Data Protection Act 2013

Link to law: http://laws.gov.ag/acts/2013/a2013-8.pdf

DATA PROTECTION ACT, 2013

No. 10 of 2013

[Published in the Official Gazette Vol. XXXIII No. 64 dated 7th November, 2013]

________

Printed at the Government Printing Office, Antigua and Barbuda, by Ralph George, Government Printer — By Authority, 2013.

600— 11.13 [Price $7.15]

Data Protection Act, 2013 2 No. 10 of 2013

DATA PROTECTION ACT, 2013

ARRANGEMENT OF SECTIONS

Sections

PART I
PRELIMINARY

1. Short title
2. Interpretation
3. Objectives of Act
4. Savings

PART II
PRIVACY AND DATA PROTECTION PRINCIPLES

5. General Principle
6. Notice and Choice Principle
7. Disclosure Principle
8. Security Principle
9. Retention Principle
10. Data Integrity Principle
11. Access Principle

PART III
RIGHTS OF DATA SUBJECTS

12. Right of access to personal data
13. Notice and time where access is requested
14. Denial of access to personal data
15. Form of access
16. Right of rectification of personal data
17. Extent of disclosure of personal data
18. Processing of sensitive personal data

PART IV
EXEMPTIONS

19. Exemption
20. Power to make further exemptions

PART V
INFORMATION COMMISSIONER AND MISCELLANEOUS PROVISIONS

21. Information Commissioner and data protection
22. Intentional disclosure of information
23. General penalty
24. Appeals to Court
25. Protection from criminal or civil proceedings
26. Confidentiality
27. Report to Parliament

[L.S.]

I Assent,

Louise Lake-Tack,
Governor-General.

28th October, 2013

ANTIGUA AND BARBUDA

DATA PROTECTION ACT, 2013

No. 10 of 2013

AN ACT to promote the protection of personal data processed by public and private bodies and for incidental and connected purposes.

ENACTED by the Parliament of Antigua and Barbuda as follows:



PART I
PRELIMINARY

1. Short title

This Act may be cited as the Data Protection Act, 2013.

2. Interpretation

In this Act, unless the context otherwise requires:

“alternative format” means, with respect to personal data, a format that allows a person with a sensory disability to read or listen to the personal data;

“Chief Executive Officer” means the officer for the time being exercising the highest level of administrative functions within a public body or private body;

“commercial transaction” means any transaction of a commercial nature, whether contractual or not, which includes any matters relating to the supply or exchange of goods or services, agency, investments, financing, banking and insurance;

“correct” means, in relation to personal data, to alter the data by way of amendment, deletion, or addition;

“Court” means the Eastern Caribbean Supreme Court;

“data subject” means a natural or legal person who is the subject of personal data;

“data user” means a person who either alone or jointly or in common with other persons processes any personal data or has control over or authorizes the processing of any personal data, but does not include a data processor;

“document” means any medium in which data is recorded, whether printed or on tape or film or by electronic means or otherwise and also means any map, diagram, photograph, film, microfilm, video-tape, sound recording, or machine readable record or any record which is capable of being produced from a machine-readable record by means of equipment or a program, or a combination of both, which is used for that purpose by the public body or private body which holds the record;

“Information Commissioner” means the Commissioner appointed pursuant to section 35 of the Freedom of Information Act 2004;

“local authority” means a city council, a village council, or a town council;

“Minister” means the Minister with responsibility for public information;

“personal data” means any information in respect of commercial transactions, which–
  (a) is being processed wholly or partly by means of equipment operating automatically in response to instructions given for that purpose;
  (b) is recorded with the intention that it should wholly or partly be processed by means of such equipment; or
  (c) is recorded as part of a relevant filing system or with the intention that it should form part of a relevant filing system,
that relates directly or indirectly to a data subject, who is identified or identifiable from that information or from that and other information in the possession of a data user, including any sensitive personal data and expression of opinion about the data subject;

