The Bahamas Government has not implemented legislation to protect personal data that was passed two years ago because it has yet to appoint a Commissioner to oversee the Data Protection Act 2003.
This failure to implement legislation already enacted was pointed out by Nigel Brown, of IBM, who was a speaker at the “New Approaches to Crime” conference organised by his company and the Bahamas Chamber of Commerce.
The Data Protection Act 2003, part of a package of legislation passed by Parliament to develop an e-commerce platform in the Bahamas, was designed to protect the privacy of personal information on individuals, particularly consumers, in the Bahamas and outside.
Under its provisions, persons collecting and using personal data on individuals are required to observe and abide by specific standards of confidentiality, and are prohibited from transferring personal data to jurisdictions with less stringent data protection legislation, without the consent of the person from whom the data is obtained.
Mr Brown said that under the Bahamian legislation, members of the public were able to ask companies what personal data they held on them, and had the right to check whether this was correct and make changes.
This was consistent with international standards, Mr Brown said, but the 40 days Bahamian companies were given to respond to such requests was “not long” if the firm was large.
The IBM executive said the Bahamas “did quite well” when it came to drafting its legislation for protecting personal privacy in the electronic world, having visited other countries and evaluated their practices and experience.
Mr Brown, though, warned Bahamian companies that a California law, which obligated companies that held personal data to inform everyone they held data on if there was a suspected security breach, was going to become “the global standard”.
He explained that the law was intended to prevent identity theft, but had caused enormous problems for multinational corporations that conducted business in California, as they could not restrict the security breach disclosure to that state, but had to do it for all US states.
Some very well-known names, including banks and insurance companies, had been forced to inform customers after security breaches, the largest being a company that processed 40 million credit cards.
Warned
Mr Brown warned that the cost of security breaches for companies that held personal data was the loss of customers to competitors when breaches had to be disclosed. As a result, it was critical that firms not hold on to data they did not need.
He added that companies needed to “minimise the sensitivity of data”, restricting access to customers’ personal information on a need-to-know basis.
By NEIL HARTNELL, Tribune Business Editor