DATA PROTECTION ACT, 2013
No. 10 of 2013
[Published in the Official Gazette Vol. XXXIII No. 64
dated 7th November, 2013]
________
Printed at the Government Printing Office, Antigua and Barbuda,
by Ralph George, Government Printer
— By Authority, 2013.
600— 11.13 [Price $7.15]
Data Protection Act, 2013 2 No. 10 of 2013
No. 10 of 2013 3 Data Protection Act, 2013
DATA PROTECTION ACT, 2013
ARRANGEMENT OF SECTIONS
Sections
PART I
PRELIMINARY
1. Short title.
2. Interpretation
3. Objectives of Act
4. Savings
PART II
PRIVACY AND DATA PROTECTION PRINCIPLES
5. General Principle
6. Notice and Choice Principle
7. Disclosure Principle
8. Security Principle
9. Detention Principle
10. Data Integrity Principle
11. Access Principle
PART III
RIGHTS OF DATA SUBJECTS
12. Right of access to personal data
13. Notice and time where access is requested
14. Denial of access to personal data
15. Form of access
16. Right of rectification of personal data
17. Extent of disclosure of personal data
18. Processing of sensitive personal data
PART IV
EXEMPTIONS
19. Exemption
20. Power to make further exemptions
Data Protection Act, 2013 4 No. 10 of 2013
PART V
INFORMATION COMMISSIONER AND MISCELLANEOUS PROVISIONS
21. Information Commissioner and data protection
22. Intentional disclosure of information
23. General penalty
24. Appeals to Court
25. Protection from criminal or civil proceedings
26. Confidentiality
27. Report to Parliament
No. 10 of 2013 5 Data Protection Act, 2013
[ L.S.]
I Assent,
Louise Lake-Tack,
Governor-General.
28th October, 2013
ANTIGUA AND BARBUDA
DATA PROTECTION ACT, 2013
No. 10 of 2013
AN ACT to promote the protection of personal data processed by public and private bodies
and for incidental and connected purposes.
ENACTED by the Parliament of Antigua and Barbuda as follows:
PART I
PRELIMINARY
1. Short title
This Act may be cited as the Data Protection Act, 2013.
2. Interpretation
In this Act, unless the context otherwise requires:
“alternative format” means, with respect to personal data, a format that allows a person with
a sensory disability to read or listen to the personal data;
Data Protection Act, 2013 6 No. 10 of 2013
“Chief Executive Officer” means the officer for the time being exercising the highest level of
administrative functions within a public body or private body;
“commercial transaction” means any transaction of a commercial nature, whether contractual
or not, which includes any matters relating to the supply or exchange of goods or services,
agency, investments, financing, banking and insurance;
“correct” means, in relation to personal data, to alter the data by way of amendment, deletion,
or addition;
“Court” means the Eastern Caribbean Supreme Court;
“data subject” means a natural or legal person who is the subject of personal data;
“data user” means a person who either alone or jointly or in common with other persons
processes any personal data or has control over or authorizes the processing of any personal
data, but does not include a data processor;
“document” means any medium in which data is recorded, whether printed or on tape or film
or by electronic means or otherwise and also means any map, diagram, photograph, film,
microfilm, video-tape, sound recording, or machine readable record or any record which is
capable of being produced from a machine-readable record by means of equipment or a
program, or a combination of both, which is used for that purpose by the public body or
private body which holds the record; equipment or a program, or a combination of both,
which is used for that purpose by the public body or private body which holds the record;
“Information Commissioner” means the Commissioner appointed pursuant to section 35 of
the Freedom of Information Act 2004;
“local authority” means a city council, a village council, or a town council;
“Minister” means the Minister with responsibility for public information;
“personal data” means any information in respect of commercial transactions, which–
(a) is being processed wholly or partly by means of equipment operating
automatically in response to instructions given for that purpose;
(b) is recorded with the intention that it should wholly or partly be processed by
means of such equipment; or
(c) is recorded as part of a relevant filing system or with the intention that it should
form part of a relevant filing system, that relates directly or indirectly to a data
subject, who is identified or identifiable from that information or from that and
other information in the possession of a data user, including any sensitive personal
data and expression of opinion about the data subject;
“private body” means a body, excluding a public body, that–
No. 10 of 2013 7 Data Protection Act, 2013