“private body” means a body, excluding a public body, that–
  (a) carries on any trade, business or profession, but only in that capacity; or
  (b) has legal personality;

“processing”, in relation to personal data, means collecting, recording, holding or storing the personal data or carrying out any operation or set of operations on the personal data, including the–
  (a) organization, adaptation or alteration of personal data;
  (b) retrieval, consultation or use of personal data;
  (c) disclosure of personal data by transmission, transfer, dissemination or otherwise making available; or
  (d) alignment, combination, correction, erasure or destruction of personal data;

“public body” includes–
  (a) Parliament;
  (b) the Cabinet;
  (c) a ministry, a department or a division of the ministry or a constituency office of a Minister, wherever located;
  (d) a local authority;
  (e) a statutory corporation or body;
  (f) a body corporate or an incorporated public body established for a public purpose, which is owned or controlled by the State;
  (g) an embassy, consulate or mission of Antigua and Barbuda or an office of Antigua and Barbuda situated outside Antigua and Barbuda whose functions include the provision of diplomatic or consular services for or on behalf of Antigua and Barbuda; and
  (h) any other body designated by the Minister by Regulations made under this Act, to be a public body for the purposes of this Act.

“sensitive personal data” means any personal data consisting of information as to the physical or mental health or condition of a data subject, his or her sexual orientation, his or her political opinions, his or her religious beliefs or other beliefs of a similar nature, the commission or alleged commission by him or her of any offence or any other personal data as the Minister may determine by Order published in the Gazette;

3. Objectives of Act

The objectives of this Act are to safeguard personal data processed by public bodies and private bodies in an era in which technology increasingly facilitates the processing of personal data, by balancing the necessity of processing personal data against the safeguarding of personal data from unlawful processing by public bodies and private bodies; and to promote transparency and accountability in the processing of personal data.

4. Savings of certain laws

This Act shall not affect the operation of any law of Antigua and Barbuda that makes provision for the processing of personal data and is capable of operating concurrently with this Act.

PART II
PRIVACY AND DATA PROTECTION PRINCIPLES

5. General Principle

(1) A data user shall not–
  (a) in the case of personal data other than sensitive personal data, process personal data about a data subject unless the data subject has given his consent to the processing of the personal data; or
  (b) in the case of sensitive personal data, process sensitive personal data about a data subject except in accordance with the provisions of section 18.

(2) Notwithstanding paragraph (1)(a) and subject to subsection (3), a data user may process personal data about a data subject if the processing is necessary–
  (a) for the performance of a contract to which the data subject is a party;
  (b) for the taking of steps at the request of the data subject with a view to entering into a contract;
  (c) for compliance with any legal obligation to which the data user is the subject, other than an obligation imposed by a contract;
  (d) in order to protect the vital interests of the data subject;
  (e) for the administration of justice; or
  (f) for the exercise of any functions conferred on a person by or under any law.

(3) Personal data shall not be processed unless the–
  (a) personal data is processed for a lawful purpose directly related to an activity of the data user;
  (b) processing of the personal data is necessary for or directly related to that purpose; and
  (c) personal data is adequate but not excessive in relation to that purpose.

6. Notice and Choice Principle

A data user shall inform a data subject upon a request for personal data–
  (a) of the purposes for which the personal data is being or is to be collected and further processed;
  (b) of any information available to the data user as to the source of that personal data;
  (c) of the data subject’s right to request access to and to request correction of the personal data and how to contact the data user with any inquiries or complaints in respect of the personal data;
  (d) of the class of third parties to whom the data user discloses or may disclose the personal data;
  (e) whether it is obligatory or voluntary for the data subject to supply the personal data; and
  (f) where it is obligatory for the data subject to supply the personal data, the consequences for the data subject if he or she fails to supply the personal data.

7. Disclosure Principle

Subject to section 17, no personal data shall, without the consent of the data subject, be disclosed–
  (a) for any purpose other than–
    (i) the purpose for which the personal data was to be disclosed at the time of collection of the personal data; or
    (ii) a purpose directly related to the purpose referred to in subparagraph (i);
  (b) to any party other than a third party of the class of third parties as specified in section 6 (d).


