PART 6: SIGNIFICANT CONSIDERATIONS IN A DATA PROTECTION AND PRIVACY FRAMEWORK
(By Edith Michael Mtweve)
6.1 Key Considerations in a Data Protection and Privacy Legal Framework
Although the enactment of a law takes into account the prevailing circumstances of the state in question, there are some key issues that ought to be considered and incorporated in a data protection and privacy law in order to regulate the subject better.
6.1.1 Establishment of a regulator’s office
Personal data protection and privacy ought to be regulated by a distinct body or office established purposely for such regulation. Jurisdictions with data protection and privacy legislation have established the regulator’s office in different ways. The GDPR stresses the establishment of a completely distinct and independent regulator, one which does not have ties with pre-existing bodies that could fetter its autonomy.[i]
The Ghanaian Data Protection Act[ii] establishes the Data Protection Commission as the data regulatory body. The governing board of the Commission is composed of various members, most of whom are government officials, and the members are appointed by the President.[iii]
The Kenyan Data Protection Act[iv] establishes the Office of the Data Protection Commissioner as a body corporate with all the basic features of one. The Data Commissioner, as the head of that office, is appointed through a recruitment process conducted by the Public Service Commission whenever the position is vacant.[v]
The Ugandan Data Protection and Privacy Act[vi] establishes the Personal Data Protection Office, headed by a National Personal Data Protection Director. The office falls under the National Information Technology Authority-Uganda (NITA-U), which in turn is under the Ministry of Information Technology, as established under the National Information Technology Authority, Uganda Act.[vii]
The South African Protection of Personal Information Act[viii] establishes the Information Regulator as a juristic person. The Regulator is independent and subject only to the Constitution and the legislation of South Africa. Additionally, the Regulator is accountable to the National Assembly.
The GDPR[ix] directs member states to provide for one or more independent public authorities to monitor the application of the Regulation. The Malabo Convention[x] directs AU member states to establish an independent administrative authority responsible for protecting personal data pursuant to the text of the Convention. The SADC Model Law[xi] likewise directs SADC member states to establish an independent administrative authority.
6.1.2 Regulation of data control and processing
This is an essential part of data protection and privacy regulation. A good law ought to have provisions that cater for the regulation of all categories of data (sensitive data and data which is not sensitive) without preventing data controllers and processors from functioning. These important provisions include, amongst others, the following:[xii]
- Mandatory registration and certification of data processors and controllers by the regulator’s office
- Establishment and maintenance of a Data Protection Register containing names and details of the registered and certified data controllers and processors
- Access to the Data Protection Register
- Prohibition of Processing Data without Registration
- Obligation of a Data Processor
- Data Processing for Marketing Purpose
- Anonymisation of Personal Data for Commercial Use
- Processing of Biometric Data
- Processing of Child Personal Data
- Data Processing Subjected to Evaluation
- Data Protection Impact Assessments
- Unauthorized Processing of Personal Data
6.1.3 Data protection and privacy principles
The regulation of data protection and privacy stems from a set of principles that make such regulation possible; the principles determine the manner and extent of data protection in a jurisdiction:[xiii]
(a) Purpose specification;
(b) Process limitation;
(c) Further processing limitation;
(e) Data subject participation;
(g) Integrity and confidentiality;
(h) Accountability; and
(i) Security safeguards.
6.1.4 Data security measures
This is an essential part of regulating the accountability of data processors and controllers in protecting and maintaining their data subjects’ data and privacy. The law ought to address key data security issues such as:
i Data System Integrity
ii Security Measures for data protection breach prevention and mitigation
iii Notification of Breach
iv Confidentiality Measures
v Compliance with the Security Measures
6.1.5 Data subjects’ rights
Great consideration has to be given to the inclusion of data subjects in the regulation of data protection and privacy. This can be done through the incorporation of data subjects’ rights:
i Right to be Informed
ii Right of Access
iii Right of Rectification
iv Right of Restriction
v Right to be Forgotten
vi Right of Objection
vii Right to Data Portability
viii Right to Complain
6.1.6 Cross-border data transfer
Principally, a data protection law must aim at addressing data both within the state promulgating such legislation and outside the borders of that country, in an effort to protect the data and privacy of data subjects whose data is transferred. Cross-border data protection and privacy is usually guaranteed in circumstances where the country to which data is being transferred has effective data protection and privacy legislation in place. An effective law must at least address:
- Prerequisites for Transfer of Data
- Safeguards for Transfer of Sensitive Personal data
- Categories of Data not to be Transferred
6.1.7 Complaint and enforcement mechanisms
An effective law must put in place complaint resolution mechanisms within the regulator’s office. This goes hand in hand with vesting the regulator’s office with the requisite powers to receive and resolve complaints by data subjects against data controllers and processors.