(a) carries on any trade, business or profession, but only in that capacity; or
(b) has legal personality;
“processing”, in relation to personal data, means collecting, recording, holding or storing the
personal data or carrying out any operation or set of operations on the personal data, including
the–
(a) organization, adaptation or alteration of personal data;
(b) retrieval, consultation or use of personal data;
(c) disclosure of personal data by transmission, transfer, dissemination or otherwise
making available; or
(d) alignment, combination, correction, erasure or destruction of personal data;
“public body” includes–
(a) Parliament;
(b) the Cabinet;
(c) a ministry, a department or a division of the ministry or a constituency office of a
Minister, wherever located;
(d) a local authority;
(e) a statutory corporation or body;
(f) a body corporate or an incorporated public body established for a public purpose,
which is owned or controlled by the State;
(g) an embassy, consulate or mission of the Antigua and Barbuda or an office of the
Antigua and Barbuda situated outside Antigua and Barbuda whose functions
include the provision of diplomatic or consular services for or on behalf of Antigua
and Barbuda; and
(h) any other body designated by the Minister by Regulations made under this Act, to
be a public body for the purposes of this Act.
“sensitive personal data” means any personal data consisting of information as to the physical
or mental health or condition of a data subject, his or her sexual orientation, his or her
political opinions, his or her religious beliefs or other beliefs of a similar nature, the
commission or alleged commission by him or her of any offence or any other personal data as
the Minister may determine by Order published in the Gazette;
Data Protection Act, 2013 8 No. 10 of 2013
3. Objectives of Act
The objectives of this Act are to safeguard personal data processed by public bodies and private
bodies in an era in which technology increasingly facilitates the processing of personal data by
balancing the necessity of processing personal data and safeguarding personal data from unlawful
processing by public bodies and private bodies; to promote transparency and accountability in the
processing of personal data.
4. Savings of certain laws
This Act shall not affect the operation of any law of Antigua and Barbuda that makes provision for
the processing of personal data and is capable of operating concurrently with this Act.
PART II
PRIVACY AND DATA PROTECTION PRINCIPLES
5. General Principle
(1) A data user shall not–
(a) in the case of personal data other than sensitive personal data, process personal data
about a data subject unless the data subject has given his consent to the processing of
the personal data; or
(b) in the case of sensitive personal data, process sensitive personal data about a data
subject except in accordance with the provisions of section 18.
(2) Notwithstanding paragraph (1)(a) and subject to subsection (3), a data user may process
personal data about a data subject if the processing is necessary–
(a) for the performance of a contract to which the data subject is a party;
(b) for the taking of steps at the request of the data subject with a view to entering into a
contract;
(c) for compliance with any legal obligation to which the data user is the subject, other
than an obligation imposed by a contract;
(d) in order to protect the vital interests of the data subject;
(e) for the administration of justice; or
(f) for the exercise of any functions conferred on a person by or under any law.
(3) Personal data shall not be processed unless the–
(a) personal data is processed for a lawful purpose directly related to an activity of the
data user;
No. 10 of 2013 9 Data Protection Act, 2013
(b) processing of the personal data is necessary for or directly related to that purpose;
and
(c) personal data is adequate but not excessive in relation to that purpose.
6. Notice and Choice Principle
A data user shall inform a data subject upon a request for personal data–
(a) the purposes for which the personal data is being or is to be collected and further
processed;
(b) of any information available to the data user as to the source of that personal data;
(c) of the data subject’s right to request access to and to request correction of the
personal data and how to contact the data user with any inquiries or complaints in
respect of the personal data;
(d) of the class of third parties to whom the data user discloses or may disclose the
personal data;
(e) whether it is obligatory or voluntary for the data subject to supply the personal data;
and
(f) where it is obligatory for the data subject to supply the personal data, the
consequences for the data subject if he or she fails to supply the personal data.