8. Security Principle

(1) A data user shall, when processing personal data, take practical steps to protect the personal data from any loss, misuse, modification, unauthorized or accidental access or disclosure, alteration or destruction by having regard to–
  (a) the nature of the personal data and the harm that would result from such loss, misuse, modification, unauthorized or accidental access or disclosure, alteration or destruction;
  (b) the place or location where the personal data is stored;
  (c) any security measures incorporated into any equipment in which the personal data is stored;
  (d) the measures taken for ensuring the reliability, integrity and competence of personnel having access to the personal data; and
  (e) the measures taken for ensuring the secure transfer of the personal data.

(2) Where processing of personal data is carried out by a data processor on behalf of the data user, the data user shall, for the purpose of protecting the personal data from any loss, misuse, modification, unauthorized or accidental access or disclosure, alteration or destruction, ensure that the data processor–
  (a) provides sufficient guarantees in respect of the technical and organizational security measures governing the processing to be carried out; and
  (b) takes reasonable steps to ensure compliance with those measures.

9. Retention Principle

(1) The personal data processed for any purpose shall not be kept longer than is necessary for the fulfilment of that purpose.

(2) It shall be the duty of a data user to take all reasonable steps to ensure that all personal data is destroyed or permanently deleted if it is no longer required for the purpose for which it was to be processed.

10. Data Integrity Principle

A data user shall take reasonable steps to ensure that the personal data is accurate, complete, not misleading and kept up-to-date by having regard to the purpose, including any directly related purpose, for which the personal data was collected and further processed.

11. Access Principle

A data subject shall be given access to his or her personal data held by a data user and be able to correct that personal data where the personal data is inaccurate, incomplete, misleading or not up-to-date, except where compliance with a request to such access or correction is refused under this Act.

PART III
RIGHTS OF DATA SUBJECTS

12. Right of access to personal data

Subject to the provisions of this Act, a public body or a private body shall, on the written request of and the payment of the prescribed fee by a person for access to personal data–
  (a) inform the person whether personal data of which that person is the data subject is being processed by or on behalf of that body;
  (b) if personal data is being processed by or on behalf of that body, communicate to the person in an intelligible form a description of–
    (i) the personal data of which that person is the data subject;
    (ii) the purposes for which the personal data is being or will be processed;
    (iii) the recipients or classes of recipients to whom personal data is or may be disclosed; and
    (iv) any information available to the body as to the source of the data.

13. Notice and time where access is requested

(1) Subject to section 14, where access to personal data is requested under section 12, the public body or private body to which the request is made shall, subject to subsection (2), within thirty days after the request is received–
  (a) give written notice to the person who made the request as to whether or not access to the personal data or a part thereof will be granted; and
  (b) if access is granted, give to the person who made the request, access to the personal data or a part thereof.

(2) A Chief Executive Officer may extend the time limit for compliance with a request for access to personal data–
  (a) by a maximum of thirty days if–
    (i) meeting the original time limit would unreasonably interfere with the operations of the public body or private body; or
    (ii) consultations are necessary to comply with the request that cannot reasonably be completed within the original time limit; or
  (b) by such period of time as is reasonable, if the additional time is necessary for converting the personal data into an alternative format;
by giving notice of the extension and the length of the extension to the person who made the request within thirty days after the request is received, and a statement that the person has a right to make a complaint to the Information Commissioner about the extension.

14. Denial of access to personal data

(1) A public body or a private body is not obliged to comply with a request for access to personal data–
  (a) unless it is supplied with such information as it may reasonably require in order to satisfy itself as to the identity of the person making the request and to locate the personal data which that person seeks;
  (b) if compliance with the request will be in contravention of the exemptions contained in Part IV or of any duty of confidentiality recognised by law;
  (c) where another person who can be identified from the personal data consents to the disclosure of his or her personal data to the person making the request; or
  (d) where the body obtains the written approval of the Information Commissioner.

