Bahamas Numbered Acts
No. 3 of 2003
AN ACT TO PROTECT THE PRIVACY OF INDIVIDUALS IN RELATION TO PERSONAL DATA AND TO REGULATE THE COLLECTION, PROCESSING, KEEPING, USE AND DISCLOSURE OF CERTAIN INFORMATION RELATING TO INDIVIDUALS AND TO PROVIDE FOR MATTERS INCIDENTAL THERETO OR CONNECTED THEREWITH.
[Date of Assent: 11th April, 2003]
Enacted by the Parliament of The Bahamas.
PART I
PRELIMINARY
Short title and commencement.
1.(1) This Act may be cited as the Data Protection (Privacy of Personal Information) Act, 2003.
(2) This Act shall come into operation on such day as the Minister may, by notice published in the Gazette, appoint.
Interpretation.
2.(1) In this Act -
"back-up data" means data kept only for the purpose of replacing other data in the event of their being altered, lost, destroyed or damaged;
"the Commissioner" means the Data Protection Commissioner established under section 14;
"company" has the meaning assigned to it by the Companies Act, 1992 or an International Business Company under the International Business Companies Act, 2000;
"the Court" means the Supreme Court or a judge thereof;
"data" means information in a form in which it can be processed;
"data controller" means a person who, either alone or with others, determines the purposes for which and the manner in which any personal data are, or are to be, processed;
"data equipment" means equipment for processing data;
"data material" means any document or other material used in connection with, or produced by, data equipment;
"data processor" means a person who processes personal data on behalf of a data controller but does not include an employee of a data controller who processes such data in the course of his employment;
"data subject" means an individual who is the subject of personal data;
"days" means working days;
"direct marketing" includes direct mailing;
"disclosure", in relation to personal data, includes the disclosure of information extracted from such data but does not include a disclosure made directly or indirectly by a data controller to an employee or agent of his or to a data processor for the purpose of enabling the employee, agent or data processor to carry out his duties; and, where the identification of a data subject depends partly on the data and partly on other information in the possession of the data controller, the data shall not be regarded as disclosed unless the other information is also disclosed;
"enforcement notice" means a notice issued by the Commissioner under section 16;
"government agency" means any Ministry or department of Government, or any body or office specified in the First Schedule, which Schedule may be amended by the Minister by Order from time to time; [First Schedule.]
"head" means in respect of a government agency, the designated officer appearing in the second column corresponding with the government agency in the first column, of the First Schedule; [First Schedule.]
"information notice" means a notice issued by the Commissioner under section 18;
"the Minister" means the Minister with responsibility for Information Privacy and Data Protection;
"personal data" means data relating to a living individual who can be identified either from the data or from the data in conjunction with other information in the possession of the data controller;
"processing", in relation to information or data, means obtaining, recording or holding the information or data or carrying out any operation or set of operations on the information or data, including -
(a) organisation, adaptation or alteration of the information or data;
(b) retrieval, consultation or use of the information or data;
(c) transmission of data;
(d) dissemination or otherwise making available; or
(e) alignment, combination, blocking, erasure or destruction of the information or data;
"prohibition notice" means a notice served under section 17;
"public officer" has the meaning assigned to it by the Public Service Act; [Ch. 31.]
"sensitive personal data" means personal data relating to -
(a) racial origin;
(b) political opinions or religious or other beliefs;
(c) physical or mental health (other than any such data reasonably kept by them in relation to the physical or mental health of their employees in the ordinary course of personnel administration and not used or disclosed for any other purpose);
(d) trade union involvement or activities;
(e) sexual life; or
(f) criminal convictions, the commission or alleged commission of any offence, or any proceedings for any offence committed, the disposal of such proceedings or the sentence of any court in such proceedings.
(2) For the purposes of this Act, data are inaccurate if they are incorrect or misleading as to any matter of fact:
Provided that this section shall not have been contravened by a data controller as respects any inaccuracy in personal data which accurately record information obtained by the data controller from the data subject or a third party in any case where -
(a) having regard to the purpose or purposes for which the data were obtained and further processed, the data controller has taken reasonable steps to ensure the accuracy of the data; and
(b) if the data subject has notified the data controller of the data subject's view that the data are inaccurate, the data indicate that fact.
Crown to be bound.
3.(1) This Act binds the Crown.
(2) Where a government agency, satisfies the conditions for being a data controller or a data processor under this Act, the head of such institution shall be deemed, for the purposes of this Act, to be a data controller or, as the case may be, a data processor.
(3) For the purposes of this Act, as respects any personal data, all other public officers or employees, as the case may be, within the same institution, shall be deemed to be employees of the designated head in the case of a designation provided for in subsection (2).
Application of Act.
4.(1) Except as otherwise provided for herein, this Act applies to a data controller in respect of any data only if -
(a) the data controller is established in The Bahamas and the data are processed in the context of that establishment; or
(b) the data controller is not established in The Bahamas but uses equipment in The Bahamas for processing the data otherwise than for the purpose of transit through The Bahamas.
(2) A data controller falling within subsection (1)(b) must nominate for the purposes of this Act a representative established in The Bahamas.
