By Fanta Punch and Akeem Lopez
Digitisation has developed to the point where the transfer of data globally—as well as the large volume of personal information or data generated about individuals—is not only enormous but also, in large part, integral to how we live and access systems around us.
As innovation and technology continue to shape these markets, the ability to protect data and personal information has become increasingly challenging.
Technological ecosystems, such as the Internet of Bodies or IoB, have developed an ever-growing industry of devices that monitor human bodies whose functionality rely, at least in part, on the internet and related technologies, Artificial Intelligence and transmit personal data collected from the internet.
IoB products and devices connect the body through technology that merges with the human body and are commonplace today. They include, for example, smartwatches (Apple Watch and Fitbit), smart rings (Oura Ring), smart glasses (Apple Vision Pro) and pacemakers. Even the implantable brain computer interface developed by Elon Musk’s Neuralink seeks to translate thought into action.
A key issue associated with the integration of technology in our daily lives is how it interacts with issues of data privacy and data protection. For example, while users of IoB devices enjoy many benefits such as seamless health and fitness monitoring, these devices enable manufacturers to gather, process and store personal information, for example fitness parameters, lifestyle choices and eating habits. This is valuable data that can then be exploited and used in targeted advertising models and marketing campaigns for new data-driven products.
In light of the pace of technological growth and intense competition among companies operating in the digital space, there is a compelling argument to be made for checks and balances in the use of personal data.
Whether the use of personal data is rights based or market driven, particularly in this jurisdiction, the importance of the free flow of information across borders to sustain economic activity cannot be underscored enough. Despite any potential benefits of personal data in facilitating commercial trade, the inclusion of appropriate safeguards to protect an individual’s personal data is important.
Data protection in T&T
Locally, the Data Protection Act Chap 22:04 (the ‘DPA’), which has been partially proclaimed, seeks to ensure that protection is afforded to an individual’s right to privacy and the right to maintain sensitive personal information as private and personal.
While there are general data privacy principles in force which provide guidance for handling, storing and processing of a person’s personal information, the operative parts of the DPA that govern how that information is collected, protected, disclosed and the applicable sanctions for contravention thereof, are yet to be proclaimed. It is hoped that the DPA may be fully proclaimed in 2024.
An individual’s personal information is understandably extensive and in its simplest form includes information in any recordable format, such as information relating to the race, nationality or ethnic origin, religion, age or marital status of the individual, education or the medical, criminal or employment history of the individual. Personal information may also include information relating to the financial transactions, any identifying number, symbol or other particular that can identify an individual, an individual’s name, address, telephone contact number and more detailed information such as fingerprints, DNA, blood type or other biometric characteristics. It can also include confidential correspondence sent by an individual and the views and opinions of a third party about the individual.
The general data privacy principles provide general guidelines to ensure that the handling, storage or processing of a person’s personal information is done in a manner that affords some measure of protection both by public and private entities.
These guidelines or principles include:
* An organisation shall be responsible for the personal information under its control;
* Before or at the time information is collected, the reason for collection should be made clear;
* An individual’s information should only be collected, used or disclosed with his full knowledge and consent, and should be as accurate and complete as is needed for purpose of collection;
* Collection of an individual’s personal information must be a legal undertaking and limited to what is necessary and in keeping with the reason or purpose for collection;
* Unless there is an exemption in law, an individual is entitled to request and obtain full disclosure of any documentation containing personal information about him, and to challenge the accuracy and completeness of that information and the extent to which the holder of that information has complied with these data privacy principles;
* An individual’s personal information has to be protected depending on the sensitivity of the information; and
* Except where an exemption exists, sensitive personal information is protected from being processed
The way forward
Data is now often referred to as “the new oil” and “the currency of the future”. While serious consideration should be given to us becoming compliant with international data frameworks such as the EU’s General Data Protection Regulations, once the DPA is fully proclaimed, it would be a positive step towards strengthening data protection and data privacy laws in the jurisdiction.
Fanta Punch is a partner and Akeem Lopez is an associate at M. Hamel-Smith & Co. They can be reached at mhs@trinidadlaw.com
Disclaimer: This column contains general information on legal topics and does not constitute legal advice.