LINKAGE Q1 (2022) - BREAK THE BIAS
By Fanta Punch and Jeanelle Pran
We live in a world where online transactions dominate the way we do business, even more so in light of the changes brought about by the Covid-19 pandemic. Whether it is banking, making purchases or communicating with others, the world wide web has both eased and complicated the way we interact with one another and carry out commercial transactions.
There are no doubt serious challenges in dealing with the speed at which personal information, particularly sensitive information, is now transmitted, and in dealing with the fallout when data security measures fail.
An increase in online activity brings with it an increase in data breaches and cybercrime. Recently, Aeropost Trinidad & Tobago, the courier and logistics company which facilitates the shipping of online purchases, suffered a data breach after one of its security systems was hacked. According to reports, this exposed the data of approximately 6% of its customers and led to some customers cancelling their credit cards to reduce the risk of fraudulent transactions. Similarly, Massy Stores in Trinidad & Tobago confirmed that it was the target of a cyberattack which caused technical difficulties in its operations, including customers being unable to purchase items. These recent attacks have once again brought data protection and cybersecurity to the forefront in Trinidad & Tobago.
This article explores the status of Trinidad & Tobago's data protection and cybersecurity regime and offers practical tips for reducing the risk of data breaches and fraud.
The Data Protection Act 2011 ('DPA') is only partially proclaimed, with the majority of its operative provisions not yet in force. This has been the case for some time, and there is no clear indication as to when these operative parts will come into force, or whether the DPA will be revised given the length of time which has elapsed since its partial proclamation.
The DPA sets out General Privacy Principles which apply to all persons who handle, store or process personal information belonging to another person. Personal information means information about an identifiable individual that is recorded in any form, including (but not limited to) information as to race, nationality, ethnic origin, religion, age or marital status.
The General Privacy Principles which are applicable to persons who handle, store or process personal information are as follows:
(a) an organisation should be responsible for the personal information under its control;
(b) the purpose for which personal information is collected should be identified by the organisation before or at the time of collection;
(c) knowledge and consent of the individual are required for the collection, use or disclosure of personal information;
(d) collection of personal information should be legally undertaken and be limited to what is necessary in accordance with the purpose identified by the organisation;
(e) personal information should only be retained for as long as is necessary for the purpose collected and should not be disclosed for purposes other than the purpose of collection without the prior consent of the individual;
(f) personal information should be accurate, complete and up-to-date as is necessary for the purpose of collection;
(g) personal information is to be protected by such appropriate safeguards having regard to the sensitivity of the information;
(h) sensitive personal information is protected from processing except where otherwise provided for by written law;
(i) organisations are to make available to individuals documents regarding their policies and practices related to the management of personal information except where otherwise provided by written law;
(j) organisations should, except where otherwise provided by written law, disclose at the request of the individual, all documents relating to the existence, use and disclosure of personal information, such that the individual can challenge the accuracy and completeness of the information;
(k) the individual has the ability to challenge the organisation’s compliance with the above principles and receive timely and appropriate engagement from the organisation; and
(l) personal information which is requested to be disclosed outside of T&T should be regulated and comparable safeguards to those under the DPA should exist in the jurisdiction receiving the personal information.
These General Privacy Principles are essentially guidelines as to how personal information should be treated by persons who control or handle that information. Notably, while they are in force and should be adhered to, there are no penalties for failing to do so, because the penal provisions of the DPA are not yet in force. Therefore, if a data handler fails to obtain the knowledge and consent of an individual before using or disclosing their personal information, this is in principle a violation of the DPA, but strictly speaking there is no accompanying sanction under the DPA.
Separately from the DPA, a duty of confidentiality may arise in certain circumstances. Most commonly this occurs where a contract expressly provides that certain information is to be treated as confidential and not disclosed (or disclosed only with consent).
In Trinidad & Tobago, the law of confidence protects secrets or confidential information from unauthorised disclosure. Generally, in order to establish a claim under the law of confidence, the following must be established:
i. The information must be confidential;
ii. The information must be imparted in circumstances importing an obligation of confidence; and
iii. There has to be an unauthorised use of the information.
There have been a number of attempts by the Trinidad & Tobago Government over the past few years to introduce a Cybercrime Bill, but these attempts have not advanced and no such Bill has been brought into law. As a result, there is currently no cybersecurity-specific legislation in Trinidad & Tobago. There is, however, other legislation which touches on certain aspects of cybersecurity and may apply depending on the circumstances, such as the Computer Misuse Act and the Interception of Communications Act.
Trinidad & Tobago's legal regime has a long journey ahead in tackling cybercrime and data breaches if it is to keep pace with the growth of the online world and the challenges that come with it. While we do not have the strongest legislative regime in place, there are practical measures which can be adopted when navigating the online world and when handling personal information. Some of these are discussed below.
1) Practical tips for persons who handle and process personal data
i. Be guided by the General Privacy Principles when dealing with personal information. For instance, obtain the knowledge and consent of individuals before collecting, using or disclosing their personal information. This consent should be documented and recorded in writing and should specifically set out what the information will be used for, so that the organisation can later show that consent was properly obtained.
ii. Store data for no longer than is absolutely necessary. While it may be convenient to retain data, every record held is a record that can be exposed in a breach, and unauthorised disclosure of personal information opens the organisation to potential liability.
iii. Use encryption tools where possible. Organisations which handle and process large volumes of personal information ought to invest in software and tools which give the greatest protection to that information, both in transit and at rest, with encryption keys kept separate from the data they protect. This not only protects the organisation against cybercrime but reduces the harm, and the potential liability, if stored data is stolen.
2) Practical tips when navigating the online world
i. Be mindful of the online space in which your personal information (for example credit card details) is being used and/or accessed. When using your credit card on online platforms, consider not saving the details for future use. If you do opt to save them, only do so on credible, reputable and reliable websites.
ii. Password-protect sensitive files before sending them by email or social media, share the password through a separate channel rather than in the same message, and change your passwords regularly and immediately if you suspect they have been exposed.
iii. Be proactive in continually monitoring your online presence, stay alert to any sign of a security breach and take early steps to contain it.
iv. Avoid connecting to public networks, especially with devices containing sensitive information (e.g. work laptops).
While the age of technology is no doubt advantageous, we must be mindful of the way we interact with personal data, whether we are the person entering that data into a website or the person handling and processing it.
Indeed, T&T's legislative regime has much development to do in the area of data protection and cybersecurity, and action must be taken as a matter of priority, failing which we will fall even further behind other jurisdictions and their cybersecurity and data protection regimes than we already are.
The information provided in this article does not and is not intended to constitute legal advice. All information is provided for general information purposes only. Specific advice should be sought from your Attorney-at-Law on any issues raised herein, if thought necessary.
Jeanelle Pran is an Associate Attorney-at-Law at M. Hamel-Smith & Co.
Fanta Punch is an Attorney-At-Law and Partner at M. Hamel-Smith & Co.
Copyright © AMCHAM T&T