Understanding Data Protection Rights: Exploring the Impact of the DPA 2019 on Human Resources Management in Barbados
The article discusses the importance of the Data Protection Act (DPA) 2019 in Barbados, highlighting the lack of awareness of data protection rights among individuals and the need for organizations to implement proper data privacy policies.
Last Wednesday, I had the honour of representing the Human Resources Management Association of Barbados (HRMAB) on the Caribbean Broadcasting Corporation’s (CBC) Morning Barbados show. The topic was the Data Protection Act (DPA) 2019 and its impact on Human Resources Management.
It’s not difficult to understand that the DPA is one of the most significant Acts that has received little national recognition. When the host and I began our discussion, it became clear that the average person has little awareness of their basic Data Protection Rights. These rights are considered fundamental and are closely related to human rights, particularly the right to privacy. This right is recognised in international human rights law, including the Universal Declaration of Human Rights (Article 12) and the International Covenant on Civil and Political Rights (Article 17), which protect individuals from arbitrary interference with their privacy.
To illustrate the general lack of awareness, one needs only to observe how many citizens sign up for raffles or membership programmes by filling out forms that disclose a lot of personal data, often without any attached Data Privacy Notice or information on where such a notice could be found. A privacy notice is a statement provided to individuals (data subjects) that explains how their personal data is collected, used, shared and protected by an organisation.
The greater offenders, I believe, are to be found in the retail and hospitality sectors, including supermarkets and hotels. These establishments use customer management systems that track a lot of personal data but have not published their Data Privacy policies.
The fact is, no rewards programme or customer profiling system should be implemented without the requisite Data Privacy Programme in place to ensure the rights of Data Subjects are safeguarded.
Whether you are a customer/client or an employee, what are your rights and how should they be respected?
The Barbados DPA 2019 enshrines several key rights for data subjects to ensure their personal data are handled with care and respect. These rights are designed to empower individuals and provide them with control over their personal information:
- Right to Information: At the time of data collection, data subjects (whether customers or employees) must be clearly informed about how their personal data will be used. This is typically communicated through a privacy notice or on the back of an application form. Transparency is key, ensuring that individuals understand the purposes for which their data is being collected and processed. In an HR setting, the time of collection may be during a job application process.
- Right to Access: Individuals have the right to request and obtain a copy of all personal data held about them by the data controller. This right ensures that data subjects can review and verify the accuracy of their information. Requests for access must be fulfilled in a timely manner, promoting transparency and accountability. For customers, this simply means no business organisation should have data on you that you’re not allowed to access or know about.
- Right to Rectification: In cases where personal data are inaccurate or incomplete, data subjects have the right to request corrections. This ensures that any erroneous information is promptly updated, thereby maintaining the integrity and accuracy of personal data held by organisations. For employees, this would mean having an up-to-date employee file.
- Right to Erasure (‘Right to Be Forgotten’): Data subjects can request the deletion of their personal data when it is no longer necessary for the purposes for which it was collected or if they withdraw their consent. This right is crucial in empowering individuals to control their data and have it removed from databases when it is no longer needed.
- Right to Restrict Processing: Individuals have the right to request that their personal data not be used for certain processing activities, such as marketing. Organisations must comply with such requests, ensuring that data subjects have control over how their information is used.
- Right to Data Portability: This right allows individuals to receive their personal data in a structured, commonly used format such as Adobe PDF or have it transferred to another data controller if they choose. This facilitates the easy movement of data across different service providers, enhancing user autonomy.
- Right to Object: Data subjects can object to the processing of their personal data for specific purposes, such as direct marketing or other new uses that were not originally communicated. Organisations must respect these objections and provide individuals with greater control over their personal information.
While these seven legal principles may seem simple, their operationalisation is often complex. Most times, it takes a corporate cultural shift to treat personal data as something that has a fundamental right to be protected. This protection must come from the boards of management and executive leadership, which I know hasn’t truly sunk in yet.
That’s why today’s article isn’t targeted at corporate leadership but at customers and employees who bear the risk. If your data are as important to you as mine are to me, maybe it’s time we hold the leading organisations that process high-risk volumes of data accountable.
Steven Williams is the executive director of Sunisle Technology Solutions and the principal consultant at Data Privacy and Management Advisory Services. He is a former IT advisor to the Government’s Law Review Commission, focusing on the draft Cybercrime bill. He holds an MBA from the University of Durham and is certified as a chief information security officer by the EC Council and as a data protection officer by the Professional Evaluation and Certification Board (PECB). Steven can be reached at: Mobile: 246-233-0090; Email: steven@dataprivacy.bb