Business
Understanding Barbados' Data Protection Act and Its Impact on Employee Rights: An Overview
Learn about the implications of Barbados' Data Protection Act on employee data privacy, including the importance of purpose limitation, storage limitation, and transparency. Compliance is not only a legal obligation but also a moral imperative for organizations. Contact Steven Williams for more information.
5 min read
Originally published by barbadostoday.bb (opens in new tab)
Disclaimer: The views and opinions expressed by the author(s) do not represent the official position of Barbados TODAY.
By Steven Williams
It’s a positive step that Barbados has proactively embraced data privacy by enacting the Data Protection Act four years ago. While the full potential of this law has yet to be realised, it’s important to underline that it serves as a binding framework for businesses, setting the stage for a more secure and responsible data environment.
Article 12 of the 1948 Universal Declaration of Human Rights pioneered the concept of privacy rights, setting the stage for modern laws like Germany’s 1970 Federal Data Protection Act and Barbados’ own 2019 Data Protection Act. These laws aim to harmonise an individual’s right to privacy with an organisation’s operational needs for data, striving to protect personal privacy without hindering organisational effectiveness.
However, what many organisations may not realise is that the Act treats employees just like any other data subjects covered by the legislation. In essence, this Act expands upon existing employee rights by regulating how employers can access and use employee information, as well as the legal basis for doing so.
In discussions with human resources managers, it’s clear that many are unaware of their new obligations under the Act and how it impacts their daily operations. A local case I often cite during Data Protection Act training sessions involves a business that, during the latter months of COVID-19 protocols, wanted all employees to return to work and was interested in identifying who among them was vaccinated.
In an effort to encourage employees to disclose their vaccination status, a company offered a $500 lottery as an incentive. While creative on the surface, this initiative opens up several important considerations within the context of data privacy laws. Unless vaccination is an explicit requirement in the employment contract, such personal health data is generally considered private information.
The potential pitfalls: A three-point review
- Purpose limitation
According to the Data Protection Act, the principle of “Purpose Limitation” mandates that personal data can only be kept and used for the specific purpose for which consent was initially obtained. In this case, the explicit reason for collecting vaccination data was to conduct the lottery. Retaining this data beyond the lottery date – unless explicitly communicated and consented to by the employees – would be a violation of this principle and the Act itself.
