IS YOUR DATA PROTECTED IN T&T? WHAT YOU NEED TO KNOW

April 5, 2025
By Cari Chandler-Martin

CONTACT US HERE

Share This:

​As digital technologies continue to reshape the way we communicate, shop, work, and socialize, the protection of personal data has become increasingly critical. For years, Trinidad and Tobago has lagged behind global standards in data privacy. The Data Protection Act, 2011 (Act No. 13 of 2011), although enacted over a decade ago, has only been partially proclaimed. However, recent government movements signaled a renewed urgency to bring the law fully into force by late 2024. This article explores the contents of the Act, how it affects everyday citizens, the significance of its delayed proclamation, and what Trinidadians and Tobagonians need to know going forward.

Overview: What is the Data Protection Act, 2011?
The Data Protection Act (DPA) is Trinidad and Tobago’s central legislation aimed at safeguarding the personal information of individuals. Enacted in 2011, the law establishes guidelines for how personal data should be collected, processed, stored, and shared—particularly by public bodies and organizations.

Its primary objective, as outlined in the Act, is to protect the privacy rights of individuals by regulating the use of their personal information. The Act is structured across multiple parts, which include:

• Part I – Preliminary: Defines key terms like “personal information,” “sensitive personal information,” and “data controller.”
• Part II – Protection of Personal Privacy: Lays out principles for data handling.
• Part III – Public and Private Sector Responsibilities: Outlines obligations of entities that collect or process data.
• Part IV – The Office of the Information Commissioner: Establishes an independent oversight body.
• Part V – Offences and Penalties: Identifies violations and associated legal consequences, which may include fines and, in some cases, criminal liability.

Key Provisions Everyone Should Know
Here are some of the most important parts of the Act that both individuals and organizations should be aware of:
​
1. Section 6 – General Privacy Principles
Public bodies must ensure that information is:

• Collected lawfully
• Used for specific, legitimate purposes
• Protected against unauthorized access or disclosure
  
  

2. Section 22 – Protection of Sensitive Personal Information
This includes data like your racial origin, political opinions, religious beliefs, and medical records. Special safeguards are required for its collection and use.

3. Section 31 – Data Access Requests
You have the right to ask any organization what data they hold about you and receive a response within a specific timeframe.

4. Section 45 – Offences and Penalties
Includes fines and potential imprisonment for:

• Unauthorized disclosure of personal data
• Failure to protect data
• Obstructing the Information Commissioner’s investigations

​While the Act underscores the importance of safeguarding personal data—especially in online and electronic transactions—only limited parts of the legislation are currently in effect. Notably, these include the provisions that establish the Office of the Information Commissioner and a set of general privacy principles that guide how personal data should be managed.

These general principles serve as best practices for both public and private bodies, ensuring that personal information is handled responsibly. They include:

1. Accountability – Organizations that handle personal data are responsible for protecting it and must comply with the Act.
   
   
2. Identifying Purpose – Individuals must be informed of the reason their data is being collected.
   
   
3. Consent – Personal data should not be collected, used, or disclosed without the individual’s knowledge and consent.
   
   
4. Limiting Collection – Only the data necessary for the identified purpose should be collected.
   
   
5. Limiting Use, Disclosure, and Retention – Personal data must not be used or shared for any reason other than the stated purpose and should only be retained as long as necessary.
   
   
6. Accuracy – Reasonable steps must be taken to ensure that data is accurate, complete, and up to date.
   
   
7. Safeguards – Personal data must be protected with appropriate security measures against loss, theft, unauthorized access, disclosure, or destruction.
   
   
8. Openness – Policies and practices regarding personal data management must be transparent and accessible to the public.
   
   
9. Individual Access – Individuals have the right to access their personal information and request corrections if necessary.
   
   
10. Challenging Compliance – There should be procedures for individuals to challenge the organization’s compliance with the principles above.
    
    

While these principles provide important guidance, the key operative sections of the DPA—such as those dealing with enforcement, penalties for non-compliance, and rules for data collection, disclosure, and breach management—have not yet been proclaimed. As a result, there are currently no legal sanctions or mandatory frameworks in place to hold organizations accountable for violations, even in the event of a data breach.

