Every year, during the month of June, the LGBTQIA+ community celebrates Pride in various ways across the globe. These celebratory activities are also used to raise awareness and educate people by highlighting the need to do away with discrimination and violence towards anyone due to their sexual orientation, amongst other things.
As this Pride month draws to a close, I would like to also take this opportunity to teach and impart knowledge by highlighting certain privacy rights that people are often not aware of. When we celebrate, we must also take the opportunity to teach, engage and apprise one another, where we can, of things that may be too esoteric.
With that said, our legislation is becoming robust enough and inclusive enough that it makes me delight in writing about it in a more positive and encouraging light – the Botswana Data Protection Act (No.32 of 2018), (the Botswana DPA or the Act), specifically, section 2 of the Act, contains a “sensitive personal data” definition which definition includes " Sexual Life”. Sexual life is considered to be sensitive personal data, and as such, it should be processed within the prescripts of the Botswana DPA.
What exactly does it mean to categorize personal data as “sensitive”?
Personal data that is considered to be sensitive has additional conditions and a slightly higher threshold to be adhered to compared to personal data. This special category of personal data must be treated with extra security and care since it is more personal to an individual and wouldn’t be readily revealed to the public or to any other individual by the data subject.
The provisions set out in section 20 of the Botswana DPA make it almost an insurmountable task to process sensitive personal data. What stands out the most when it comes to this Act is that the definition of processing is so wide that it includes anything and everything that one can do with data/information whether physically or electronically, be it – storing it, amending it, sharing it, modifying it, gathering it, disclosing of it, erasing, and destroying it etc.…
Section 20, is prohibitive in nature when it comes to the processing of sensitive personal data unless certain requirements are met which include:
a) The processing is specifically provided for under the Botswana DPA;
b) The data subject has given his/her consent in writing;
c) The data subject has made the data public;
d) The processing is
- Necessary for national security;
- Necessary for purposes of exercising or performing any right or obligation which is conferred or imposed by law on the data controller in connection with employment, or;
- Authorized by any other written law, for any reason of substantial interest to the public; or
e) The processing is necessary to protect the vital interest of a data subject or another person in a case where –
- Consent cannot be given by or on behalf of the data subject;
- The data controller cannot be reasonably expected to obtain the consent of the data subject; or
- Consent by or on behalf of the data subject has been unreasonably withheld.
When sensitive personal data is processed the data controller must at all times ensure that adequate and appropriate security safeguards are in place. Although the Botswana DPA does not specify what these “adequate” and “appropriate” security safeguards are – data controllers must ensure that these include organizational and technical measures. I’ll provide a quick example – Organizational (teaching, and training staff about data protection/privacy and practising data governance by keeping data safe and secure) Technical (installing up-to-date software which includes anti-virus software, firewall systems and access and authentication controls etc.).
As we continue to create awareness even beyond the month of Pride may we also be cognizant of our privacy rights and may everyone who identifies as LGBTQIA+ who feel that there has been interference or violation of their sensitive personal data in terms of section 20 or feel that they have had their sensitive personal data relating to their sexual orientation/life collected and processed without their written consent and not within the purview of section 20 shall report their grievances to the Commission. The Commission has the power to instruct a data controller to take such measures which are necessary to ensure that the processing of personal data, including sensitive personal data is processed in accordance with the Botswana DPA and in addition the Commission must take remedial action as is necessary or prescribed should they discover that indeed there has been a violation of the Act.
*Definitions*
Commission: means the Information and Data Protection Commission established under the Botswana DPA.
Data Controller: means a person who alone or jointly with others, determines the purposes and means of which personal data is to be processed, regardless of whether or not such data is processed by such person or agent on that person’s behalf.
Data Subject: means an individual who is the subject of the personal data.
Personal Data: means information relating to an identified or identifiable individual, which individual can be identified directly or indirectly, in particular by reference to an identification number, or to one or more factors specific to the individual's physical, physiological, mental, economic, cultural, or social identity.
Sensitive Personal Data: Personal data relating to a data subject which reveals their:
- racial or ethnic origin;
- political opinions;
- religious beliefs or philosophical beliefs;
- membership of a trade union;
- physical or mental health or condition;
- sexual life;
- filiation; or
- personal financial information.
Sensitive Personal Data also includes:
- any commission or alleged commission by them of any offence;
- any proceedings for any offence committed or alleged to have been committed by them, the disposal of such proceedings, or the sentence of any court in such proceedings; and
- genetic data, biometric data, and the personal data of minors.
Lebogang George is an admitted attorney in Botswana and an associate in the Corporate Commercial Department at Desai Law Group. She spent more than a decade working in South Africa. It is in South Africa where she expanded her knowledge and focus on Corporate Commercial Law as well as Data Privacy and Data Protection Law, IT Governance as well as Cyber Security.
Lebogang's experience in Data Protection and Privacy Law spans across South Africa and the European Union and has advised clients in both public and private sectors. She has recently taken a keen interest in the Botswana Data Protection Act and provides advice on the Botswana DPA.
Image source: https://www.istockphoto.com/vector/happy-pride-month-rainbow-concept-on-white-gm1319327571-406225424