7. Disclosure Principle
Subject to section 17, no personal data shall, without the consent of the data subject, be disclosed–
(a) for any purpose other than–
(i) the purpose for which the personal data was to be disclosed at the time of
collection of the personal data; or
(ii) a purpose directly related to the purpose referred to in subparagraph (i);
(b) to any party other than a third party of the class of third parties as specified in
section 6 (d).
8. Security Principle
(1) A data user shall, when processing personal data, take practical steps to protect the
personal data from any loss, misuse, modification, unauthorized or accidental access or disclosure,
alteration or destruction by having regard to–
Data Protection Act, 2013 10 No. 10 of 2013
(a) the nature of the personal data and the harm that would result from such loss, misuse,
modification, unauthorized or accidental access or disclosure, alteration or
destruction;
(b) the place or location where the personal data is stored;
(c) any security measures incorporated into any equipment in which the personal data is
stored;
(d) the measures taken for ensuring the reliability, integrity and competence of personnel
having access to the personal data; and
(e) the measures taken for ensuring the secure transfer of the personal data.
(2) Where processing of personal data is carried out by a data processor on behalf of the data
user, the data user shall, for the purpose of protecting the personal data from any loss, misuse,
modification, unauthorized or accidental access or disclosure, alteration or destruction, ensure that
the data processor–
(a) provides sufficient guarantees in respect of the technical and organizational security
measures governing the processing to be carried out; and
(b) takes reasonable steps to ensure compliance with those measures.
9. Retention Principle
(1) The personal data processed for any purpose shall not be kept longer than is necessary for
the fulfilment of that purpose.
(2) It shall be the duty of a data user to take all reasonable steps to ensure that all personal
data is destroyed or permanently deleted if it is no longer required for the purpose for which it was
to be processed.
10. Data Integrity Principle
A data user shall take reasonable steps to ensure that the personal data is accurate, complete, not
misleading and kept up-to-date by having regard to the purpose, including any directly related
purpose, for which the personal data was collected and further processed.
11. Access Principle
A data subject shall be given access to his or her personal data held by a data user and be able to
correct that personal data where the personal data is inaccurate, incomplete, misleading or not up-
to-date, except where compliance with a request to such access or correction is refused under this
Act.
No. 10 of 2013 11 Data Protection Act, 2013
PART III
RIGHTS OF DATA SUBJECTS
12. Right of access to personal data
Subject to the provisions of this Act, a public body or a private body shall, on the written request
of and the payment of the prescribed fee by a person for access to personal data–
(a) inform the person whether personal data of which that person is the data subject is
being processed by or on behalf of that body;
(b) if personal data is being processed by or on behalf of that body, communicate to the
person in an intelligible form a description of–
(i) the personal data of which that person is the data subject;
(ii) the purposes for which the personal data is being or will be processed;
(iii) the recipients or classes of recipients to whom personal data is or may be
disclosed; and
(iv) any information available to the body as to the source of the data.
13. Notice and time where access is requested
(1) Subject to section 14, where access to personal data is requested under section 12, the
public body or private body to which the request is made shall, subject to subsection (2), within
thirty days after the request is received –
(a) give written notice to the person who made the request as to whether or not access to
the personal data or a part thereof will be granted; and
(b) if access is granted, give to the person who made the request, access to the personal
data or a part thereof.
(2) A Chief Executive Officer may extend the time limit for compliance with a request for
access to personal data –
(a) by a maximum of thirty days if–
(i) meeting the original time limit would unreasonably interfere with the operations
of the public body or private body; or
(ii) consultations are necessary to comply with the request that cannot be reasonably
be completed within the original time limit, or
Data Protection Act, 2013 12 No. 10 of 2013
(b) by such period of time as is reasonable, if the additional time is necessary for
converting the personal data into an alternative format; by giving notice of the
extension and the length of the extension to the person who made the request within
thirty days after the request is received, and a statement that the person has a right to
make a complaint to the Information Commissioner about the extension.
14. Denial of access to personal data
(1) A public body or a private body is not obliged to comply with a request for access to
personal data–
(a) unless it is supplied with such information as it may reasonably require in order to
satisfy itself as to the identity of the person making the request and to locate the
personal data which that person seeks;
(b) if compliance with the request will be in contravention of the exemptions contained in
Part IV or of any duty of confidentiality recognised by law;
(c) where another person who can be identified from the personal data consents to the
disclosure of his or her personal data to the person making the request; or
(d) where the body obtains the written approval of the Information Commissioner.
