The New Today

The controversial Data Protection Bill

Prime Minister Dickon Mitchell is bent on going forward with the legislation

Pressure is mounting on the ruling National Democratic Congress (NDC) government of Prime Minister Dickon Mitchell not to proceed with the passage into law of a controversial Data Protection Bill until consultation is held with a number of stakeholder groups in the country.

The Grenada Bar Association (GBA) held an emergency meeting on Tuesday in which an estimated 43 local attorneys-at-law expressed their concerns about the bill which has already been debated in the Lower House of Parliament that is controlled by Congress.

The Bar is contending that it was not afforded the opportunity by government to comment on the Bill before it was introduced in the Parliament.

The GBA is said to be putting together a position paper to send to Attorney-General Senator Claudette Joseph outlining several objections to the bill.

Prime Minister Dickon Mitchell has given assurances that he is prepared to revisit the bill and make amendments based on reservations made by stakeholders.

The bill is part of a regional initiative involving member states such as Grenada, St. Lucia, St Vincent & The Grenadines, Dominica, Antigua & Barbados, and St Kitts & Nevis.

As a public service, THE NEW TODAY has decided to serialise the bill that had been left dormant for several years by the former New National Party (NNP) administration of former Prime Minister Dr. Keith Mitchell during its 2013-22 period in office.

DATA PROTECTION BILL, 2023 GRENADA
ACT NO. OF 2023

AN ACT to promote the protection of personal data processed by public and private bodies, to provide for the establishment of the Information Commission and for related matters.

BE IT ENACTED by the King’s Most Excellent Majesty by and with the advice and consent of the Senate and the House of Representatives and by the authority of the same as follows—

PART I
PRELIMINARY

Short title and commencement

  1. (1) This Act may be cited as the DATA PROTECTION ACT, 2023.

(2) This Act shall come into operation on a day to be appointed by the Minister by Order in the Gazette, and the Minister may appoint different dates for different provisions of this Act.

Interpretation

  2. In this Act—

“alternative format” means, with respect to personal data, a format that allows a person with a sensory disability to read or listen to the personal data;

“authorised officer” means an officer under section 44 who has been authorised in writing for the purposes of Part VI;

“Chief Executive Officer” means the officer for the time being exercising the highest level of administrative functions within a public body or private body;

“commercial transactions” means any transaction of a commercial nature, whether contractual or not, which includes any matters relating to the supply or exchange of goods or services, agency, investments, financing, banking and insurance;

“Commission” or “Information Commission” means the Information Commission established under section 24;

“data” means any record, document, correspondence, memorandum, book, plan, map, drawing, pictorial or graphic work, photograph, film, microfilm, sound recording, videotape, machine‐readable record and any other documentary material, regardless of physical form or characteristics, and any copy of those things;

“data subject” means a natural or legal person who is the subject of personal data;

“data processor”, in relation to personal data, means any person other than an employee of the data user, who processes the data on behalf of the data user;

“data user” means a person who either alone or jointly or in common with other persons processes any personal data or has control over or authorises the processing of any personal data, but does not include a data processor;

“document” means any medium in which data is recorded, whether printed or on tape or film or by electronic means or otherwise and also means any map, diagram, photograph, film, microfilm, videotape, sound recording, or machine-readable record or any record which is capable of being produced from a machine-readable record by means of equipment or a programme, or a combination of both, which is used for that purpose by the public body or private body which holds the record;

“intelligible form” means a manner that can be reasonably understood by the person for which the data or information is intended and includes a written form and an audio format, as the case may be;

“Minister” means the Minister with responsibility for National Security;

“personal data” means, in respect of commercial transactions, any data that—

(a) is being processed wholly or partly by means of equipment operating automatically in response to instructions given for that purpose;

(b) is recorded with the intention that it should wholly or partly be processed by means of equipment under paragraph (a); or

(c) is recorded as part of a relevant filing system or with the intention that it should form part of a relevant filing system, and relates directly or indirectly to a data subject, who is identified or identifiable from that information or from that and other information in the possession of a data user, including any sensitive personal data and expression of opinion about the data subject;

“private body” means a body, excluding a public body, that—

(a) carries on any trade, business or profession, but only in that capacity; or

(b) has legal personality;

“processing”, in relation to personal data, means collecting, recording, holding or storing the personal data or carrying out any operation or set of operations on the personal data, including—

(a) collection, recording, organisation, structuring or storage;

