasonably require in order to satisfy itself as to the identity of the person making the request and to locate the personal data which that person seeks;
(b) if compliance with the request will be in contravention of the exemptions contained in Part IV or of any duty of confidentiality recognised by law;
(c) where another person who can be identified from the personal data consents to the disclosure of his or her personal data to the person making the request; or
(d) where the body obtains the written approval of the Information Commissioner.
(2) Where a public body or a private body refuses to give access to personal data, its Chief Executive Officer shall state in the notice given pursuant to section 13 (2)(a)–
(a) that the personal data does not exist; or
(b) the specific provision of this Act on which refusal was based or the provision on which a refusal could reasonably be expected to be based if the personal data existed, and that the person who made the request has the right to make a complaint to the Information Commissioner about the refusal.
(3) Where a Chief Executive Officer fails to give access to personal data requested under section 14 within the time limits set out in this Act, he or she shall, for the purposes of this Act, be deemed to have refused to give access.
15. Form of access
(1) Where a data subject is granted access to personal data requested pursuant to section 14, the public body or private body shall–
(a) permit the data subject to examine the personal data; or
(b) provide the data subject with a copy of the personal data.
(2) Where access to personal data is given under this Act and the data subject to whom access is granted has a sensory disability and requests that access be given in an alternative format, access shall be given in an alternative format if –
(a) the personal data already exists under the control of a public body or a private body in an alternative format that is acceptable to the person; or
(b) the Chief Executive Officer considers it to be reasonable to cause the personal data to be converted to an alternative format.
16. Right of rectification of personal data
(1) Where personal data that is processed by a public body or a private body to which access has been given, contains personal data which the data subject claims–
(a) is incomplete, incorrect, misleading, or excessive;
(b) is not relevant to the purpose for which the document is held; the body shall, upon application of the data subject, cause the data to be amended upon being satisfied of the claim.
(2) An application under subsection (1) shall–
(a) be in writing; and
(b) as far as practicable, specify–
(i) the document containing the record of personal data that is claimed to require the amendment;
(ii) the personal data that is claimed to be incomplete, incorrect, misleading or irrelevant
(iii) the reasons for the claim; and
(iv) the amendment requested by the data subject.
(3) To the extent that it is practicable to do so, the public body or private body shall, when making an amendment to personal data in a document pursuant to this section, ensure that it does not obliterate the text of the document as it existed prior to the amendment.
(4) Where a public body or a private body is not satisfied with the reasons for an application pursuant to subsection (1), it may refuse to make an amendment to the personal data and inform the data subject of its refusal and the reasons for the refusal and inform the data subject that he/she may lodge a complaint in writing to the Information Commissioner.
(5) A data subject who is aggrieved by a decision of a public body or a private body pursuant to subsection (4) may lodge a complaint in writing to the Information Commissioner within twenty–eight days of the date of the receipt of the communication of refusal.
17. Extent of disclosure of personal data
Notwithstanding section 7, personal data of a data subject may be disclosed by a data user for any purpose other than the purpose for which the personal data was to be disclosed at the time of its collection or any other purpose directly related to that purpose, only under the following circumstances the–
(a) data subject has given his or her consent to the disclosure;
(b) disclosure –
(i) is necessary for the purpose of preventing or detecting a crime, or for the purpose of investigations; or
(ii) was required or authorized by or under any law or by the order of a court;
(c) data user acted in the reasonable belief that he had in law the right to disclose the personal data to the other person;
(d) data user acted in the reasonable belief that he or she would have had the consent of the data subject if the data subject had known of the disclosing of the personal data and the circumstances of such disclosure; or
(e) disclosure was justified as being in the public interest in circumstances as determined by the Minister.
