Earlier this week, news broke that a questionnaire ‘sanctioned’ by the Ministry of Education (“MoE”) and overseen by the Inter-American Development Bank (“IDB”), was administered to mostly 11 year old children in Barbados. It has also come to light that a similar project was undertaken in Jamaica and Belize.
Misleadingly labelled as a “Computer Science Diagnostic Pre-Test”, it included questions on “social and emotional health” that were of a very sensitive nature. Below is a sampling of the more than 150 psycho-social questions:
- I drink alcohol without parents’ approval.
- I deliberately try to hurt or kill myself.
- I hear sounds or voices that other people think aren’t there.
- I am overweight.
- I physically attack people.
- I steal from home.
- I steal from places other than home.
- I think about killing myself.
- I think about sex too much.
- I wish I were of the opposite sex.
- I use drugs for non-medical purposes.
- I see things that other people think aren’t there.
- Physical problems without known medical cause:
- Aches of pains (not stomach or headache)
- Nausea, feels sick
- Problems with eyes (not if corrected by glasses)
- Rashes or other skin problems
- Stomach aches
- Vomiting, throwing up
The questionnaire was delivered using a paper form and required that students provide personal information such as their name, sex, and ethnicity. Also included were detailed questions about the education level and work status of parents (e.g., type of job, unemployed, homemaker, etc.).
There was swift and comprehensive social commentary accompanied by widespread public condemnation of the decision to administer this questionnaire. The political public relations machinery quickly sprung into action to contain the damage to the public perceptions of the current Barbados Labour Party (BLP) administration. The IDB immediately took responsibility for the melee, trying in vain to absolve the Ministry of Education of any wrongdoing. The Chief Education Officer, Deputy Chief Education Officer, Permanent Secretary, and the Director of Education Reform all embarked on a public apology tour. The Prime Minister set about with her usual articulate flare and penchant for press conferences to assure the masses that she was deeply outraged (while praising the IDB for their prompt action in shifting the blame from her government). However, it must be noted that the Minister of Education has been conspicuously silent amidst this public relations storm.
But now to the main reason behind this author’s musings…
So far, the public discourse around this fiasco has centered on the incompetence of the Ministry of Education staff, the arrogance of the IDB, the inappropriateness of the questions, and the mental stress inflicted on the children. What has been glaringly missing are the legal elements. So let me break it down.
- The subject questionnaire is for all intents and purposes scientific research. Questionnaires are popular in academic research for quick and easy collection of large amounts of data for analysis of subject behavior, preferences, intentions, attitudes, and opinions.
- To meet ethical and legal standards, and to protect the rights of data subjects, informed consent is an important legal basis for data processing as required by the Data Protection Act (Barbados), General Data Protection Regulations (European Union), Data Protection Act (United Kingdom), Personal Information Protection and Electronics Data Act (Canada), and other privacy and data protection laws across the world.
- As per the Barbados Data Protection Act (“the Act”) and similar laws around the world, there are six lawful grounds on which data can be processed: explicit consent, contractual obligations, legal obligations, vital interests of the data subjects, public interests, or for purposes of legitimate interests of the data controller. The only lawful basis which the MoE can use for administering the subject questionnaire is legitimate interests. However, that lawful basis does not pass the three-part test which requires a positive answer to these three (3) questions: Is there a legitimate interest behind the processing? Is the processing necessary for that purpose? Is the legitimate interest overridden by the data subject’s interests, rights, or freedoms?
- As per the definitions in the Act (and the other aforementioned laws), the students whose personal data have been collected are data subjects.
- As per the definitions in the Act, the Government of Barbados is the data controller who determines the purposes for which and the means by which personal data is processed. The Inter-American Development Bank (IDB) is the data processor who processes personal data only on behalf of the data controller.
- As per the definitions in the Act, a ‘child’ is a person under the age of 18.
- As per the Act Part II 8(1-2), “The processing of a child’s personal data shall be lawful only where and to the extent that consent is given or authorised by the parent or guardian of the child” and “The data controller shall make reasonable efforts to verify in such cases that consent is given or authorised by the parent or guardian of a child, taking into consideration available technology.” From all accounts, neither the MoE nor the IDB obtained consent from parents to collect this personal data from children. This is a violation of the law.
