HIPSSAPROJECT

Support for Harmonization of the ICT Policies in Sub-Sahara Africa

Meeting with Data Protection Law Stakeholders28/29th August, 2013

PRESENTATION ON SWAZILAND DATA PROTECTION LAW (TRANSPOSITION)

Kuena Mophethe ITU International Legal Expert on Data Protection

Gcinaphi MndzebeleITU National Legal Expert: Data Protection

Summary of the Content

• Background to Data Protection Law and

Transposition (Mission 1)

• Overview of National Assessment(Mission 1)

• Transposition Process

• Overview of Data Protection Bill• Points for Discussion

Purpose of Data Protection Law• Harmonised approaches• Give effect to the right to privacy• ICT technology developments impacts on the right to the

protection of personal data.• Illegitimate and unlawful monitoring of individuals • Automated decision making • Data protection regulation - strike a balance in ensuring that the

benefits of using information and communication technologies do not translate into weakened protection of personal data

• Data Protection Authority establishment• Regulation of trans border flow

Objectives of SADC Model Law

• Give effect to principles of data protection• Place limitations on the processing of personal data• Provide for the rights of the data subject• Define the responsibilities of the Data Controller• Establishment of the Data Protection Authority Combat violations of privacy likely to arise from the

collection, processing, transmission, storage and use of personal dataactivities

National Assessment

• The local expert gave and overview of existing laws and policies

• Account taken that no specific legislation on data protection exists

Data Protection BillApproach to Transposition

• Drafting of a new Bill• Customised to Swaziland without departing

from the Model law• Harmonization• Clarity of definitions and concepts;• Modifications pertaining to the Authority;

PART I - PRELIMINARY• Citation and commencement• Interpretation

Application of the Act: To data controllers, to all forms of personal information

Exemptions:

The Act does not apply to the processing of personal information –

• in the course of a purely personal or household activity

• which has been de-identified to the extent that it cannot be re-

identified; or

• by or on behalf of the State and involves national security and defence

or public safety;

• which has been exempted under this Act or sector specific legislation

Part I Interpretation/Definitions• Defining personal information:• information about an identifiable individual that is recorded in any form, including, without restricting

the generality of the foregoing:-• information relating to the race, national or ethnic origin, religion, age or marital status of the individual;• information relating to the education or the medical, criminal or employment history of the individual or

information relating to financial transactions in which the individual has been involved;• any identifying number, symbol or other particular assigned to the individual;• the address, fingerprints or blood type of the individual;• the name of the individual where it appears with other personal information relating to the individual or

where the disclosure of the name itself would reveal information about the individual;• correspondence sent to a data controller by the individual that is explicitly or implicitly of a private or

confidential nature, and replies to such correspondence that would reveal the contents of the original correspondence; and

• the views or opinions of any other person about the individual.

•

Processing of personal information

processing: refers to any operation or set of operations which is performed upon personal information, whether or not by automated means, such as obtaining, recording or holding the data or carrying out any operation or set of operations on data, including – • (a) organization, adaptation or alteration of the data;• (b) retrieval, consultation or use of the data; or • (c) alignment, combination, blocking, erasure or

destruction of the data

Sensitive personal information“sensitive personal information”

(a) refers to genetic data, data related to children, data related to offences, criminal sentences or, biometric data as well as, if they are processed for what they reveal, personal information revealing racial or ethnic origin,

political opinions, religious or philosophical beliefs, affiliation, trade-union membership, gender and personal information concerning the health or sex

life of the individual (b) refers also to any personal information otherwise considered by Swaziland law as presenting a major risk to the rights and interests of the data subject,

in particular unlawful or arbitrary discrimination.

