Revised Laws of Saint Lucia (2023)

22.   Security and control measures

(1)   A credit bureau shall, in respect of data subject information processed by it, have in place the appropriate, technical, and institutional data security measures and safeguards to protect the data subject information in its custody or control.

(2)   Without limiting the generality of subsection (1), a credit bureau shall, in respect of data subject information processed by it —

    (a)     put in place suitable physical and electronic data security and control measures;

    (b)     implement the necessary managerial procedures and commercially reasonable data security safeguards for the purpose of safeguarding the data subject information against —

        (i)     misuse or unauthorized access to, and disclosure of, the data subject information;

        (ii)     illegal interception or interruption of the data subject information during exchange or otherwise processing of the information;

        (iii)     loss, destruction, corruption, inappropriate alteration or modification, or inappropriate disclosure of the data subject information; or

        (iv)     other misuse regarding the data subject information, including misuse by anyone with authorized access to the data subject information;

    (c)     keep and maintain or cause to be maintained an access log regarding —

        (i)     access by any person authorized to access the data subject information; and

        (ii)     every procedure performed by any person referred to in subparagraph (i); and

    (d)     make available, upon request, to the data subject the name of every subscriber who obtains access to the data subject information and the date of access.

(3)   In accordance with subsection (2)(a) and (b), every credit bureau shall, for the purpose of safeguarding the data subject information which it processes against misuse or unauthorized access —

    (a)     develop written policies and procedures, to be followed by its employees, agents and contractors, respecting the provision of credit reporting services under this Act and the Regulations;

    (b)     ensure that a person accesses data subject information processed by that credit bureau only by using a password, credential token or other access authentication control mechanism;

    (c)     ensure that data subject information is disclosed to a subscriber only in accordance with this Act and the terms of a subscriber agreement;

    (d)     provide training to its employees, agents and contractors so as to ensure compliance with the policies and procedures referred to in paragraph (a);

    (e)     monitor usage of, and regularly check compliance with —

        (i)     the subscriber agreement, policies, procedures and control mechanisms under paragraphs (a), (b) and (c); and

        (ii)     the requirements of this Act and the Regulations;

    (f)     identify and investigate possible breaches of —

        (i)     the subscriber agreement, policies, procedures and control mechanisms specified under paragraphs (a), (b) and (c), and

        (ii)     the requirements of this Act and the Regulations;

    (g)     take prompt and effective action in respect of any breach identified under paragraph (f); and

    (h)     systematically review the effectiveness of the policies, procedures and authentication control mechanisms specified under paragraphs (a) and (b) and, where applicable, promptly remedy any deficiencies observed or detected.

(4)   Subject to the approval of the Central Bank, every agreement between the credit bureau and a credit information provider or subscriber shall make provision with respect to —

    (a)     the modalities for the submission of information by the credit information provider including the manner and form in which the information is submitted;

    (b)     the delivery of credit reports and value added products by a credit bureau to a credit information provider or subscriber;

    (c)     the type of information to be provided under section 27(9); and

    (d)     the termination of the agreement.

(5)   Notwithstanding the termination of an agreement referred to in subsection (4), the credit information provider shall, for such time as the Central Bank specifies but not to exceed one year, continue to supply to the credit bureau, data subject information regarding any data subject who was previously part of the periodic update under the terms and conditions of the agreement as if the agreement were not terminated.

(6)   A credit bureau commits an offence if it fails to adopt security and control measures that are necessary to prevent the unauthorized access to, or wrongful use or management of information by its staff, technology provider or contractors and is liable, on summary conviction, to a fine not less than $10 000 but not exceeding $100 000.

(7)   The Minister may, by Regulations, provide for the matters to be included in the provisions of a subscriber agreement.