Swaziland data protection law

advertisement
HIPSSAPROJECT
Support for Harmonization of the ICT Policies
in Sub-Sahara Africa
Meeting with Data Protection Law Stakeholders
28/29th August, 2013
PRESENTATION ON SWAZILAND DATA PROTECTION LAW
(TRANSPOSITION)
Kuena Mophethe
ITU International Legal Expert on Data Protection
Gcinaphi Mndzebele
ITU National Legal Expert: Data Protection
Summary of the Content
• Background to Data Protection Law and
Transposition (Mission 1)
• Overview of National Assessment(Mission 1)
• Transposition Process
• Overview of Data Protection Bill
• Points for Discussion
Purpose of Data Protection Law
• Harmonised approaches
• Give effect to the right to privacy
• ICT technology developments impacts on the right to the
protection of personal data.
• Illegitimate and unlawful monitoring of individuals
• Automated decision making
• Data protection regulation - strike a balance in ensuring
that the benefits of using information and communication
technologies do not translate into weakened protection of
personal data
• Data Protection Authority establishment
• Regulation of trans border flow
Objectives of SADC Model Law
•
•
•
•
•
Give effect to principles of data protection
Place limitations on the processing of personal data
Provide for the rights of the data subject
Define the responsibilities of the Data Controller
Establishment of the Data Protection Authority
 Combat violations of privacy likely to arise from the
collection, processing, transmission, storage and
use of personal dataactivities
National Assessment
• The local expert gave and overview of existing
laws and policies
• Account taken that no specific legislation on
data protection exists
Data Protection Bill
Approach to Transposition
• Drafting of a new Bill
• Customised to Swaziland without departing
from the Model law
• Harmonization
• Clarity of definitions and concepts;
• Modifications pertaining to the Authority;
PART I - PRELIMINARY
•
•
Citation and commencement
Interpretation
Application of the Act: To data controllers, to all forms of personal information
Exemptions:
The Act does not apply to the processing of personal information –
•
in the course of a purely personal or household activity
•
which has been de-identified to the extent that it cannot be re-identified; or
•
by or on behalf of the State and involves national security and defence or
public safety;
•
which has been exempted under this Act or sector specific legislation
Part I Interpretation/Definitions
• Defining personal information:
• information about an identifiable individual that is recorded in any form,
including, without restricting the generality of the foregoing:• information relating to the race, national or ethnic origin, religion, age or
marital status of the individual;
• information relating to the education or the medical, criminal or
employment history of the individual or information relating to financial
transactions in which the individual has been involved;
• any identifying number, symbol or other particular assigned to the
individual;
• the address, fingerprints or blood type of the individual;
• the name of the individual where it appears with other personal
information relating to the individual or where the disclosure of the name
itself would reveal information about the individual;
• correspondence sent to a data controller by the individual that is explicitly
or implicitly of a private or confidential nature, and replies to such
correspondence that would reveal the contents of the original
correspondence; and
• the views or opinions of any other person about the individual.
Processing of personal information
processing: refers to any operation or set of operations
which is performed upon personal information, whether
or not by automated means, such as obtaining, recording
or holding the data or carrying out any operation or set of
operations on data, including –
• (a) organization, adaptation or alteration of the data;
• (b) retrieval, consultation or use of the data; or
• (c) alignment, combination, blocking, erasure or
destruction of the data
Sensitive personal information
“sensitive personal information”
(a) refers to genetic data, data related to children, data related to offences,
criminal sentences or, biometric data as well as, if they are processed for
what they reveal, personal information revealing racial or ethnic origin,
political opinions, religious or philosophical beliefs, affiliation, trade-union
membership, gender and personal information concerning the health or sex
life of the individual
(b) refers also to any personal information otherwise considered by Swaziland
law as presenting a major risk to the rights and interests of the data subject,
in particular unlawful or arbitrary discrimination.
