Data protection integral to Guyana’s development
Given the value that is placed on data in a technological era, the recently passed Data Protection Act is an integral piece of legislation that seeks to ensure that data is not misused or stolen. It also seeks to safeguard the personal data of Guyanese.
The Attorney General’s Chambers has touted the value of data protection as Guyana forges ahead in building out a digital economy, and the importance of a legal framework to implement this.
Sunday’s episode of ‘Simplifying the Law’, saw contributions from Deputy Chief Parliamentary Counsel at the Ministry of Legal Affairs, Joann Bond, and State Counsel Ismat Bacchus who provided the insight into the provisions of the act.
According to the legislation, personal data is any data that can be used to identify a natural person. This can include data such as a person’s name, address, or identification number.
It provides that personal data must be processed lawfully, fairly, and in a transparent manner, and only collected for specified, explicit, and legitimate purposes. Moreover, this data must be accurate, kept up to date, and processed in a manner that ensures appropriate security.
According to Deputy Chief Parliamentary Counsel, the act safeguards the human right to privacy and autonomy, and creates the enabling environment for development.
She pointed out, “Once you have good legislation, investors would want to invest in your jurisdiction, because data is always being shared, particularly across borders. So, one of the important things for investors in ensuring that their data is secured. Also, based on the fact that we are now creating a digital economy, and we are now developing our digital infrastructure.”
While upholding an individual’s right to privacy and autonomy, the Data Protection Act also provides for exceptions to avoid infringing on other basic rights, such as access to information and freedom of expression.
Passage of the data protection legislation also allowed for the implementation of other pieces of legislation to facilitate the digital transition, such as the Planning and Development Single Window System Act, and the Electronic Communications and Transactions Act.
It identifies the key players in the data processing operation; the data controller, the data processor, and, in the enforcement aspect, the data protection commissioner.
Counsel Bond outlined that the data controller has the overall responsibility for the processing of the personal data, while the data processor is any person or group that processes the personal data on behalf of the controller.
In the enforcement aspect, the data protection office is the independent supervisory body for the law, and the data protection commissioner has extensive powers, such as investigating complaints from persons concerning abuses in the processing of personal data.
Meanwhile, State Counsel Bacchus noted that while the act covers an extensive assortment of personal data, there are several exemptions.
“Not all of the provisions under the act would apply to all types of data. In the case of data being collected by law enforcement, or the Guyana Revenue Authority, for example, that is data that is being collected to calculate tax or in the interest of national security, so under the act, this type of data is exempt from what we call the disclosure requirements, meaning that when being collected, this type of data doesn’t have to be disclosed to the data subject,” she said.
Disclosure requirements are applicable in many cases, except in the case of data that is collected for domestic or personal use, or data that is covered by either a legal professional privilege, such as attorney-client privilege.
She stressed that consent to data processing is only necessary in cases where there is no legal foundation to warrant the processing of the data.
“There are certain pieces of legislation that require certain data to be processed, so the data controller and the data processor would have to comply with these acts, so they wouldn’t require consent to go ahead and start that processing. However, if, for example, they intend to use that data in some way that would cause the data subject to suffer some form of intrusive aspect of their data being shared, then they would require consent,” she explained.
Along this vein, she added that the rights of the data subjects within the confines of the law are also enshrined in the legislation.
“If the data controller or the data processor’s actions harm the data subject in some way, then the data subject is entitled to compensation. Section 97 (1) states that any person who suffers damage or distress as a result of some sort of contravention to the act by a data controller or data processor, is entitled to some kind of compensation from that data controller or processor. So, persons shouldn’t be worried that they are left without a claim,” she relayed.
The duo made it clear that there are several systems that must be put in place to facilitate full implementation of the act, such as the appointment of a data protection commissioner. However, once implemented, the provisions of the act will effectively regulate the collection, keeping, processing, use, and dissemination of personal data.