Last week, waste from St Augustine Private Hospital was improperly disposed of. The waste, dumped in an abandoned lot in St Augustine, included syringes, gloves, various medical paraphernalia and patient information. The environmental and public health implications of the improper disposal are perhaps obvious. The Chief Medical Officer himself noted that legal redress could be had under the Litter Act, Public Health Ordinance and the Private Hospitals’ Act.
However, no mention was made of the prima facie breach of patient information and personal privacy. Given our lack of meaningful data protection laws, this is perhaps understandable. On January 6, 2012, the President partly proclaimed the Data Protection Act, 2011 (the Act) into force. His Excellency brought Part I and sections 7 to 18, 22, 23, 25(1), 26 and 28 of Part II of the Act into force. Essentially, the general privacy principles were brought into force along with the Office of the Information Commissioner. The powers of the information commissioner, however, were not proclaimed into force. In effect, there is a legislated information commissioner "on paper", without any actual powers of investigation.
Part III of the Act was also not brought into force. Part III governs the use and handling of personal information held by public bodies. It grants individuals the right to access and know what personal information is held about them by public bodies, and how it is being used. Public bodies are defined in the Act to include Parliament, the courts, state companies and bodies “supported, directly or indirectly by government funds and over which Government is in a position to exercise control”.
In turn, Part IV of the Act governs the use and handling of personal information held by the private sector. It too provides a right of access to know what personal information is held about us by the private sector, and how it is being used. Parts V and VI of the Act govern enforcement and other miscellaneous provisions. However, none of these parts – III, IV, V and VI – are in force.
So the question remains, what exactly is in force? Not much. The Act, as proclaimed, creates an information commissioner without any powers of investigation, and the provisions relating to public bodies and the private sector are not in force. Essentially, we have a data protection law that contains no actual protection for data.
Why does this all matter? It matters because we are several decades behind in our protection of personal information. From 1995, the European Union’s Data Protection Directive (Directive 95/46/EC) (the Directive) was at the forefront of modern data privacy laws. That Directive has since been repealed by the General Data Protection Regulation (EU) 2016/679 (the GDPR). The Directive, and the subsequent GDPR, recognise the importance of data protection and the need to protect personal information against unauthorised or excessive collection, processing, storage and transfer (in fact, the first recital to the GDPR recognises data protection as a fundamental right).
Given that patient information is perhaps considered the most sensitive type of personal information, it is essential that Trinidad and Tobago implement comprehensive and meaningful data protection legislation. In doing so, legislators must be mindful of the need to balance personal privacy alongside other fundamental rights. As the fourth recital of the GDPR reminds us: “The right to the protection of personal data is not an absolute right; it must be considered in relation to its function in society and be balanced against other fundamental rights, in accordance with the principle of proportionality… in particular the respect for private and family life, home and communications, the protection of personal data, freedom of thought, conscience and religion, freedom of expression and information, freedom to conduct a business, the right to an effective remedy and to a fair trial, and cultural, religious and linguistic diversity.”
Indeed, when our Data Protection Bill was being debated in the Senate in 2011, then opposition senator Al-Rawi bemoaned the suggestion that it would take ten years of consultation to pass comprehensive data protection laws. Nearly a decade later, that timeline no longer seems far-fetched. As it stands, the partly proclaimed Data Protection Act, 2011 is a toothless piece of legislation that offers no meaningful protection for our personal information against breaches and misuse by the State, public bodies and the private sector.