#BTEditorial: Too much personal data at risk of exposure

In mid-2023, one of the island’s top legal minds on the Data Protection Act asserted that Barbados’ move towards affirming people’s rights to have their personal data protected would make the island more attractive to international investors.

Bartlett Morgan, the managing director of Chancery Advocates, was at the time speaking at a joint session hosted by the Barbados Bar Association and BIBA, the Association for Global Business.

His role was to examine the topic, Data Privacy, Cyber Security and Risks to the Financial Services Industry. Morgan believed that investors seeking a jurisdiction with a quality legal and regulatory environment would give Barbados an edge over others not so situated.

The attorney also suggested that additions to the local legal framework, frankly, added to the major pull factors of which the island could boast, particularly emerging from the post-COVID environment where the use of technology dramatically altered the way people do business and interact at the personal and corporate levels.

He was particularly enthusiastic about how the data privacy laws would be attractive for those digital nomads who came to Barbados during the pandemic on the popular Welcome Stamp visa programme.

He cemented his case this way. “If their bosses are from the metropoles . . . they probably already have rules that speak to how they use and process data. Under the Barbados Act, you don’t send the data out unless you are satisfied that it will enjoy a comparable level of protection in the foreign destination.”

Bartlett further noted: “If I am one of these corporations and I research Barbados where my employees want to work remotely, and I carry out my data impact assessment, . . . one of the factors I would look at is the degree to which there is a law that comprehensively protects personal data being processed in that jurisdiction.”

It has been more than a year since this event and despite the many provisions of the Data Protection Act and the appointment of a data protection commissioner, one is still left to wonder how effective this office has been.

There have been several major breaches occurring in state-owned and private sector entities in which the personal data of Barbadians has been exposed.

Ironically, at that June 2023 meeting, the data protection commissioner disclosed that specific complaints procedures were not yet in place. However, the assurance was given that even in the absence of those complaints procedures, anyone could still register a grievance regarding breaches of the data protection laws.

With little public education from the Office of Data Protection, there are very few citizens who can assert their rights. Barbadians generally do not know what protections exist, where the office of the data commissioner is located, and what power the commissioner has to satisfy an aggrieved person.

To date, the public is unaware of how many people were impacted by the recent data breach at the Barbados Revenue Authority. To make matters worse, it has been revealed that another consequential government office that carries the data of almost every citizen and resident in Barbados was also breached. This is on top of the data breach at the Queen Elizabeth Hospital.

Citizens should stop for a moment and count how many places have their personal data, such as their names, national identification numbers, personal email addresses, passport numbers, telephone contacts, names and ages of their children and next of kin, addresses, complaints to the Barbados Police Service, bank account numbers and bank balances, National Insurance numbers, and medical information including ailments and diseases for which they are being treated.

With the shift away from paper filing to online activity, the risk of exposure to the actions of bad actors has increased astronomically.

For those individuals and companies collecting personal data, the responsibility is to protect that information from misuse by the people who have access to it; and from it being unlawfully accessed, copied or corrupted, or even sold.

Who is collecting personal data from Barbadians? The list is long and the risk of exposure is great. It includes attorneys, police officers, accountants, your commercial bank or credit union that demands two pieces of identification which it copies and stores, the medical practitioners in private offices and the hospitals who store the most personal of information about patients, medical insurance companies and those intermediaries who process medical insurance claim forms. And, of course, employers collect personal data on each employee.

This is just a sample, but it reveals just how exposed Barbadians are and the risk to their private data.

The post #BTEditorial: Too much personal data at risk of exposure appeared first on Barbados Today.
