The Botswana Data Protection Act (No.32 of 2018), (the “Data Protection Act”) recently came into effect on 15 October 2021. Persons processing personal data have been given a grace period of one year to get their ducks in a row.
The objective of the Data Protection Act is to regularize and provide protection of personal data by ensuring that those who process personal data do so in a lawful and reasonable manner. The key role of the Act is to empower individuals to take control of their personal data and have a say in how their personal data is used. The Data Protection Act creates transparency and provides the data subject with legal recourse where their personal data is collected or used in an unlawful manner.
The Data Protection Act has been discussed ad infinitum but with the end of the grace period fast approaching it is worth analyzing adnusea
While the Act is a much-welcomed legislative development, it is superfluous if not explained and not applied appropriately. To ensure that it is effectively applied after its commencement, the Data Protection Act establishes the Information and Data Protection Commission (the “Commission”). The Data Protection Act gives the Commission the power to do all things necessary to protect the personal rights of individuals with regards to their personal data and must investigate any complaints from individuals and respond accordingly.
Now, what are the salient features of this Act so Batswana can understand it and adhere to it?
The key definitions under Section 2 of the Data Protection Act are as follows:
Consent: means freely given, specific and informed expression of the wishes of the data subject, by which the data subject agrees to the processing of personal data relating to him/her.
Commission: means the Information and Data Protection Commission, a public office established by section 4 of the Data Protection Act.
Commissioner: means the Commissioner of the Information and Data Protection Commission appointed under section 6 of the Data Protection Act.
Data Controller: A person who alone or jointly with others determines the purposes and means by which personal data is to be processed, regardless of whether or not such data is processed by such person or agent on that person's behalf.
Data processor: A person who processes data on behalf of the data controller.
Data protection representative: means a person who is appointed by the data controller, which person shall independently ensure that personal data is processed in a correct and lawful manner.
Data subject: means an individual who is the subject of personal data.
Personal data: Personal data means information relating to an identified or identifiable individual, which individual can be identified directly or indirectly, in particular by reference to an identification number, or to one or more factors specific to the individual's physical, physiological, mental, economic, cultural, or social identity.
Processing of personal data: means any operation or set of operations which is taken in regard to personal data, whether or not it occurs by automatic means, and includes the collection, recording, organization, storage, adaptation, alteration, retrieval, gathering, use, disclosure by transmission, dissemination or otherwise making information available, alignment or combination, blocking, erasure or destruction of such data.
Sensitive data: Personal data relating to a data subject which reveals their:
- racial or ethnic origin;
- political opinions;
- religious beliefs or philosophical beliefs;
- membership of a trade union;
- physical or mental health or condition;
- sexual life;
- filiation;
- personal financial information
- any commission or alleged commission by them of any offence;
- any proceedings for any offence committed or alleged to have been committed by them, the disposal of such proceedings, or the sentence of any court in such proceedings; and
- genetic data, biometric data, and the personal data of minors.
Transborder flow: means the international flow of personal data which can either be transmitted by electronic or other forms of transmission, including satellite.
A data controller shall ensure that the following requirements for processing are adhered to:
- consent
- fair and lawful processing
- adequate and relevant information is collected and used
- personal data must be collected for a specific, explicitly stated and legitimate purpose
- personal data must be accurate, complete and kept up to date
- personal data collected will be protected by reasonable security safeguards against risks such as loss, unauthorized access, destruction, use, modification, or disclosure
- personal data is not kept for a period longer than necessary
- personal data is processed in accordance with good practice
With all the above, how does one comply with the Data Protection Act to ensure that come the 15 October 2022 their ducks are in a row?
Data protection requires a holistic approach to system design that incorporates a combination of legal, administrative, and technical. Below are 5 practical steps that encapsulate this combination that will cost you little to nothing:
- Conduct a data inventory – basically a checklist of all data processed by the organization. Note down the reasons for collection, where it is stored (cloud or physical cupboard), which department keeps the largest volumes of data, and how long it is stored (look at the different legislation which gives an indication of how long data should be stored i.e., employee data – Employment Act, director information – Companies Act etc.…
- Appoint a data protection representative so they can be responsible for ensuring that your organization is consistently complying with the Data Protection Act
- Secure data – any data in an organization must be either physically secured i.e., locked up in a cupboard and stored in a cloud or ensure your computers/electronic devices have strong passwords which are regularly changed
- “The clean desk” habit – practice shredding unwanted or no longer used documents and always leave your desk empty when you’re not using it, so information is not laying around for any eye to catch
- Ensure that your software and anti-virus systems are updated regularly to limit the chances of hacking
An ordinary person processing personal data in contravention of the Data Protection Act is liable to a fine not exceeding BWP 300 000. A data controller, on the other hand, who processes personal data in contravention of the Act will be liable to a fine not exceeding BWP 500 000 or imprisonment not exceeding nine years. An ordinary person who processes sensitive personal data in contravention of the Data Protection Act will be liable to a fine not exceeding BWP 1 million.
Lebogang George is an admitted attorney in Botswana and an associate in the Corporate Commercial Department at Desai Law Group. She spent more than a decade working in South Africa. It is in South Africa where she expanded her knowledge and focus on Corporate Commercial Law as well as Data Privacy and Data Protection Law, IT Governance as well as Cyber Security.
Lebogang's experience in Data Protection and Privacy Law spans across South Africa and the European Union and has advised clients in both public and private sectors. She has recently taken a keen interest in the Botswana Data Protection Act and provides advice on the Botswana DPA.