Privacy Policy

How is the Barbados Revenue Authority accountable for your privacy?

As an individual subject to tax in Barbados, you entrust the Barbados Revenue Authority (“the Authority”) with your personal information and you rely on us to keep it safe and secure. As stated in the Barbados Data Protection Act 2019-29, you have the right to privacy and confidentiality. We also protect your information under other relevant pieces of legislation administered by the Authority which have confidentiality provisions. We are committed to protecting your privacy by making sure that the personal information you have supplied to us is appropriately managed and guarded, and that your right to access your information is at all times preserved and respected.

In protecting your personal information, we are guided by the following principles:

  • We value and respect the fact that you have entrusted us with your personal information, and we accept that it is our duty to enable you to clearly understand how it is being used and for what purpose;
  • We ensure that all of the Authority’s employees understand their respective responsibilities in handling personal information, as well as in responding to your requests in a timely and helpful manner;
  • We put you at the heart of all changes and improvements to our service delivery, by embedding privacy features into all that we do;
  • We combine effective and secure information management principles across the Authority; and
  • We make informed decisions about the way in which your personal information is handled based on ethical standards, and in alignment with legislative and policy obligations and leading privacy practices.

The following provisions apply to the Authority, its website, online forms and Tax Administration Management Information System (“TAMIS”). The Authority collects and processes personal data in accordance with the Barbados Data Protection Act 2019-29 and other enactments which contain confidentiality provisions, such as the Income Tax Act Cap. 73 and the Value Added Tax Act Cap. 87 among others. The Authority is committed to protecting your privacy and ensuring that the personal information which we collect and process is securely and responsibly managed, and that your right of access to your information is maintained.

For more information on our commitment to privacy, please read our Privacy Management Framework.


What is the role of our Data Privacy Officer?

The Authority’s Data Privacy Officer (DPO) is appointed by the Revenue Commissioner and Board of Directors and is responsible for defining, executing and maintaining the Authority’s Privacy Commitment. The role of the DPO is to ensure that the Authority’s respect for privacy is reinforced and strengthened, and that confidentiality and the safeguarding of personal information are at all times maintained within the Authority. As such, the DPO is responsible for:

  • overseeing decisions related to privacy, including assessing the privacy impacts of our programmes;
  • championing personal privacy rights according to the applicable legislation and policies, including managing internal and external privacy breaches;
  • reporting to the Authority’s senior executive management at least twice a year on the state of privacy management within the Authority;
  • developing tools, guidelines and resources so as to enable the Authority to comply with its privacy obligations;
  • reviewing and updating existing privacy policies and procedures;
  • developing new policies and procedures as needed;
  • developing the Annual Privacy Strategy and conducting annual operational effectiveness reviews;
  • educating and advising the Authority’s staff on their roles and responsibilities in protecting personal information;
  • responding to and managing privacy breaches, inquiries, and complaints;
  • processing, advising on, and evaluating initiatives, processes, technology, and new uses of data through privacy impact assessments and privacy protocol assessments;
  • conducting third-party risk assessments and risk management activities;
  • communicating with internal and external stakeholders about privacy at the Authority;
  • acting as a point of contact between the Authority and the Data Commissioner with respect to matters related to the protection of personal information;
  • developing and maintaining training materials for employees of the Authority; and
  • driving awareness, commitment, buy-in, and adoption from the Authority’s partners and key stakeholders.

What is personal information?

Personal Information is information which relates to an individual who can be identified: -

  • from that information; or
  • from that information together with other information which is in the possession of or is likely to come into the possession of the Authority.

What kind of personal information do we collect?

We have the authority to collect personal information related to our tax administration mandate and the legal authority given to us by our enabling legislation. We also administer a number of social benefit and tax credit programmes on behalf of the Government of Barbados. In executing our mandate therefore, we collect personal information such as names and addresses, dates of birth, personal contact information, national registration numbers, national insurance/social security numbers, employment information (including the names and addresses of employers, salary information etc.), other financial and/or banking information, as well as human resource information regarding all of the Authority’s employees.

Why do we collect your personal information, and how do we use it?

We collect personal information where it is lawful and directly related to fulfilling our mandate: to administer tax, benefits, and related programmes; and to ensure tax compliance on behalf of the Government of Barbados. Our work helps to protect Barbados’ tax base and supports the delivery of a number of important government initiatives which are essential to the economic and social well-being of Barbadians. For a full description of our function, programmes and activities, please see our Cookies Policy.

How do we collect your personal information?

