Healthcare data protection in Barbados: Seminar signals shift from education to enforcement

After attending the Healthcare Sector Seminar on October 22, jointly hosted by the Ministry of Industry, Innovation, Science and Technology and the Office of the Data Protection Commission, I can reasonably say that healthcare practitioners were thoroughly briefed on their sector’s data protection and cybersecurity obligations. The well-attended session brought together a cross-section of stakeholders, including representatives from the Barbados Drug Service, private and public pharmacies, medical practitioners, and a range of ancillary healthcare providers.

 

Opening remarks: A personal perspective on privacy

 

The event was officially opened by Minister of Innovation, Industry, Science and Technology Senator Jonathan Reid, who delivered a grounded and personal reflection on the importance of safeguarding patient information. He recounted his own experience at a local hospital where, during the course of care, he and his family were required to repeatedly provide their personally identifiable information (PII) to multiple staff members. While seemingly routine, the minister’s example underscores a significant data protection risk: the unnecessary repetition and re-collection of personal information can increase exposure to human error, unauthorised disclosure, or data misuse.

Under the Barbados Data Protection Act (2019-29), such practices may amount to a breach of the data minimisation and purpose limitation principles outlined in Section 4(1)(b) and 4(1)(c), which require that personal data be collected only for specific, legitimate purposes and kept no longer or in greater quantity than is necessary. Repeatedly asking for the same information, particularly in a clinical setting where data should already exist in a patient’s file, reflects a breakdown in information governance and points to weaknesses in system integration and staff training. The minister’s remarks framed the day’s discussions in a relatable context, illustrating how weak data handling practices—often born from habit rather than malice—can erode public confidence and contravene the Act’s core principles of lawfulness, fairness, and accountability.

 

Building the compliance framework

 

The seminar formed part of the commission’s broader awareness campaign, which now appears to be shifting from public education to pre-enforcement preparedness. The underlying message was clear: organisations in the healthcare ecosystem must move from casual awareness to demonstrable compliance.

Data Commissioner Lisa Greaves delivered a detailed presentation on Building a Privacy Compliance Programme, outlining the statutory obligations placed on data controllers and processors under the Data Protection Act (2019-29). She emphasised that effective compliance requires written policies, risk assessments, documented accountability, and the appointment of a Data Privacy Officer.

The commissioner clarified an important technical point about how the Act categorises personal information. The Data Protection Act applies to all personal data—any information identifying an individual, including medical records. However, the Act creates a subset called ‘sensitive personal data’ which includes genetic data, biometric data, sexual orientation, financial records, and criminal history, attracting stricter processing rules like data encryption under Section 9.

Importantly, healthcare information as a general category does not appear on that sensitive list, unlike under the EU’s GDPR or other international frameworks. However, this technical distinction should not create a false sense of security. Medical records remain deeply personal and often contain information that does fall within the Act’s sensitive categories, such as genetic test results or biometric identifiers. Even routine medical data, if mishandled, can cause significant harm to patients.

The commissioner’s message was clear: while healthcare data may not be labelled ‘sensitive’ in the statute, it must be treated as high-risk. Healthcare providers should adopt the highest standards of protection, not the minimum required by law.

Her remarks reinforced the principle that patient trust, once compromised, cannot be easily restored and that privacy protection must be built into every level of clinical and administrative operations. She reminded attendees that penalties for serious breaches can reach $500 000 or three years’ imprisonment, underscoring the seriousness of the enforcement climate.

Legal and Data Privacy specialist Jabarry Garnes (currently Communications Analyst at the United Nations Development Programme, and holding BSc, LLB, and LLM credentials) delivered a session titled Embedding Privacy by Design in Healthcare. He explained that Privacy by Design is a proactive framework for embedding privacy protections into systems, services, and business processes from the outset rather than as an afterthought. It ensures that privacy considerations are integrated into the very architecture of information systems, workflows, and digital platforms, making them a design feature rather than a bolt-on compliance measure.

Mr Garnes connected the seven foundational principles of Privacy by Design to the operational requirements of the Barbados Data Protection Act (2019-29). He demonstrated how privacy can be incorporated into electronic health systems, AI-driven diagnostics, and patient-management platforms, ensuring that digital transformation in the healthcare sector advances with both ethical responsibility and legal compliance at its core.

Closing out the speaker sessions was Patricia Rowe-Seale, the government’s chief information security officer, who examined Cybersecurity Risks in the Healthcare Sector and their intersection with the Data Protection Act (2019-29). She mapped the Act’s requirements to international frameworks such as NIST and ISO 27001, highlighting the increasing risks of ransomware, insider misuse, and third-party vulnerabilities within healthcare environments. Her presentation underscored the need for continuous monitoring, layered defence strategies, and tested incident response plans to ensure both data integrity and service continuity.

Collectively, the presentations and panel discussions reinforced that healthcare organisations in Barbados are entering a new phase of accountability, one in which compliance, system design, and cybersecurity resilience operate as a single continuum. As the commission continues its targeted sectoral awareness programme, the takeaway for this sector is unmistakable: govern through compliance, design for privacy, and defend through resilience, because the enforcement era is about to begin.

 

The road ahead: Challenges and opportunities

 

Reflecting on the session, I am confident that those who attended fully grasped the importance of the message delivered. However, attendance represented only a fraction of the healthcare community that needed to hear it. For the impact to extend beyond the seminar room, it is now incumbent on professional bodies such as the Barbados Association of Medical Practitioners and the Pharmaceutical Society to carry that message forward. They must ensure that data protection and privacy compliance remain a continuous conversation within their sectors rather than a one-day event.

The greatest challenge, in my view, lies in the adoption of formal privacy programmes. Many healthcare professionals already believe they operate within a culture of confidentiality and therefore see additional compliance measures as unnecessary bureaucracy. Yet, as the presentations made clear, privacy today is no longer defined solely by professional ethics or discretion. It is a regulated standard that demands documented controls, governance frameworks, and accountability mechanisms.

Looking ahead, I anticipate a period of frustration and adjustment. As the local saying goes, Barbados wants progress but hates change. Implementing the Data Protection Act will require both. Success will depend on whether institutions can move beyond tradition and embrace compliance as a pillar of modern healthcare. Real progress will take patience, education, and leadership, but if the seminar was any indication, the first steps towards that transformation have already begun.

 

 steven@dataprivacy.bb

 

The post Healthcare data protection in Barbados: Seminar signals shift from education to enforcement appeared first on Barbados Today.
