Grenada’s Data Protection Bill, 2023
February 2023
National Regulations
The Data Protection Bill, 2023 is a legislative framework designed to regulate the processing of personal data in Grenada. It establishes principles, rights, and obligations regarding data privacy, ensuring compliance among both public and private entities. The bill also creates the Information Commission, which will oversee data protection measures, enforce compliance, and address violations.
Overview of the bill
The bill is structured into eight parts, each dealing with different aspects of data protection:
Part I – Preliminary
This section sets the foundation for the bill:
- Clauses 1 – 6 cover definitions, the scope of the legislation, and its application to both public and private bodies.
- It defines key terms such as “personal data”, “data user”, and “data processor”.
- The law applies to any entity processing personal data within Grenada and extends to entities processing data from outside the country if they use Grenada-based services.
Part II – Privacy and data protection principles
Clauses 7 – 14 outline seven core principles:
- General principle – Personal data should only be processed with the subject’s consent or under legal necessity.
- Notice and choice principle – Data subjects must be informed about data collection, purposes, and their rights.
- Disclosure principle – Data cannot be shared without explicit consent unless legally required.
- Security principle – Organisations must ensure data security and protection against unauthorised access.
- Retention principle – Data should not be stored longer than necessary.
- Data integrity principle – Data must be accurate, complete, and up to date.
- Access principle – Data subjects have the right to access and rectify their personal data.
Part III – Rights of data subjects
Clauses 15 – 21 focus on individual rights:
- Right to access personal data.
- Right to request rectification of inaccurate or misleading data.
- Provisions on the processing of sensitive personal data, such as health information and biometric data.
Part IV – Exemptions
Clauses 22 – 23 outline exemptions, allowing data processing without full compliance under certain conditions:
- Personal or household use.
- Law enforcement (crime prevention and tax collection).
- Journalistic, literary, or artistic purposes, provided public interest is justified.
Part V – Information Commission
Clauses 24 – 28 establish the Information Commission, which is responsible for:
- Overseeing compliance with the Act.
- Investigating complaints regarding data misuse.
- Educating organisations and individuals about data rights.
Part VI – Enforcement
Clauses 29 – 38 outline enforcement mechanisms:
- The Commission has the power to investigate complaints and issue notices.
- It can search premises suspected of data breaches.
- Whistleblower protections are included, preventing employers from retaliating against employees reporting data violations.
Part VII – Offences and penalties
Clauses 39 – 42 define offences:
- Unauthorised disclosure of personal data.
- Failure to comply with confidentiality obligations.
- Corporate liability for breaches.
- Penalties include fines of up to $500,000 and prison terms of up to five years.
Part VIII – Miscellaneous provisions
Clauses 43 – 49 cover additional matters:
- Appeals process to the High Court.
- Regulations and amendments to keep the law adaptable to new developments in data protection.