MAKING SENSE OF IT:- WHAT IS DATA PROTECTION? Presented by the Data Protection Commissioner (Mrs D. Madhub) To the Truth and Justice Commission on 9.03.11.

Presentation transcript:


DATA PROTECTION OFFICE{PMO}

- The Data Protection Office came into existence in February 2009 with the promulgation of the Data Protection Act of 2004, that is, 5 years after the enactment of the DPA, and through the appointment of the Commissioner assisted by a confidential secretary.
- In the middle of 2010, a small administrative staff of 4 officers was created to assist the Commissioner.

- Today, the office consists of 11 officers, including an Investigation Unit of 3 investigators.
- The office is mainly called upon to investigate complaints relating to data protection incidents, to register all data controllers and data processors in Mauritius, to sensitise the public on the mission of the office and their obligations and rights, to carry out security checks and data protection compliance audits, and to exercise control on all data protection issues, amongst others.

- During 2009 and 2010, the office concentrated on the registration of about data controllers in Mauritius with a very limited personnel of 3 investigators, together with the investigation of complaints and site visits, the production of guidelines and codes of practice, and the submission of an annual report to the National Assembly. This perhaps explains why the office never had the time to carry out massive sensitisation campaigns, as it had to prioritise its functions and activities.

- However, the office did run many small sensitisation campaigns, which are posted on the website of the office, including the sending by mail and fax of registration information to about data controllers and various communiqués in the press.

- The Data Protection Act 2004 (DPA) gives living individuals the right to know what information is held about them. It provides the legal framework to ensure that personal information is handled properly.
- The mission of the office is quite clear: the protection of the processing of all personal data in Mauritius to safeguard the privacy rights of living individuals.

Are you a data controller?

- If you, as an individual or an organisation, public or private, collect, store or process any data about living people on any type of computer or in a structured filing system, then you are a data controller.

Data controllers are thus the natural or legal persons who determine the purposes and the means of the processing of personal data, both in the public and in the private sector.

Who is a data processor?

- The data processor is the person, other than an employee of the data controller, who has a written contract with the data controller and who processes personal data on behalf of the data controller.

- Personal data is defined under the DPA as data, whether recorded electronically or otherwise, which relates to an identified or identifiable living individual, i.e., one whose identity is apparent or can reasonably be ascertained from the data.
- The definition in the Act is a compendious one and it is difficult to envisage any action involving data which is not personal data within this definition.

- Oral data may fall within the definition of personal data if it is information relating to a living individual.
- Oral data may further be sensitive if it relates to the:
  - racial or ethnic origin;
  - political opinion or adherence;
  - religious belief or other belief of a similar nature;
  - membership of a trade union;

  - physical or mental health;
  - sexual preferences or practices;
  - the commission of an offence; or
  - any proceedings for an offence committed or alleged to have been committed by him, the disposal of such proceedings or the sentence of any court in such proceedings;

  of an individual.

What does processing, legally speaking, mean?

"Processing" means any operation or set of operations which is performed on the data wholly or partly by automatic means, or otherwise than by automatic means, and includes:

- collecting, organising or altering the data;
- retrieving, consulting, using, storing or adapting the data;
- disclosing the data by transmitting, disseminating or otherwise making it available; or
- aligning, combining, blocking, erasing or destroying the data.

Can oral data be processed by a data controller or processor and under what conditions?

- Processing of personal oral data may only be effected with the express consent of the data subject, i.e., the owner of the data, except if it falls within the exceptions under section 24(2) of the DPA, where consent of the data subject is not required: namely, where it relates to the execution of a contract between the data controller and the data subject, the vital interests of the data subject, compliance with a legal obligation by the data controller, the administration of justice, or the public interest.

- For instance, oral data collected for the purpose of protecting objectively the vital interests of the data subject or compliance with the law may be applicable to the Truth and Justice Commission, depending on its mandate.

Can sensitive data be processed by a data controller?

- No sensitive data can be processed without the consent of the data subject, unless the latter has made the data public, and subject to certain further exceptions provided in the Act where consent is not required. The exceptions resemble those contained in section 24(2).

However, oral data collected which falls within the category of research, history and statistics is exempt from the limited retention and the compatibility principles and the right to access. These exemptions will not apply in the case where the research is not related to living individuals or where the processing cannot be potentially harmful to a data subject or the data is anonymised.

Exemptions:

1. Section 28 of the DPA provides that a data controller has the duty to destroy personal data as soon as is reasonably practicable once the purpose for keeping the data has lapsed. Thus, the data controller must keep the data for a definite period of time, which is determined with regard to the justifications for keeping the information and on a case-by-case basis by the DPO.

2. The principle of compatibility as explained in section 26(a) relates to the collection of data only for specified and lawful purposes. Unspecified or unrelated purposes are deemed to be incompatible.

3. The right to access personal data is guaranteed under Part VI of the DPA. It is the right of the individual to request in writing from the data controller, by filling in the "request for access to personal data" form accompanied by a fee of Rs 75, to be informed of the purposes for which the data has been kept and the recipients of the data.

- The data controller has 28 days to comply or, if that is not possible, must comply within a reasonably practicable time after having informed the individual of his predicament.

The Eight Data Protection Principles, which may be termed the mantras of data protection, are as follows:

- Personal data shall be processed fairly and lawfully.
- Personal data shall be obtained only for a specified and lawful purpose, and shall not be further processed in any manner incompatible with that purpose.
- Personal data shall be accurate and, where necessary, kept up to date.

- Personal data processed for any purpose shall not be kept longer than is necessary for that purpose or those purposes.
- Personal data shall be processed in accordance with the rights of the data subjects under the Data Protection Act.
- Appropriate security and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

- Personal data shall not be transferred to another country, unless that country ensures an adequate level of protection for the rights of data subjects in relation to the processing of personal data. Transfers of personal data abroad have to be effected with the authorisation of the Commissioner.

Does the data controller have to be registered with the DPO?

It is an offence not to register or renew registration each year or to provide false information in the registration form.

- The DPO can prosecute data controllers before the Intermediate Court for offences committed under the DPA, and it can also serve enforcement notices upon data controllers/processors not complying with the DPA. The enforcement notice will specify a time period of not less than 21 days for compliance with the measures recommended. Non-compliance is an offence.

Conclusion:

- The DPO is in favour of the adoption of a research protocol applicable to all relevant organisations and of the creation of a national oral data centre, provided compliance is effected with all the relevant provisions of the DPA. The enactment of a Freedom of Information Act is also welcomed by the DPO. This office also has the legal duty to publish guidelines every year and will be glad to assist any organisation wishing to adopt relevant guidelines and codes of practice.