(b) adaptation or alteration;

(c) retrieval, consultation or use;

(d) disclosure by transmission, dissemination or otherwise making available;

(e) alignment or combination; or

(f) restriction, erasure or destruction;

“public body” means—

(a) a ministry, a department or a division of the ministry or a constituency office of a member of Parliament, wherever located;

(b) a statutory body for the purposes of the Public Finance Management Act, 2015;

(c) a State-Owned Enterprise for the purposes of the Public Finance Management Act, 2015;

(d) an embassy, consulate or mission of Grenada or an office of Grenada situate outside Grenada whose functions include the provision of diplomatic or consular services for or on behalf of Grenada;

(e) any other body designated by the Minister by Regulations made under this Act, to be a public body for the purposes of this Act;

“rectify” means, in relation to personal data, to alter the data by way of amendment, deletion, or addition;

“sensitive personal data” means any personal data of a data subject consisting of information as to—

(a) an individual’s physical or mental health or condition;

(b) an individual’s racial or ethnic origin, genetic data, biometric data that uniquely identifies an individual;

(c) an individual’s sex life;

(d) an individual’s political opinions;

(e) an individual’s religious or philosophical beliefs or other beliefs of a similar nature;

(f) the commission or alleged commission by an individual of any offence; or

(g) any other personal data as the Minister may determine by Order published in the Gazette.

Objects of Act

  3. The objects of this Act are to safeguard personal data processed by public bodies and private bodies in an era in which technology increasingly facilitates the processing of personal data by balancing the necessity of—

(a) processing personal data by public bodies and private bodies; and

(b) safeguarding personal data from unlawful processing by public bodies and private bodies,

to promote transparency and accountability in the processing of personal data.

Application of Act  

  4. (1) This Act applies to a person who processes or who has control over or authorises the processing of any personal data in respect of commercial transactions in Grenada.

(2) Subject to subsection (1), this Act applies to a person in respect of personal data if—

(a) the person is established in Grenada and the personal data is processed, whether or not in the context of that establishment, by that person or any other person employed or engaged by that establishment; or

(b) the person is not established in Grenada, but uses equipment or network services in Grenada for processing the personal data otherwise than for the purposes of transit through Grenada.

(3) A person falling within subsection (2) (b) shall nominate for the purposes of this Act a representative established in Grenada.

(4) For the purposes of subsections (2) and (3), a person is to be treated as established in Grenada as follows—

(a) an individual who is physically present in Grenada for not less than one hundred and eighty days in one calendar year;

(b) a body incorporated under the Companies Act, Chapter 58A;

(c) a partnership or other unincorporated association formed under any written laws in Grenada; and

(d) a person who does not fall within paragraph (a), (b) or (c) but maintains in Grenada—

(i) an office, branch or agency through which a person carries on any activity; or

(ii) a regular professional practice.

Application of Act to Parliament

  5. (1) Subject to this section, this Act applies to the processing of personal data by or on behalf of either House of Parliament as it applies to the processing of personal data by other persons.

(2) Where the purposes for which and the manner in which any personal data are, or are to be, processed are determined by or on behalf of either House of Parliament, the data user in respect of those personal data for the purposes of this Act shall be the Clerk to the Houses.

(3) Personal data are exempt from—

(a) section 15; and

(b) section 19 (1) and (4),

if the exemption is required for the purpose of avoiding an infringement of the privileges of either House of Parliament.

Saving of certain laws

  6. This Act shall not affect the operation of an enactment that makes provision with respect to the processing of personal data and does not conflict with this Act.

PART II

PRIVACY AND DATA PROTECTION PRINCIPLES

General Principle

  7. (1) A data user shall not—

(a) process personal data about a data subject unless the data subject has given his or her consent to the processing of the personal data; or

(b) process sensitive personal data about a data subject except in accordance with section 21.

(2) Notwithstanding subsection (1) (a) and subject to subsection (3), a data user may process personal data about a data subject if the processing is necessary—

(a) to perform a contract to which the data subject is a party;

(b) to take steps at the request of the data subject with a view to entering into a contract;

(c) to comply with any legal obligation to which the data user is the subject, other than an obligation imposed by a contract;

(d) to protect the interests of the data subject;

(e) for the administration of justice;

(f) to exercise any functions conferred on a person by an enactment or rule of law; or

(g) for the exercise of a function of the State, a Minister of Government or a government department.