- As per the Act Part II 9(1-4), the data collected is personal sensitive data, which requires greater safeguards to protect the rights of the data subjects. Sensitive data includes data on ethnicity, health, and sexual orientation or sexual life. Collection of this type of personal data requires strong security and consent is required to share with third parties. From all accounts, the data controller (MoE) did not obtain consent from parents to share this sensitive personal data with a third party. This is a violation of the law.
- As per the Act Part IV 58(1-10), the MoE (data controller) is required to have a Data Protection Agreement in place with the IDB (data processor) to ensure that the rights of the individual are being protected and that legal compliance with the Act is achieved. The public deserves to know whether a Data Protection Agreement exists between the two entities and to examine if it is fit for purpose.
- As per the Act Part IV 55(1-6), the IDB must be registered as a data processor, pay a fee, be in possession of a certificate to conduct data processing activities, and nominate a representative who is resident in Barbados. Failing to do any of these things makes their representative liable for a “fine of $10,000 or to a term of imprisonment of 2 months or to both.” Is the IDB compliant with the law in this area? The government should present the general public with evidence to verify this compliance.
- As per the Act Part IV 59(1-2), it is stated that “The data processor and any person acting under the authority of the data controller or of the data processor, who has access to personal data, shall not process those data except on instructions from the data controller, unless required to do so by any enactment” and “A person who contravenes subsection (1) is guilty of an offence and is liable on summary conviction to a fine of $500,000 or to a term of imprisonment of 3 years or to both.” In their public statement, the IDB asserts that their administering of the questionnaire was against the objections of the MoE. This is a violation of the law.
- The Act Part IV 62 (1-3) requires that data processing of this sensitivity and high risk be conducted using online tools. Moreover, it states that the data is pseudonymized (not contain information that could identify a living person), which means that the names of individuals should not have been required on the document. Finally, it demands that strong security protections be in place to protect against unauthorized access. Given that the questionnaire was administered by paper, it is virtually impossible to guarantee that this very sensitive personal data on children was adequately protected from unauthorized access, misuse, and abuse. Moreover, it also attributed the sensitive and potentially harmful information to living, identifiable children and their parents. This is a violation of the law.
- The Act Part IV 67(1-7) and 68(1-6) requires that both the data controller (MoE) and the data processor (IDB) designate an individual as a data privacy officer to advise them on the legal, technical, and administrative elements of processing personal data. A data privacy officer should be an individual qualified in privacy law and compliance. To the best of my knowledge, neither organization is compliant with this legal requirement with regards to data processing in Barbados. Given the number of violations of the law, this is not surprising.
- One of the most alarming things about this matter is the eerie silence of the Data Protection Commissioner.As per the Act Part VII 70(1) and 71, the Data Protection Commissioner is “responsible for the general administration of this Act” and whose functions are to monitor and enforce the Act (including issue fines), organize activities to educate children (and parents) on the risks of processing their data, and monitor and audit data processing by data controllers and data processors, among other things. The individual in this role was equally silent during the February 2022 elections when the government leaked the entire voters’ list on the public Internet, which has, based on my discussions with officials at financial institutions in Barbados, resulted in several citizens being victims of fraud and identity theft. This seriously brings into the question the qualifications, capabilities, and independence of the Commissioner, and the ability of the individual to effectively serve in this important role.
- As data protection laws are generally extraterritorial, the MoE and IDB have more than likely violated the General Data Protection Regulations (European Union) and other privacy/data protection laws from across the world. For example, there are many expats living in Barbados, and if European Union citizens were required to take the questionnaire, then that is a clear violation of EU laws. This also applies to citizens from other countries where robust data protection laws have been enacted.
- There are numerous other areas of the Act that the MoE and IDB violate in their relationship (e.g., consultation with the Data Protection Commissioner, performing data protection impact assessments, records of data processing activities, etc.). Sadly, this is just the tip of the iceberg. There are several public agencies, educational institutions, financial organizations (including fintechs), retail companies, telecoms operators, and other businesses in Barbados who are in clear violation of privacy and data protection laws.
The “right to private life” is enshrined in the Constitution of Barbados and the Universal Declaration of Human Rights (UDHR). The rights of data subjects (including children) are legally protected by the Data Protection Act (Barbados). The Government of Barbados, its development partners, and private corporations need to do so much better as it pertains to upholding the rights of citizens. I shudder to think of what similar privacy rights abuses are happening in other Caribbean countries and across the broader developing world.