HIPSSAPROJECT Support for Harmonization of the ICT Policies in Sub-Sahara Africa Meeting with Data Protection Law Stakeholders 28/29 th August, 2013 PRESENTATION ON SWAZILAND DATA PROTECTION LAW (TRANSPOSITION) Kuena Mophethe ITU International Legal Expert on Data Protection Gcinaphi Mndzebele ITU National Legal Expert: Data Protection

Summary of the Content Background to Data Protection Law and Transposition (Mission 1) Overview of National Assessment(Mission 1) Transposition Process Overview of Data Protection Bill Points for Discussion Points for Discussion

Purpose of Data Protection Law Harmonised approaches Give effect to the right to privacy ICT technology developments impacts on the right to the protection of personal data. Illegitimate and unlawful monitoring of individuals Automated decision making Data protection regulation - strike a balance in ensuring that the benefits of using information and communication technologies do not translate into weakened protection of personal data Data Protection Authority establishment Regulation of trans border flow

Objectives of SADC Model Law Give effect to principles of data protection Place limitations on the processing of personal data Provide for the rights of the data subject Define the responsibilities of the Data Controller Establishment of the Data Protection Authority  Combat violations of privacy likely to arise from the collection, processing, transmission, storage and use of personal dataactivities

National Assessment The local expert gave and overview of existing laws and policies Account taken that no specific legislation on data protection exists

Data Protection Bill Approach to Transposition Drafting of a new Bill Customised to Swaziland without departing from the Model law Harmonization Clarity of definitions and concepts; Modifications pertaining to the Authority;

PART I - PRELIMINARY Citation and commencement Interpretation Application of the Act: To data controllers, to all forms of personal information Exemptions: The Act does not apply to the processing of personal information – in the course of a purely personal or household activity which has been de-identified to the extent that it cannot be re-identified; or by or on behalf of the State and involves national security and defence or public safety; which has been exempted under this Act or sector specific legislation

Part I Interpretation/Definitions Defining personal information: information about an identifiable individual that is recorded in any form, including, without restricting the generality of the foregoing:- information relating to the race, national or ethnic origin, religion, age or marital status of the individual; information relating to the education or the medical, criminal or employment history of the individual or information relating to financial transactions in which the individual has been involved; any identifying number, symbol or other particular assigned to the individual; the address, fingerprints or blood type of the individual; the name of the individual where it appears with other personal information relating to the individual or where the disclosure of the name itself would reveal information about the individual; correspondence sent to a data controller by the individual that is explicitly or implicitly of a private or confidential nature, and replies to such correspondence that would reveal the contents of the original correspondence; and the views or opinions of any other person about the individual.

Processing of personal information processing: refers to any operation or set of operations which is performed upon personal information, whether or not by automated means, such as obtaining, recording or holding the data or carrying out any operation or set of operations on data, including – (a) organization, adaptation or alteration of the data; (b) retrieval, consultation or use of the data; or (c) alignment, combination, blocking, erasure or destruction of the data

Sensitive personal information “sensitive personal information” (a) refers to genetic data, data related to children, data related to offences, criminal sentences or, biometric data as well as, if they are processed for what they reveal, personal information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, affiliation, trade-union membership, gender and personal information concerning the health or sex life of the individual (b) refers also to any personal information otherwise considered by Swaziland law as presenting a major risk to the rights and interests of the data subject, in particular unlawful or arbitrary discrimination.

Part II Data Protection Authority Establishment of the Data Protection Authority Disqualification from office Functions of the Authority Tenure of office Allowances of the members of the Authority Funds of the Authority Audit of Accounts Protection of the Authority Duty of confidentiality

Part III Protection of personal information Processing of personal information Minimality: Personal information may only be processed if, given the purpose for which it is processed, it is adequate, relevant and not excessive Collection directly from the data subject Purpose specification and further processing limitation Security measures on integrity of personal information Information processed by an agent of the data controller

Part III (continued) Information processed by an agent of the data controller: process such information only with the knowledge or authorisation of the data controller; and treat such personal information as confidential. Security measures regarding information processed by an agent: A data controller ensures that a data processor processing for or on his behalf establishes and maintains the security measures referred to in the Act Contract exists between controller and processor Notification to the Authority and to the data subject Notification of security compromises: To the Authority and the data subject Quality of information: personal information to be complete, accurate, not misleading and kept up to date; Regard be had to the purpose for which personal information was collected. Access to and challenges of personal information Correction of personal information Data controller to give effect to principles Prohibition on processing of sensitive personal information

Part IV Exemptions from protection on processing of personal information Exemption on data subject’s spiritual, religious or philosophical beliefs Exemption on data subject’s race Exemption on data subject’s trade union membership Exemption on data subject’s political affiliation Exemption on data subject’s health or sexual life Exemption on data subject’s criminal behaviour General exemption on sensitive personal information Authorisation by the Authority Exemption for processing of personal data for historical, statistical and research purposes

Part V Enforcement Complaints Investigation by the Authority No action by the Authority Pre-investigations by the Authority Investigation proceedings by the Authority Matters exempt from search and seizure Parties to be informed of developments during and as a result of the investigation Enforcement notice Cancellation of an enforcement notice Reviews and appeals Civil remedies

Part VI General Provisions Unsolicited electronic communications: A data subject is entitled any time by notice to a data controller to require the data controller to cease, or not to begin, processing of personal data in respect of which he is the data subject for the purposes of direct marketing. Automated decision making: Subject to qualifications/exceptions, a person may not be subjected to a decision which has legal effect on him, or which affects him significantly, based solely on the automated processing of personal information intended to provide a profile of certain aspects of his personality or personal habits/ Notifications Codes of Conduct: The Authority may, from time to time, issue, approve, amend or revoke a code of conduct. Offences and penalties Regulations Transitional arrangements

Limitations on Trans border flow Member State with Harmonised Law recipient establishes that the data is necessary for the performance of a task carried out in the public interest pursuant to the lawful functions of a data controller legitimate interests of data subject not prejudiced subject to conditions

Limitations on Trans border flow Non-Member State with Harmonised Law/ Third Countries adequate level of protection is ensured in the country of the recipient and the data is transferred solely to permit processing otherwise authorised to be undertaken by the controller subject to due diligence assessment and further conditions

Due diligence assessment assessed in the light of all the circumstances surrounding the relevant data transfer(s), particular consideration to be given to the nature of the data, the purpose and duration of the proposed processing, the recipient’s country, the relevant laws in force in the third country and the professional rules and security measures which are complied with in that recipient’s country

Authority’s discretion The Authority may: establish the categories of processing for which and the circumstances in which the transfer of personal data to countries outside (i) Swaziland and (ii) SADC is not authorized authorize a transfer or a set of transfers of personal information to a recipient country outside Swaziland or SADC which does not in its laws ensure an adequate level of protection, if the controller satisfies the Authority that it shall ensure adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of the data subjects concerned, and regarding the exercise of the data subject’s rights such safeguards can be appropriated through adequate legal and security measures and contractual clauses in particular

Thank you Mrs. Kuena Mophethe ITU International Expert: Data Protection Law Ms. Gcinaphi Mndzebele ITU National Expert: Data Protection Law