MAKING SENSE OF IT:- WHAT IS DATA PROTECTION? Presented by the Data Protection Commissioner (Mrs D. Madhub) To the Truth and Justice Commission on 9.03.11 Tel:- 201 36 04, [email protected] , fax 201 39 76
Dec 14, 2015

Jordan Eve
DATA PROTECTION OFFICE{PMO}

The Data Protection Office came into pre-existence with the promulgation of the Data Protection Act of 2004, in February 2009, that is, 5 years after the enactment of the DPA and through the appointment of the Commissioner assisted by a confidential secretary.

In the middle of 2010, a small administrative personnel consisting of 4 officers, was created to assist the Commissioner.

Today, the office consists of 11 officers including an Investigation Unit of 3 investigators.

The office is mainly called upon to investigate complaints relating to data protection incidents, to register all data controllers and data processors in Mauritius, to sensitise the public on the mission of the office and their obligations and rights, to carry out security checks and data protection compliance audits, to exercise control on all data protection issues, amongst others.

During 2009 and 2010, the office has concentrated on the registration of about 10000-15000 data controllers in Mauritius with a very limited personnel of 3 investigators, together with the investigation of complaints and site visits, the production of guidelines and codes of practice, the submission of an annual report to the national assembly, which perhaps explains why this office never had the time to carry out massive sensitisation campaigns as it had to prioritise its functions and activities.

However, the office did make many small sensitisation campaigns which are posted on the website of the office, including the sending by mail and fax of registration information to about 12000 data controllers and various communiques in the press.

The Data Protection Act 2004 (DPA) gives living individuals the right to know what information is held about them. It provides the legal framework to ensure that personal information is handled properly.

The mission of the office is quite clear:- the protection of the processing of all personal data in Mauritius to safeguard the privacy rights of living individuals.

Are you a data controller?

If you, as an individual or an organisation, public or private, collect, store or process any data about living people on any type of computer or in a structured filing system, then you are a data controller.

• Data controllers are thus, the natural or legal persons, who determine the purposes and the means of the processing of personal data, both in the public and in the private sector.

Who is a data processor?

• The data processor is the person, other than an employee of the data controller, who has a written contract with the data controller and who processes personal data on behalf of the data controller.

Personal data is defined under the DPA as data, whether recorded electronically or otherwise, which relates to an identified or identifiable living individual, i.e., whose identity is apparent or can reasonably be ascertained from the data.

The definition in the Act is a compendious one and it is difficult to envisage any action involving data which is not personal data within this definition.

Oral data may fall within the definition of personal data if it is information relating to a living individual.

Oral data may further be sensitive if it relates to the:-

• racial or ethnic origin;

• political opinion or adherence;

• religious belief or other belief of a similar nature;

• membership to a trade union;

• physical or mental health;

• sexual preferences or practices;

• the commission of an offence; or

• any proceedings for an offence committed or alleged to have been committed by him, the disposal of such proceedings or the sentence of any court in such proceeding;

of an individual.

What does processing, legally speaking, mean?

"processing" means any operation or set of operations which is performed on the data wholly or partly by automatic means, or otherwise than by automatic means, and includes -

• collecting, organising or altering the data;

• retrieving, consulting, using, storing or adapting the data;

• disclosing the data by transmitting, disseminating or otherwise making it available; or

• aligning, combining, blocking, erasing or destroying the data.

Can oral data be processed by a data controller or processor and under what conditions?

Processing of personal oral data may only be effected with the express consent of the data subject, i.e., the owner of the data, except if it falls within the exceptions under section 24(2) of the DPA, namely where it relates to the execution of a contract between the data controller and the data subject, the vital interests of the data subject, compliance with a legal obligation by the data controller, the administration of justice or in the public interest, where consent of the data subject is not required.

For instance, oral data collected for the purpose of protecting objectively the vital interests of the data subject or compliance with the law may be applicable to the Truth and Justice Commission, depending on its mandate.

Can sensitive data be processed by a data controller?

No sensitive data can be processed without the consent of the data subject or where the latter has made the data public and subject to certain further exceptions as provided in the Act where consent is not required. The exceptions resemble those contained in section 24 (2).

However, oral data collected which falls within the category of research, history and statistics is exempt from the limited retention and the compatibility principles and the right to access.

These exemptions will not apply in the case where the research is not related to living individuals or where the processing cannot be potentially harmful to a data subject or the data is anonymised.

Exemptions:-

1. Section 28 of the DPA provides that a data controller has the duty to destroy personal data as soon as is reasonably practicable once the purpose for keeping the data has lapsed. Thus, the data controller must keep the data for a definite period of time which is determined with regard to the justifications for keeping the information and on a case-to-case basis by the DPO.

2. The principle of compatibility as explained in section 26 (a) relates to the collection of data only for specified and lawful purposes. Unspecified or unrelated purposes are deemed to be incompatible.

3. The right to access personal data is guaranteed under Part VI of the DPA. It is the right of the individual to request in writing to the data controller, by filling in the request for access to personal data form accompanied by a fee of Rs 75, to be informed of the purposes for which the data has been kept and the recipients of the data.

The data controller has 28 days to comply or if not possible, to comply in a reasonably practicable time after having informed the individual of his predicament.

The Eight Data Protection Principles which may be termed the mantras of data protection are as follows-

Personal data shall be processed fairly and lawfully.

Personal data shall be obtained only for a specified and lawful purpose, and shall not be further processed in any manner incompatible with that purpose.

Personal data shall be accurate and, where necessary, kept up to date.

Personal data processed for any purpose shall not be kept longer than is necessary for that purpose or those purposes.

Personal data shall be processed in accordance with the rights of the data subjects under the Data Protection Act.

Appropriate security and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

Personal data shall not be transferred to another country, unless that country ensures an adequate level of protection for the rights of data subjects in relation to the processing of personal data. Transfers of personal data abroad have to be effected with the authorisation of the Commissioner.

Does the data controller have to be registered with the DPO?

It is an offence not to register or renew registration each year or to provide false information in the registration form.

The DPO can prosecute data controllers before the Intermediate Court for offences committed under the DPA and it can also serve enforcement notices upon data controllers/processors not complying with the DPA. The enforcement notice will specify a time period of not less than 21 days for compliance with the measures recommended. Non-compliance is an offence.

Conclusion:-

The DPO is in favour of the adoption of a research protocol to be applicable for all relevant organisations, the creation of a national oral data centre, provided compliance is effected with all the relevant provisions of the DPA and the enactment of a Freedom of Information Act is also welcomed by the DPO. This office also has the legal duty to publish guidelines every year and will be glad to assist any organisation wishing to adopt relevant guidelines and codes of practice.