(2) Where a public body or a private body refuses to give access to personal data, its Chief Executive Officer shall state in the notice given pursuant to section 13 (2)(a)–
  (a) that the personal data does not exist; or
  (b) the specific provision of this Act on which refusal was based or the provision on which a refusal could reasonably be expected to be based if the personal data existed,
and that the person who made the request has the right to make a complaint to the Information Commissioner about the refusal.

(3) Where a Chief Executive Officer fails to give access to personal data requested under section 14 within the time limits set out in this Act, he or she shall, for the purposes of this Act, be deemed to have refused to give access.

15. Form of access

(1) Where a data subject is granted access to personal data requested pursuant to section 14, the public body or private body shall–
  (a) permit the data subject to examine the personal data; or
  (b) provide the data subject with a copy of the personal data.

(2) Where access to personal data is given under this Act and the data subject to whom access is granted has a sensory disability and requests that access be given in an alternative format, access shall be given in an alternative format if–
  (a) the personal data already exists under the control of a public body or a private body in an alternative format that is acceptable to the person; or
  (b) the Chief Executive Officer considers it to be reasonable to cause the personal data to be converted to an alternative format.

16. Right of rectification of personal data

(1) Where personal data that is processed by a public body or a private body to which access has been given, contains personal data which the data subject claims–
  (a) is incomplete, incorrect, misleading, or excessive;
  (b) is not relevant to the purpose for which the document is held;
the body shall, upon application of the data subject, cause the data to be amended upon being satisfied of the claim.

(2) An application under subsection (1) shall–
  (a) be in writing; and
  (b) as far as practicable, specify–
    (i) the document containing the record of personal data that is claimed to require the amendment;
    (ii) the personal data that is claimed to be incomplete, incorrect, misleading or irrelevant;
    (iii) the reasons for the claim; and
    (iv) the amendment requested by the data subject.

(3) To the extent that it is practicable to do so, the public body or private body shall, when making an amendment to personal data in a document pursuant to this section, ensure that it does not obliterate the text of the document as it existed prior to the amendment.

(4) Where a public body or a private body is not satisfied with the reasons for an application pursuant to subsection (1), it may refuse to make an amendment to the personal data and inform the data subject of its refusal and the reasons for the refusal and inform the data subject that he or she may lodge a complaint in writing to the Information Commissioner.

(5) A data subject who is aggrieved by a decision of a public body or a private body pursuant to subsection (4) may lodge a complaint in writing to the Information Commissioner within twenty-eight days of the date of the receipt of the communication of refusal.

17. Extent of disclosure of personal data

Notwithstanding section 7, personal data of a data subject may be disclosed by a data user for any purpose other than the purpose for which the personal data was to be disclosed at the time of its collection or any other purpose directly related to that purpose, only in the following circumstances, where the–
  (a) data subject has given his or her consent to the disclosure;
  (b) disclosure–
    (i) is necessary for the purpose of preventing or detecting a crime, or for the purpose of investigations; or
    (ii) was required or authorized by or under any law or by the order of a court;
  (c) data user acted in the reasonable belief that he had in law the right to disclose the personal data to the other person;
  (d) data user acted in the reasonable belief that he or she would have had the consent of the data subject if the data subject had known of the disclosing of the personal data and the circumstances of such disclosure; or
  (e) disclosure was justified as being in the public interest in circumstances as determined by the Minister.


