TTCS comments on the Draft "National Policy on Data Protection"
http://www.fastforward.tt/files/cms/DataProtectionPolicy.pdf
--------------------------------------------------------------------

Below are the Trinidad and Tobago Computer Society's comments on the aforementioned draft policy. Additional issues raised at a recent Fastforward (www.fastforward.tt) open forum on December 2nd, 2004 are also listed.

Dev Anand Teelucksingh
Trinidad and Tobago Computer Society at http://www.ttcsweb.org/
"networking local computer users!"

*****************************************************************************

Terms used in this document:

GOTT: Government of the Republic of Trinidad and Tobago.
MPAI: Ministry of Public Administration and Information.
NPDP: National Policy on Data Protection
"the Policy": Draft National Policy on Data Protection

General comments:

* The policy emphasises how public data is collected by public or private sector organisations. Is the personal data of employees in such organisations treated similarly to that of the public?
* Many types of services that companies provide (e.g. insurance, banks, purchasing of goods on hire purchase) require a great deal of information to be disclosed in order to obtain the service. For example, a store offering goods on hire purchase requires the names, addresses, and telephone numbers of five relatives and their neighbours.
* Many persons are unaware of, or do not care about, privacy issues when information about them or other persons is disclosed in exchange for a benefit (perceived or otherwise). Some examples in Trinidad and Tobago:
  - a supermarket discount shopping card
  - a competition that requires your entry to be submitted by sending a text message from your cell phone
  - an electronic discount card issued to many people in the mail without prior consultation
  - a newspaper publishing the names and addresses of persons infected with HIV/AIDS from a report from the Ministry of Health
* How would Government enforce these data protection policies for public and private sector organisations in Trinidad and Tobago? Would it be similar to the U.K., with an Information Commissioner (http://www.informationcommissioner.gov.uk/) responsible for enforcing the UK's Data Protection and Freedom of Information Acts?
  - Individuals should be able to access the data held by GOTT and private sector companies free of charge, or for a nominal fee. Why? A life ruined due to bad data is far more costly than the cost of providing the individual with the data. (Reference: clause 3.9.4)
* Re: Consent 3.3.7:
-----------------------------------------------------------------------------
"Individuals can give consent in many ways. For example:
(b) a checkoff box may be used to allow individuals to request that their names and addresses not be given to other organizations. Individuals who do not check the box are assumed to consent to the transfer of this information to third parties;
(c) consent may be given orally when information is collected over the telephone;"
-----------------------------------------------------------------------------
Instead of assuming that persons automatically give consent by not checking the box, should it be that a person gives consent by checking the box (i.e. a company instead assumes that you do NOT want your data shared and requires you to give consent by ticking the box)?

Re: (c), how would this be proven in a case of dispute between the individual and the company? Perhaps it would be better not to allow verbal consent to the transfer of personal data to third parties.
*************************************************************************

Additional issues raised at a recent Fastforward open forum on December 2nd, 2004 for:

* Draft National Policy on Data Protection:
  - The Data Protection Policy as drafted does not state the core principles on which the policy is based; a purpose of the policy is stated and principles to satisfy that purpose are described.
  - Should the data protection policy apply to company data and not just individuals' personal data? In an example mentioned, a business which supplies data to the Inland Revenue Service would want such company data protected, as such data could be used by competitors.
  - Should the data collection policy be retroactive to existing collections of personal data by organisations?
  - Does the data collection policy apply to organisations such as NGOs, NPOs, church groups or a chess club? (Comment: the Data Protection Policy should apply to all companies registered under the local Companies Act)