MAKING SENSE OF IT:- WHAT IS DATA PROTECTION? Presented by the Data Protection Commissioner (Mrs D. Madhub) To the Truth and Justice Commission on 9.03.11 Tel:- 201 36 04, [email protected] , fax 201 39 76
Dec 14, 2015
DATA PROTECTION OFFICE{PMO}
The Data Protection Office came into pre-existence with the
promulgation of the Data Protection Act of 2004, in February
2009, that is, 5 years after the enactment of the DPA and
through the appointment of the Commissioner assisted by a
confidential secretary.
In the middle of 2010, a small administrative staff of 4 officers
was created to assist the Commissioner.
Today, the office consists of 11 officers including an Investigation
Unit of 3 investigators.
The office is mainly called upon to investigate complaints relating
to data protection incidents, to register all data controllers and
data processors in Mauritius, to sensitise the public on the
mission of the office and their obligations and rights, to carry
out security checks and data protection compliance audits, to
exercise control on all data protection issues, amongst others.
During 2009 and 2010, the office concentrated on the
registration of about 10000-15000 data controllers in
Mauritius with a very limited personnel of 3 investigators,
together with the investigation of complaints and site visits,
the production of guidelines and codes of practice, and the
submission of an annual report to the National Assembly.
This perhaps explains why the office never had the time to
carry out massive sensitisation campaigns, as it had to
prioritise its functions and activities.
However, the office did run many small
sensitisation campaigns, which are posted on the
website of the office, including the sending by
mail and fax of registration information to about
12000 data controllers and various
communiqués in the press.
The Data Protection Act 2004 (DPA) gives living
individuals the right to know what information is
held about them. It provides the legal framework to
ensure that personal information is handled
properly.
The mission of the office is quite clear:- the
protection of the processing of all personal data in
Mauritius to safeguard the privacy rights of living
individuals.
Are you a data controller?
If you, as an individual or an
organisation, public or private, collect,
store or process any data about living
people on any type of computer or in a
structured filing system, then you are
a data controller.
• Data controllers are thus the natural or legal persons who
determine the purposes and the means of the processing of
personal data, both in the public and in the private sector.
Who is a data processor?
• The data processor is the person, other than an employee of
the data controller, who has a written contract with the data
controller and who processes personal data on behalf of the
data controller.
Personal data is defined under the DPA as data, whether
recorded electronically or otherwise, which relates to an
identified or identifiable living individual, i.e., whose
identity is apparent or can reasonably be ascertained from
the data.
The definition in the Act is a compendious one and it is
difficult to envisage any action involving data which is not
personal data within this definition.
Oral data may fall within the definition of personal
data if it is information relating to a living individual.
Oral data may further be sensitive if it relates to the:-
• racial or ethnic origin;
• political opinion or adherence;
• religious belief or other belief of a similar nature;
• membership to a trade union;
• physical or mental health;
• sexual preferences or practices;
• the commission of an offence; or
• any proceedings for an offence committed or alleged to have been committed by him, the disposal of such proceedings or the sentence of any court in such proceeding;
of an individual.
What does processing, legally speaking,
mean?
"processing" means any operation or set of
operations which is performed on the data
wholly or partly by automatic means, or
otherwise than by automatic means, and
includes -
collecting, organising or altering the data;
retrieving, consulting, using, storing or adapting
the data;
disclosing the data by transmitting, disseminating
or otherwise making it available; or
aligning, combining, blocking, erasing or
destroying the data.
Can oral data be processed by a data controller or processor and under
what conditions?
Processing of personal oral data may only be effected with the express
consent of the data subject, i.e., the owner of the data, except if it falls
within the exceptions under section 24(2) of the DPA, namely where it
relates to the execution of a contract between the data controller and
the data subject, the vital interests of the data subject, compliance with
a legal obligation by the data controller, the administration of justice
or in the public interest, where consent of the data subject is not
required.
For instance, oral data collected for the
purpose of protecting objectively the vital
interests of the data subject or compliance
with the law may be applicable to the Truth
and Justice Commission, depending on its
mandate.
Can sensitive data be processed by a data controller?
No sensitive data can be processed without the consent of the data subject or where the latter has made the data public and subject to certain further exceptions as provided in the Act where consent is not required. The exceptions resemble those contained in section 24 (2).
However, oral data collected which falls within the
category of research, history and statistics is
exempt from the limited retention and the
compatibility principles and the right to access.
These exemptions will not apply in the case where
the research is not related to living individuals or
where the processing cannot be potentially harmful
to a data subject or the data is anonymised.
Exemptions:-
1. Section 28 of the DPA provides that a data controller
has the duty to destroy personal data as soon as is
reasonably practicable once the purpose for keeping the
data has lapsed. Thus, the data controller must keep the
data for a definite period of time which is determined
with regard to the justifications for keeping the
information and on a case-by-case basis by the DPO.
2. The principle of compatibility as
explained in section 26 (a) relates to the
collection of data only for specified and
lawful purposes. Unspecified or unrelated
purposes are deemed to be incompatible.
3. The right to access personal data is
guaranteed under Part VI of the DPA. It is the
right of the individual to request in writing to the
data controller, by filling in the request for access
to personal data form accompanied by a fee of Rs
75, to be informed of the purposes for which the
data has been kept and the recipients of the data.
The data controller has 28 days to comply
or if not possible, to comply in a
reasonably practicable time after having
informed the individual of his
predicament.
The Eight Data Protection Principles which may be termed the mantras of data protection are as follows-
Personal data shall be processed fairly and lawfully.
Personal data shall be obtained only for a specified and lawful purpose, and shall not be further processed in any manner incompatible with that purpose.
Personal data shall be accurate and, where necessary, kept up to date.
Personal data processed for any purpose shall not be kept longer than is necessary for that purpose or those purposes.
Personal data shall be processed in accordance with the rights of the data subjects under the Data Protection Act.
Appropriate security and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
Personal data shall not be transferred to another
country, unless that country ensures an adequate
level of protection for the rights of data subjects in
relation to the processing of personal data. Transfers
of personal data abroad have to be effected with the
authorisation of the Commissioner.
Does the data controller have to be
registered with the DPO?
It is an offence not to register or renew
registration each year or to provide false
information in the registration form.
The DPO can prosecute data controllers before the
Intermediate Court for offences committed under the
DPA and it can also serve enforcement notices upon
data controllers/processors not complying with the
DPA. The enforcement notice will specify a time period
of not less than 21 days for compliance with the
measures recommended. Non-compliance is an offence.
Conclusion:-
The DPO is in favour of the adoption of a research protocol
applicable to all relevant organisations and the creation of a
national oral data centre, provided compliance is effected with all
the relevant provisions of the DPA. The enactment of a
Freedom of Information Act is also welcomed by the DPO. This
office also has the legal duty to publish guidelines every year and
will be glad to assist any organisation wishing to adopt relevant
guidelines and codes of practice.