The British Virgin Islands has a new data protection law. Below are the highlights.
The Act adopts similar definitions to those found in most EU data protection laws. Data subject: An individual who is the subject of the data, whether living or deceased.
Collecting personal data
When collecting personal data, data controllers must provide a description of the purposes for which the personal data is to be processed by or on behalf of the data controller. Best practice would suggest that this information be provided within a separate privacy notice, at each point of data capture.
Processing personal data
Data controllers must process personal data in a secure manner. ‘Processing’ in relation to personal data includes: obtaining, recording, holding, organising, adapting, or altering data. Other legal grounds for processing personal data include compliance with legal obligations.
Retention and destruction of personal data
Data controllers and processors must ensure the personal data they hold is accurate. Prescribed data retention periods are not specified in the Act, but an analysis should be undertaken to determine for how long data should be kept.
Accessing personal data
Data subjects are entitled to request access to their personal data. The data access request must be made in writing to the data controller. Following receipt of the written request and fee, the controller is required to respond within 30 days. There is no requirement under the Act to disclose the document which holds the data.
International transfers of personal data
The BVI has not yet achieved ‘adequacy’ status from the EU. The Act does not refer to a mechanism for ensuring adequate safeguards.
How is direct marketing regulated?
Under the Act, direct marketing means the communication, by whatever means, of any advertising or marketing material directed to particular individuals. Prior express consent is not required, but data subjects have the right to unsubscribe from receiving direct marketing materials at any time.
Which authority enforces and oversees the law, and what are its powers?
The Information Commissioner (‘the Commissioner’) is responsible for overseeing the Act. Enforcement under the Act is generally administrative and consultative in nature. Data controllers are not required to register with the Commissioner.
What are the penalties for non-compliance with the Act?
Refusal or failure to comply with an order issued by the Commissioner is an offence. The data controller is liable on conviction to a fine of up to $100,000, or imprisonment for up to five years. Corporate bodies face fines of $500,000.
Do any specific technical or organisational security measures need to be implemented?
The Act requires that practical steps be taken to protect personal data from any loss, misuse, modification, or unauthorised or accidental access. Specific technical standards are not prescribed under the Act.
Surprisingly, there is no requirement under the Act for a data controller to report a data breach to the Commissioner, the affected data subjects, or anybody else.