Part II Data Protection Authority
•
•
•
•
•
•
•
•
•
Establishment of the Data Protection Authority
Disqualification from office
Functions of the Authority
Tenure of office
Allowances of the members of the Authority
Funds of the Authority
Audit of Accounts
Protection of the Authority
Duty of confidentiality
Part III Protection of personal information
• Processing of personal information
• Minimality:
• Personal information may only be processed if, given
the purpose for which it is processed, it is adequate,
relevant and not excessive
• Collection directly from the data subject
• Purpose specification and further processing limitation
• Security measures on integrity of personal information
• Information processed by an agent of the data
controller
Part III (continued)
Information processed by an agent of the data controller:
• process such information only with the knowledge or authorisation of the data controller;
and
• treat such personal information as confidential .
Security measures regarding information processed by an agent:
• A data controller ensures that a data processor processing for or on his behalf establishes
and maintains the security measures referred to in the Act
• Contract exists between controller and processor
Notification to the Authority and to the data subject
Notification of security compromises:
• To the Authority and the data subject
Quality of information:
•
personal information to be complete, accurate, not misleading and kept up to date;
• Regard be had to the purpose for which personal information was collected .
• Access to and challenges of personal information
• Correction of personal information
• Data controller to give effect to principles
• Prohibition on processing of sensitive personal information
Part IV Exemptions from protection on
processing of personal information
• Exemption on data subject’s spiritual, religious or
philosophical beliefs
• Exemption on data subject’s race
• Exemption on data subject’s trade union membership
• Exemption on data subject’s political affiliation
• Exemption on data subject’s health or sexual life
• Exemption on data subject’s criminal behaviour
• General exemption on sensitive personal information
• Authorisation by the Authority
• Exemption for processing of personal data for
historical, statistical and research purposes
Part V Enforcement
•
•
•
•
•
•
•
•
•
•
•
Complaints
Investigation by the Authority
No action by the Authority
Pre-investigations by the Authority
Investigation proceedings by the Authority
Matters exempt from search and seizure
Parties to be informed of developments during and as a
result of the investigation
Enforcement notice
Cancellation of an enforcement notice
Reviews and appeals
Civil remedies
Part VI General Provisions
Unsolicited electronic communications:
• A data subject is entitled any time by notice to a data controller to require the data
controller to cease, or not to begin, processing of personal data in respect of which
he is the data subject for the purposes of direct marketing.
Automated decision making:
• Subject to qualifications/exceptions, a person may not be subjected to a decision
which has legal effect on him, or which affects him significantly, based solely on
the automated processing of personal information intended to provide a profile of
certain aspects of his personality or personal habits/
• Notifications
Codes of Conduct:
• The Authority may, from time to time, issue, approve, amend or revoke a code of
conduct.
•
•
•
Offences and penalties
Regulations
Transitional arrangements
Limitations on Trans border flow
• Member State with Harmonised Law
• recipient establishes that the data is necessary
• for the performance of a task carried out in the
public interest
• pursuant to the lawful functions of a data
controller
• legitimate interests of data subject not prejudiced
• subject to conditions
Limitations on Trans border flow
• Non-Member State with Harmonised Law/
Third Countries
• adequate level of protection is ensured in the
country of the recipient and the data is
transferred solely to permit processing
otherwise authorised to be undertaken by the
controller
• subject to due diligence assessment and
further conditions
Due diligence assessment
• assessed in the light of all the circumstances
surrounding the relevant data transfer(s),
• particular consideration to be given to the
nature of the data, the purpose and duration
of the proposed processing, the recipient’s
country, the relevant laws in force in the third
country and the professional rules and
security measures which are complied with in
that recipient’s country
Authority’s discretion
• The Authority may:
• establish the categories of processing for which and the
circumstances in which the transfer of personal data to countries
outside (i) Swaziland and (ii) SADC is not authorized
• authorize a transfer or a set of transfers of personal information to
a recipient country outside Swaziland or SADC which does not in its
laws ensure an adequate level of protection, if the controller
satisfies the Authority that it shall ensure adequate safeguards with
respect to the protection of privacy and fundamental rights and
freedoms of the data subjects concerned, and regarding the
exercise of the data subject’s rights such safeguards can be
appropriated through adequate legal and security measures and
contractual clauses in particular
Thank you
Mrs. Kuena Mophethe
ITU International Expert: Data Protection Law
Kmophethe@gmail.com
Ms. Gcinaphi Mndzebele
ITU National Expert: Data Protection Law
Download