What Does the Act Mean for Ordinary Citizens?
For the average person in Trinidad and Tobago, this law—once fully enacted—has the potential to significantly impact how their personal information is handled by both public institutions and private businesses.

Why the Delay in Proclamation?
Although passed in 2011, the Act was never fully proclaimed—mostly due to administrative challenges and lack of digital infrastructure. Growing concerns about cybercrime, online fraud, and unauthorized data collection have accelerated efforts to enforce the law.​

In 2023, the government also obtained an 18-month extension to finalize the framework for operationalizing the Act, including the establishment of the long-overdue Office of the Information Commissioner. The Commissioner’s role will be vital: monitoring compliance, investigating complaints, and imposing penalties on violators.​ In late 2023, Acting Permanent Secretary in the Ministry of Digital Transformation, Cory Belfon, confirmed that full proclamation was expected by the end of 2024—a deadline that has now passed without implementation. 

​Recent Data Breaches Highlighting the Act's Importance
The absence of comprehensive data protection legislation has left Trinidad and Tobago vulnerable to cyberattacks, underscoring the urgent need for the full proclamation of the DPA. Notable incidents include:​
​

1. TSTT Cyberattack (October 2023)
   In October 2023, Telecommunications Services of Trinidad and Tobago (TSTT) experienced a significant cyberattack by the ransomware group RansomExx. The attackers claimed to have extracted up to six gigabytes of data, including personal information such as full names, email addresses, national identification numbers, and contact numbers of over 1.2 million customers. This data was subsequently posted on the dark web, raising serious concerns about customer privacy and data security. 
   
   
2. Attorney General’s Office Breach (July 2023)
   Operations at the Attorney General’s Office and Ministry of Legal Affairs were disrupted by a cybersecurity breach, affecting departments including the Solicitor General’s Office and the Office of the Director of Public Prosecutions. The breach led to significant operational delays and highlighted vulnerabilities in the government's digital infrastructure. 
   
   
3. South West Regional Health Authority Breach (October 2023)
   The South West Regional Health Authority’s communications and technology platform was compromised, rendering information databases inaccessible and forcing several functions to revert to manual operations. Services were gradually restored, but the incident emphasized the critical need for robust cybersecurity measures in the healthcare sector. 
   
   

These incidents illustrate the tangible risks and consequences of inadequate data protection, reinforcing the necessity for comprehensive legislation to safeguard personal information.​

The Road Ahead: Embracing a Data-Safe Future
The move toward full enforcement of the Data Protection Act reflects a global shift toward respecting digital rights. Trinidad and Tobago is catching up with countries that already have robust privacy laws such as the General Data Protection Regulation (GDPR) in the European Union or the Data Protection Act in Jamaica. Yet, for the legislation to be effective, there must be:

• Public education on rights and responsibilities
• Training for data-handling personnel
• Investment in digital infrastructure

With data breaches on the rise and digital services expanding, this legal framework will help restore public trust in both government and commerce.

Final Thoughts
The full proclamation and enforcement of the Data Protection Act remain crucial steps in ensuring that Trinidad and Tobago keeps pace with global data privacy standards. While the government had initially targeted the end of 2024 to bring the Act fully into effect, that deadline has come and gone with no clear public update. In the meantime, recent data breaches continue to expose the vulnerabilities of personal information in both public and private sectors. These incidents underscore the urgency of not only implementing robust legislation but also ensuring its continuous adaptation. As we move deeper into an age dominated by digital transformation, it remains to be seen whether Trinidad and Tobago’s legal framework can truly catch up—and, more importantly, keep up—with the accelerating pace of technological innovation and the growing need to protect every persons' data.

Cari Chandler-Martin is Managing Partner at Aurora Chambers. She can be reached at a[email protected]. ​​

​Important Notice: This article is for informational purposes only and does not constitute legal advice. Always seek consultation with an attorney for your specific legal concerns, as only a professional familiar with the details of your situation can provide proper guidance. ​

​This website is managed by AURORA Chambers; a law practice in Trinidad and Tobago.

Click HERE to receive updates straight to your inbox by subscribing to our newsletter.

---