CHAPTER 22:04 DATA PROTECTION ACT Section 6: General Privacy Principles
The following principles are the General Privacy Principles which are applicable to all persons who handle, store or process personal information belonging to another person:
- (a) An organization shall be responsible for the personal information under its control;
- (b) The purpose for which personal information is collected shall be identified by the organization before or at the time of collection;
- (c) Knowledge and consent of the individual are required for the collection, use or disclosure of personal information;
- (d) Collection of personal information shall be legally undertaken and be limited to what is necessary in accordance with the purpose identified by the organization;
- (e) Personal information shall only be retained for as long as is necessary for the purpose collected and shall not be disclosed for purposes other than the purpose of collection without the prior consent of the individual;
- (f) Personal information shall be accurate, complete and up-to-date as is necessary for the purpose of collection;
- (g) Personal information is to be protected by such appropriate safeguards having regard to the sensitivity of the information;
- (h) Sensitive personal information is protected from processing except where otherwise provided for by written law;
- (i) Organizations are to make available to individuals documents regarding their policies and practices related to the management of personal information except where otherwise provided by written law;
- (j) Organizations shall, except where otherwise provided by written law, disclose at the request of the individual, all documents relating to the existence, use and disclosure of personal information, such that the individual can challenge the accuracy and completeness of the information;
- (k) The individual has the ability to challenge the organization’s compliance with the above principles and receive timely and appropriate engagement from the organization; and
- (l) Personal information which is requested to be disclosed outside of Trinidad and Tobago shall be regulated and comparable safeguards to those under this Act shall exist in the jurisdiction receiving the personal information.