DATA PROTECTION OVERVIEW
There is currently no formal legislation regulating data protection in the British Virgin Islands (BVI). However, the BVI Government has recently prepared draft legislation for wider industry consultation. The legislation has been drafted around a set of EU-style data protection principles to which data controllers must adhere. Under the draft, personal data must be collected in a fair and transparent manner and only be used and disclosed for purposes properly understood and agreed to by data subjects. A timetable for implementation of the new law is not known at this stage but it is expected to be passed within the next 12 months.
In the meantime, the BVI courts recognise and subscribe to the common law duties of confidentiality and privacy. Under common law principles, a duty of confidentiality will be imposed where:
- there is an agreement between the parties that the information should be kept confidential;
- the relationship between the parties is such that the law imposes a duty of confidentiality; and
- the nature and circumstances of the person obtaining the information make it such that the law will require that they keep the information confidential.
However, to establish a breach of confidence, something more is needed – a situation or relationship which imposes on the recipient an obligation to keep the information confidential. Where no such relationship exists, a commercial contract with a non-disclosure agreement or confidentiality clause can be effective in imposing such an obligation.
While there is currently no overriding personal data protection legislation in the BVI, all entities that manage and maintain personal data are subject to the common law duty of confidentiality.
From a fiduciary/trust perspective, certain licensees regulated by the BVI Financial Services Commission (FSC) – the principal regulatory authority in the jurisdiction – shall be under a general obligation to keep clients’ personal data confidential, unless the individual has granted specific permission for its release or disclosure to third parties. This obligation may be limited where the licensee is obligated by other laws to disclose confidential information.
For corporate entities, the Registrar of Corporate Affairs is permitted to release only limited information regarding registered companies, including the company name, company type, registration/incorporation date, the registered office address and the company status. Details of individual shareholders, directors and company officers are not available for public inspection.
The Telecommunications Act 2006 regulates the telecommunications industry in the BVI and provides sanctions to protect the confidentiality of personal information against disclosure without consent.
Sensitive personal and biometric data is not separately protected.
Collecting personal data
There is no requirement to notify data subjects at the time of data collection.
What constitutes valid consent?
Consent must be express. Best practice would require some form of affirmative action on the part of the data subject to confirm consent.
Processing and retention of personal data
The BVI Business Companies Act 2004 (BCA) requires every company to keep “records and underlying documentation”. These may be kept at the registered agent’s office or at such other places, within or outside of the BVI. If not kept at the registered agent’s office, a record of the location must be given to the registered agent.
The records must be retained for at least five years from either i) the completion date of the transaction the records relate to; or ii) the date the business relationship the records relate to was terminated. As the limitation period for most actions under contract law is six years, best practice in the BVI is to retain records for this longer period.
Accessing personal data
There are no specific access rights under BVI law.
The BVI is a cooperative member of the international community in the fight against financial crime. Mutual legal assistance is generally offered between countries, including the BVI, in three principal areas:
- tax matters and investigations,
- anti-money laundering and other financial crime investigations, and
- in relation to enquiries related to financial services.
The FSC may accept information or documentation exchange requests from equivalent overseas authorities.
In addition, it is mandatory for registered agents to maintain up-to-date “know-your-client” information on all directors, shareholders and beneficial owners of BVI companies. In the event of a request for such information from the competent authorities, a registered agent must comply with the request within seven days. Failure to deliver the information can result in financial penalties and, possibly, the revocation of the agent’s operating licence.
International transfers of personal information
Transfers of personal data to third parties are subject to the common law duty of confidentiality. Express consent should be obtained before personal data is transferred within or outside of the BVI.
On 1 September 2014 the Computer Misuse and Cybercrime Act, 2014 came into force; it regulates and penalises the unauthorised transfer and dissemination of information stored on a computer.
The FSC is under a general confidentiality obligation but has the power to disclose personal information in certain circumstances, including to foreign regulators. However, before it does so, the foreign regulator is required to undertake that the information will not be transmitted to any other person without the FSC’s prior written consent.
How is direct marketing regulated?
No restrictions are currently in place in the BVI.
What rules apply to the monitoring of employees in the workplace?
There are no specific restrictions on employee monitoring in the BVI. It is recommended that employers draft and communicate a written monitoring policy to affected employees explaining the purposes of the monitoring, and the kinds of personal data being collected. Other methods (less intrusive on privacy) should also be considered where possible.
Can telephone calls be recorded?
Yes, but it is advisable that the caller is made aware at the start of the call of the possibility of personal data being collected during the call.
What rules apply to the recording of CCTV footage?
No specific regulations apply and no guidance has been issued. It would be prudent for BVI businesses to ensure that any personal data collected via CCTV is not excessive and does not go beyond the collection purpose. Consideration should be given to camera location and the recording angles. Particular care should also be taken if CCTV is used as part of employee monitoring.
The FSC and the BVI Courts will be tasked with enforcing confidentiality-related matters, pending promulgation of appropriate data protection legislation.
Data controllers are not required to register with or notify the BVI authorities, and presently there is no requirement for the appointment of data protection officers; however, it is recommended best practice.
What are the penalties for non-compliance?
Currently there is no formal legislation regulating data protection in the BVI.
A registered agent must comply with a know-your-client access request from the competent authorities within seven days. Failure to deliver the information can result in financial penalties and, possibly, the revocation of the agent’s operating licence.
The Computer Misuse and Cybercrime Act, 2014, prohibits, among other things, unauthorised access to and use of data held on a computer, or any computer service, and the knowing disclosure of passwords, or other means of access to a computer, with a view to causing loss or gain, or for any unlawful purpose. Neither this legislation nor any other legislation in the BVI contains any mechanism or requirement to report data security breaches. However, notification is recommended where there is a risk of harm to the data subject as a result of the breach, not least from a relationship-management perspective.