18. Processing of sensitive personal data

(1) Subject to subsection (2) and Part II, a data user shall not process any sensitive personal data of a data subject except in accordance with the following conditions–
  (a) the data subject has given his or her explicit consent to the processing of the personal data;
  (b) the processing is necessary–
    (i) for the purposes of exercising or performing any right or obligation which is conferred or imposed by law on the data user in connection with employment;
    (ii) in order to protect the vital interests of the data subject or another person, in a case where–
      (A) consent cannot be given by or on behalf of the data subject; or
      (B) the data user cannot reasonably be expected to obtain the consent of the data subject;
    (iii) in order to protect the vital interests of another person, in a case where consent by or on behalf of the data subject has been unreasonably withheld;
    (iv) for medical purposes and is undertaken by–
      (A) a healthcare professional; or
      (B) a person who in the circumstances owes a duty of confidentiality which is equivalent to that which would arise if that person were a healthcare professional;
    (v) for the purpose of, or in connection with, any legal proceedings;
    (vi) for the purpose of obtaining legal advice;
    (vii) for the purposes of establishing, exercising or defending legal rights;
    (viii) for the administration of justice;
    (ix) for the exercise of any functions conferred on any person by or under any written law; or
    (x) for any other purposes as the Minister thinks fit; or
  (c) the information contained in the personal data has been made public as a result of steps deliberately taken by the data subject.

(2) The Minister may by Order published in the Gazette exclude the application of subparagraph (1)(b)(i), (viii) or (ix) in such cases as may be specified in the Order, or provide that, in such cases as may be specified in the Order, the condition in subparagraph (1)(b)(i), (viii) or (ix) is not to be regarded as satisfied unless such further conditions as may be specified in the Order are also satisfied.

(3) A person who contravenes subsection (1) commits an offence and shall, on conviction, be liable to a fine not exceeding two hundred thousand dollars or to imprisonment for a term not exceeding three years or to both.

(4) For the purposes of this section–

“medical purposes” includes the purposes of preventive medicine, medical diagnosis, medical research, rehabilitation and the provision of care and treatment and the management of services relating to health care;

“healthcare professional” means a medical practitioner, dental practitioner, pharmacist, clinical psychologist, nurse, midwife, medical assistant, physiotherapist, occupational therapist and other allied healthcare professionals and any other person involved in the giving of medical, health, dental, pharmaceutical and any other healthcare services under the jurisdiction of the Ministry of Health.

PART IV
EXEMPTIONS

19. Exemption

(1) There shall be exempted from the provisions of this Act, personal data processed by an individual only for the purposes of that individual’s personal, family or household affairs, including recreational purposes.

(2) Subject to section 20, personal data–
  (a) processed for the–
    (i) prevention or detection of crime or for the purpose of investigations;
    (ii) apprehension or prosecution of offenders; or
    (iii) assessment or collection of any tax or duty or any other imposition of a similar nature,
  shall be exempted from the General Principle, Notice and Choice Principle, Disclosure Principle and Access Principle and other related provisions of this Act;
  (b) processed in relation to information of the physical or mental health of a data subject shall be exempted from the Access Principle and other related provisions of this Act of which the application of the provisions to the data subject would be likely to cause serious harm to the physical or mental health of the data subject or any other individual;
  (c) processed for preparing statistics or carrying out research shall be exempted from the General Principle, Notice and Choice Principle, Disclosure Principle and Access Principle and other related provisions of this Act, provided that such personal data is not processed for any other purpose and that the resulting statistics or the results of the research are not made available in a form which identifies the data subject;
  (d) that is necessary for the purpose of or in connection with any order or judgment of a court shall be exempted from the General Principle, Notice and Choice Principle, Disclosure Principle and Access Principle and other related provisions of this Act;
  (e) processed for the purpose of discharging regulatory functions shall be exempted from the General Principle, Notice and Choice Principle, Disclosure Principle and Access Principle and other related provisions of this Act if the application of those provisions to the personal data would be likely to prejudice the proper discharge of those functions; or
  (f) processed only for journalistic, literary or artistic purposes shall be exempted from the General Principle, Notice and Choice Principle, Disclosure Principle, Retention Principle, Data Integrity Principle and Access Principle and other related provisions of this Act, provided that the–
    (i) processing is undertaken with a view to the publication by a person of the journalistic, literary or artistic material;
    (ii) data user reasonably believes that, taking into account the special importance of public interest in freedom of expression, the publication would be in the public interest; and
    (iii) data user reasonably believes that in all the circumstances, compliance with the provision in respect of which the exemption is claimed is incompatible with the journalistic, literary or artistic purposes.

