Data Protection Laws - Bahamas

The Bahamas has established a comprehensive framework for data protection through the Data Protection (Privacy of Personal Information) Act, 2003. The Act provides the legal framework for safeguarding individuals' personal data and ensures that personal information is collected, processed, stored, and disclosed in a lawful and secure manner, with a strong emphasis on protecting the rights of data subjects while imposing obligations on data controllers.

At the core of the Act are eight fundamental data protection principles, which require that personal data be collected fairly and lawfully, used for explicit and legitimate purposes, kept accurate and up to date, and retained only as long as necessary. Additionally, data must be processed in accordance with the rights of individuals, protected through appropriate security measures, and not transferred to jurisdictions that lack adequate data protection safeguards.

To uphold these protections, the Act grants individuals key rights over their personal information. Data subjects have the right to access their data, request corrections, object to processing that may cause harm, and prevent their data from being used for direct marketing. These rights empower individuals to have greater control over how their personal information is handled.

To enforce compliance, the Act establishes the Office of the Data Protection Commissioner, which has the authority to investigate complaints, issue enforcement and prohibition notices, and conduct assessments to ensure adherence to data protection standards. Non-compliance with the Act carries significant penalties, with fines reaching up to $100,000 Bahamian Dollars for serious violations. The Act also imposes strict obligations on data controllers, who are required to register with the Data Protection Commissioner, ensure compliance with the established data protection principles, and implement robust security measures to prevent unauthorised access, alteration, or loss of personal data. In cases of data breaches, controllers must notify both the Commissioner and affected individuals.