(3) For the purposes of subsections (1) and (2), each of the following is to be treated as established in The Bahamas -
(a) an individual who is ordinarily resident in The Bahamas;
(b) a body incorporated or registered under the laws of The Bahamas;
(c) a partnership or other unincorporated association formed under the laws of The Bahamas; and
(d) any person who does not fall within paragraph (a), (b) or (c) but, maintains in The Bahamas an office, branch or agency through which he carries on any business activity or a regular practice.
Exclusions to Act.
5. This Act shall not apply to personal data -
(a) that in the opinion of the Minister or the Minister for National Security are, or at any time were, kept for the purpose of safeguarding the security of The Bahamas;
(b) consisting of information that the person keeping the data is required by law to make available to the public;
(c) kept by an individual and concerned only with the management of his personal, family or household affairs or kept by an individual only for recreational purposes;
(d) deliberations of Parliament and Parliamentary committees; or
(e) pending civil, criminal or international legal assistance procedures.
PART II
PROTECTION OF PRIVACY OF INDIVIDUALS WITH REGARD TO PERSONAL DATA
Collection, processing, keeping, use and disclosure of personal data.
6.(1) A data controller shall comply with the following provisions in relation to personal data kept by him -
(a) the data or the information constituting the data shall have been collected by means which are both lawful and fair in the circumstances of the case;
(b) the data is accurate and, where necessary, kept up to date, (except in the case of back-up data);
(c) the data -
(i) shall be kept only for one or more specified and lawful purposes,
(ii) shall not be used or disclosed in any manner incompatible with that purpose or those purposes,
(iii) shall be adequate, relevant and not excessive in relation to that purpose or those purposes, and
(iv) shall not be kept for longer than is necessary for that purpose or those purposes, except in the case of personal data kept for historical, statistical or research purposes; and
(d) appropriate security measures shall be taken against unauthorised access to, or alteration, disclosure or destruction of, the data and against their accidental loss or destruction.
(2) In determining for the purposes of subsection (1)(a) of this section, whether personal data or information constituting such data are fair in the circumstances of the case, regard is to be had to the method by which they are obtained, including in particular whether any person from whom they are obtained is deceived or misled as to the purpose or purposes for which they are to be processed:
Provided however that the data or the information constituting such data shall not be regarded for the purposes of subsection (1)(a) of this section as having been obtained unfairly by reason only that its use for any such purpose was not disclosed when it was obtained, if the data are not used in such a way that damage or distress is, or is likely to be, caused to any data subject.
(3) A data processor shall, as respects personal data processed by him, comply with subsection (1)(d) of this section.
Exceptions to section 6.
7. Subsection (1)(a) of section 6 shall not apply to information intended for inclusion in data, or to data, kept for a purpose mentioned in paragraph (a) of section 9, in any case in which the application of that paragraph to the data would be likely to prejudice any of the matters mentioned in paragraph (a) of section 9.
Right of access.
8.(1) Subject to the provisions of this Act, any individual who makes a written request to a data controller has a right, within forty days after complying with the provisions of this section, to -
(a) be informed by the data controller whether the data kept by him include personal data relating to the individual;
(b) be supplied by the data controller with a copy of the information constituting any such data; and
(c) where any of the information is expressed in terms that are not intelligible to the average person without explanation, the information shall be accompanied by an explanation of those terms.
(2) A request for the information specified in subsection (1)(a) shall, in the absence of any indication to the contrary, be treated as including a request for a copy of the information specified in subsection (1)(b).
(3) The Minister may by regulations prescribe the fee to be charged by a data controller in respect of such a request as aforesaid, and any fee so paid shall be reimbursed where the request is not complied with or the data controller rectifies, supplements, or erases part of, the data concerned (and thereby materially modifies the data) or erases all of the data on the application of the individual or in accordance with an enforcement notice hereunder or court order.
(4) An individual making a request under this section shall supply the data controller concerned with such information as he may reasonably require in order to satisfy himself of the identity of the individual and to locate any relevant personal data or information.
(5) Nothing in subsection (1) obliges a data controller to disclose to a data subject personal data relating to another individual unless that other individual has consented to the disclosure:
Provided that, where the circumstances are such that it would be reasonable for the data controller to conclude that, if any particulars identifying that other individual were omitted, the data could then be disclosed as aforesaid without his being thereby identified to the data subject, the data controller shall be obliged to disclose the data to the data subject with the omission of those particulars.
(6) Information supplied pursuant to a request under subsection (1) may take account of any amendment of the personal data concerned made since the receipt of the request by the data controller (being an amendment that would have been made irrespective of the receipt of the request) but not of any other amendment.
(7) A notification of a refusal of a request made by an individual under the preceding provisions of this section shall be in writing and shall include a statement of the reasons for the refusal and an indication that the individual may complain to the Commissioner about the refusal.
(8) Where a data controller has previously complied with a request made under subsection (1) by an individual, the data controller is not obliged to comply with a subsequent, identical or similar request under that subsection by that individual unless a reasonable interval has elapsed between compliance with the previous request and the making of the current request.
