Global Data Privacy Guide
Turks & Caicos Islands (Caribbean)
Firm: Misick & Stanbrook | Updated 08 Aug 2025
| 1. What is the key legislation? | The Constitution: Section 9(1) of the Constitution provides that every person has the right to respect for his or her private and family life, his or her home and his or her correspondence. Under Section 4 of the Confidentiality Relationship Act (“CRA”), it is an offence for any person who possesses confidential information, however obtained, to divulge it to any person not entitled to it, or to attempt to offer, or threaten to divulge it to any person not entitled to it. It is also an offence for a person to obtain, or attempt to obtain, confidential information to which he or she is not entitled. Confidential information includes information concerning any property, or relating to any business of a professional nature, or commercial transaction, which has taken place, or which a party contemplates may take place, which the recipient thereof is not otherwise entitled, in the normal course of professional practice, authorised by the principal to divulge. The CRA is not concerned with civil liability for the disclosure of confidential information and expressly provides in Section 5 that it does not affect, or derogate from, any rule of law on the rights of a person with regard to civil liability for breach of any express or implied confidentiality. The purpose of the CRA is to protect sensitive commercial information given to professional persons in the course of professional business. Electronic Transaction Act |
| 2. What are the key decisions applying that legislation? | There are no specific judicial decisions related to data protection. |
| 1. How are “personal data” and “sensitive data” defined? | Except for the purposes of the ETA, there is no definition of “personal data”. The ETA defines personal data as any information which relates to an identified or identifiable natural person. There is no specific definition of sensitive data, which is generally understood to be data which, if compromised, would cause harm to an individual or organization. |
| 2. How is the defined data protected? | Under the ETA, regulation may be made for the standards for processing data, but no regulations have been made. |
| 3. Who is subject to privacy obligations? | Organizations that collect, process, or store personal data and/or come into possession of privacy data are under an obligation of common law. |
| 4. How is “data processing” defined? | Not defined. |
| 5. What are the principles applicable to personal data processing? | Not applicable. |
| 6. How is the processing of personal data regulated? | Not regulated. |
| 7. How are storage, security and retention of personal data regulated? | Not regulated. |
| 8. What are the data subjects' rights under the data legislation? | The right against disclosure and use of personal data. |
| 9. What are the consent requirements for data subjects? | Consent required by common law. |
| 10. How is authorization for use of data handled? | Authorization for data use should be based on explicit consent or consent implied by law. |
| 11. Are cross-border data transfers regulated? If so, what are the restrictions on cross-border data transfers? | No. |
| 12. How are data "incidents" and "breaches" defined? | Not defined. |
| 13. Are there any notification requirements for incidents and/or data breaches? | No. |
| 14. Who is/are the privacy regulator(s)? | None. |
| 15. What are the consequences of a data breach? | In the case of breach of confidential information by a professional, this could give rise to criminal liability. Disclosure may also result in civil liability for breach of confidence, which is an equitable civil cause of action, and for breach of privacy, which is a tort at common law. |
| 16. How is electronic marketing regulated? | Not regulated. |
| 17. Are there sector-specific or industry-specific privacy requirements? | Certain professional persons, such as lawyers and accountants, bankers, trust companies, officers and advisers, may not disclose confidential information, except by consent or when permitted by law. |
| 18. What are the requirements for appointing Data Protection Officers or similar roles? | None. |
| 19. What are the record-keeping and documentation obligations? | None. |
| 20. What are the requirements for conducting Data Protection Impact Assessments (DPIAs)? | None. |
| 21. What are the requirements for third-party vendor management and data sharing? | Not regulated. |
| 22. What are the penalties and enforcement mechanisms for non-compliance? | None. |
| 23. What are the ongoing compliance and audit requirements? | None. |
| 24. Are there any recent developments or expected reforms? | As of now, there are discussions regarding the need for comprehensive data protection legislation. |
The Constitution
As of now, the Turks and Caicos Islands (“the TCI”) do not have standalone comprehensive data protection legislation. The Constitution of the Turks and Caicos Islands (“the Constitution”) provides for privacy rights.
Section 9(1) of the Constitution provides that every person has the right to respect for his or her private and family life, his or her home and his or her correspondence.
The CRA
Under Section 4 of the Confidentiality Relationship Act (“CRA”), it is an offence for any person who possesses confidential information, however obtained, to divulge it to any person not entitled to it, or to attempt to offer, or threaten to divulge it to any person not entitled to it.
It is also an offence for a person to obtain, or attempt to obtain, confidential information to which he or she is not entitled.
Confidential information includes information concerning any property, or relating to any business of a professional nature, or commercial transaction, which has taken place, or which a party contemplates may take place, which the recipient thereof is not otherwise entitled, in the normal course of professional practice, authorised by the principal to divulge.
The CRA is not concerned with civil liability for the disclosure of confidential information and expressly provides in Section 5 that it does not affect, or derogate from, any rule of law on the rights of a person with regard to civil liability for breach of any express or implied confidentiality. The purpose of the CRA is to protect sensitive commercial information given to professional persons in the course of professional business.
Electronic Transaction Act
The Electronic Transaction Act (“ETA”) allows for the establishment of regulations regarding personal data processing in connection with electronic transactions, but no such regulations have yet been implemented. The ETA is not concerned with the protection of data outside electronic transactions and is directed at the identification of persons who sign documents electronically.
Other Regulatory Legislation
There are a number of statutes which make provision for the protection of confidential information. Most of these statutory provisions are concerned with the protection of sensitive, commercial and personal information provided to, or obtained by, government departments and statutory bodies during and for the purpose of carrying out their regulatory or supervisory functions. They impose criminal liabilities on public officers who engage in unauthorized disclosure. They do not create civil liability.