18. Processing of sensitive personal data
(1) Subject to subsection (2) and Part II, a data user shall not process any sensitive personal data of a data subject except in accordance with the following conditions–
(a) the data subject has given his or her explicit consent to the processing of the personal data;
(b) the processing is necessary–
(i) for the purposes of exercising or performing any right or obligation which is conferred or imposed by law on the data user in connection with employment;
(ii) in order to protect the vital interests of the data subject or another person, in a case where–
(A) consent cannot be given by or on behalf of the data subject; or
(B) the data user cannot reasonably be expected to obtain the consent of the data subject;
(iii) in order to protect the vital interests of another person, in a case where consent by or on behalf of the data subject has been unreasonably withheld;
(iv) for medical purposes and is undertaken by–
(A) a healthcare professional; or
(B) a person who in the circumstances owes a duty of confidentiality which is equivalent to that which would arise if that person were a healthcare profession for;
(v) the purpose of, or in connection with, any legal proceedings;
(vi) the purpose of obtaining legal advice;
(vii) the purposes of establishing, exercising or defending legal rights;
(viii) the administration of justice;
(ix) the exercise of any functions conferred on any person by or under any written law; or
(x) any other purposes as the Minister thinks fit; or
(c) the information contained in the personal data has been made public as a result of steps deliberately taken by the data subject.
(2) The Minister may by Order published in the Gazette exclude the application of subparagraph (1)(b)(i), (viii) or (ix) in such cases as may be specified in the order, or provide that, in such cases as may be specified in the order, the condition in subparagraph (1)(b)(i), (viii) or (ix) is not to be regarded as satisfied unless such further conditions as may be specified in the Order are also satisfied.
(3) A person who contravenes subsection (1) commits an offence and shall, on conviction, be liable to a fine not exceeding two hundred thousand dollars or to imprisonment for a term not exceeding three years or to both.
(4) For the purposes of this section–
“medical purposes” includes the purposes of preventive medicine, medical diagnosis, medical research, rehabilitation and the provision of care and treatment and the management of services relating to health care;
“healthcare professional” means a medical practitioner, dental practitioner, pharmacist, clinical psychologist, nurse, midwife, medical assistant, physiotherapist, occupational therapist and other allied healthcare professionals and any other person involved in the giving of medical, health, dental, pharmaceutical and any other healthcare services under the jurisdiction of the Ministry of Health.
PART IV
EXEMPTIONS
19. Exemption
(1) There shall be exempted from the provisions of this Act, personal data processed by an individual only for the purposes of that individual’s personal, family or household affairs, including recreational purposes.
(2) Subject to section 20, personal data–
(a) processed for the–
(i) prevention or detection of crime or for the purpose of investigations;
(ii) apprehension or prosecution of offenders; or
(iii) assessment or collection of any tax or duty or any other imposition of a similar nature, shall be exempted from the General Principle, Notice and Choice Principle, Disclosure Principle and Access Principle and other related provisions of this Act;
(b) processed in relation to information of the physical or mental health of a data subject shall be exempted from the Access Principle and other related provisions of this Act of which the application of the provisions to the data subject would be likely to cause serious harm to the physical or mental health of the data subject or any other individual;
(c) processed for preparing statistics or carrying out research shall be exempted from the General Principle, Notice and Choice Principle, Disclosure Principle and Access Principle and other related provisions of this Act, provided that such personal data is not processed for any other purpose and that the resulting statistics or the results of the research are not made available in a form which identifies the data subject;
(d) that is necessary for the purpose of or in connection with any order or judgment of a court shall be exempted from the General Principle, Notice and Choice Principle, Disclosure Principle and Access Principle and other related provisions of this Act;
(e) processed for the purpose of discharging regulatory functions shall be exempted from the General Principle, Notice and Choice Principle, Disclosure Principle and Access Principle and other related provisions of this Act if the application of those provisions to the personal data would be likely to prejudice the proper discharge of those functions; or
(f) processed only for journalistic, literary or artistic purposes shall be exempted from the General Principle, Notice and Choice Principle, Disclosure Principle, Retention Principle, Data Integrity Principle and Access Principle and other related provisions of this Act, provided that the–
(i) processing is undertaken with a view to the publication by a person of the journalistic, literary or artistic material;
(ii) data user reasonably believes that, taking into account the special importance of public interest in freedom of expression, the publication would be in the public interest; and
(iii) data user reasonably believes that in all the circumstances, compliance with the provision in respect of which the exemption is claimed is incompatible with the journalistic, literary or artistic purposes.
