Jamaican digital privacy expert Chukwuemeka Cameron published this assessment of procurement specification issues in Trinidad and Tobago’s identity platform strategy on his LinkedIn profile on July 07, 2026. It is reproduced here with his permission.
Trinidad is building a national face database but its privacy law is two-thirds inoperative
On July 3rd, at 2:00pm, three companies stopped competing to build Trinidad and Tobago’s next national biometric database.
That’s what an Expression of Interest deadline is, stripped of the press-release language: a closing bell. Whoever wins will spend the next five years building and running the system that issues, personalizes, and controls every Trinidadian passport — a facial recognition platform, a back-end server holding the biometric record of a nation, and 750,000 booklets produced to order.
The Ministry of Homeland Security calls it the e-Passport Issuing and Control System. Read the 4-page procurement notice, and there is exactly one governance standard named in it: ICAO’s technical specification for travel documents.
There is no mention of a privacy impact assessment. No mention of data residency. No mention of the Data Protection Act. No mention, anywhere, of the regulator whose job this is supposed to be.
That regulator exists. It has an appointed Commissioner, a staff, even a seal of office. What it does not have — and has not had since the Act was passed fourteen years ago — is the power to do very much about any of this.
What’s actually being built
Minister of Homeland Security Roger Alexander went on the record this week to knock down a rumour that Trinidad and Tobago was running low on machine-readable passport stock. In the same breath, he confirmed the real story: the country is moving to e-passports, three vendors have submitted Expressions of Interest, and — in his words — “digitising passport services and introducing e-passports would strengthen national security and enhance data-sharing both regionally and internationally.”
That quote is doing a lot of work. It is the only place in the entire public record, primary document included, where anyone connected to this project uses the word “data” in a sentence about what happens to it.
The procurement document itself, read in full rather than taken on faith from press summaries, spells out exactly what the winning vendor will build: a facial recognition system for “personalization” of the new passports; a process that runs a citizen’s application through Reception, Scanning, Data Entry, Supervisory Review, Print, Quality Assurance, Online Application Verification and Issuance; a public-facing web application with online payment processing; and interoperability with the country’s Integrated Border Management System.
All of it new hardware, all of it run by a private company, for five years, with a service-level agreement to be worked out later. The bidding window — originally set to close June 19 — was quietly extended to July 3, four days before this was written. Whoever the ministry shortlists is, right now, being reviewed.
Nowhere in that document is a vendor asked to describe how it will protect the biometric data of a nation. Nowhere is a vendor asked whether it can point to an independent security certification beyond ISO 9001, a quality standard that has nothing to do with data protection. The addendum issued to answer bidders’ questions is blunter still: at this stage, the ministry wrote, “no responses to technical questions… will be provided.
All relevant details of the project will be provided within the Request for Proposal (RFP) stage.” Whatever data-handling terms eventually exist — if any do — will be negotiated in private, after the field has already been narrowed to a shortlist, with no public draft to react to.
Specific issues with the procurement notice
- At the EOI stage, the only accreditation required is ISO 9001 — a quality-management standard, not an information security or data protection one. The notice’s own security language is limited to ICAO passport-document specifications; no ISO 27001 or equivalent data-security certification appears anywhere. Whether the RFP later adds one is unknown — the addendum defers “all relevant details” to that stage — but as things stand, a vendor reaches the shortlist having demonstrated nothing beyond quality-management certification and ICAO document security.
-  The notice describes only where hardware is physically installed, for operational reasons — it never engages “data residency” as a policy question at all. And the locations aren’t even confined to Trinidad and Tobago: the system “may also include external consular sites,” with back-end servers required equipment there too. Nothing addresses remote vendor access, offshore technical support, cloud backup, or replication outside those sites.
- Bidders must disclose if they’re using a consortium, joint venture, or subcontractors — but nothing requires specifying which party in that chain would handle the biometric data. Only the legally binding documents are deferred to the RFP stage; the disclosure obligation that exists today carries no data-handling detail. (The RFP may address this — the EOI is silent on whether it will.)
