/

/

/

/

/

Revised Laws of Saint Lucia (2021)

Back to Revised Laws of Saint Lucia (2021)

Back to Table of Contents

Schedule 2

(Section 32(1))

DATA PROTECTION PRINCIPLES

(a) First Principle – Collection Limitation Principle: Personal data shall be processed fairly and lawfully in accordance with section 33.

(b) Second Principle – Purpose Specification Principle: Personal data shall be obtained only for one or more specified and lawful purposes, which purpose shall be specified not later than at the time of data collection, and such personal data shall not be further processed in any manner incompatible with that purpose or those purposes in accordance with sections 33 and 41.

(c) Third Principle – Data Quality Principle: Personal data shall be relevant and not excessive in relation to the purposes for which they are to be processed and, to the extent necessary for those purposes, shall be accurate, complete and up-to-date in accordance with sections 40 and 41.

(d) Fourth Principle – Use Limitation Principle: Personal data shall not be disclosed, made available or otherwise used for purposes other than those specified under this Act and such personal data processed for any purpose shall not be kept longer than is necessary for that purpose or those purposes in accordance with sections 41, 42 and 44.

(e) Fifth Principle – Security Safeguard Principle: Personal data shall be protected by reasonable security safeguards and appropriate technical and organizational measures shall be taken against unauthorized or unlawful processing of personal data and against such risks as accidental loss, unauthorized access, use, modification, or destruction of data in accordance with section 33.

(f) Sixth Principle – Accountability Principle: A data controller shall be accountable for complying with measures which give effect to the data protection principles and shall ensure that personal data is processed in accordance with the rights of the data subject under this Act in accordance with section 33.

(g) Seventh Principle – Individual Participation Principle: A data subject shall have the right to know what data is held about him by a data controller and shall have a right to ensure that all reasonable measures are taken to complete, correct, block, erase or annotate data to the extent that such data is incomplete or incorrect, having regard to the purposes for which they are processed in accordance with sections 33 and 56.

(h) Eighth Principle – Transfer of Data Principle: Personal data shall not be transferred to a country or territory outside the State unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data in accordance with section 45.

CHAPTER 8.18
DATA PROTECTION ACT

SUBSIDIARY LEGISLATION

No Subsidiary Legislation

Previous

1. Short title and commencement

2. Interpretation

4. State to be bound

5. Appointment of Data Protection Commissioner

6. Resources of the office of the Commissioner

7. Restriction on employment

8. Tenure of office

9. Functions of the Commissioner

10. Independence of functions

11. Oath and confidentiality

12. Powers of the Commissioner

12A. Privacy impact assessment

13. Delegation of functions of the Commissioner

14. Power of the Commissioner to obtain information

15. Contents of information notice

16. Failure or refusal to comply with information notice

17. Insufficient information UNDER the information notice

18. Powers of investigation

19. Form of complaint

20. Notice of investigation

21. Power to request assistance

22. Powers of entry and search

23. Warrant to enter and search premises

24. Obstruction of Commissioner or authorized officer

25. Power of Commissioner to issue enforcement notice

26. Contents of enforcement notice

27. Failure to comply with enforcement notice an offence

28. Investigations in private

29. Referral to Director of Public Prosecutions

30. Instruments of the Commissioner

31. Protection of the Commissioner and staff

32. Data Protection Principles

33. Collection of personal data

34. Consent for processing of personal data

35. Criteria for processing sensitive personal data

36. Processing of sensitive personal data

37. Processing concerning health or medical purposes

38. Processing and disclosure for research and statistical purposes

39. Processing concerning legal offences

40. Accuracy of personal data

41. Use of personal data

42. Security of personal data

43. Duty to destroy personal data

44. Unlawful disclosure of personal data

45. Transfer of personal data

46. Requirement to register

47. Registration as a data controller

48. Duration of registration

49. Register of Data Controllers

50. Inspection of Register

51. Certificate issued by Commissioner

52. Right to access personal data

53. Compliance with request for access to personal data

54. Discretion in relation to access to personal data

55. Denial of access to personal data

56. Right of rectification, etc., of inaccurate personal data

57. Right to prohibit processing of personal data for direct marketing

57A. Employee's protection

58. National Security

59. Crime and taxation

60. Health and social work

61. Regulatory activities

62. Journalism, literature and art

63. Research, history and statistics

64. Information available to the public under an enactment

65. Disclosure required by law or in connection with legal proceedings

66. Legal professional privilege

67. Domestic purposes

68. Written authorization of Commissioner in certain cases

69. Appeals to Court

70. Hearing of proceedings

71. Offences and penalties

72. Offences by directors, etc., of bodies corporate

73. Annual Report

74. Regulations