Botswana Data Protection Act

CHAPTER 42:17
DATA PROTECTION

ARRANGEMENT OF SECTIONS

PART I
Preliminary

PART II
Information and Data Protection Commission

4. Establishment of Information and Data Protection Commission

5. Functions and powers of Commission

6. Staff of Commission

7. Powers of Commissioner

8. Oath of secrecy

9. Direction by Minister

PART III
Information and Data Protection Commission’s Specific Powers in Relation to Processing of Personal Data

10. Right of access to information by Commissioner

11. Commissioner to seek rectification

12. Order to delete personal data

13. Collaboration with other bodies

PART IV
Requirements and Criteria for Processing Data

14. Requirements for processing

15. Limitation to processing

16. Criteria for processing

17. Processing for other purposes

18. Processing for direct marketing

19. Revocation of consent

PART V
Processing of Sensitive Personal Data

20. Prohibition for processing of sensitive personal data

21. Safeguards for processing sensitive personal data

22. Processing by bodies or entities

23. Processing for health or medical purposes

24. Processing for research, scientific and statistics purposes

25. Processing of genetic and biometric data

26. Processing for legal purposes or by Government

27. Processing of identity card

PART VI
Data Collection, Right to Access and Duties of Data Controller

28. Information for data subject

29. Data collected from other sources

30. Rights of data subject

31. Authorisation to process

32. Safeguards for processing of personal data

33. Notification of breach to safeguards

34. Obligation to notify Commissioner

35. Exemption from notification

36. Data protection representative

37. Register maintained by data protection representative

39. Register maintained by Commissioner

40. Information provided by data controller or data protection representative

PART VII
Investigations and Enforcement

41. Investigation by Commissioner

44. Variation or revocation of enforcement notice

47. Proceedings of Tribunal

PART VIII
Miscellaneous Provisions

48. Transborder flow of personal data

49. Transfer of personal data to third country

50. Protection from personal liability

51. Offences and penalties

52. Compensation for damages

Act 32, 2018,
S.I. 86, 2021,
Act 33, 2022.

An Act to regulate the protection of personal data and to ensure that the privacy of individuals in relation to their personal data is maintained; to establish the Information and Data Protection Commission; and to provide for all matters incidental thereto.

[Date of Commencement: 15th October, 2021]

PART I
Preliminary

This Act may be cited as the Data Protection Act.

In this Act, unless the context otherwise requires—

"biometric data" means any information stemming from the statistical analysis of biological data;

"block" in relation to personal data, means the operation to suspend modification of data or suspend or restrict the provision of information to a third party when such provision is suspended or restricted in accordance with this Act;

"Commission" means the Information and Data Protection Commission established under section 4;

"Commissioner" means the Commissioner of the Information and Data Protection Commission appointed under section 6;

"consent" means any freely given, specific and informed expression of the wishes of the data subject, by which the data subject agrees to the processing of personal data relating to him or her;

"data controller" means a person who alone or jointly with others, determines the purposes and means of which personal data is to be processed, regardless of whether or not such data is processed by such person or agent on that person’s behalf;

"data processor" means a person who processes data on behalf of the data controller;

"data protection representative" means a person who is appointed by the data controller, which person shall independently ensure that personal data is processed in a correct and lawful manner;

"data subject" means an individual who is the subject of personal data;

"direct marketing" means directly reaching a market, customers or potential customers on a personal basis or mass media basis, and it includes attempting to locate, contact, offer and make incentives to consumers, through communication medium such as phone calls, private meetings, infomercials, magazines or advertisements;

"file" means any structured set of personal data which is accessible according to specific criteria, whether centralised or dispersed on a functional or geographical basis, regardless of its format or media;

"filing system" means a structured set of personal data which is accessible according to specific criteria, whether centralised, decentralised or disposed on a functional or geographical basis;

"genetic data" means personal data relating to the inherited or acquired characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question;

"identity card number" means the number that appears in the National Identity Card issued in accordance with the National Registration Act (Cap. 01:02);