20. Power to make further exemptions
The Minister may, upon the recommendation of the Information Commissioner, by Order published in the Gazette exempt–
(a) the application of any of the Personal Data Protection Principles under this Act to any data user or class of data users; or
(b) any data user or class of data users from all or any of the provisions of this Act.
PART VI
THE INFORMATION COMMISSIONER AND MISCELLANEOUS PROVISIONS
21. Information Commissioner and data protection
For the purposes of this Act, the powers, functions and duties, conferred on the Information Commissioner pursuant to the Freedom of Information Act 2004, particularly under Parts V, VI and VII, shall be applicable as relevant for carrying out and enforcing the protection of data pursuant to the provisions of this Act.
22. Intentional disclosure of information
(1) A person who intentionally discloses personal information of another person in contravention of this Act commits an offence.
(2) A person who collects, stores or disposes of personal information of another person in a manner that contravenes this Act, commits an offence.
23. General Penalty
(1) A person who commits an offence under this Act for which a penalty is not specifically provided for is liable on–
(a) summary conviction, to a fine of not more than fifty thousand dollars or to imprisonment for a term of three years; or
(b) conviction on indictment, to a fine of not more than one hundred thousand dollars or to imprisonment for a term of not more than five years.
(2) Where the offences under this Act is committed by a body corporate, the body corporate shall be liable upon–
(a) summary conviction, to a fine not exceeding two hundred thousand dollars; and
(b) conviction on indictment, to a fine not exceeding five hundred thousand dollars.
24. Appeals to Court
An appeal lies to the Court against–
(a) a requirement specified in an enforcement notice or an information notice;
(b) a decision of the Information Commissioner in relation to a complaint; or
(c) any decision of the Information Commissioner in respect of the conduct of his duties and powers utilized pursuant to the provisions of this Act.
25. Protection from criminal or civil proceedings
(1) No criminal or civil proceedings shall lie against the Information Commissioner or against a person acting on behalf or under the direction of the Information Commissioner, for anything done, reported or said in good faith in the course of the exercise or performance or purported exercise, discharge, or performance of any power, duty or function of the Information Commissioner under this Act.
(2) For the purpose of any law relating to libel or slander–
(a) any words spoken, any information supplied or any document or thing produced in good faith in the course of an investigation carried out by or on behalf of the Information Commissioner under this Act is absolutely privileged; and
(b) any report made in good faith by the Information Commissioner under this Act is absolutely privileged.
26. Confidentiality
Subject to this Act, the Information Commissioner and every person acting on behalf or under the direction of the Information Commissioner shall not disclose any information that comes to their knowledge in the conduct of their functions under this Act.
27. Report to Parliament
The Information Commissioner shall include in his annual report to Parliament pursuant to section 39 of the Freedom of Information Act 2004, a report on the activities of the Information Commissioner with respect to data protection under the provisions of this Act.
28. Regulations
(1) The Minister may make Regulations for giving effect to the provisions of this Act and for prescribing anything required or authorised by this Act to be prescribed.
(2) Notwithstanding the generality of subsection (1), Regulations made under this section may prescribe –
(a) guidelines for the disposal of personal data held by a public body or a private body;
(b) special procedures for giving a person access to personal data pursuant to section 15; and
(c) codes of practice.
(3) All Regulations made under this Act shall be laid before Parliament and shall be subject to negative resolution.
Passed the House of Representatives on the 30th August, 2013.
Passed the Senate on the 12th September, 2013.
D. Gisele Isaac-Arrindell,
Speaker.
Hazlyn M. Francis,
President.
Ramona Small,
Clerk to the House of Representatives.
Ramona Small,
Clerk to the Senate.