(9) In determining for the purposes of subsection (8) whether requests under subsection (1) are made at reasonable intervals, regard shall be had to the nature of the data, the purposes for which the data are processed and the frequency with which the data are altered.
Exceptions to right of access.
9. Section 8 shall not apply to personal data -
(a) kept for the purpose of preventing, detecting or investigating an offence or a breach of agreement, apprehending or prosecuting offenders or assessing or collecting any tax, duty or other moneys owed or payable to the Government, a local authority, a statutory corporation, or a public body, in any case in which the application of that section to the data would be likely to prejudice any of the matters aforesaid;
(b) to which, by virtue of paragraph (a) section 8 does not apply and which are kept for the purpose of discharging a function conferred by or under any enactment and consisting of information obtained for such a purpose from a person who had it in his possession for any of the purposes mentioned in paragraph (a);
(c) in any case in which the application of section 8 would be likely to prejudice the security of, or the maintenance of good order and discipline in a prison, a place of detention provided under the Prisons Act, or any other enactment under the laws of The Bahamas; [Ch. 193.]
(d) kept for the purpose of performing such functions conferred by or under any enactment as may be specified by regulations made by the Minister, being functions that, in the opinion of the Minister, are designed to protect members of the public against financial loss in any case in which the application of that section to the data would be likely to prejudice the proper performance of any of those functions, occasioned by -
(i) dishonesty, incompetence or malpractice on the part of persons concerned in the provision of banking, insurance, investment or other financial services or in the management of companies or similar organisations, or
(ii) the conduct of persons who have at any time been adjudicated bankrupt;
(e) in respect of which the application of that section would be contrary to the interests of protecting the international relations of The Bahamas;
(f) consisting of an estimate of, or kept for the purpose of estimating, the amount of the liability of the data controller concerned based on a claim for the payment of a sum of money, whether in respect of damages or compensation, in any case in which the application of section 8 would be likely to prejudice the interests of the data controller in relation to the claim;
(g) in respect of which a claim of privilege could be maintained in proceedings in a court in relation to communications between a client and his professional legal advisers or between those advisers;
(h) kept only for the purpose of preparing statistics or carrying out research if the data are not used or disclosed (other than to a person to whom a disclosure of such data may be made in the circumstances specified in section 13) for any other purpose and the resulting statistics or the results of the research are not made available in a form that identifies any of the data subjects;
(i) in any case in which the application of that section would reveal confidential commercial information which cannot be severed from the record containing the personal information for which access is requested; or
(j) that are back-up data.
Right of rectification or erasure.
10.(1) An individual shall, upon submission of a written request to a data controller who keeps personal data relating to him, be entitled to have rectified or, where appropriate, erased any such data in relation to which there has been a contravention of subsection (1) of section 6 by the data controller and the data controller shall comply with the request within forty days after it has been given or sent to him:
Provided that the data controller shall, as respects data that are inaccurate or not kept up to date, be deemed -
(a) to have complied with the request if he supplements the data with a statement (to the terms of which the individual has agreed) relating to the matters dealt with by the data; and
(b) if he supplements the data as aforesaid, not to be in contravention of subsection (1) (b) of section 6.
(2) In complying with a request under subsection (1) of this section, a data controller shall, within forty days after the request has been given or sent to him, notify the individual making the request of such compliance.
Right to prohibit processing for purposes of direct marketing.
11. Where a data subject makes a written request for the data controller to cease using, for the purpose of direct marketing, any data which was kept for that purpose, the data controller shall, as soon as may be and in any event not more than forty days after the request has been given or sent to him -
(i) erase all data as was kept for the purpose aforesaid, or
(ii) if the data are kept for that purpose and other purposes, cease using the data for that purpose, and
(iii) notify the data subject in writing accordingly.
Duty of care owed by data controllers.
12.(1) A person, being a data controller shall, so far as regards the collection by him of personal data or information intended for inclusion in such data or his dealing with such data, owe a duty of care to the data subject concerned:
Provided that, for the purposes of this section, a data controller shall be deemed to have complied with the provisions of subsection (1)(b) of section 6 if and so long as the personal data concerned accurately record data or other information received or obtained by him from the data subject or a third party and include (and, if the data are disclosed, the disclosure is accompanied by) -
(a) an indication that the information constituting the data was received or obtained as aforesaid;
(b) if appropriate, an indication that the data subject has informed the data controller that he regards the information as inaccurate or not kept up to date; and
(c) any statement with which, pursuant to this Act, the data are supplemented.
(2) A data controller shall use contractual or other legal means to provide a comparable level of protection from any third party to whom he discloses information for the purpose of data processing.
Disclosure of personal data in certain cases.