We collect your personal information directly from you or indirectly through other means as permitted by law, such as from:

  • other governments in information-sharing agreements
  • other local government entities
  • your authorized representative(s)
  • your employer
  • a financial institution
  • open sources

When we collect your personal information from you, we inform you at the point of collection as to the reason for collecting it, our legal authority to do so, and how your information will be used. We will ask for your consent when required, including for additional uses or disclosures of your information. Note that, contrary to the private sector, consent is (more often than not) in fact not required for the bulk of the personal information collected by the Authority.

How do we manage and protect your personal information?

We manage and protect your personal information by having all parts of the Authority work together and by adopting the Privacy Management Framework. We focus on measures which provide a set of mechanisms to enable us to protect your personal information.

We take the security of all taxpayer information very seriously. We keep a close watch to prevent unlawful attempts to access your tax information and to make sure that your privacy rights are protected. Personal information is kept physically and digitally secure, and all of our forms and documents containing taxpayer information are marked “Protected.” This helps us to make sure that sensitive information is handled securely.

All personal data collected and processed is stored indefinitely in order to ensure the efficient administration of our mandate of taxation, in accordance with the Barbados Revenue Authority Act 2014-1.

To reduce risks to privacy, we conduct data protection impact assessments to determine how our programmes and services using personal information could affect the privacy of an individual, and to propose measures to reduce these risks.

Do we share your personal information?

We share your personal information with you, your authorized representative(s) and with other parties as legally necessary and duly documented. We may also disclose your personal information if it is authorized by law, for example, with other governments, authorized third-party service providers, and / or law enforcement agencies in the following circumstances: -

  • other governments/international jurisdictions: we may be required to share personal information with international jurisdictions with whom we have intergovernmental agreements for situations involving international tax laws and tax evasion
  • authorized third-party service providers and partners: to fulfill our tax mandate, we may share information with our authorized third-party service providers and partners
  • law enforcement agencies: as required by law, and to aid in ongoing investigations and public safety, we may share personal information with these agencies

When we share information, we abide by robust privacy protective measures and safeguards, such as:

  • stringent privacy and security clauses in our contracts with third-parties and with partners in information-sharing agreements (that is, with domestic or foreign governments);
  • where applicable, removing identification details in personal information before sharing it (for instance, in aggregate statistical information), and employing stringent controls to prevent re-identification; and
  • ongoing monitoring of our information-sharing agreements and contracts.

What happens if there is a privacy breach?

The Authority’s employees must report any detected or suspected unauthorized access to or disclosure of personal information, any misconduct and/or fraud, as well as any processes which appear to be vulnerable to fraud. The Authority takes your privacy seriously, and as such commits to thoroughly investigating all allegations or suspicions of:

  • improper or unauthorized handling and/or exposure of personal information under its control: by any of our employees, or by a third-party including external threat actors; and
  • external incidents which indirectly affect taxpayer personal information or taxpayer interactions with us.

If the Authority confirms a privacy breach, it will act quickly to resolve the incident. Should a breach be deemed “material”, the Authority will inform any and all affected individuals, as well as the Data Privacy Officer, the Revenue Commissioner and the Data Protection Commissioner. The Authority is committed to reducing all risks in order to prevent privacy breaches from occurring, and if criminal activity is suspected, the Authority will co-operate fully with law enforcement authorities.

To report a suspected privacy breach, please contact us immediately at privacy@bra.gov.bb

A breach of personal information could include incidents such as theft or loss of data storage equipment, as well as improper or unauthorized collection, use, disclosure, access, retention or disposal of information. A breach could be the result of error or malicious action by one of the Authority’s employees, a third party, a partner in an information-sharing agreement or an intruder.

The Authority has developed Privacy Breach Procedures which outline the steps that its employees must take if there is a suspected or confirmed privacy breach. The Authority’s procedures follow the Data Privacy Act.

What are your rights under the Barbados Data Protection Act?

In accordance with the Barbados Data Protection Act, you have the right to request information about your personal data which is processed by the Authority.

In particular, you may request information about the purposes of processing, the categories of personal data, the recipients or categories of recipients to whom your data has been or will be disclosed, the planned storage period, the existence of a right to rectification, the existence of a right to lodge a complaint, the origin of your data if it was not collected by us, and the existence of automated decision-making including profiling and, if applicable, meaningful information on the logic involved.

You also have the right to request a copy of your personal data undergoing processing. Any additional copies requested may be subject to an administrative fee.

What happens when you interact with us online?

When you visit the web pages of the Authority, most web servers automatically collect information about that visit.