(2) Where a public body or a private body refuses to give access to personal data, its Chief
Executive Officer shall state in the notice given pursuant to section 13 (2)(a)–
(a) that the personal data does not exist; or
(b) the specific provision of this Act on which refusal was based or the provision on
which a refusal could reasonably be expected to be based if the personal data existed,
and that the person who made the request has the right to make a complaint to the
Information Commissioner about the refusal.
(3) Where a Chief Executive Officer fails to give access to personal data requested under
section 14 within the time limits set out in this Act, he or she shall, for the purposes of this Act, be
deemed to have refused to give access.
15. Form of access
(1) Where a data subject is granted access to personal data requested pursuant to section 14,
the public body or private body shall–
(a) permit the data subject to examine the personal data; or
(b) provide the data subject with a copy of the personal data.
No. 10 of 2013 13 Data Protection Act, 2013
(2) Where access to personal data is given under this Act and the data subject to whom
access is granted has a sensory disability and requests that access be given in an alternative
format, access shall be given in an alternative format if –
(a) the personal data already exists under the control of a public body or a private body
in an alternative format that is acceptable to the person; or
(b) the Chief Executive Officer considers it to be reasonable to cause the personal data
to be converted to an alternative format.
16. Right of rectification of personal data
(1) Where personal data that is processed by a public body or a private body to which access
has been given, contains personal data which the data subject claims–
(a) is incomplete, incorrect, misleading, or excessive;
(b) is not relevant to the purpose for which the document is held; the body shall, upon
application of the data subject, cause the data to be amended upon being satisfied of
the claim.
(2) An application under subsection (1) shall–
(a) be in writing; and
(b) as far as practicable, specify–
(i) the document containing the record of personal data that is claimed to require
the amendment;
(ii) the personal data that is claimed to be incomplete, incorrect, misleading or
irrelevant;
(iii) the reasons for the claim; and
(iv) the amendment requested by the data subject.
(3) To the extent that it is practicable to do so, the public body or private body shall, when
making an amendment to personal data in a document pursuant to this section, ensure that it does
not obliterate the text of the document as it existed prior to the amendment.
(4) Where a public body or a private body is not satisfied with the reasons for an application
pursuant to subsection (1), it may refuse to make an amendment to the personal data and inform
the data subject of its refusal and the reasons for the refusal and inform the data subject that he/she
may lodge a complaint in writing to the Information Commissioner.
Data Protection Act, 2013 14 No. 10 of 2013
(5) A data subject who is aggrieved by a decision of a public body or a private body pursuant
to subsection (4) may lodge a complaint in writing to the Information Commissioner within
twenty–eight days of the date of the receipt of the communication of refusal.
17. Extent of disclosure of personal data
Notwithstanding section 7, personal data of a data subject may be disclosed by a data user for any
purpose other than the purpose for which the personal data was to be disclosed at the time of its
collection or any other purpose directly related to that purpose, only under the following
circumstances the–
(a) data subject has given his or her consent to the disclosure;
(b) disclosure –
(i) is necessary for the purpose of preventing or detecting a crime, or for the purpose of
investigations; or
(ii) was required or authorized by or under any law or by the order of a court;
(c) data user acted in the reasonable belief that he had in law the right to disclose the
personal data to the other person;
(d) data user acted in the reasonable belief that he or she would have had the consent of the
data subject if the data subject had known of the disclosing of the personal data and the
circumstances of such disclosure; or
(e) disclosure was justified as being in the public interest in circumstances as determined by
the Minister.