6.1.8 Data protection and privacy exemptions
Data protection and privacy, pursuant to its foundational principles, can never be absolute. There are circumstances in which data protection and privacy legislation may not apply, and circumstances where personal data may be accessed without strict regard to the data protection principles.
6.1.9 Offences provision
Data protection must be supplemented with general offences and sanctions provisions catering for offences not mentioned under specific sections. Equally, the sanctions for the offences must be commensurate with the magnitude of the offences, and they must strike a balance between promoting data protection and privacy and not unduly harming the operations of data controllers and processors.
6.1.10 Financial provisions
In ensuring the efficacy and independence of a regulator’s office, the financial provisions under a data protection and privacy law must provide for means of financing the operations of the office without those means influencing the office’s operations.
6.2 Key Considerations in a Data Protection and Privacy Regulatory Framework
Drawing inspiration from the GDPR, the Malabo Convention, the SADC Model Law and the data protection legislation of Kenya, Uganda, Ghana, and South Africa, the following must be taken into consideration in establishing an effective regulatory authority:
- Establishing an autonomous regulatory body with minimal affiliation to government or its agencies
- Designation of a head of the regulatory body with proper qualifications and a reasonable appointment or recruitment process
- Members of the data protection board/committee with proper qualifications
- Powers and functions of the board appropriate for effective data protection and privacy; the powers should also aim at striking a balance between data protection and privacy on the one hand and data commerce on the other
6.4 Special Considerations with regard to Tanzania
6.4.1 The Question of Zanzibar
Almost all of the twenty-two union matters between Tanganyika and Zanzibar in forming the United Republic of Tanzania involve issues revolving around personal data and privacy. These include, amongst others, defence and security, citizenship and immigration, income tax, and statistics.
Therefore, an effective legal and regulatory framework on data protection and privacy needs to take into consideration the question of Zanzibar, and as such the law must cater for the legal and regulatory requirements of both Tanzania Mainland and Zanzibar.
This article is the sixth part of the data protection and privacy article series. The next part, titled the rights of data subjects, will be released on 6th June 2022.
This article is not intended to provide legal advice but to provide general information on the matter covered in the Article. The article does not constitute and is not to be relied upon as legal advice. Victory Attorneys & Consultants shall not be responsible for any loss in the event this Article is relied upon without seeking our professional advice first.
[i] Article 52 of the GDPR
[ii] Section 1(1) of the Ghanaian Data Protection Act, 2012
[iii] Ibid, Section 4(1) and 4(2)
[iv] Section 5(1) of the Kenyan Data Protection Act, 2019
[v] Ibid., Section 6(1)
[vi] Section 4 of the Ugandan Data Protection and Privacy Act, 2019
[vii] Section 24 of the National Information Technology Authority, Uganda Act, 2009
[viii] Section 39 of the South African Protection of Personal Information Act, 2013
[ix] Article 51 of the GDPR, 2016
[x] Article 11 of the Malabo Convention, 2014
[xi] Article 3 of the SADC Data Protection Model Law, 2013
[xii] These have drawn great inspiration from the GDPR, the Kenyan, Ugandan, Ghanaian and South African positions
[xiii] These principles have been expounded under (Chapter 2) Articles 5-11 of the GDPR, Part IV of the Kenyan Act, Part II of the Ugandan Act, Chapter 3 of the South African Act and Sections 17-34c of the Ghanaian Act.