"personal data" means information relating to an identified or identifiable individual, which individual can be identified directly or indirectly, in particular by reference to an identification number, or to one or more factors specific to the individual’s physical, physiological, mental, economic, cultural or social identity; and "data" shall be construed accordingly;

"processing of personal data" means any operation or a set of operations which is taken in regard to personal data, whether or not it occurs by automatic means, and includes the collection, recording, organisation, storage, adaptation, alteration, retrieval, gathering, use, disclosure by transmission, dissemination or otherwise making information available, alignment or combination, blocking, erasure or destruction of such data; and "processing" shall be construed accordingly;

"recipient" means a person to whom personal data is provided, but does not include—

(a) a person who received data in the framework of a particular legal proceeding; and

(b) the Commissioner, when the personal data is provided in order to perform the duty to supervise, control or audit;

"sensitive personal data" means personal data relating to a data subject which reveals his or her—

(a) racial or ethnic origin;

(b) political opinions;

(c) religious beliefs or philosophical beliefs;

(d) membership of a trade union;

(e) physical or mental health or condition;

(f) sexual life;

(g) filiation; or

(h) personal financial information,

(a) any commission or alleged commission by him or her of any offence;

(b) any proceedings for any offence committed or alleged to have been committed by him or her, the disposal of such proceedings, or the sentence of any court in such proceedings; and

(c) genetic data, biometric data and the personal data of minors;

"third country" means a State that is not included in the Order made under section 48;

"third party" means a person other than the data subject, the data controller, the data processor, the data protection representative and such other person authorised by the data controller or data processor;

"transborder flow" means the international flow of personal data which can either be transmitted by electronic or other forms of transmission, including satellite; and

"Tribunal" means the Information and Data Protection Appeals Tribunal established under section 45.

(1) This Act shall apply to the processing of personal data entered in a file by or for a data controller—

(a) in Botswana; or

(b) where the data controller is not in Botswana, by using automated or non-automated means situated in Botswana, unless those means are used only to transmit personal data:

Provided that when the recorded personal data is processed by non-automated means, it forms part of a filing system or is intended to form part of a filing system.

(2) This Act shall not apply to the processing of personal data—

(a) in the course of a purely personal or household activity; and

(b) by or on behalf of the State where the processing—

(i) involves national security, defence or public safety,

(ii) is for the prevention, investigation or proof of offences, the prosecution of offenders or the execution of sentences or security measures,

(iii) is for economic or financial interest, including monetary, budgetary and taxation matters, and

(iv) is for a monitoring, inspection or regulatory function connected with the exercise of functions under subparagraphs (i), (ii) and (iii).

(3) This Act is exempt from application to the processing of personal data specified under subsection (2)(b), to the extent that adequate security safeguards have been established in specific legislation for the protection of such personal data.

PART II
Information and Data Protection Commission

4. Establishment of Information and Data Protection Commission

(1) There is hereby established a body to be known as the Information and Data Protection Commission.

(2) The Commission shall be a public office, and the provisions of the Public Service Act (Cap. 26:01) shall apply to the Commission and its officers.

5. Functions and powers of Commission

(1) The Commission shall do all such things as are necessary to protect the personal rights of individuals with regard to their personal data, and shall ensure the effective application of and compliance with this Act, in particular, to the right to protection of personal data, access, rectification, objection and cancellation of such data.

(2) Without derogating from the generality of subsection (1), the Commission shall—

(a) ensure compliance with the provisions of the Statistics Act (Cap. 17:01)—

(i) with regard to the collection of statistical data and statistical secrecy, and

(ii) to issue precise instructions and give opinions on the security safeguards in place, for files set up for purely statistical purposes;

(b) instruct a data controller to take such measures which are necessary to ensure that the processing of personal data is in accordance with this Act;

(c) provide guidance and instructions on appropriate measures to ensure the security of personal data;

(d) conduct research and studies, and promote educational activities relating to protection of personal data;