13. In this Act any restrictions on or exceptions to the disclosure of personal data do not apply if the disclosure is -
(a) in the opinion of the Minister or the Minister of National Security required for the purpose of safeguarding the security of The Bahamas;
(b) required for the purpose of preventing, detecting or investigating offences, apprehending or prosecuting offenders or assessing or collecting any tax, duty or other moneys owed or payable to the Government, statutory corporation, public body, or a local authority, in any case in which the application of those restrictions would be likely to prejudice any of the matters aforesaid;
(c) required in the interests of protecting the international relations of The Bahamas;
(d) required urgently to prevent injury or other damage to the health of a person or serious loss of or damage to property;
(e) required by or under any enactment or by a rule of law or order of a court;
(f) required for the purposes of obtaining legal advice or for the purposes of, or in the course of, legal proceedings in which the person making the disclosure is a party or a witness;
(g) made to the data subject concerned or to a person acting on his behalf; or
(h) made at the request or with the consent of the data subject or a person acting on his behalf.
PART III
THE DATA PROTECTION COMMISSIONER
The Commissioner.
14.(1) For the purposes of this Act, there shall be a person who shall be known as the Data Protection Commissioner and who shall perform the functions conferred on him by this Act.
(2) The Commissioner shall be a corporation sole.
(3) The provisions of the Second Schedule shall have effect in relation to the Commissioner. [Second Schedule.]
Enforcement of data protection.
15.(1) The Commissioner may investigate, or cause to be investigated, whether any of the provisions of this Act have been, are being or are likely to be contravened by a data controller or a data processor in relation to an individual either where the individual complains to him of a contravention of any of those provisions or he is otherwise of the opinion that there may be such a contravention.
(2) Where a complaint is made to the Commissioner under subsection (1), the Commissioner shall -
(a) investigate the complaint or cause it to be investigated, unless he is of the opinion that it is frivolous or vexatious; and
(b) as soon as may be, notify the individual concerned in writing of his decision in relation to the complaint and that the individual may, if aggrieved by his decision, appeal against the decision under section 24.
(3) If the Commissioner is of the opinion that a data controller or a data processor, has contravened or is contravening a provision of this Act (other than a provision the contravention of which is an offence), the Commissioner may, by notice in writing (referred to in this Act as an enforcement notice) served on the person, require him to take such steps as are specified in the notice within such time as may be so specified to comply with the provision concerned.
(4) Without prejudice to the generality of subsection (3), if the Commissioner is of the opinion that a data controller has contravened section 6, the relevant enforcement notice may require him -
(a) to rectify or erase any of the data concerned; or
(b) to supplement the data with such statement relating to the matters dealt with by them as the Commissioner may approve; and as respects data that are inaccurate or not kept up to date, if he supplements them as aforesaid, he shall be deemed not to be in contravention of subsection (1)(b) of section 6.
Enforcement notices.
16.(1) The Commissioner may issue an enforcement notice which shall -
(a) specify any provision of this Act that, in the opinion of the Commissioner, has been or is being contravened and the reasons for his having formed that opinion; and
(b) subject to subsection (2), state that the person concerned may appeal to the Court under section 24 against the requirement specified in the notice within twenty-one days from the service of the notice on him.
(2) Subject to subsection (3), the time specified in an enforcement notice for compliance with a requirement specified therein shall not be expressed to expire before the end of the period of twenty-one days specified in subsection (1) (b) and, if an appeal is brought against the requirement, the requirement need not be complied with and subsection (6) shall not apply in relation thereto, pending the determination or withdrawal of the appeal.
(3) If the Commissioner -
(a) by reason of special circumstances, is of the opinion that a requirement specified in an enforcement notice should be complied with urgently; and
(b) such enforcement notice includes a statement to that effect,
subsections (1)(b) and (2) shall not apply in relation to the notice, but the notice shall contain a statement of the effect of the provisions of section 24 (other than subsection (2)) and shall not require compliance with the requirement before the end of the period of seven days beginning on the date on which the notice is served.
(4) On compliance by a data controller with a requirement under subsection (4) of section 15, he shall, as soon as may be and in any event not more than forty days after such compliance, notify -
(a) the data subject concerned; and
(b) any person (where the Commissioner considers it reasonably practicable to do so) to whom the data were disclosed during the period beginning twelve months before the date of the service of the enforcement notice concerned and ending immediately before such compliance, of the rectification, erasure or statement concerned, if such compliance materially modifies the data concerned.
(5) The Commissioner may cancel an enforcement notice and, if he does so, shall notify in writing the person on whom it was served accordingly.
(6) A person who, without reasonable excuse, fails or refuses to comply with a requirement specified in an enforcement notice shall be guilty of an offence.
Prohibition on transfer of personal data outside The Bahamas.
17.(1) The Commissioner may, subject to the provisions of this section, prohibit the transfer of personal data from The Bahamas to a place outside The Bahamas, in such cases where there is a failure to provide protection either by contract or otherwise equivalent to that provided under this Act.
(2) In determining whether to prohibit a transfer of personal data under this section, the Commissioner shall also consider whether the transfer would be likely to cause damage or distress to any person and have regard to the desirability of facilitating international transfers of data.
(3) A prohibition under subsection (1) shall be effected by the service of a notice (referred to in this Act as a prohibition notice) on the person proposing to transfer the data concerned.
(4) A prohibition notice shall -
(a) prohibit the transfer concerned either absolutely or until the person aforesaid has taken such steps as are specified in the notice for protecting the interests of the data subjects concerned;
(b) specify the time when it is to take effect;
(c) specify the grounds for the prohibition; and
(d) subject to subsection (6), state that the person concerned may appeal to the Court under section 24 against the prohibition specified in the notice within twenty-one days from the service of the notice on him.
