Policy 2018 Online

Electronic Communications and Transactions Act



Data Governance

Definitions of Data:

Data is not defined

Main Focus of Document:

This Act ensures the protection of a person's data that is held by another person or an institution.

Target Beneficiaries or Sectors:

citizens, international persons

Key Elements:

This Act regulates the protection of data and ensures that the privacy of individuals in relation to their data is maintained. Key details include:

  • Information and Data Protection Commission
  1. (1) There is hereby established a body to be known as the Information and Data Commission. (2) The Commission shall be a public office, and the provisions of the Public Service Act shall apply to the Commission and its officers.

  2. (1) The Commission shall do all such things as are necessary to protect the personal rights of individuals with regard to their personal data, and shall ensure the effective application of and compliance with this Act, in particular, to the protection of personal data, access, rectification, objection and cancellation of such data.

  (2) Without derogating from the generality of subsection (1), the Commission shall:

    (a) ensure compliance with the provisions of the Statistics Act (i) with regard to the collection of statistical data and statistical secrecy and (ii) to issue precise instructions and give opinions on the security safeguards in place for files set up for purely statistical purposes;
    (b) to instruct a data controller to take such measures which are necessary to ensure that the processing of personal data is in accordance with this Act;
    (c) provide guidance and instructions on appropriate measures to ensure the security of personal data;
    (d) conduct research and studies, and promote educational activities relating to protection of personal data;
    (e) provide information to persons on their rights connected to the processing of personal data;
    (f) receive reports and claims from a data subject or his or her representative in regard to a violation of this Act, and to take such remedial action as is necessary or as may be prescribed;
    (g) investigate complaints from data subjects and respond to queries of such complaints;
    (h) monitor and adopt any authorisation for transborder flow of personal data, and to facilitate international cooperation on the protection of personal data;
    (i) create and maintain a public register of all data controllers;
    (j) obtain information from data controllers, where information is necessary for the exercise of its functions;
    (k) prepare and disseminate a code of practice for data controllers;
    (l) issue, where applicable, instructions required to bring processing operations in line with the principles of this Act;
    (m) publicise the existence of personal data files, and regularly publish a list of such files and any other information that the Commission deems necessary;
    (n) record all directions received for the Minister in the course of the year;
    (o) perform any other functions that may be conferred on it by the Minister.

  3. (1) A data controller, a data processor or a person acting under authorisation of the data controller or the data processor, shall, in order to safeguard the security of personal data, take appropriate technical and organisational security measures necessary to protect personal data from:

  1. Negligent or unauthorised destruction;
  2. Negligent loss; or
  3. Alteration, unauthorised access and any other unauthorised processing of personal data.

  (2) A data controller, a data processor or a person acting under authorisation of the data controller or the data processor, shall when undertaking the measures under subsection (1), ensure an appropriate level of security by taking into account:

  4. Technological development of processing personal data, and the costs for implementing the security measures; and
  5. The nature of the personal data to be protected and the potential risks involved.

  (3) Where the data controller or data processor outsources the processing of personal data, the data controller or data processor shall choose a data processor who gives sufficient guarantees regarding the technical and organisational security measures in place for the processing to be done, and shall ensure that the measures are complied with.

  (4) The commissioner may issue appropriate standards relating to information for security safeguards for all categories of processing personal data.

Data, Data controller, Data privacy, Data processing, Data protection, Data subject, Personal data

Policy/regulation mirrored:

Data Protection Acts





Antigua and Barbuda