
Global Data Privacy Guide

Trinidad and Tobago

(Caribbean) Firm Hamel-Smith Updated 08 Aug 2025
1. What is the key legislation?

The Data Protection Act, 2011 (DPA).  
The DPA was partially enacted on January 6, 2012 by Legal Notice 2 of 2012, and only Part I and sections 7 to 18, 22, 23, 25(1), 26 and 28 of Part II, 42(a),(b) of Part III have come into operation. This includes general data privacy principles which apply to anyone who handles, stores or processes ‘personal information’ belonging to another person; including the processing of personal information under the control of a public body.
The operative parts of the DPA which deal with the collection, protection and disclosure of information and prescribe penalties for non-compliance have not yet been proclaimed.

2. What are the key decisions applying that legislation?

The DPA provides for the protection of personal privacy and information processed and collected by public bodies and private organizations.

1. How are “personal data” and “sensitive data” defined?

The DPA defines personal data and sensitive personal data. Sensitive personal information may not be processed except where permitted by law. 
(a)    Personal information is defined as information about an identifiable individual that is recorded in any form including:

• The name of the individual where it appears with other personal information relating to the individual or where the disclosure of the name itself would reveal information about the individual
• The address and telephone number of the individual
• Any identifying number, symbol or other particular identifier designed to identify the individual
• Information relating to the individual's race, nationality or ethnic origin, religion, age or marital status
• Information relating to the education or the medical, criminal or employment history of the individual, or information relating to the financial transactions in which the individual has been involved or which refer to the individual
• Correspondence sent to an establishment by the individual that is explicitly or implicitly of a private or confidential nature, and any replies to such correspondence that would reveal the contents of the original correspondence
• The views and opinions of any other person about the individual
• The fingerprints, DNA, blood type or other biometric characteristics of the individual

(b)    Sensitive personal information is defined as personal information on a person's:

• Racial or ethnic origins
• Political affiliations or trade union membership
• Religious beliefs or other beliefs of a similar nature
• Physical or mental health or condition
• Sexual orientation or sexual life
• Criminal or financial record

(c)    Section 6 of the DPA, which is in force, states that all persons who handle, store or process personal information belonging to another person are subject to the following General Privacy Principles:

a.    An organization shall be responsible for the personal information under its control.

b.    The purpose for which personal information is collected shall be identified by the organization before or at the time of collection.

c.    Knowledge and consent of the individual are required for the collection, use or disclosure of personal information.

d.    Collection of personal information shall be legally undertaken and be limited to what is necessary in accordance with the purpose identified by the organization.

e.    Personal information shall only be retained for as long as is necessary for the purpose collected and shall not be disclosed for purposes other than the purpose of collection without the prior consent of the individual.

f.    Personal information shall be accurate, complete and current, as is necessary for the purpose of collection.

g.    Personal information is to be protected by such appropriate safeguards according to the sensitivity of the information.

h.    Sensitive personal information is protected from processing except where specifically permitted by written law.

i.    Organizations are to make available documents regarding their policies and practices related to the management of personal information to individuals, except where otherwise provided by written law.

j.    Organizations shall, at the request of the individual, disclose all documents relating to the existence, use and disclosure of personal information, such that the individual can challenge the accuracy and completeness of the information, except where otherwise provided by written law.

k.    The individual has the ability to challenge the organization’s compliance with the above principles and receive timely and appropriate engagement from the organization.

l.    Personal information which is requested to be disclosed outside of Trinidad and Tobago shall be regulated and comparable safeguards to those under this Act shall exist in the jurisdiction receiving the personal information.

(d)    The DPA includes provisions that relate specifically to the collection and processing of personal information by public bodies and private enterprises; however, these are not yet in force. Nevertheless, they are:

Public Bodies - Part III of the DPA provides that a public body may collect and process personal data when the following conditions are met:

•    The collection of that information is expressly authorized by law and the information is collected for the purpose of law enforcement
•    The information relates directly to and is necessary for an operating program or activity of the public body when the personal information is collected directly from the individual:
o    Another method of collection is authorized by the individual, Information Commissioner or law
o    The information is necessary for medical treatment
o    The information is required for determining the suitability of an award
o    The information is collected for judicial proceedings
o    The information is required for the collection of a debt or fine, or
o    It is required for law enforcement purposes

•    The individual is informed of the purpose for collecting his/her personal information, the legal authorization for collecting it, and the contact details of the official or employee of the public body who can answer the individual's questions about the collection

Private Entities - Part IV of the DPA provides that the collection and processing of personal information by private organizations must be in accordance with certain Codes of Conduct (which are to be determined by the Office of the Information Commissioner in consultation with the private sector) and the General Privacy Principles (which are currently in force).