- The required-documents list — covering letter, letter of incumbency, company profile, incorporation certificate, financial capability, tax clearance — includes nothing on data governance or privacy practice. To be fair, no criterion of any kind is scored or disclosed in this document — this isn’t data protection being singled out, it’s consistent with the EOI’s overall silence on evaluation criteria. Bidders were free to volunteer such material under a catch-all “any other relevant information” clause; nothing required or invited it.
- A “system handover procedure” is listed as a deliverable, but the notice never specifies what it covers — no retention, deletion, or destruction requirement for the biometric data appears anywhere, at contract end or otherwise.
- The addendum states plainly that no technical questions will be answered until the RFP stage. This is standard two-stage procurement practice, not unique to this project. But it means this EOI is currently the only document with any public visibility at all, and there’s no indication the eventual RFP will itself be published for outside review.
- Nothing restricts foreign state-owned bidders, and nothing addresses what a foreign-owned or foreign-state-controlled winning vendor would mean for a national biometric system. This isn’t unusual — most governments procuring specialized e-passport technology draw from a small global vendor pool and don’t attach ownership conditions at the EOI stage. But the document gives no sign the question was considered, and since the three respondents aren’t publicly named, whether it matters here is currently unknown.
The law that never woke up
Here is the part that should stop any DPO in the room: Trinidad and Tobago has had a Data Protection Act since 2011. It has never been more than a third switched on.
Section 1(2) of the Act — its own commencement clause, read directly rather than summarized — states plainly that only “Part I and Sections 7–18, 22, 23, 25(1), 26 and 28” came into force, by Legal Notice in January 2012.
Translated out of statute-speak: Parliament turned on the general privacy principles, and it turned on the basic administrative existence of the Office of the Information Commissioner — an appointed Commissioner, a seal, a staff, some protections for the Commissioner’s own conduct.
Everything else is still turned off. The Commissioner’s power to actually audit a public body’s data handling under Part III, or a private company’s under Part IV — off. And Part III itself is where the specific tools for a project exactly like this one live: section 47, “privacy impact assessment and mitigation” — off.
Section 46, disclosure of personal information outside of Trinidad and Tobago — the precise clause that would govern the minister’s own promise of “enhanced data-sharing… internationally” — off. Section 49, information sharing, and section 50, data matching — the safeguards that would apply the moment this new passport system starts talking to the Integrated Border Management System — both off.
The entire part governing private-sector obligations, the one that would apply to whichever company wins this contract, including its own cross-border-disclosure rule at section 72 — off. And every offence and every penalty the Act creates for breaking any of it, sections 87 through 96 — off.
There is, right now, no enforceable data-protection obligation that governs the company that is about to become the custodian of a national facial-recognition database, and no penalty regime under this Act for anyone who mishandles it.
This is not a new observation, and that is the point. In August 2021, Rishi Maharaj, executive director of the EquiGov Institute, wrote in Newsday about the growing use of biometric verification in T&T banking, and noted, in a subject-to-correction aside that has aged into simple fact: “Trinidad and Tobago does have a data protection act that was passed in 2011. However, the act was never fully implemented… So, as it stands now… there are no laws to regulate the use of these technologies in TT.” Five years later, a national biometric passport system is going out to tender, and that sentence remains appallingly true, word for word.
Let’s be precise about what this is not. This is not a story about a government hiding something. Every fact above comes from a document the ministry itself published, and a law Parliament itself passed and partially proclaimed. The gap is not concealment; it is a decade and a half of waiting on a switch nobody has turned on and it’s on this partial infrastructure that the facial database is going to be built.
One more thing needs stating plainly, and then set aside, because it deserves its own scrutiny rather than a supporting role here: weeks before this procurement, Minister Alexander disclosed — in his own words, to the press, as part of handing documentation to the police — what he described as a long-running bribery racket inside the same Immigration Division that will operate this new system, with officials allegedly paid over years for passport appointments, work permits and residency documents.
That is the minister’s own disclosure, still under investigation, not a claim being made of anyone by name. It belongs in this piece for one reason only: a country building a biometric database with no enforceable data-protection law is a live risk in the abstract; a country building one inside a division it has just accused of running a bribery racket is the same risk, no longer abstract.
