Data Protection Act: Requirements For Processing Data

An important element of demonstrating compliance with the Data Protection Act is compliance with the requirements for processing personal data included in the Act. These requirements guide how data processors should process people’s personal information. 

1.     Personal data (PD) shall only be processed fairly, lawfully and transparently in compliance with the provisions of the Act. We are expected to reference an existing law in our processing of personal data.

2.     PD shall be adequate, relevant and not excessive concerning the purposes for which it is processed. This requires that data processors only obtain the necessary PD for their processing requirements. 

3.     PD shall be accurate and, where necessary, kept up to date. This requires the data processor to take steps to ensure that data subjects can provide updated information. 

4.     PD is collected for specific, explicitly stated and legitimate purposes. This requires that the data controller informs the data subject of the purpose/s of the processing. 

5.     PD shall not be further processed in any manner incompatible with those purposes. For example, in the case of Stanbic Bank, PD can be moved from People & Culture to Tech & Ops to ensure an employee has access to a laptop and other company systems, as long as all these purposes are included in the notification to employees about the purposes for processing their PD.

6.     Appropriate technical and organisational measures shall be taken to avoid unauthorised or unlawful processing of personal data and against accidental loss, unauthorised access or destruction, or damage, modification and disclosure of PD. 

7.     Where PD is incomplete or incorrect, all reasonable measures are taken to complete, correct, block or delete the personal data, having regard to the purposes for which it is processed. 

8.     PD processed for any purpose or purposes shall not be kept for longer than is necessary for those purposes. 

9.     PD shall be processed following good practice. This requires the data processors to keep themselves up to date with leading practices in this area. 

By Boitumelo Motshobedi, the Data Protection Officer, Stanbic Bank Botswana
