DATA PROTECTION ACT
No. 32 of 2018
This Act was passed in August 2018, however has not yet commenced. It introduces new laws In Botswana for the protection of personal data and to ensure the privacy of individuals in relation to their personal data. Prior to the introduction of this Act, there were no laws in Botswana that specifically protected personal data and in a day and age of significant technological advancements, these laws are necessary to ensure that the collection, processing and storage of personal data belonging to other individuals is regulated.
The driving force behind the Data Protection Act was the Maitlamo, Botswana’s National Information and Communications Policy approved by the National Assembly in August 2007. The policy was aimed at increased use of technology to effectively drive social, economic, cultural and political development in the country by making government services predominantly available online through e-service platforms. In order to achieve this goal, it was acknowledged that legal reforms would be necessary including the introduction of data protection laws, since personal data would be stored and processed through electronic means.
The Act clearly defines what constitutes personal data, which definition includes not only information by which persons can be identified, but even that which makes them potentially identifiable whether directly or indirectly. The Act establishes the Information and Data Protection Commission, which will be responsible for ensuring effective application of and compliance with the Act after its commencement. All complaints and investigations pertaining to the Act will be dealt with by the Commission and in the event any parties to proceedings before the Commission are dissatisfied with the decision of the Commission, these can be appealed to the Information and Data Protection Appeals Tribunal. The duties of the Commission are widely crafted and include providing guidance and instructions on appropriate measures to ensure the security of personal data, informing individuals of their rights in relation to data protection and conducting research and studies and promoting educational activities relating to the protection of personal data.
The jurisdiction of the Act extends to data controllers situated outside Botswana where the data is processed using means situated in Botswana, although the transfer of personal data outside Botswana is limited severely. Some of the key provisions of the Act include requirements for data to be processed, privacy protection of personal data and set criteria for processing of data for various different purposes. There are also additional safeguards for dealing with “Sensitive Personal Data”. The Act prescribes hefty penalties in the form of monetary fines and imprisonment for violations of its provisions. Although the Act has not yet commenced, there is a transition period of 12 months from commencement within which all processing of personal data must be made compliant with the Act.
This Act is a welcome addition to the current laws in force in Botswana, and collectively with other laws in the process of being promulgated on other affected areas of information and communications technology and e-commerce, will increase the effectiveness of Government departments and encourage investor confidence in the country.