
Working remotely and the Data Protection Act


Capital Law Associates takes a cautionary look at data protection and the remote workforce in the era of COVID-19.

Data, the new oil

Data is said to be the oil of the 21st century! It is the currency of the digital economy; and as humanity is plunged into an online existence, with an even greater rise in transactions involving the electronic transfer of information because of COVID-19 (a reality that almost seems ripped from a Stephen King novel), data, one can argue, is the currency!

Data Policy important in the remote environment

As companies redeploy employees from their office spaces to working from home, where the environment may be less rigid and the ICT infrastructure less secure, it is important that a Data Protection Policy (DPP) is in place. The DPP must be understood and adhered to by those employees dealing with the Personal Data of other staff, customers and the general public at large.

Personal Data is defined by the Bahamas’ Data Protection Act (the Act) as “data relating to a living individual who can be identified either from the data or from the data in conjunction with other information in the possession of the data controller”.  Personal data therefore can be one’s name, address, username and now, one’s IP address or one’s cell phone number.

Sensitive personal data is defined as data relating to a person’s racial origin; political opinions or religious or other beliefs; physical or mental health; sexual life; criminal convictions or the alleged commission of an offence; trade union membership.

The Act defines data controller as “a person who, either alone or with others, determines the purposes for which and the manner in which any personal data are, or are to be, processed”.  Essentially, a data controller has control over how the data collected is to be used – an example of a data controller is an employer who directs its payroll clerk to collect bank account information from staff in order to process direct deposits for staff salaries.

Multi-national Companies must be familiar with global data regulations

For multi-national companies operating in The Bahamas, or Bahamian companies that have clients and employees from other jurisdictions, it is important that the data protection regulations of those other nations, as well as those of The Bahamas, be upheld. In the United Kingdom (UK), the Data Protection Act 2018, which amended their 1998 Act and implemented the European Union (EU) General Data Protection Regulation (GDPR), controls how an individual’s personal data is used by organizations, businesses and the government. The United States of America (USA) has a broad “tapestry” of privacy laws and generally regulates privacy by industry, on a sector-by-sector basis. Understanding applicable Data Protection legislation in multiple jurisdictions can be daunting for any employer. However, there are some key universal data protection considerations that are a matter of good practice and are well stated under the Bahamian legislation.

Data Protection Principles to apply in your remote operations

Organizations making the adjustments to remote operations should follow these fundamental principles as provided under section 6 of the Act:

The starting point for companies (data controllers) is to adhere to the eight rules of data protection set out below:

  1. Ensure data is collected by means that are lawful and fair;
  2. Ensure data collected is accurate and remains current (where appropriate);
  3. Ensure that data is kept for specific and lawful purposes only;
  4. Ensure that the data collected is used only for the purposes for which it is collected and not disclosed for purposes other than the purpose for which it was collected;
  5. Minimize the collection of data – collect only the amount of data needed and that is relevant for the purpose;
  6. Keep data only as long as is necessary;
  7. Keep data safe and secure – free from access by those not authorized and free from accidental loss or damage;
  8. Ensure the data collected is not transferred to another country unless that country has an adequate level of protection.

Tips for applying the Data Protection Principles

Below is a non-exhaustive list that companies can implement to comply with the principles:

  • Create a Policy: Create an internal Data Protection Policy ASAP! Ensure your team knows their obligations under the policy.
  • Notices: To comply with these rules, data controllers should have clear and concise procedures that allow persons whose data is being collected (the data subject) to know the purpose for which the data is used, how it will be used and the timeframe for which it will be retained. There are several options companies can use to accomplish this, including preparing applicable Notices published on websites and in emails.
  • Prepare/Make available Data Update Forms: In your Notices provide the data subject the ability to provide updates to any information that is inaccurate.
  • Make your company’s contact available: The Data Subject should be able to reach a specified address to make inquiries concerning his/her data.
  • Secure ICT: Additionally, the data controller must have in place methods for securing data. Secure ICT must be utilized in order to minimize the loss or damage of data. Companies will no doubt migrate to cloud computing for their businesses (those who were doing so pre-COVID-19 will increase the number of cloud-based programs used). This will present some real concerns for most. Questions posed to cloud software management companies should consider the data protection policy of both the company and the vendor offering the services; at the forefront of the conversations should be the security of the cloud program utilized. Companies should do their very own security tests (this will require 3rd party support in many cases). The company’s vulnerabilities must be tested, and penetration (PEN) testing should be conducted to determine how easy it is for data to be stolen, inadvertently diverted to the wrong place or lost.
  • Agreement by 3rd parties: Companies must ensure that legal contracts that safeguard personal information disclosed are in place with those entities dealing with the personal data provided by the company.  These safeguards must be at or above the level of the company’s.
  • Embed in your policies requirements for Reports from those staff collecting/using data on the company’s behalf: The GDPR provides an Accountability requirement. Accountability requires that companies document and show how they are complying with the provisions of the data protection regulations. This can be achieved by staff training, by documenting how personal data is handled and how only authorized access is maintained.

Data Subject’s Rights

The Rights of the Data Subject under the Act can be enforced subject to the provisions of the Act.

If a data controller does not comply with the requirements under section 6 of the Act, the data subject may write to the data controller who keeps his information and require the data controller to rectify or erase the information held. With respect to data that is inaccurate or not kept up to date, the data controller may rectify the issue and indicate this in a statement agreed to by the data subject.

Section 8 of the Act provides that, subject to the provisions of the Act, within 40 days of making a request to the data controller the data subject may obtain information as to whether the information being kept contains personal data and may obtain copies of same. If the information presented is not easily understood, the data controller must provide explanations that will help the data subject understand the information. It is to be noted that there are exceptions to this right.

In conclusion

Data loss or misuse is detrimental to business and can often result in loss of customers, loss of good faith, and diminishment of brand and reputation. There are also legal implications for businesses; Bahamian legislation provides for fines of up to $100,0000. It is important that as companies operate remotely they consider the requirements of the Data Protection legislation, equip their team with the appropriate knowledge and do what is necessary to safeguard the personal data of individuals.


Please note this is not to be construed as legal advice. All cases are unique to some degree and should be reviewed by an attorney before being acted upon. Please contact us via email at [email protected] if you are seeking legal guidance concerning the above information. The author is an experienced Commercial Attorney who is dedicated to providing pragmatic legal advice that is clear and easy to follow.