The region isn’t waiting
None of this is happening in isolation, and the timing is almost too on-the-nose. Since July 1st — two days before Trinidad and Tobago’s own bidding window closed — Barbadian and Guyanese citizens have been crossing the border between their two countries on a national ID card alone, no passport required.
It is the first time any two CARICOM states have accepted each other’s domestic ID as a travel document, announced by Prime Minister Mia Mottley and President Irfaan Ali during Guyana’s 60th-anniversary celebrations.
There is no published bilateral data-sharing agreement. No published privacy impact assessment. No named authority responsible for the joint arrivals-and-departures data the arrangement necessarily creates.
Trinidad and Tobago, meanwhile, is running two biometric identity build-outs at once. Alongside the e-passport tender, the country launched VerifyTT in April — a separate digital-credentials platform letting institutions verify identity electronically, part of the same “digital public infrastructure” push, under the same unproclaimed Act.
St Lucia has its own National Authentication Framework. St Kitts and Nevis now collects biometric data as part of its Citizenship by Investment programme. Every one of these systems is being built by a government that would, on paper, tell you it takes data protection seriously — and not one of them is being built with a live, enforceable data-protection regime standing behind it.
The Jamaica angle nobody should skip
It would be comfortable, from Kingston, to read all of this as somebody else’s problem. It isn’t. Jamaica’s own Office of the Information Commissioner — the body that administers a Data Protection Act that, unlike Trinidad’s, is actually in force — has had its data-controller registration portal offline since March of this year, “to facilitate administrative and technical enhancements.”
“Jamaica has its own biometric national identification system in motion, its own facial-recognition-adjacent surveillance infrastructure question with JamaicaEye, and its own history of digitisation projects announced with security and efficiency at the front of the sentence and governance somewhere after the full stop, if it appears at all.
The lesson Trinidad and Tobago is demonstrating this week is not that its law is unusually weak. It’s that a data-protection statute that exists on the books does very little for anyone unless someone can point to a specific section that is switched on, name the office that can enforce it, and show that an audit that has actually happened.
That test travels. It travels to Jamaica’s own registry. It travels to every accidental DPO in the region who has been told their country “has a data protection law” and has never been shown which parts of it actually work.
What a real answer would look like
None of this requires inventing new machinery. Section 47 already exists on paper — the ministry could commission and publish a privacy impact assessment for ePICS voluntarily, before the RFP is issued, the same way a controller in a fully-proclaimed jurisdiction would be required to. The RFP itself could require bidders to cite a security standard that actually addresses data protection — ISO 27001, not just ISO 9001 — and to state, in writing, where the biometric data will sit and who besides the ministry can reach it.
None of that needs Part IV of the Act to be proclaimed first; it only needs someone at the table to ask for it. The addendum’s own words — “no responses to technical questions… at this stage” — mean that window, if it exists, is the RFP, not the EOI that just closed. Whether the ministry uses it is now the only question worth watching.
The line that should outlast this news cycle
Three companies spent five weeks competing for the right to hold the biometric identity of every person in Trinidad and Tobago who will ever need a passport. Not one of them was asked, anywhere in the official record, how they will protect it. That isn’t a gap in the reporting. It’s a gap in the law — read directly, section by section, and still open.
Four days after the bidding closed, that’s still the only question that matters, and it’s still nobody’s job to ask it.
About the author

Chukwuemeka Cameron is the founder and CEO of Design Privacy Limited, Jamaica’s leading data protection consultancy, and Design Privacy Academy (DPA), which licenses ISO 17024-aligned certification curricula that prepare professionals to sit the International Privacy Certification Authority (IPCA) assessment. DPA’s competency-based programmes are delivered through institutional partners across the Commonwealth, equipping Data Protection Officers with skills grounded in local law. An ISO 27001 and ISO 27701 Lead Implementer,
Chukwuemeka holds a Master’s in Information Technology and Management. He hosts Data Protection Matters on Nationwide News Network, and was a panelist at the 3rd Annual CDA Digital Caribbean Conference in Curaçao. He is based in Kingston, Jamaica.



