Resources
As of February 2025, the Data Protection Act, 2011, in Trinidad and Tobago remains partially proclaimed, with significant portions yet to be enforced. In 2018, the Government undertook a comprehensive review of the Act, identifying inconsistencies with international best practices, notably the European Union's General Data Protection Regulation (GDPR). This review highlighted deficiencies in areas such as electronic marketing, online privacy, and breach notification. Subsequently, in November 2019, the Ministry of Communications held stakeholder consultations to discuss potential amendments, including the structure of the Office of the Information Commissioner and protections for minors. Despite these efforts, there has been no official announcement regarding the enactment of the remaining provisions or further amendments to the Act. Therefore, the legislation continues to be only partially operational, leaving certain aspects of data protection unregulated.
Only Parts I and II of the Act have been proclaimed, which primarily establish the Office of the Information Commissioner and outline broad principles of privacy rights. However, the provisions detailing specific obligations for data controllers, enforcement mechanisms, and penalties have yet to be brought into force. The Act applies to all entities that collect and process personal data within Trinidad and Tobago. It applies to both public bodies and private organisations, ensuring that personal data is handled with transparency and accountability. The Act defines "personal information" broadly, covering any information that can identify an individual, including names, addresses, identification numbers, financial data, and sensitive health records. The Act grants individuals several rights over their personal information, however, since the sections enforcing these rights have not yet been proclaimed, individuals currently lack formal legal avenues to enforce these rights under the Act. The lack of full implementation of the Act has resulted in gaps in data protection enforcement, leaving individuals and businesses uncertain about their rights and obligations. As data privacy concerns continue to grow globally, there is increasing pressure on the government to fully proclaim and enforce the Data Protection Act. Until the Act is fully implemented, organisations are encouraged to adopt best practices voluntarily.