20. Power to make further exemptions

The Minister may, upon the recommendation of the Information Commissioner, by Order published in the Gazette exempt–
  (a) the application of any of the Personal Data Protection Principles under this Act to any data user or class of data users; or
  (b) any data user or class of data users from all or any of the provisions of this Act.

PART VI
THE INFORMATION COMMISSIONER AND MISCELLANEOUS PROVISIONS

21. Information Commissioner and data protection

For the purposes of this Act, the powers, functions and duties, conferred on the Information Commissioner pursuant to the Freedom of Information Act 2004, particularly under Parts V, VI and VII, shall be applicable as relevant for carrying out and enforcing the protection of data pursuant to the provisions of this Act.

22. Intentional disclosure of information

(1) A person who intentionally discloses personal information of another person in contravention of this Act commits an offence.

(2) A person who collects, stores or disposes of personal information of another person in a manner that contravenes this Act, commits an offence.

23. General Penalty

(1) A person who commits an offence under this Act for which a penalty is not specifically provided for is liable on–
  (a) summary conviction, to a fine of not more than fifty thousand dollars or to imprisonment for a term of three years; or
  (b) conviction on indictment, to a fine of not more than one hundred thousand dollars or to imprisonment for a term of not more than five years.

(2) Where an offence under this Act is committed by a body corporate, the body corporate shall be liable upon–
  (a) summary conviction, to a fine not exceeding two hundred thousand dollars; and
  (b) conviction on indictment, to a fine not exceeding five hundred thousand dollars.

24. Appeals to Court

An appeal lies to the Court against–
  (a) a requirement specified in an enforcement notice or an information notice;
  (b) a decision of the Information Commissioner in relation to a complaint; or
  (c) any decision of the Information Commissioner in respect of the conduct of his duties and powers utilized pursuant to the provisions of this Act.

25. Protection from criminal or civil proceedings

(1) No criminal or civil proceedings shall lie against the Information Commissioner or against a person acting on behalf or under the direction of the Information Commissioner, for anything done, reported or said in good faith in the course of the exercise or performance or purported exercise, discharge, or performance of any power, duty or function of the Information Commissioner under this Act.

(2) For the purpose of any law relating to libel or slander–
  (a) any words spoken, any information supplied or any document or thing produced in good faith in the course of an investigation carried out by or on behalf of the Information Commissioner under this Act is absolutely privileged; and
  (b) any report made in good faith by the Information Commissioner under this Act is absolutely privileged.

26. Confidentiality

Subject to this Act, the Information Commissioner and every person acting on behalf or under the direction of the Information Commissioner shall not disclose any information that comes to their knowledge in the conduct of their functions under this Act.



27. Report to Parliament

The Information Commissioner shall include in his annual report to Parliament pursuant to section 39 of the Freedom of Information Act 2004, a report on the activities of the Information Commissioner with respect to data protection under the provisions of this Act.

28. Regulations

(1) The Minister may make Regulations for giving effect to the provisions of this Act and for prescribing anything required or authorised by this Act to be prescribed.

(2) Notwithstanding the generality of subsection (1), Regulations made under this section may prescribe–
  (a) guidelines for the disposal of personal data held by a public body or a private body;
  (b) special procedures for giving a person access to personal data pursuant to section 15; and
  (c) codes of practice.

(3) All Regulations made under this Act shall be laid before Parliament and shall be subject to negative resolution.

Passed the House of Representatives on the 30th August, 2013.

Passed the Senate on the 12th September, 2013.

D. Gisele Isaac-Arrindell,
Speaker.

Hazlyn M. Francis,
President.

Ramona Small,
Clerk to the House of Representatives.

Ramona Small,
Clerk to the Senate.