18. Processing of sensitive personal data
(1) Subject to subsection (2) and Part II, a data user shall not process any sensitive personal
data of a data subject except in accordance with the following conditions–
(a) the data subject has given his or her explicit consent to the processing of the personal
data;
(b) the processing is necessary–
(i) for the purposes of exercising or performing any right or obligation which is
conferred or imposed by law on the data user in connection with employment;
(ii) in order to protect the vital interests of the data subject or another person, in a case
where–
(A) consent cannot be given by or on behalf of the data subject; or
No. 10 of 2013 15 Data Protection Act, 2013
(B) the data user cannot reasonably be expected to obtain the consent of the data
subject;
(iii) in order to protect the vital interests of another person, in a case where consent
by or on behalf of the data subject has been unreasonably withheld;
(iv) for medical purposes and is undertaken by–
(A) a healthcare professional; or
(B) a person who in the circumstances owes a duty of confidentiality which is
equivalent to that which would arise if that person were a healthcare profession
for;
(v) the purpose of, or in connection with, any legal proceedings;
(vi) the purpose of obtaining legal advice;
(vii) the purposes of establishing, exercising or defending legal rights;
(viii) the administration of justice;
(ix) the exercise of any functions conferred on any person by or under any written
law; or
(x) any other purposes as the Minister thinks fit; or
(c) the information contained in the personal data has been made public as a result of
steps deliberately taken by the data subject.
(2) The Minister may by Order published in the Gazette exclude the application of
subparagraph (1)(b)(i), (viii) or (ix) in such cases as may be specified in the order, or provide that,
in such cases as may be specified in the order, the condition in subparagraph (1)(b)(i), (viii) or (ix)
is not to be regarded as satisfied unless such further conditions as may be specified in the Order
are also satisfied.
(3) A person who contravenes subsection (1) commits an offence and shall, on conviction, be
liable to a fine not exceeding two hundred thousand dollars or to imprisonment for a term not
exceeding three years or to both.
(4) For the purposes of this section–
“medical purposes” includes the purposes of preventive medicine, medical diagnosis, medical
research, rehabilitation and the provision of care and treatment and the management of
services relating to health care;
“healthcare professional” means a medical practitioner, dental practitioner, pharmacist,
clinical psychologist, nurse, midwife, medical assistant, physiotherapist, occupational
therapist and other allied healthcare professionals and any other person involved in the giving
of medical, health, dental, pharmaceutical and any other healthcare services under the
jurisdiction of the Ministry of Health.
Data Protection Act, 2013 16 No. 10 of 2013
PART IV
EXEMPTIONS
19. Exemption
(1) There shall be exempted from the provisions of this Act, personal data processed by an
individual only for the purposes of that individual’s personal, family or household affairs,
including recreational purposes.
(2) Subject to section 20, personal data–
(a) processed for the–
(i) prevention or detection of crime or for the purpose of investigations;
(ii) apprehension or prosecution of offenders; or
(iii) assessment or collection of any tax or duty or any other imposition of a similar
nature, shall be exempted from the General Principle, Notice and Choice Principle,
Disclosure Principle and Access Principle and other related provisions of this Act;
(b) processed in relation to information of the physical or mental health of a data subject
shall be exempted from the Access Principle and other related provisions of this Act of
which the application of the provisions to the data subject would be likely to cause
serious harm to the physical or mental health of the data subject or any other individual;
(c) processed for preparing statistics or carrying out research shall be exempted from the
General Principle, Notice and Choice Principle, Disclosure Principle and Access
Principle and other related provisions of this Act, provided that such personal data is not
processed for any other purpose and that the resulting statistics or the results of the
research are not made available in a form which identifies the data subject;
(d) that is necessary for the purpose of or in connection with any order or judgment of a court
shall be exempted from the General Principle, Notice and Choice Principle, Disclosure
Principle and Access Principle and other related provisions of this Act;
(e) processed for the purpose of discharging regulatory functions shall be exempted from the
General Principle, Notice and Choice Principle, Disclosure Principle and Access
Principle and other related provisions of this Act if the application of those provisions to
the personal data would be likely to prejudice the proper discharge of those functions; or
(f) processed only for journalistic, literary or artistic purposes shall be exempted from the
General Principle, Notice and Choice Principle, Disclosure Principle, Retention Principle,
Data Integrity Principle and Access Principle and other related provisions of this Act,
provided that the–
No. 10 of 2013 17 Data Protection Act, 2013
(i) processing is undertaken with a view to the publication by a person of the
journalistic, literary or artistic material;
(ii) data user reasonably believes that, taking into account the special importance of
public interest in freedom of expression, the publication would be in the public
interest; and
(iii) data user reasonably believes that in all the circumstances, compliance with the
provision in respect of which the exemption is claimed is incompatible with the
journalistic, literary or artistic purposes.
