The purpose of the Act is to give effect to Article 31(c) and (d) of the Constitution, which contain the right to privacy, a fundamental human right. Data protection is the process of safeguarding personal information in accordance with a set of principles laid down by law.
The Data Protection Bill which has been a subject of discussion for a number of
years was passed into law on 8th November 2019. There has been an increase in
the adoption and implementation of data protection laws and frameworks by
countries at large.
The Data Protection Act 2019 has in many ways drawn from the General Data Protection Regulation of Europe.
The frameworks and laws have developed mainly in response to technological
advances which increase the collection, holding and dissemination of personal
information as well as surveillance of people.
PROVISIONS OF THE ACT & APPLICATION
The Act is extremely broad-based and covers all persons and entities who deal with or store data.
Key Definitions
personal data | information relating to an identified or identifiable
data controller | a natural or legal person, public authority, agency or
data processor | a natural or legal person, public authority, agency
sensitive personal data | data revealing the natural person's race, health
The Act imposes a number of obligations on data processors
and data controllers in respect of the manner in which personal data is
processed and sets out their duties to the data subjects.
The Act establishes the office of the Data Protection Commissioner and mandates
that any data controller or data processor be registered with the Data
Commissioner.
The Data Commissioner will be required to maintain a register of the registered
data controllers and data processors, which register shall be a public document,
available for inspection by any person.
Collection of personal data
The Act provides that every data controller or data processor shall ensure that personal data is:-
- processed lawfully, fairly and transparently in accordance with the right to privacy;
- collected for specified and legitimate purposes;
- limited to what is necessary;
- collected only where a valid explanation is provided whenever information relating to family or private affairs is required;
- accurate and, where necessary, up to date, with every reasonable step being taken to ensure that any inaccurate personal data is erased or rectified without delay; and
- kept in a form which identifies the data subjects for no longer than is necessary.
As a rule, a data controller or data processor ought to collect personal data directly from the data subject.
Notwithstanding the general rule on collection of data directly, the Act provides that personal data may be collected indirectly where the-
- data is contained in a public record, or the data subject has deliberately made the data public;
- data subject or their duly appointed guardian has consented to the collection from another source;
- collection from another source would not prejudice the interests of the data subject;
- collection of data from another source is necessary for the-
a) prevention, detection, investigation, prosecution and punishment of crime;
b) enforcement of a law which imposes a pecuniary penalty; or
c) protection of the interests of the data subject or another person.
Duties of data controllers and data processors
Before collecting personal data, in so far as practicable, data controllers or data processors are required to inform the data subject of-
- the rights of the data subject (specified under section 26 of the Act);
- the fact that personal data is being collected;
- the purpose for collection;
- the third parties to whom personal data has been or will be transferred and details of safeguards adopted;
- their contacts and whether any other entity may receive the collected personal data;
- the data being collected pursuant to any law and whether such collection is voluntary or mandatory; and
- the consequences, if any, where the data subject fails to provide all or any part of the requested data.
The Act imposes stringent conditions for the processing of sensitive personal data, which is distinguished from personal data.
The burden of proof for establishing a data subject's consent to the processing
of their personal data for a specified purpose is borne by a data controller or
data processor.
The Act provides that a data controller who, without lawful excuse, discloses
personal data in any manner that is incompatible with the purpose for which
such data has been collected or a data processor who, without lawful excuse,
discloses personal data processed by the data processor without the prior
authority of the data controller, commits an offence under the Act.
Rights of a data subject
Section 26 of the Act provides that a data subject has a right to-
- be informed of the use to which their personal data is to be put;
- access their personal data which is in the custody of a data controller or data processor;
- object to the processing of all or part of their personal data;
- correction of false or misleading data; and
- deletion of false or misleading data about them.
Further, a data subject shall have the right to withdraw consent at any time. However, such withdrawal of consent shall not affect the lawfulness of processing based on consent given before its withdrawal.
A right conferred on a data subject may be exercised-
- if a minor, by a person who has parental authority or by a guardian;
- where the data subject has a mental or other disability, by a person duly authorised to act as their guardian or administrator; or
- in any other case, by a person duly authorised by the data subject.
Processing of personal data relating to children
Data controllers or data processors are prohibited from
processing personal data relating to a child except where consent is given by
the child's parent or guardian and the processing is in such a manner that
protects and advances the rights and best interests of the child.
Data controllers or data processors shall be required to incorporate appropriate mechanisms for age verification and consent in order to process personal data of a child, determined on the basis of-
- available technology;
- volume of personal data processed;
- proportion of such personal data likely to be that of a child;
- possibility of harm to a child arising out of processing of personal data; and
- such other factors as may be specified by the Data Commissioner.
However, the Act provides that a data controller or data processor that exclusively provides counselling or child protection services to a child may be exempted from the requirement to obtain parental consent.
Exemptions
The processing of personal data is exempt from the
provisions of the Act if the same is necessary for national security or its
disclosure is required under any written law or an order of the court or for
the prevention or detection of a crime.
Further, the Act prohibits cross-border transfer of personal data, except where
there is proof of adequate data protection safeguards or consent from the data
subject.
CONCLUSION
It is essential for data controllers or processors to familiarise
themselves with the provisions of the Act and to develop policies and systems
that are compliant with the requirements of the Act.
Many organisations will require a Data Protection Officer whose main function
will be to ensure compliance with the Act, failure to which organisations may
be exposed to hefty fines.
Data controllers and processors are required to process data lawfully while minimising its collection and ensuring that there are sufficient safeguards in place to protect personal data.