information security: the trinidad & tobago legal context

Information Security: The Local Legal Context. Jason Nathu, Attorney-at-Law | Tutor | Hugh Wooding Law School, @jasonnPOS

Post on 08-Aug-2015


Reading and Resources

Throughout and after this presentation, I will be posting links to resource material via my Twitter account @jasonnpos (http://www.twitter.com/jasonnpos).

#ISLawTT

What is Information Security?

The term ‘information security’ refers to the theory and practice of defending data or information systems against:

• unauthorised or unintended access
• destruction
• disruption
• tampering

What is Information Security?

Main concepts of ‘information security’:

confidentiality - the assurance that information is not disclosed to individuals or systems that are not authorised to receive it;

integrity - the assurance that information can’t be modified by those who are not authorised to modify it, or that any such modifications will not pass undetected; and

availability - the assurance that information is available when it’s needed, and that mishap or malice cannot affect the ability of systems to provide information when requested.

The ‘right’ to privacy

Constitution of Trinidad and Tobago Chap. 1:01

Sec. (4). It is hereby recognised and declared that in Trinidad and Tobago there have existed and shall continue to exist, without discrimination by reason of race, origin, colour, religion or sex, the following fundamental human rights and freedoms, namely:

(c) the right of the individual to respect for his private and family life

Information Security and the Law

Acts of Parliament

• Data Protection Act Chap. 22:04

• Computer Misuse Act Chap. 11:17

• Electronic Transactions Act Chap. 22:05

• Telecommunications Act Chap. 47:31

• Electronic Transfer of Funds Crime Act Chap. 79:51

• Offences Against The Persons Act Chap. 11:08

• Children's Act No. 12 of 2012

Data Protection Act Chap. 22:04

The Data Protection Act Chap. 22:04 provides for the protection of personal information processed and collected by public bodies and private organisations.

The Act was partially proclaimed in 2012 and only Part I and sections 7 to 18, 22, 23, 25(1), 26 and 28 of Part II have come into operation.

No timeline has been set for the proclamation of the remainder of the Act. It is possible that there may be changes to the remainder of the legislation before it is proclaimed.

Personal Information

“Personal Information” is defined in section 2 of the Act as information about an identifiable individual that is recorded in any form including:

• the name of the individual where it appears with other personal information relating to the individual or where the disclosure of the name itself would reveal information about the individual;

• the address and telephone number of the individual;

• any identifying number, symbol or other particular identifier designed to identify the individual;

• Information relating to the individual’s race, nationality or ethnic origin, religion, age or marital status;

• Information relating to the education or the medical, criminal or employment history of the individual or information relating to the financial transactions in which the individual has been involved or which refer to the individual;

• Correspondence sent to an establishment by the individual that is explicitly or implicitly of a private or confidential nature, and any replies to such correspondence that would reveal the contents of the original correspondence;

• the views and opinions of any other person about the individual;

• the fingerprints, DNA, blood type or other biometric characteristics of the individual.

Sensitive Personal Information

“Sensitive personal information” is defined as personal information on a person’s:

• racial or ethnic origins;
• political affiliations or trade union membership;
• religious beliefs or other beliefs of a similar nature;
• physical or mental health or condition;
• sexual orientation or sexual life; or
• criminal or financial record.

Collecting and Processing

There must be compliance with the general privacy principles set out in section 6 of the Act.

The knowledge and consent of the individual are required for the collection, use and disclosure of personal information. Collection must be undertaken in accordance with the purpose identified; the information must be accurate, complete and up-to-date; it must not be kept longer than is necessary; it must be secured; and it must not be transferred out of T&T unless there are regulatory safeguards in the country to which the data is being sent.

Individuals have a right to access and challenge the validity of personal information collected.

Miscellaneous Notes

INFORMATION COMMISSIONER
The Office of the Information Commissioner is the entity responsible for the oversight, interpretation and enforcement of the Act.

BREACHES OF SECURITY
There is no provision in the Act for notifying data subjects or the Information Commissioner of a security breach.

