Data protection & privacy laws in Trinidad and Tobago (2026)

The Data Protection Act, 2011 (Ch. 22:04) was passed by Parliament but only Parts I–II and s.42(a)(b) have been brought into force (January 2012 and August 2021 respectively). Provisions covering controller obligations, data-subject rights, breach notification, and penalties remain unproclaimed.

The Act designates the Office of the Information Commissioner (OIC) as the data protection supervisory authority. The OIC is still being established; the government was actively advertising the Information Commissioner position as of 2025, meaning the regulator has not yet assumed full operational oversight.

The Ministry of Digital Transformation indicated in November 2023 that full proclamation would occur by late 2024. The Trinidad Guardian reported a January 2025 target date. Neither deadline was met; as of early 2025 the bulk of the Act's operative provisions remain dormant.

Parliament has debated a specific motion calling on the government to proclaim the remaining sections of the Data Protection Act, reflecting legislative-branch concern that the 2011 law has stalled without meaningful enforcement for over a decade.

A government review in 2018 found the Act inconsistent with international best practices, including the EU GDPR, citing gaps in electronic marketing rules, online privacy, and breach-notification requirements. Stakeholder consultations were held in 2019 but no amending legislation has been enacted.

The Trinidad and Tobago Cyber Security Incident Response Team (TTCSIRT) publishes guidance on the DPA's general privacy principles to promote awareness, reflecting that compliance culture is being built even while enforcement provisions are not yet legally operative.