The Data Protection (Privacy of Personal Information) Act of The Bahamas
July 2003
National Regulations
The Data Protection (Privacy of Personal Information) Act of The Bahamas, enacted in 2003 and brought into force in 2007, is the foundational legal framework governing the handling of personal data in the country. Its primary purpose is to safeguard the privacy of individuals by regulating how personal data is collected, processed, stored, used, and disclosed. The Act establishes clear rules and standards for both private and public entities that handle personal information, ensuring that individuals retain control over their personal data.
At its core, the Act reflects a balance between privacy protection and the need for lawful data usage, particularly in sectors such as finance, security, and public administration. It also sets up an independent oversight authority, the Data Protection Commissioner, who is empowered to monitor compliance, investigate breaches, and enforce the law.
Overview
The Act is divided into four parts:
Part I – Preliminary
This part defines key terms such as personal data, data subject, data controller, and data processor. It makes the Act applicable to data controllers operating within The Bahamas or those using Bahamian equipment to process data. It explicitly binds the government and provides certain exemptions, such as national security data, household affairs, and parliamentary deliberations.
Part II – Protection of privacy of individuals
This is the heart of the Act. It mandates that personal data must be:
- Collected fairly and lawfully.
- Accurate and up to date.
- Used only for specified, legitimate purposes.
- Stored securely and not retained longer than necessary.
It grants individuals rights to:
- Access their personal data.
- Request correction or deletion of inaccurate data.
- Prohibit use for direct marketing.
- Be notified of data disclosures under certain conditions.
However, there are exceptions, particularly in cases involving national security, law enforcement, taxation, or legal proceedings.
Part III – The Data Protection Commissioner
The Act creates the office of the Data Protection Commissioner, an independent authority empowered to:
- Investigate complaints and possible breaches.
- Issue enforcement and prohibition notices.
- Approve industry codes of practice.
- Publish annual reports to Parliament.
The Commissioner can also prohibit the transfer of personal data to other countries if they lack adequate data protection laws.
Part IV – Miscellaneous
This part addresses offenses, penalties, and appeals. Unlawful disclosure or unauthorised access to personal data can result in fines of up to $100,000. It also allows for appeals to the Supreme Court and includes transitional provisions, giving agencies time to adjust their practices.