The Data Protection Act comes into effect

Otlaadisa Law Media Regulations

The Data Protection Act, Act 32 of 2018, (“the Act”) came into operation on 15 October 2021. This piece of legislation was enacted to give individuals in Botswana comprehensive protection of their data within a single primary Act. Before its enactment, data privacy was inadequately protected in a piecemeal fashion, mostly by the common law and other pieces of legislation. The Act establishes the Information and Data Protection Commission (“the Commission”), which is responsible for the implementation of the Act.

Scope of the Act

The Act applies to the processing of personal data entered in a file by or for a data controller either in Botswana or, where the data controller is not in Botswana, by using automated or non-automated means situated in Botswana, unless these means are used only to transmit personal data. The Act does not apply in circumstances where personal data is processed during a purely personal or household activity or on behalf of the State for national security, prosecution of offences, budgetary or tax matters and the like.

Personal Data and Sensitive Personal Data

The Act defines both personal data and sensitive personal data:

  • Personal data is defined as “information relating to an identified or identifiable individual, which individual can be identified directly or indirectly, in particular by reference to an identification number, or to one or more factors specific to the individual’s physical, physiological, mental, economic, cultural or social identity and ‘data’ shall be construed accordingly.”
  • Sensitive personal data, on the other hand, is personal data that reveals, among other things, an individual’s racial or ethnic origin, physical or mental health, membership of a trade union or personal financial information, political opinions, genetic data, biometric data and personal data of minors.

Regulation

The Act primarily focuses on three main parties to the processing of data: data controllers, data subjects and data processors. A data subject is the subject of personal data (the individual), a data controller is a person who determines the purposes and means of processing of personal data, and a data processor is a person who processes data on behalf of a data controller and can only process personal data as instructed by the data controller.

The Act indicates that a data subject can only be a natural person while data controllers and processors can be both natural and juristic persons. This means that rights conferred by the Act are enjoyable only by individuals and not companies/organisations, but the obligations are universal.

Processing of Data

Processing of data is subjected to different standards under the Act depending on whether it is simply personal data or sensitive personal data:

  • Processing of sensitive personal data is generally prohibited except where it is specifically provided for by the Act or by other written law, the data subject has given written consent or made the data public, or processing is for purposes such as national security. Whenever sensitive personal information is processed, adequate safeguards must be adopted by the data controller and processor.
  • Processing of personal data, on the other hand, is generally permitted. Generally, before personal data can be processed, a data subject must give his or her written consent, which consent may be revoked on legitimate grounds by the data subject. In addition, the data controller or processor is obliged to provide the data subject with information including the purpose for processing their personal data, their right to object to the intended processing, whether processing is for purposes of direct marketing, etc.

Rights and Obligations Under the Act

The data subject has various rights under the Act such as the right to obtain confirmation on whether a data controller or processor has information relating to him or her and the accompanying right to demand that the information be deleted by the data controller or processor. A data subject also has the right to institute legal action for compensation against a data controller who processes data in contravention of the Act.

Data controllers have the responsibility to ensure that data is processed fairly, lawfully and in accordance with good practice, that data is obtained with the consent of data subjects and that personal data is protected by reasonable safeguards against risks such as loss, unauthorised use and destruction.

Transfer of Personal Data

The transfer of personal data from Botswana to another country is generally prohibited. However, the Minister may, by order published in the government gazette, designate the transfer of personal data to any country listed in such order. Currently, no such order has been published. Personal data that is undergoing or is intended to undergo processing in another country may only be transferred if such country ensures an adequate level of protection as determined by the Commission.

Notwithstanding the above, data may be transferred to other countries in instances including, among others, where the data subject has consented to the proposed transfer or transfer is necessary for the performance of a contract between the data subject and the data controller or the implementation of pre-contractual measures taken in response to the data subject’s request.

Penalties

The Act provides for stringent penalties for contraventions of its provisions such as, among others, processing personal data or sensitive personal data in contravention of the Act and failure by a data controller to implement security safeguards as contained in the Act. The penalties range from fines of between BWP20,000.00 and BWP1,000,000.00, to imprisonment for a term of between one year and twelve years, or to both imprisonment and a fine.

Conclusion

Data controllers and processors should be taking steps to align their data protection policies with the Act during this one-year transitional period granted by the Act. This transitional period is due to lapse on 14 October 2022. Failure to regularise their operations to comply with the Act would result in penalties attaching to the non-compliant data controllers and processors.

If you have any questions or require any assistance with regularising your business operations, we are available to assist. Please feel free to contact Onalenna Otlaadisa at onalenna@otlaadisa.law, Andile Mthupha at andile@otlaadisa.law or Watipa Lesetedi at associate@otlaadisa.law, or contact us on our office line at (+267) 3111072.