(5) Subject to subsection (6), the time specified in a prohibition notice for compliance with the prohibition specified therein shall not be expressed to expire before the end of the period of the twenty-one days specified in subsection (4) (d) and, if an appeal is brought against the prohibition, the prohibition need not be complied with and subsection (10) shall not apply in relation thereto, pending the determination or withdrawal of the appeal.
(6) If the Commissioner -
(a) by reason of special circumstances, is of the opinion that a prohibition specified in a prohibition notice should be complied with urgently; and
(b) such prohibition notice includes a statement to that effect,
subsections (4) (d) and (5) shall not apply in relation to the notice but the notice shall contain a statement of the effect of the provisions of section 24 (other than subsection (2)) and shall not require compliance with the prohibition before the end of the period of seven days beginning on the date on which the notice is served.
(7) The Commissioner may cancel a prohibition notice and, if he does so, shall notify in writing the person on whom it was served accordingly.
(8) This section shall not apply to a transfer of data if the transfer of the data or the information constituting the data is required or authorised by or under any enactment, or required by any convention or other instrument imposing an international obligation on The Bahamas, or otherwise made pursuant to the consent (express or implied) of the data subjects.
(9) This section applies, with any necessary modifications, to a transfer of information from The Bahamas to a place outside The Bahamas for conversion into personal data as it applies to a transfer of personal data from The Bahamas to such a place; and in this subsection "information" means information (not being data) relating to a living individual who can be identified from it.
(10) A person who, without reasonable excuse, fails or refuses to comply with a prohibition specified in a prohibition notice shall be guilty of an offence.
Power to require information.
18.(1) The Commissioner may, by notice in writing (referred to in this Act as an information notice) served on a person, require the person to furnish to him in writing within such time as may be specified in the notice such information in relation to matters specified in the notice as is necessary or expedient for the performance by the Commissioner of his functions.
(2) Subject to subsection (3) -
(a) an information notice shall state that the person concerned may appeal to the Court under section 24 against the requirement specified in the notice within twenty-one days from the service of the notice on him; and
(b) the time specified in the notice for compliance with a requirement specified therein shall not be expressed to expire before the end of the period of twenty-one days specified in paragraph (a) and, if an appeal is brought against the requirement, the requirement need not be complied with and subsection (5) shall not apply in relation thereto, pending the determination or withdrawal of the appeal.
(3)
If the Commissioner -
|
|||||||||
(a)
by reason of special
circumstances, is of the opinion that a requirement specified in an
information notice should be complied with
urgently; and
|
|||||||||
(b)
such information notice includes
a statement to that effect,
|
|||||||||
subsection (2) shall not apply in relation to the notice, but the notice shall contain a statement of the effect of the provisions of section 24 (other than subsection (2)) and shall not require compliance with the requirement before the end of the period of seven days beginning on the date on which the notice is served. |
|||||||||
(4)
No enactment or rule of law
prohibiting or restricting the disclosure of information shall
preclude a person from furnishing to the
Commissioner any
information that is necessary or expedient for the performance by
the Commissioner of his functions and this subsection
shall not
apply to information that in the opinion of the Minister or the
Minister for National Security is, or at any time was,
kept for the
purpose of safeguarding the security of The Bahamas or information
that is privileged from disclosure in proceedings
in any
court.
|
|||||||||
(5)
A person who, without
reasonable excuse, fails or refuses to comply with a requirement
specified in an information notice or who in
purported compliance
with such a requirement furnishes information to the Commissioner
that the person knows to be false or misleading
in a material
respect shall be guilty of an offence.
|
|||||||||
19.(1)
In this section "authorised
officer" means a person authorised in writing by the Commissioner
to exercise the powers conferred by
this section, for the purposes
of this Act.
|
Powers of authorised officer. |
||||||||
(2)
Where a Magistrate is
satisfied by evidence on oath that there is reasonable cause to
believe that for the purpose of obtaining any
information that is
necessary or expedient for the performance by the Commissioner of
his functions, he may grant a warrant directed
to an authorised
officer to -
|
|||||||||
(a)
enter, at all reasonable times,
premises that he reasonably believes to be occupied by a data
controller or a data processor, inspect
the premises and any data
therein (other than data consisting of information specified in
subsection (4) of section 18) and inspect,
examine, operate and
test any data equipment therein;
|
|||||||||
(b)
require any person on the
premises, being a data controller, a data processor or an employee
of either of them, to disclose to the
officer any such data and
produce to him any data material (other than data material
consisting of information so specified) that
is in that person's
power or control and to give to him such information as he may
reasonably require in regard to such data and
material;
|
|||||||||
(c)
either on the premises or
elsewhere, inspect and copy or extract information from such data,
or inspect and copy or take extracts
from such material; and
|
|||||||||
(d)
require any person mentioned in
paragraph (b) to give to the officer such information as he may
reasonably require in regard to the
procedures employed for
complying with the provisions of this Act, the sources from which
such data are obtained, the purposes for
which they are kept, the
persons to whom they are disclosed and the data equipment in the
premises.
