The Botswana Data Protection Act, assented to by Parliament in August 2018, will finally come into force as enforceable law this month, October 2021.
The Act defines what constitutes personal data and sets out the rights and obligations of the parties involved in the processing of personal data: the data subject, the data controller and the data processor. It also establishes the Information and Data Protection Commission, which will be responsible for ensuring the effective application of the Act once it commences.
The Act defines the terms data subject, personal data, sensitive personal data, processing and data controller as follows:
(a) Data subject: an individual who is the subject of personal data.
(b) Personal data: information relating to an identified or identifiable individual, that is, an individual who can be identified directly or indirectly, in particular by reference to an identification number or to one or more factors specific to the individual's physical, physiological, mental, economic, cultural or social identity.
(c) Sensitive personal data: personal data relating to a data subject which reveals his or her (a) racial or ethnic origin; (b) political opinions; (c) religious or philosophical beliefs; (d) membership of a trade union; (e) physical or mental health or condition; (f) sexual life; (g) filiation; or (h) personal financial information, and includes any commission or alleged commission by him or her of any offence; any proceedings for any offence committed or alleged to have been committed by him or her, the disposal of such proceedings, or the sentence of any court in such proceedings; and genetic data, biometric data and the personal data of minors.
(d) Processing: any operation or set of operations performed on personal data, whether or not by automatic means, including the collection, recording, organisation, storage, adaptation, alteration, retrieval, gathering, use, disclosure by transmission, dissemination or otherwise making information available, alignment or combination, blocking, erasure or destruction of such data; and
(e) Data controller: a person who, alone or jointly with others, determines the purposes and means by which personal data is to be processed, whether or not the data is processed by that person or by an agent on that person's behalf.
Under the Act, a data controller is required, inter alia, to ensure that:
(a) personal data is processed fairly and lawfully and, where appropriate, is obtained with the knowledge or consent of the data subject;
(b) personal data is collected for specific, explicitly stated and legitimate purposes;
(c) personal data is not processed for any purpose that is incompatible with those specific, explicitly stated and legitimate purposes;
(d) personal data is protected by reasonable security safeguards against risks such as loss, unauthorised access, destruction, use, modification or disclosure; and
(e) personal data is not kept for longer than is necessary, having regard to the purposes for which it is processed.
Under the Act, personal data may be processed, inter alia, where:
(a) the data subject has given his or her consent in writing;
(b) processing is necessary for the performance of an activity carried out in the public interest or in the exercise of an official authorisation vested in the data controller or in a third party to whom the data is disclosed; or
(c) processing is necessary for a purpose that concerns a legitimate interest of the data controller, or of a third party to whom the personal data is provided, except where that interest is overridden by the interest in protecting the fundamental rights and freedoms of the data subject, in particular the right to privacy.
The Act further provides that personal data shall not be disclosed, made available or otherwise used for purposes other than those specified, except with the consent of the data subject or as authorised by any written law. The data subject also has the right under the Act to revoke, in writing, his or her consent to the processing of his or her personal data.
With regard to sensitive personal data, the Act prohibits its processing except in certain circumstances, including where the data subject has consented, where the data subject has made the data public, or where the processing is for national security, is authorised by written law, or is for legal, research and statistical, or health purposes.
The Act further provides that a person may submit a written complaint to the Commissioner alleging interference with the protection of personal data, or against a decision made under the Act.
The Act also establishes an Information and Data Protection Appeals Tribunal to adjudicate matters involving breaches of the Act and to hear appeals against decisions taken by the Commissioner under the Act.
Section 51 of the Data Protection Act provides for offences and penalties. It prescribes different punishments for data controllers and for ordinary persons who process personal data in contravention of the Act.
For ordinary persons, Section 51 provides that:
- an ordinary person who processes personal data in contravention of the Data Protection Act is liable to a fine not exceeding BWP 300,000;
- an ordinary person who processes sensitive personal data in contravention of the Data Protection Act is liable to a fine not exceeding BWP 500,000, or to imprisonment for a term not exceeding nine years.
For data controllers, Section 51 provides that:
- a data controller who processes personal data in contravention of the Data Protection Act is liable to a fine not exceeding BWP 500,000, or to imprisonment for a term not exceeding nine years, or to both;
- a data controller who processes sensitive personal data in contravention of the Data Protection Act is liable to a fine not exceeding BWP 1 million, or to imprisonment for a term not exceeding 12 years, or to both;
- a data controller who does not inform a data subject of the rights conferred on the data subject under the Data Protection Act is liable to a fine not exceeding BWP 100,000, or to imprisonment for a term not exceeding three years, or to both; and
- a data controller who does not implement the security safeguards required under Section 32 of the Data Protection Act is liable to a fine of BWP 500,000, or to imprisonment for a term not exceeding nine years, or to both.
Other penalties:
Section 10(3) of the Data Protection Act provides that any person who fails to comply with a request made by the Commissioner under Section 10 is liable to a fine not exceeding BWP 100,000, or to imprisonment for a term not exceeding three years, or to both.
Section 18(3) of the Data Protection Act provides that a data controller who processes personal data for direct marketing purposes despite the objection of the data subject is liable to a fine not exceeding BWP 500,000, or to imprisonment for a term not exceeding nine years, or to both.