IP addresses

Web servers may automatically collect information about a visit to a website, including the visitor's Internet Protocol (IP) address. An Internet Protocol (IP) address is a unique number assigned by an Internet service provider to any device used to access the Internet. A web server automatically logs the IP address of a visitor to its site. An IP address, on its own, does not identify an individual. However, in certain circumstances, such as with the co-operation of an Internet service provider, an IP address could be used to identify an individual using a site. For this reason, the Government of Barbados considers an IP address to be personal information.

The IP address is collected to identify unauthorized attempts to upload information, change information, or otherwise cause damage. 

Digital markers (including cookies)

We may use sessional and persistent digital markers on some web pages to better understand your preferences and provide you with the best possible web experience. A digital marker is a resource created by your browser to reference certain pieces of information during the same or a later visit to a web page. During your online session with the Authority, your browser exchanges data with our web server.

You can adjust your browser settings to reject digital markers, including cookies. However, doing so may affect your ability to interact with our web pages. For example, if you are accessing any secure services that require a username and password and if you disable any cookies, you may need to re-insert your username and password at every visit to a website.

Examples of digital markers are cookies and HTML5 web storage. Among other functions, digital markers:

  • let a website recognize a previous visit each time a visitor accesses a site.
  • track the information viewed on a site, to help website administrators make sure visitors find what they are looking for. For example, the number of mouse clicks made by an individual can indicate whether or not content was easy to find.

Web analytics

Web analytics is the collection, analysis, measurement, and reporting of data about web visits to understand web usage and to maintain and improve web service. When your computer is directed to the Barbados Revenue Authority web page, we may collect information for analytics purposes, which may be used for IT related audits, evaluations, research, planning, and reporting, as well as communications and information technology statistics. The following types of information may be collected during a visit to our web pages:

  • part of the originating IP address
  • the date and time of a request
  • the type of browser used
  • the page(s) visited

As part of web analytics, information in digital markers may be used to remember your online interactions with our web pages.

Social media

The Authority’s use of social media is an extension of its presence on the web. Its social media account, however, is not hosted on the Authority’s servers. If you choose to interact with us through social media, you should consult the terms of service and privacy policies of the third-party service provider and those of any applications you use, so that you understand how personal information is used. We use the social media platforms Twitter, YouTube, LinkedIn, Facebook, WhatsApp and Instagram among others.

Protecting the security of our web pages

The Authority takes all necessary security measures to protect your personal information from loss or misuse. Your information is stored in a secure operating environment that is safeguarded from unauthorised access.

The Authority utilizes software programmes to monitor network traffic in order to identify and eradicate cyber threats, unauthorized attempts to upload information, change information, or otherwise cause damage. This software receives and records the IP address of the computer that has contacted our web pages, the date and time of the visit and the pages visited. The Authority makes no attempt to link these addresses with the identity of individuals visiting its pages, unless an attempt to undertake inappropriate activity as described above has been detected.

The Authority collects the network traffic information in accordance with the Data Protection Act, 2019. The information may be shared with appropriate law enforcement authorities if suspected criminal activities are detected. Such information may be used for network security statistics, as well as for IT related audits, evaluations, research, planning, and reporting.

Google reCAPTCHA Policy

We are doing everything possible to stay protected and offer you the highest possible user friendliness. That is why we use Google reCAPTCHA to determine whether the user is a real person and not a robot or spam software. When Google reCAPTCHA is used, data is transmitted to Google to determine whether the user is genuinely human. Without reCAPTCHA, a bot could register as many email addresses as possible in order to subsequently send spam with unwanted advertising content. With reCAPTCHA we can avoid this.

Cookies Policy

To comply with the regulations governing cookies under the GDPR we must:

  • Receive users’ consent before we use any cookies except strictly necessary cookies.
  • Provide accurate and specific information about the data each cookie tracks and its purpose in plain language before consent is received.
  • Document and store consent received from users.
  • Allow users to access our services even if they refuse to allow the use of certain cookies.
  • Make it as easy for users to withdraw their consent as it was for them to give their consent in the first place.

Contact us

For questions, comments, concerns or complaints about our privacy practices, please contact:

The Data Privacy Officer
Barbados Revenue Authority
4th Floor Weymouth Corporate Centre
Roebuck Street
Bridgetown
St. Michael
BARBADOS BB11080
privacy@bra.gov.bb


If you are not satisfied with our response to your privacy concern, you may contact the Office of the Revenue Commissioner at louisa.lewis-ward@bra.gov.bb.

To report a problem or mistake on this page, please email privacy@bra.gov.bb