(3) Personal data shall not be processed unless—

(a) the personal data is processed for a lawful purpose directly related to an activity of the data user;

(b) the processing of the personal data is necessary for or directly related to that purpose; and

(c) the personal data is adequate but not excessive in relation to that purpose.

Notice and Choice Principle

  8. Upon a request by a data subject, a data user shall inform the data subject—

(a) of the purposes for which the personal data is being or is to be collected and further processed;

(b) of any information available to the data user as to the source of that personal data;

(c) of the data subject’s right to request access to and to request rectification of the personal data and how to contact the data user with any inquiries or complaints in respect of the personal data;

(d) of the class of third parties to whom the data user discloses or may disclose the personal data;

(e) whether it is obligatory or voluntary for the data subject to supply the personal data; and

(f) where it is obligatory for the data subject to supply the personal data, the consequences for the data subject if he or she fails to supply the personal data.

Disclosure Principle

  9. Subject to section 20, no personal data shall, without the consent of the data subject, be disclosed—

(a) for any purpose other than—

(i) the purpose for which the personal data was disclosed at the time of collection of the personal data; or

(ii) a purpose directly related to the purpose referred to in subparagraph (i);

(b) to any party other than a third party of the class of third parties as specified in section 8 (d).

Security Principle

  10. (1) A data user shall, when processing personal data, take practical steps to protect the personal data from any loss, misuse, modification, unauthorised or accidental access or disclosure, alteration or destruction by having regard—

(a) to the nature of the personal data and the harm that would result from such loss, misuse, modification, unauthorised or accidental access or disclosure, alteration or destruction;

(b) to the place or location where the personal data is stored;

(c) to any security measures incorporated into any equipment in which the personal data is stored;

(d) to the measures taken for ensuring the reliability, integrity and competence of personnel having access to the personal data; and

(2) Where processing of personal data is carried out by a data processor on behalf of the data user, the data user shall, for the purpose of protecting the personal data from any loss, misuse, modification, unauthorised or accidental access or disclosure, alteration or destruction, ensure that the data processor—

(a) provides sufficient guarantees in respect of the technical and organisational security measures governing the processing to be carried out; and

(b) takes reasonable steps to ensure compliance with those measures.

Retention Principle

  11. (1) The personal data processed for any purpose shall not be kept longer than is necessary for the fulfilment of that purpose.

(2) A data user shall take all reasonable steps to ensure that all personal data is destroyed or permanently deleted if it is no longer required for the purpose for which it was to be processed.

Data Integrity Principle

  12. A data user shall take reasonable steps to ensure that the personal data is accurate, complete, not misleading and kept up-to-date by having regard to the purpose, including any directly related purpose, for which the personal data was collected and further processed.

Access Principle

  13. A data subject shall be given access to his or her personal data held by a data user and be able to rectify that personal data where the personal data is inaccurate, incomplete, misleading or not up-to-date, except where compliance with a request to such access or rectification is refused under this Act.

Data users to establish procedures for compliance

  14. (1) Every data user shall establish formal procedures and implement compliance with the principles of this Part.

(2) In establishing procedures under subsection (1), a data user may consult the Commission for recommendations on the best practice and appropriate code of conduct for the data user in consideration of the size and structure of the data user, the nature of the activities of the data user and any other relevant feature of the data user.

(3) At least once in every five years, the data user shall review the procedures and conduct a self-assessment to determine—

(a) the effectiveness of the procedures;

(b) the level of compliance of the data user with the procedures; and

(c) whether more efficient procedures may be adopted, particularly in relation to the processing of personal data.

(4) For the purposes of section 25, the Commission may request, from a data user, particulars as to the procedures implemented by the data user to comply with the principles of this Part.

PART III

RIGHTS OF DATA SUBJECTS

Right of access to personal data

  15. (1) Subject to the provisions of this Act, a public body or a private body shall, on the written request of and the payment of a processing fee by a person for access to personal data of which the person is the data subject—

(a) inform the person whether personal data of which that person is the data subject is being processed by or on behalf of that body;

(b) if personal data is being processed by or on behalf of that body, communicate to the person in an intelligible form a description of—

(i) the personal data of which that person is the data subject;

(ii) the purposes for which the personal data is being or will be processed;

(iii) the recipients or classes of recipients to whom personal data is or may be disclosed; and

(iv) any information available to the body as to the source of the data.

(2) The Minister may prescribe the maximum processing fee for the purposes of subsection (1).

TO BE CONTINUED
