Privacy Breach? When ‘Trusted’ Academics Mislead Us

“Dean of the Faculty of Law at the Cave Hill Campus of the University of the West Indies, Professor Eddy Ventose told Barbados TODAY that “the mere possession by the Government of information that might be confidential or private does not of itself suggest any breach of the constitutional right to privacy”. “The Government, through its various departments, including the Queen Elizabeth Hospital, possesses confidential information on many persons. It cannot and could not be suggested that that alone means that there exists a constitutional breach,” he said. “In this context, any breach of a constitutional right to privacy can only be engaged if there is the disclosure by the information of persons. The information and private information of students. Only if that information is used in a way that discloses the identity of the students would a constitutional infringement be arguable.” The constitutional expert said while there students having to identify themselves in the survey, that was not a constitutional argument. “Questions relating to the propriety of certain questions posed on the questionnaire are similarly not constitutional questions,” the law professor argued.”

The above is an extract from an article titled “Privacy Breach?” that was published in Barbados Today on Thursday, 13th October. Several comments were made by the Dean of the Faculty of Law at the Cave Hill Campus of the University of the West Indies, Professor Eddy Ventose that were quite misleading. I want to address these comments, providing adequate clarifications.

Point #1

Ventose makes several mentions of the constitutional right to privacy, which are highly misleading.

The Constitution of Barbados does not explain in any meaningful way the legal framework surrounding privacy rights in Barbados. It briefly states that the right to private life is protected, so long as it does not infringe upon the rights and freedoms of others. It makes no mention whatsoever of data protection, which is a contemporary legal matter that focuses on large scale processing of personal data (often by corporations for whom personal data collection, analytics, and monetisation of said data is their underlying business model).

The Data Protection Act (Barbados) 2019, which is modelled after the EU’s General Data Protection Regulations (GDPR), provides standardised data protection regulations that reflect the modern world we live in with regards to large scale data processing. It seeks to make it easier for Barbadians to understand how their data is being used, have more control over their personal data, and allows for them to raise complaints and seek economic redress if their data is misused or abused by organizations or individuals. A key mistake that Ventose makes is that he conflates privacy and data protection; whereby the former defines who has access to information and the latter is concerned with laws and other mechanisms for restricting access to information. Consequently, while the constitutional right to privacy is a key element of data protection, any discussion pertaining to the lawfulness of the Ministry of Education-IDB survey should be undertaken in the context of the Data Protection Act (Barbados) 2019.

Point #2

Ventose stated, “The Government, through its various departments, including the Queen Elizabeth Hospital, possesses confidential information on many persons. It cannot and could not be suggested that that alone means that there exists a constitutional breach.”

I explained the following in a previous blog post: “As per the Barbados Data Protection Act (“the Act”) and similar laws around the world, there are six (6) lawful grounds on which data can be processed: explicit consent, contractual obligations, legal obligations, vital interests of the data subjects, public interests, or for purposes of legitimate interests of the data controller. The only lawful basis which the Ministry of Education can use for administering the subject questionnaire is legitimate interests. However, that lawful basis does not pass the three-part test which requires a positive answer to these three (3): Is there a legitimate interest behind the process? Is the processing necessary for that purpose? Is the legitimate interest overridden by the data subject’s interests, rights, or freedoms?” It’s quite simple; data controllers and data processors need to have a legal basis for data processing, and this includes government departments.

Furthermore, the Act does not provide a blanket exemption for the public service from data processing rules. Under the Act Part V paragraphs 29-49, there are clear exemptions for categories such as “National Security”, “Crime and taxation”, “Health, education, and social work”, and “Research, history, and statistics”, among others. With regards to education, the Minister would need to order a special exemption for a set of personal data processed by an education institution. If this is the case, the Minister of Education would need to provide evidence of this formalized exemption from the Act for educational institutions and explain to the public why it is necessary that this data is not processed lawfully, fairly and in a transparent manner. Otherwise, the Ministry of Education and the IDB have no lawful basis for processing the data in the survey.

Point #3

Ventose stated, “In this context, any breach of a constitutional right to privacy can only be engaged if there is the disclosure by the information of persons. The information and private information of students. Only if that information is used in a way that discloses the identity of the students would a constitutional infringement be arguable.”

This is again very misleading. The matter of constitutional infringement is a distraction from the strict requirements of the Data Protection Act. It is a breach of the Act if there is no legal basis for processing of data. It is a breach of the Act if the consent of parents is not obtained to process the data of an individual under 18 years old (the definition of a “child”). It is a breach of the Act to share sensitive data with a third party without the consent of data subjects. It is a breach of the Act for the data processor (IDB) to process data other than under the instructions of the data controller (Ministry of Education). It is a breach of the Act whereby a data processor (IDB) is not registered, has not paid the requisite fee, and does not have a valid certificate for data processing. It is a breach of the Act whereby processing of sensitive data is not done using online tools, does not employ pseudonymisation or de-identification, and where strong safeguards are not in place (e.g., access controls, encryption, physical security, etc.), among other protective mechanisms. In addition to those just mentioned, there were other breaches of the Act in the recent survey debacle.

It is my opinion that the Data Protection Act was enacted under pressure from international partners and funders, as opposed to a commitment by the Government of Barbados to upholding the privacy rights of citizens and protecting their data – Otherwise the draft legislation would not have been lying in Parliament since 2005 (it took 16 years to pass data protection laws!). Successive governments have shown that the right to private life and the protection of individuals’ data is of little importance to them. A couple of examples in recent years would be the data leak of the full election list on to the global Internet during the 2022 elections and the numerous instances where hackers breached the online platforms of the 1-Year Welcome Stamp, Royal Barbados Police Force, Supreme Court of Barbados, Office of the Attorney General, Government Information Service, Small Business Development Unit, Immigration Department, and the National Insurance Scheme, among others.

Despite these numerous missteps, situations like the MoE-IDB “survey” continue to happen, the Office of the Data Protection Commissioner remains unable to fulfil its duties, and the government persists in barreling ahead with bringing more and more public services online without the requisite technical or legal talent to adequately and effectively protect the data of citizens. This should be of grave concern to everyone in Barbados.

Finally, It’s not surprising when government, whose apathy is clear and expertise is minimal, creates a legal mess as it pertains to matters of privacy and data protection. What is shocking and worrisome is when senior academics, whose careers are premised upon research, fail to engage in such or actively seek to mislead when commenting publicly.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s