2. How is the defined data protected?

As set out in Section 6 of the DPA (see item 2 above), the DPA generally requires that personal information be protected by appropriate safeguards based on the sensitivity of the information. Sensitive personal information may not be processed except where permitted by law.

3. Who is subject to privacy obligations?

Section 6 of the DPA, which is in force, states that all persons who handle, store or process personal information belonging to another person are subject to the General Privacy Principles. An organization shall be responsible for the personal information under its control.
The DPA has no specific provision regarding online privacy.

4. How is “data processing” defined?

The DPA includes provisions on the collection and processing of personal information by public bodies and private entities, but these are not yet in force. In keeping with the General Privacy Principles under Section 6 of the DPA, the collection of personal information shall be legally undertaken and be limited to what is necessary in accordance with the purpose identified by the organization.

5. What are the principles applicable to personal data processing?

As set out in Section 6 of the DPA, the knowledge and consent of the individual are required for the collection, use and disclosure of personal information. Collection must be made in accordance with the purpose identified by the organization collecting the personal information.

Sensitive personal information may not be processed except as specifically permitted by law. 

The DPA includes provisions that relate specifically to the collection and processing of personal information by public bodies and private enterprises; however, these are not yet in force.

6. How is the processing of personal data regulated?

As set out in Section 6 of the DPA, personal information which is requested to be disclosed outside of Trinidad and Tobago shall be regulated and comparable safeguards to those under this Act shall exist in the jurisdiction receiving the personal information.

7. How are storage, security and retention of personal data regulated?

As set out in Section 6 of the DPA, there is a general requirement that personal information be protected by appropriate safeguards based on the sensitivity of the information. Sensitive personal information may not be processed except where permitted by law.

8. What are the data subjects' rights under the data legislation?

As set out in Section 6 of the DPA, the individual has the ability to challenge the organization’s compliance with the above principles and receive timely and appropriate engagement from the organization.

9. What are the consent requirements for data subjects?

As set out in Section 6 of the DPA, the purpose for which personal information is collected shall be identified by the organization before or at the time of collection.
Knowledge and consent of the individual are required for the collection, use or disclosure of personal information.

10. How is authorization for use of data handled?

As set out in Section 6 of the DPA, knowledge and consent of the individual are required for the collection, use or disclosure of personal information.

11. Are cross-border data transfers regulated? If so, what are the restrictions on cross-border data transfers?

Section 6(l) of the DPA provides that personal information may be transferred outside of Trinidad and Tobago only if the personal information being requested will be regulated by safeguards comparable to those of Trinidad and Tobago in the jurisdiction receiving the personal information.

In this regard, the Office of the Information Commissioner is required to publish a list of countries which have comparable safeguards for personal information as provided by this Act in the Gazette and in at least two newspapers in daily circulation in Trinidad and Tobago.  

Where personal information under the custody and control of an organization is to be disclosed to a party residing in another jurisdiction, the organization must inform the individual to whom the information relates.

12. How are data "incidents" and "breaches" defined?

The operative parts of the DPA which deal with the collection, protection and disclosure of information and prescribe penalties for non-compliance have not yet been proclaimed.

13. Are there any notification requirements for incidents and/or data breaches?

The operative parts of the DPA which deal with the collection, protection and disclosure of information and prescribe penalties for non-compliance have not yet been proclaimed.

14. Who is/are the privacy regulator(s)?

The Office of the Information Commissioner is responsible for the oversight, interpretation and enforcement of the DPA. It has broad authority, including to authorize the collection of personal information about an individual from third parties and to publish guidelines regarding compliance with the Act.

15. What are the consequences of a data breach?

There is no provision in the DPA at this time.

16. How is electronic marketing regulated?

The DPA has no specific provision regarding electronic marketing.

17. Are there sector-specific or industry-specific privacy requirements?

Not at this time.

18. What are the requirements for appointing Data Protection Officers or similar roles?

There is no such requirement under the DPA.

19. What are the record-keeping and documentation obligations?

There are no provisions in the DPA in force at this time. 

20. What are the requirements for conducting Data Protection Impact Assessments (DPIAs)?

There are no provisions in the DPA in force at this time. 

21. What are the requirements for third-party vendor management and data sharing?

There are no provisions in the DPA in force at this time. 

22. What are the penalties and enforcement mechanisms for non-compliance?

The operative parts of the DPA which prescribe penalties for non-compliance have not yet been proclaimed.

23. What are the ongoing compliance and audit requirements?

None at this time.

24. Are there any recent developments or expected reforms?

None at this time.
