Core data controller obligations under the Bahamian Data Protection Act

In-house counsel based outside The Bahamas frequently ask about the data protection regime within the jurisdiction, given the complexity of navigating cross-border data protection and transfer rules. With new data protection legislation and regulations being implemented around the world, businesses and entities that have no physical and/or corporate nexus to The Bahamas often want to know what their obligations are should they collect, or seek to collect, data deriving from Bahamian data subjects. This article provides a brief overview of the core obligations of data controllers once the criteria explained below are met.

Data Protection (Privacy of Personal Information) Act 2003 (‘DPA’ or the ‘Act’)

The DPA is the primary legislation governing data protection and privacy in The Bahamas. The Act was drafted in accordance with the 1980 OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data and, while there have been no amendments or regulations implemented pursuant to it, it is expected that it will be revised (if not repealed and replaced) in the near future to adequately provide for new and emerging technologies not contemplated at the time the legislation was drafted. The privacy risks associated with artificial intelligence, Web3, cryptocurrencies and 5G in particular will inevitably have to be addressed in order to best protect the data of data subjects within the jurisdiction – given the potential for misuse of the same.

Data controller and personal data

A ‘data controller’ is defined in the DPA as a person who, either alone or with others, determines the purposes for which and the manner in which any personal data are, or are to be, processed. This should be read alongside the definition of ‘personal data’ under the DPA – data relating to a living individual who can be identified either from the data or from the data in conjunction with other information in the possession of the data controller (eg name, weight, financial information, address, etc). It is important to note that while ‘sensitive personal data’ is defined under the Act as data relating to, inter alia, racial origin, political opinions, sexual life and physical or mental health, there is no requirement under the DPA to treat such data any differently from standard personal data, as no regulations have been laid down providing for the same.

Applicability

As stated previously, in-house counsel commonly want to understand whether their organisation or business is subject to the provisions of the DPA. Note that the DPA only applies to individuals/entities once the prescribed threshold has been met, where either:

  • The data controller is established in The Bahamas and the data is processed in the context of that establishment; or,
  • The data controller is not established in The Bahamas but uses equipment in The Bahamas for processing the data (otherwise than for the purpose of transit through The Bahamas).

Note further that if a data controller falls within the latter category above, they are obligated to nominate a representative established in The Bahamas.

With regard to what ‘established in The Bahamas’ means in the context of the Act, section 4(3) DPA provides that any of the following will be deemed established data controllers:

  • Individuals ordinarily resident in The Bahamas;
  • A body incorporated or registered under the laws of The Bahamas;
  • A partnership or other unincorporated association formed under the laws of The Bahamas; and,
  • Any person who does not fall within the above categories but maintains an office, branch or agency in The Bahamas through which he carries on any business activity or a regular practice.

Individuals and entities that meet the above-described physical and/or corporate nexus criteria will thus be subject to the DPA.

Core data controller obligations

With regard to the general collection of personal data, data controllers are statutorily obligated via section 6 DPA to ensure:

  • Data has been collected by means which are both lawful and fair in the circumstances of the case;
  • Data is kept accurate and, where necessary, kept up to date (except in the case of back-up data);
  • Data is only kept for one or more specified and lawful purposes;
  • Data is not used/disclosed in any manner incompatible with that purpose/those purposes;
  • Data collected is adequate, relevant and not excessive in relation to that purpose or those purposes;
  • Data is not kept for longer than is necessary for that purpose/those purposes; and,
  • Appropriate security measures are taken against unauthorised access to, or alteration, disclosure or destruction of data and against their accidental loss or destruction.

If sharing/disclosing the data with third parties (including affiliates), a data controller must pay particular attention to section 12 DPA, which states that a data controller, in the collection of personal data, owes a duty of care to the data subject(s) concerned and must use contractual or other legal means to secure a comparable level of protection from any third party to whom it discloses information for the purpose of data processing (eg an external cloud service provider).

Disclosure obligations and exceptions

Data controllers have, in some cases, certain disclosure obligations to observe under the DPA – namely pursuant to a valid data subject access request (subject to exceptions). Disclosure in relation to personal data includes the disclosure of information extracted from that data. Where the identification of a data subject depends partly on the data and partly on other information in the possession of the data controller, the data shall not be regarded as disclosed unless the other information is also disclosed.

Ordinarily, the consent of the data subject is needed before their personal data is disclosed to a third party. However, section 13 DPA lists certain circumstances in which disclosure of personal data can be made without the consent of the data subject, namely, inter alia:

  • To safeguard the security of The Bahamas, to prevent or detect an offence (in the opinion of the Minister of National Security);
  • For the purpose of apprehending or prosecuting offenders, or assessing or collecting any tax, duty or other moneys owed to the government;
  • To urgently prevent injury, death, or loss or damage to property;
  • If required by any other enactment, rule of law or order of a court;
  • Where made at the request or with the consent of the data subject (or someone acting on their behalf).