|
|||||||||
(3)
A person who obstructs or
impedes an authorised officer in the exercise of a power, or
without reasonable excuse does not comply with
a requirement under
this section, or who in purported compliance with such a
requirement gives information to an authorised officer
that he
knows to be false or misleading in a material respect shall be
guilty of an offence.
|
|||||||||
20.(1)
The Commissioner may encourage
trade associations and other bodies representing categories of data
controllers to prepare codes of
practice to be complied with by
those categories in dealing with personal data.
|
Codes of practice. |
||||||||
(2)
The Commissioner may approve
of any code of practice so prepared (referred to subsequently in
this section as a code) if he is of
opinion that it provides for
the data subjects concerned protection with regard to personal data
relating to them that conforms with
that provided for by sections
6, 8 (other than subsection (9)) and 10 and shall encourage its
dissemination to the data controllers
concerned.
|
|||||||||
(3)
Any such code that is approved
by the Commissioner shall be laid by the Minister before each House
of Parliament and shall be subject
to affirmative resolution of
each House.
|
|||||||||
(4)
In subsection (3),
"affirmative resolution of each House" means that such code shall
not come into operation unless and until affirmed
by a resolution
of each House of Parliament.
|
|||||||||
(5)
This section shall apply in
relation to data processors as it applies in relation to categories
of data controllers with the modification
that the references in
this section to the said sections shall be construed as references
to subsection (1)(d) of section 6 and with
any other necessary
modifications.
|
|||||||||
21.(1)
The Commissioner shall in each
year after the year in which the first Commissioner is appointed
prepare a report in relation to his
activities under this Act in
the preceding year and cause copies of the report to be laid before
each House of Parliament.
|
Annual report. |
||||||||
(2)
Notwithstanding subsection
(1), if, but for this subsection, the first report under that
subsection would relate to a period of less
than six months, the
report shall relate to that period and to the year immediately
following that period and shall be prepared as
soon as may be after
the end of that year.
|
|||||||||
PART IV |
|||||||||
MISCELLANEOUS |
|||||||||
22.(1)
Personal data processed by a
data processor shall not be disclosed by him, or by an employee or
agent of his, without the prior authority
of the data controller on
behalf of whom the data are processed.
|
Unauthorised disclosure by data processor. |
||||||||
(2)
A person who knowingly
contravenes subsection (1) shall be guilty of an offence.
|
|||||||||
23.(1)
A person who -
|
Disclosure of personal data obtained without authority. |
||||||||
(a)
obtains access to personal data,
or obtains any information constituting such data, without the
prior authority of the data controller
or data processor by whom
the data are kept; and
|
|||||||||
(b)
discloses the data or information
to another person, shall be guilty of an offence.
|
|||||||||
(2)
Subsection (1) shall not apply
to a person who is an employee or agent of the data controller or
data processor concerned.
|
|||||||||
24.(1)
An appeal may be made to and
heard and determined by the Court against -
|
Appeals to Court. |
||||||||
(a)
a requirement specified in an
enforcement notice or an information notice;
|
|||||||||
(b)
a prohibition specified in a
prohibition notice; or
|
|||||||||
(c)
a decision of the Commissioner in
relation to a complaint under subsection (1) of section 15;
|
|||||||||
and such an appeal shall be brought within twenty-one days from the service on the person concerned of the relevant notice or, as the case may be, the receipt by such person of the notification of the relevant refusal or decision. |
|||||||||
(2)
Where -
|
|||||||||
(a)
a person appeals to the Court
pursuant to paragraph (a), (b) or (c) of subsection (1);
|
|||||||||
(b)
the appeal is brought within the
period specified in the notice; and
|
|||||||||
(c)
the Commissioner has included a
statement in the relevant notice or notification to the effect that
by reason of special circumstances
he is of opinion that the
requirement or prohibition specified in the notice should be
complied with, or the refusal specified in
the notification should
take effect, urgently,
|
|||||||||
then, notwithstanding any provision of this Act, if the Court, on application made to it in that behalf, so determines, non-compliance by the person with a requirement or prohibition specified in the notice during the period ending with the determination or withdrawal of the appeal or during such other period as may be determined as aforesaid shall not constitute an offence. |
|||||||||
25.(1)
In any proceedings -
|
Evidence in proceedings. |
||||||||
(a)
a certificate signed by the
Minister or the Minister for National Security and stating that in
his opinion personal data are, or at
any time were, kept for the
purpose of safeguarding the security of The Bahamas shall be
evidence of that opinion; or
|
|||||||||
(b)
a certificate -
|
|||||||||
(i)
signed by an officer on behalf
of the Minister or Minister of National Security, and
|
|||||||||
(ii)
stating that in the opinion of
the officer a disclosure of personal data is required for the
purpose aforesaid,
|
|||||||||
shall be evidence of that opinion; and |
|||||||||
(c)
A document purporting to be a
certificate under paragraph (a) or (b) and signed by a person
specified in the said paragraph (a)
or (b) shall be deemed to be
such a certificate and to be so signed unless the contrary is
proved.
|
|||||||||
(2)
Information supplied by a
person in compliance with a request made under section 6 or
subsection (1) of section 8, a requirement under
this Act or a
direction of a court in proceedings under this Act shall not be
admissible in evidence against him or his spouse in
proceedings for
an offence under this Act.
|
|||||||||
26.
