Interception & Accountability: Can Barbados’ new surveillance law protect both security and privacy?

At the time of writing, the government has introduced the Interception of Communications Act, 2025, in Parliament for debate. So far, it has received bipartisan support, clearing the way for law enforcement to add another powerful tool to its crime-fighting arsenal.

This is a welcome initiative—one that signals a shift towards modern policing and the embrace of digital transformation. The Bill seeks to establish a clear legal framework for the lawful interception of communications in serious cases, including matters of national security and a list of grave offences such as murder, treason, terrorism, human trafficking, kidnapping, corruption, drug trafficking, and money laundering.

Balancing power with safeguards

While the intent is clear and the potential benefits tangible, the Bill does not simply grant new powers without checks. It embeds privacy safeguards that require judicial oversight for each interception, restricts warrants to a defined timeframe, and mandates the destruction of any material that is irrelevant, privileged, or no longer needed. These provisions are essential to balance public safety with constitutional rights.

A question of readiness

The way the Act is written assumes a level of organisational readiness within law enforcement that warrants reflection. If that capacity exists, the transition should be seamless; if it does not, the gap will be significant.

The duties around custody, retention, and destruction of intercepted material point to the need for a structured governance framework—complete with a designated Data Protection Officer (DPO), which our well-entrenched Data Protection Act, 2019, explicitly requires under Section 67. That section mandates designation of a DPO for public authorities or bodies, especially where processing involves monitoring or sensitive data at scale.

In Barbados, if such structures are not yet embedded in policing, the challenge may lie less in the legality of interception and more in the operational framework required to meet these obligations in practice.

The UK model: Independence and accountability

This is standard in jurisdictions such as the United Kingdom, where every police force operates under the Data Protection Act with an independent DPO to ensure compliance.

In the UK, appointing a DPO for police forces is far from a token gesture. It is a statutory requirement under Article 37 of the UK GDPR and Section 69 of the Data Protection Act, 2018, both of which apply to all public authorities, including law enforcement. Every police force has an independent DPO who operates outside the operational chain of command, reports directly to the chief constable or equivalent, and is legally protected from dismissal or penalisation for performing their duties.

A June 2020 UK Information Commissioner’s Office (ICO) review of police mobile phone extraction tools—systems capable of copying vast amounts of personal data from devices—required forces to involve their DPOs from the earliest planning stages, which led to tighter limits on data collection, stronger destruction protocols, and better audit documentation. This shows how a DPO can actively reshape policy to ensure that powerful investigative tools operate within both legal and ethical limits—a safeguard directly relevant to the proposed lawful interception powers in Barbados.

The role of the DPO

This independence is intentional. The DPO’s mandate covers monitoring compliance, advising on lawful processing, and guiding Data Protection Impact Assessments (DPIAs) — a formal process to identify and minimise privacy risks before undertaking high-risk data processing.

Under Barbados’ Data Protection Act, 2019, interception of communications would almost certainly qualify as such an activity, given its direct effect on individuals’ fundamental rights and freedoms. The DPO also oversees data retention and destruction, ensuring these functions remain separate from the hierarchy that conducts interceptions.

In practice, UK police DPOs act as the formal liaison with the Information Commissioner’s Office (ICO), making sure compliance is subject to independent regulatory oversight rather than solely internal review.

Penalties and the case for a DPO

Failure to comply with the Act’s destruction requirements carries serious consequences. An authorised officer — defined as the Commissioner of Police or the Director General of the Anti-Corruption and Anti-Terrorism Agency — who fails to destroy intercepted material when required faces penalties of up to $100 000, one year’s imprisonment, or both.

The same liability can extend to any officer formally delegated to handle intercepted data, as well as technical staff or contractors who knowingly retain or misuse such material.

This is precisely why an independent DPO is essential: high command may be unaware that records are not being properly disposed of, yet still face personal and institutional liability if those failures come to light.

Oversight gaps in Barbados

The rationale is clear: law enforcement should not be left to police itself on matters that directly affect citizens’ rights and privacy. An independent DPO brings impartial oversight, a clear line of accountability, and an unimpeded channel for raising concerns.

While the UK model benefits from strong institutional support — namely the College of Policing’s Code of Practice and the National Police Freedom of Information and Data Protection Unit (NPFDU) — to make oversight visible, structured, and enforceable, it is unclear whether any equivalent governance framework currently operates within the Barbados Police Service. Such a framework, if it exists, has not been publicly detailed or widely referenced in the context of data protection or information governance for law enforcement.

Moving forward

If Barbados were to adopt a similar framework, the appointment of an independent DPO within law enforcement — separate from operational command and directly accountable to senior leadership and the regulator — would significantly reinforce the privacy safeguards envisioned by the Interception of Communications Act, 2025, while closing the governance gap the legislation currently assumes has already been addressed.

Ultimately, the success of the Interception of Communications Act, 2025, will not be measured solely by its ability to empower law enforcement, but by its capacity to do so without eroding public trust.

The power to intercept communications is among the most intrusive tools available to the State, and with such authority comes an equally high standard of accountability. By embedding independent oversight through a dedicated DPO, supported by transparent governance and clear operational safeguards, Barbados can ensure that this modernisation of policing is not just about crime-fighting efficiency, but also about protecting the very rights and freedoms it seeks to defend.

Anything less risks undermining both the intent of the law and the confidence of the people it is meant to serve.

Steven Williams is the executive director of Sunisle Technology Solutions and the principal consultant at Data Privacy and Management Advisory Services. He is a former IT advisor to the Government’s Law Review Commission, focusing on the draft Cybercrime bill. He holds an MBA from the University of Durham and is certified as a chief information security officer by the EC Council and as a data protection officer by the Professional Evaluation and Certification Board (PECB).

Steven can be reached at Mobile: 246-233-0090; Email: steven@dataprivacy.bb

The post Interception & Accountability: Can Barbados’ new surveillance law protect both security and privacy? appeared first on Barbados Today.