ONLINE PRIVACY
The DPA has no specific provision regarding online privacy, including cookies or location data.

OFFENCES
The Act creates several offences. For example, it is an offence to wilfully disclose personal information in contravention of the Act, or to collect, store or dispose of personal information in a manner that contravenes the Act. The penalties for these offences include fines of up to $100,000 or up to five years imprisonment for individuals, and fines of up to 10% of the annual returns for companies.

WHISTLEBLOWING PROTECTION
The Act, if proclaimed as is, will offer whistleblowing protection to employees, but only in relation to breaches of the Act.

Computer Misuse Act Chap. 11:17

The Computer Misuse Act Chap. 11:17 was designed to prohibit any unauthorised access, use, or interference with a computer.

The Act came into force in 2000.

It broadly and vaguely protects against hacking, data misuse, deliberately causing computer viruses, and destruction of property (the computer).

Offences

• Unauthorised access to computer program or data.
• Access with intent to commit or facilitate commission of offence.
• Unauthorised modification of computer program or data.
• Unauthorised use or interception of computer service.
• Unauthorised obstruction of use or use of computer.
• Unauthorised disclosure of access code.
• Enhanced punishment for offences involving protected computers.
• Unauthorised receiving or giving access to computer program or data.
• Causing a computer to cease to function.

Miscellaneous Notes

PENALTIES
The penalties for offences range from fines of between $15,000 and $35,000 and terms of imprisonment of between 2 and 5 years for first offenders.

INVESTIGATIONS
The Act gives the police the power to investigate, including access to computer programmes or data during an investigation.

LIMITATION PERIOD
Prosecution must be commenced within 12 months from the date of commission of the offence.

Electronic Transactions Act Chap. 22:05

The Electronic Transactions Act Chap. 22:05 is aimed at facilitating and providing a legal framework for electronic transactions and commerce, to give legal effect to electronic signatures, electronic documents and electronic records, and to help establish standard rules regarding the verification and integrity of electronic records.

The Act was partially proclaimed in 2012 and only Parts I, II, III, IV and VII have come into operation.

No timeline has been set for the proclamation of the remainder of the Act. Like the Data Protection Act, it is possible that there may be changes to the remainder of the legislation before it is proclaimed.

Legal Recognition and Requirements

The Act gives legal recognition to information/records in electronic form and provides that such documents shall not be denied legal effect solely because they are in electronic form.

Electronic records shall generally be considered equivalent to records required to be in writing.

The Act further provides that the legal requirements for keeping information and requests for copies are satisfied if done in the form of electronic records.

Formation of Contracts

Any negotiation or other dealing that goes to the formation of a contractual relationship between parties can be validly done by electronic means.

The use of electronic agents (automated programs) to assist in forming a contractual relationship with a party shall be valid, unless certain errors occur while dealing with the electronic agent.

Electronic Signatures

Electronic signatures are recognised under the Act as being valid, provided that the parties have agreed to their use. The signature must meet minimum standards of reliability and integrity.

The Act does NOT apply to the making, execution or revocation of a will or testamentary instrument; the conveyance of real or personal property or the transfer of any interest in real or personal property; the creation, performance or enforcement of a declaration of trust or power of attorney; the production of documents relating to immigration, citizenship or passport matters; or the recognition or endorsement of a promissory note.

Public Bodies

All public bodies are generally authorised to conduct their activities related to filing, retaining, producing or issuing of documents (including licenses and permits) by electronic means.

Public bodies must however have a procedure specifying how this is to be done.

Documents required by a public body for inspection can be produced in electronic form.

The Act does not REQUIRE a public body to accept or issue any document in electronic form.

Investigation and Enforcement

Investigation

• Traditional TTPS divisions: Fraud Squad, Criminal Investigations Department, Criminal Records Office, Inter Agency Task Force and Special Branch.

• TTPS “Cybercrime Unit”?

Enforcement

• Although these Acts have been proclaimed or partly proclaimed, many remain untested before the courts.

• Clear need for further consultation with stakeholders and legislative reform.

Thank you! Questions or comments?

@jasonnPOS [email protected]