The whole or any part of any
proceedings under this Act may, at the discretion of the Court, be
heard otherwise than in public.
|
Hearing of proceedings. |
||||||||
27.(1)
Where an offence under this
Act has been committed by a body corporate and is proved to have
been committed with the consent or connivance
of or to be
attributable to any neglect on the part of a person, being a
director, manager, secretary or other officer of that body
corporate, or a person who was purporting to act in any such
capacity, that person, as well as the body corporate, shall be
guilty
of that offence and be liable to be proceeded against and
punished accordingly.
|
Offences by directors, etc. of bodies corporate. |
||||||||
(2)
Where the affairs of a body
corporate are managed by its members, subsection (1) shall apply in
relation to the acts and defaults
of a member in connection with
his functions of management as if he were a director or manager of
the body corporate.
|
|||||||||
28.(1)
Summary proceedings for an
offence under this Act may be brought and prosecuted by the
Commissioner.
|
Prosecution of summary offences by Commissioner. |
||||||||
(2)
Notwithstanding any provision
in any enactment prescribing the period within which summary
proceedings may be commenced, summary proceedings
for an offence
under this Act may be instituted within one year from the date of
the offence.
|
|||||||||
29.(1)
A person guilty of an offence
under this Act shall be liable -
|
Penalties. |
||||||||
(a)
on summary conviction, to a fine
not exceeding two thousand dollars; or
|
|||||||||
(b)
on conviction on information, to
a fine not exceeding one hundred thousand dollars.
|
|||||||||
(2)
Where a person is convicted of
an offence under this Act, the court may order any data material
which appears to the court to be connected
with the commission of
the offence to be forfeited or destroyed and any relevant data to
be erased.
|
|||||||||
(3)
The court shall not make an
order under subsection (2) in relation to data material or data
where it considers that some person other
than the person convicted
of the offence concerned may be the owner of, or otherwise
interested in, the data unless such steps as
are reasonably
practicable have been taken for notifying that person and giving
him an opportunity to show cause why the order should
not be
made.
|
|||||||||
30.(1)
The Minister may, from time to
time make regulations for all or any of the following purposes
-
|
Regulations. |
||||||||
(a)
providing additional safeguards
in relation to sensitive personal data;
|
|||||||||
(b)
modifying the application of
section 8 to personal data in such manner and in such
circumstances, subject to such safeguards and to
such extent as may
be specified therein, where such data -
|
|||||||||
(i)
relates to physical or mental
health, or
|
|||||||||
(ii)
is kept for, or obtained in the
course of, carrying out social work by a government agency, a
statutory corporation, or a specified
voluntary organisation or
other body;
|
|||||||||
(c)
prescribing circumstances for the
purposes of section 9 in which a prohibition, restriction or
authorisation in relation to any information
ought to prevail in
the interests of the data subjects concerned or any other
individuals;
|
|||||||||
(d)
prescribing fees to be paid in
respect of matters arising under or provided for or authorised by
this Act;
|
|||||||||
(e)
prescribing offences and
penalties in respect of contravention of or non-compliance with any
provision of any regulations made under
this section;
|
|||||||||
(f)
providing for such matters as are
contemplated by or necessary for giving full effect to the
provisions of this Act and for their
due administration.
|
|||||||||
(2)
Regulations made under
paragraph (a) of subsection (1) are subject to affirmative
resolution of each House of Parliament and shall
be made only after
consultation with any other Minister of the Government who, having
regard to his functions, ought, in the opinion
of the Minister, to
be consulted.
|
|||||||||
(3)
In subsection (2),
"affirmative resolution of each House" means that such regulations
shall not come into operation unless and until
affirmed by a
resolution of each House of Parliament.
|
|||||||||
31.(1)
Within one year after the
coming into force of this Act data controllers shall have the
necessary measures in place that would allow
the exercise of a
request for access, pursuant to section 8.
|
Transitional provisions. |
||||||||
(2)
Notwithstanding any other
provision contained herein to the contrary, Government agencies and
other bodies specified in the First
Schedule may continue for a
period of five years from the date of entry into force of this Act,
to use and process existing files
that contain personal data
including sensitive personal data which were acquired in
circumstances in which it is not possible to
determine if such was
obtained in pursuance of a legal obligation or with the consent of
the data subjects.
|
|||||||||
FIRST SCHEDULE |
|||||||||
1.
The Government.
|
|||||||||
2.
A Government Ministry.
|
|||||||||
3.
A local government authority,
and any other body (other than the Royal Bahamas Police and Defence
Forces) established -
|
|||||||||
(a)
by or under any enactment (other
than the Companies Acts, 1992), or
|
|||||||||
(b)
under the Companies Acts, 1992 in
pursuance of powers conferred by or under another enactment, and
financed wholly or partly by means
of moneys provided, or loans
made or guaranteed, by the Government or the issue of shares held
by or on behalf of the Government;
and a subsidiary of any such
body.
|
|||||||||
4.