20. Power to make further exemptions
The Minister may, upon the recommendation of the Information Commissioner, by Order
published in the Gazette exempt–
(a) the application of any of the Personal Data Protection Principles under this Act to any
data user or class of data users; or
(b) any data user or class of data users from all or any of the provisions of this Act.
PART VI
THE INFORMATION COMMISSIONER AND
MISCELLANEOUS PROVISIONS
21. Information Commissioner and data protection
For the purposes of this Act, the powers, functions and duties, conferred on the Information
Commissioner pursuant to the Freedom of Information Act 2004, particularly under Parts V, VI
and VII, shall be applicable as relevant for carrying out and enforcing the protection of data
pursuant to the provisions of this Act.
22. Intentional disclosure of information
(1) A person who intentionally discloses personal information of another person in
contravention of this Act commits an offence.
(2) A person who collects, stores or disposes of personal information of another person in a
manner that contravenes this Act, commits an offence.
23. General Penalty
(1) A person who commits an offence under this Act for which a penalty is not specifically
provided for is liable on–
Data Protection Act, 2013 18 No. 10 of 2013
(a) summary conviction, to a fine of not more than fifty thousand dollars or to imprisonment
for a term of three years; or
(b) conviction on indictment, to a fine of not more than one hundred thousand dollars or to
imprisonment for a term of not more than five years.
(2) Where the offences under this Act is committed by a body corporate, the body corporate
shall be liable upon–
(a) summary conviction, to a fine not exceeding two hundred thousand dollars; and
(b) conviction on indictment, to a fine not exceeding five hundred thousand dollars.
24. Appeals to Court
An appeal lies to the Court against–
(a) a requirement specified in an enforcement notice or an information notice;
(b) a decision of the Information Commissioner in relation to a complaint; or
(c) any decision of the Information Commissioner in respect of the conduct of his duties and
powers utilized pursuant to the provisions of this Act.
25. Protection from criminal or civil proceedings
(1) No criminal or civil proceedings shall lie against the Information Commissioner or against
a person acting on behalf or under the direction of the Information Commissioner, for anything
done, reported or said in good faith in the course of the exercise or performance or purported
exercise, discharge, or performance of any power, duty or function of the Information
Commissioner under this Act.
(2) For the purpose of any law relating to libel or slander–
(a) any words spoken, any information supplied or any document or thing produced in good
faith in the course of an investigation carried out by or on behalf of the Information
commissioner under this Act is absolutely privileged; and
(b) any report made in good faith by the Information Commissioner under this Act is
absolutely privileged.
26. Confidentiality
Subject to this Act, the Information Commissioner and every person acting on behalf or under the
direction of the Information Commissioner shall not disclose any information that comes to their
knowledge in the conduct of their functions under this Act.
No. 10 of 2013 19 Data Protection Act, 2013
27. Report to Parliament
The Information Commissioner shall include in his annual report to Parliament pursuant to section
39 of the Freedom of Information Act 2004, a report on the activities of the Information
Commissioner with respect to data protection under the provisions of this Act.
28. Regulations
(1) The Minister may make Regulations for giving effect to the provisions of this Act and for
prescribing anything required or authorised by this Act to be prescribed.
(2) Notwithstanding the generality of subsection (1), Regulations made under this section
may prescribe –
(a) guidelines for the disposal of personal data held by a public body or a private body;
(b) special procedures for giving a person access to personal data pursuant to section 15; and
(c) codes of practice.
(3) All Regulations made under this Act shall be laid before Parliament and shall be subject
to negative resolution.
Passed the House of Representatives on
the 30th August, 2013.
Passed the Senate on the 12th September, 2013.
D. Gisele Isaac-Arrindell,
Speaker.
Hazlyn M. Francis,
President.
Ramona Small,
Clerk to the House of Representatives.
Ramona Small,
Clerk to the Senate.