Part II Data Protection Authority

• Establishment of the Data Protection Authority• Disqualification from office• Functions of the Authority• Tenure of office• Allowances of the members of the Authority• Funds of the Authority• Audit of Accounts• Protection of the Authority• Duty of confidentiality

Part III Protection of personal information

• Processing of personal information• Minimality:• Personal information may only be processed if, given

the purpose for which it is processed, it is adequate, relevant and not excessive

• Collection directly from the data subject• Purpose specification and further processing limitation• Security measures on integrity of personal information• Information processed by an agent of the data

controller

Part III (continued)

Information processed by an agent of the data controller: • process such information only with the knowledge or authorisation of the data controller; and• treat such personal information as confidential .

Security measures regarding information processed by an agent:• A data controller ensures that a data processor processing for or on his behalf establishes and maintains the security

measures referred to in the Act• Contract exists between controller and processor

Notification to the Authority and to the data subject

Notification of security compromises: • To the Authority and the data subjectQuality of information:• personal information to be complete, accurate, not misleading and kept up to date;• Regard be had to the purpose for which personal information was collected .• Access to and challenges of personal information• Correction of personal information• Data controller to give effect to principles• Prohibition on processing of sensitive personal information

Part IV Exemptions from protection on processing of personal information

• Exemption on data subject’s spiritual, religious or philosophical beliefs

• Exemption on data subject’s race• Exemption on data subject’s trade union membership• Exemption on data subject’s political affiliation• Exemption on data subject’s health or sexual life• Exemption on data subject’s criminal behaviour• General exemption on sensitive personal information• Authorisation by the Authority• Exemption for processing of personal data for historical,

statistical and research purposes

Part V Enforcement• Complaints • Investigation by the Authority• No action by the Authority• Pre-investigations by the Authority• Investigation proceedings by the Authority• Matters exempt from search and seizure• Parties to be informed of developments during and as a result of the

investigation• Enforcement notice• Cancellation of an enforcement notice• Reviews and appeals • Civil remedies

Part VI General ProvisionsUnsolicited electronic communications: • A data subject is entitled any time by notice to a data controller to require the data controller

to cease, or not to begin, processing of personal data in respect of which he is the data subject for the purposes of direct marketing.

Automated decision making:• Subject to qualifications/exceptions, a person may not be subjected to a decision which has

legal effect on him, or which affects him significantly, based solely on the automated processing of personal information intended to provide a profile of certain aspects of his personality or personal habits/

• Notifications Codes of Conduct:• The Authority may, from time to time, issue, approve, amend or revoke a code of conduct.

• Offences and penalties• Regulations• Transitional arrangements

Limitations on Trans border flow

• Member State with Harmonised Law • recipient establishes that the data is necessary • for the performance of a task carried out in the

public interest • pursuant to the lawful functions of a data

controller• legitimate interests of data subject not

prejudiced • subject to conditions

Limitations on Trans border flow

• Non-Member State with Harmonised Law/ Third Countries

• adequate level of protection is ensured in the country of the recipient and the data is transferred solely to permit processing otherwise authorised to be undertaken by the controller

• subject to due diligence assessment and further conditions

Due diligence assessment

• assessed in the light of all the circumstances surrounding the relevant data transfer(s),

• particular consideration to be given to the nature of the data, the purpose and duration of the proposed processing, the recipient’s country, the relevant laws in force in the third country and the professional rules and security measures which are complied with in that recipient’s country

Authority’s discretion• The Authority may:• establish the categories of processing for which and the

circumstances in which the transfer of personal data to countries outside (i) Swaziland and (ii) SADC is not authorized

• authorize a transfer or a set of transfers of personal information to a recipient country outside Swaziland or SADC which does not in its laws ensure an adequate level of protection, if the controller satisfies the Authority that it shall ensure adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of the data subjects concerned, and regarding the exercise of the data subject’s rights such safeguards can be appropriated through adequate legal and security measures and contractual clauses in particular

Thank you

Mrs. Kuena MophetheITU International Expert: Data Protection LawKmophethe@gmail.comMs. Gcinaphi MndzebeleITU National Expert: Data Protection Law