A company the majority of the
shares in which are held by or on behalf of the Government.
|
|||||||||
5.
A body (other than a body
mentioned in paragraph 3 or 4) appointed by the Government or a
Minister of the Government.
|
|||||||||
6.
An individual (other than an
individual remunerated by a body mentioned in paragraph 3, 4 or 5
or in relation to whom the Government
or a Minister of the
Government is the appropriate authority) who is appointed by the
Government or a Minister of the Government
to an office established
by or under any enactment.
|
|||||||||
7.
Any other public authority,
body or person prescribed for the time being and financed or
remunerated wholly or partly out of moneys
provided from the
consolidated fund.
|
|||||||||
SECOND SCHEDULE |
|||||||||
THE DATA PROTECTION COMMISSIONER |
|||||||||
1.
The Commissioner shall be a
corporation sole and shall be independent in the performance of his
functions.
|
|||||||||
2.(1)
The Commissioner shall be
appointed in writing by the Governor-General acting on the advice
of the Prime Minister after consultation
with the Leader of the
Opposition.
|
|||||||||
(2)
The Commissioner -
|
|||||||||
(a)
may at any time resign his office
as Commissioner by letter addressed to the Governor-General and the
resignation shall take effect
on and from the date of receipt of
the letter;
|
|||||||||
(b)
may at any time be removed from
office by the Governor-General on the advice of the Prime Minister
after consultation with the Leader
of the Opposition if, in the
opinion of the Prime Minister, he has become incapable of
effectively performing his functions or has
committed a
misbehaviour; and
|
|||||||||
(c)
shall, in any case, vacate the
office of Commissioner on reaching the age of sixty-five
years.
|
|||||||||
3.
The term of office of a person
appointed to be the Commissioner shall be such term not exceeding
five years and, subject to the provisions
of this Schedule, he
shall be eligible for re-appointment to the office.
|
|||||||||
4.(1)
Where the Commissioner is
-
|
|||||||||
(a)
nominated as a member of the
Senate;
|
|||||||||
(b)
elected as a member of the House
of Assembly or a local authority,
|
|||||||||
he shall thereupon cease to be the Commissioner. |
|||||||||
(2)
A person who is for the time
being -
|
|||||||||
(a)
a member of either House of
Parliament;
|
|||||||||
(b)
an elected local government
member, shall, while he is so entitled or is such a member, be
disqualified from holding the office of
Commissioner.
|
|||||||||
5.
The Commissioner shall not
hold any other office or employment in respect of which emoluments
are payable.
|
|||||||||
6.
There shall be paid to the
Commissioner, out of moneys provided from the Consolidated Fund,
such remuneration and allowances for expenses
as the Minister, with
the consent of the Minister for Finance, may from time to time
determine.
|
|||||||||
7.
The Minister -
|
|||||||||
(a)
shall, with the consent of the
Minister for Finance, make and carry out, in accordance with its
terms, a scheme or schemes for the
granting of pensions, gratuities
or other allowances on retirement or death to or in respect of
persons who have held the office
of Commissioner;
|
|||||||||
(b)
may, with the consent of the
Minister for Finance, at any time make and carry out, in accordance
with its terms, a scheme or schemes
amending or revoking a scheme
under this paragraph,
|
|||||||||
and a scheme under this paragraph shall be laid before each House of Parliament as soon as may be after it is made and, if a resolution annulling the scheme is passed by either such House within the next twenty-one days on which that House has sat after the scheme is laid before it, the scheme shall be annulled accordingly, but without prejudice to the validity of anything previously done thereunder. |
|||||||||
8.(1)
The Minister may appoint to be
members of the staff of the Commissioner such number of persons as
may be determined from time to time
by the Minister, with the
consent of the Minister for Finance.
|
|||||||||
(2)
Members of the staff of the
Commissioner shall be public officers.
|
|||||||||
(3)
The functions of the
Commissioner under this Act may be performed during his temporary
absence by such member of the staff of the
Commissioner as he may
designate for that purpose.
|
|||||||||
9.(1)
The Commissioner shall keep in
such form as may be approved of by the Minister, with the consent
of the Minister for Finance, all
proper and usual accounts of all
moneys received or expended by him and all such special accounts
(if any) as the Minister, with
the consent of the Minister for
Finance, may direct.
|
|||||||||
(2)
Accounts kept in pursuance of
this paragraph in respect of each year shall be submitted by the
Commissioner in the following year
on a date (not later than a date
specified by the Minister) to the Auditor-General for audit and, as
soon as may be after the audit,
a copy of those accounts, or of
such extracts from those accounts as the Minister may specify,
together with the report of the Auditor-General
on the accounts,
shall be presented by the Commissioner to the Minister who shall
cause copies of the documents presented to him
to be laid before
each House of Parliament.
|
URL: http://www.commonlii.org/bs/legis/num_act/dpopia2003489