Data Protection Principles
The Data Protection Act, 2012 (Act 843) is premised on the fundamental rule that all who process personal data must take into consideration the right of that individual to the privacy of his or her communications.
This recognition by a data controller or processor should lead to the application of the 8 basic principles for processing personal information. The Act sets out the 8 data principles under Section 17 as follows:
- Processing of Personal Data (Section 18)
(1) A person who processes personal data shall ensure that the personal data is processed;
(a) without infringing the privacy rights of the data subject;
(b) in a lawful manner; and
(c) in a reasonable manner.
(2) A data controller or processor shall in respect of foreign data subjects ensure that personal data is processed in compliance with data protection legislation of the foreign jurisdiction of that subject where personal data originating from that jurisdiction is sent to this country for processing.
- Minimality (Section 19)
Personal data may only be processed if the purpose for which it is to be processed, is necessary, relevant and not excessive.
- Consent, justification and objection (Section 20)
(1) A person shall not process personal data without the prior consent of the data subject unless the purpose for which the personal data is processed is;
(a) necessary for the purpose of a contract to which the data subject is a party;
(b) authorised or required by law;
(c) to protect a legitimate interest of the data subject;
(d) necessary for the proper performance of a statutory duty; or
(e) necessary to pursue the legitimate interest of the data controller or a third party to whom the data is supplied.
(2) Unless otherwise provided by law, a data subject may object to the processing of personal data.
(3) Where a data subject objects to the processing of personal data, the person who processes the personal data shall stop the processing of the personal data.
- Collection of personal data (Section 21)
(1) A person shall collect personal data directly from the data subject.
(2) Despite subsection (1), personal data may be collected indirectly where:
(a) the data is contained in a public record;
(b) the data subject has deliberately made the data public;
(c) the data subject has consented to the collection of the information from another source;
(d) the collection of the data from another source is not likely to prejudice a legitimate interest of the data subject;
(e) the collection of the data from another source is necessary:
(i) for the prevention, detection, investigation, prosecution or punishment of an offence or breach of law;
(ii) for the enforcement of a law which imposes a pecuniary penalty;
(iii) for the enforcement of a law which concerns revenue collection;
(iv) for the conduct of proceedings before any court or tribunal that have commenced or are reasonably contemplated;
(v) for the protection of national security; or
(vi) for the protection of the interests of a responsible or third party to whom the information is supplied;
(f) compliance would prejudice a lawful purpose for the collection; or
(g) compliance is not reasonably practicable.
- Retention of records (Section 24)
(1) Subject to subsections (2) and (3), a data controller who records personal data shall not retain the personal data for a period longer than is necessary to achieve the purpose for which the data was collected and processed unless
(a) the retention of the record is required or authorised by law,
(b) the retention of the record is reasonably necessary for a lawful purpose related to a function or activity,
(c) retention of the record is required by virtue of a contract between the parties to the contract, or
(d) the data subject consents to the retention of the record.
(2) Subsection (1) does not apply to records of personal data retained for
(a) historical,
(b) statistical, or
(c) research purposes.
(3) A person who retains records for historical, statistical or research purposes shall ensure that the records that contain the personal data are adequately protected against access or use for unauthorised purposes.
(4) A person who uses a record of the personal data of a data subject to make a decision about the data subject shall
(a) retain the record for a period required or prescribed by law or a code of conduct, or
(b) where there is no law or code of conduct that provides for the retention period, retain the record for a period which will afford the data subject an opportunity to request access to the record.
(5) A data controller shall destroy or delete a record of personal data or de-identify the record at the expiry of the retention period.
(6) The destruction or deletion of a record of personal data shall be done in a manner that prevents its reconstruction in an intelligible form.
- Data processed by data processor or an authorised person (Section 29)
(1) A data processor or a person who processes personal data on behalf of a data controller shall
(a) process the data only with the prior knowledge or authorisation of the data controller, and
(b) treat the personal data which comes to the knowledge of the data processor or the other person as confidential.
(2) A data processor or a person who processes personal data on behalf of a data controller shall not disclose the data unless
(a) required by law, or
(b) in the course of the discharge of a duty.
- Collection of data for specific purpose (Section 22)
A data controller who collects personal data shall collect the data for a purpose which is specific, explicitly defined and lawful and is related to the functions or activity of the person.
- Data subject to be made aware of purpose of collection (Section 23)
A data controller who collects data shall take the necessary steps to ensure that the data subject is aware of the purpose for the collection of the data.
- Further processing to be compatible with purpose of collection (Section 25)
(1) Where a data controller holds personal data collected in connection with a specific purpose, further processing of the personal data shall be for that specific purpose.
(2) A person who processes data shall take into account;
(a) the relationship between the purpose of the intended further processing and the purpose for which the data was collected,
(b) the nature of the data concerned,
(c) the manner in which the data has been collected,
(d) the consequences that the further processing is likely to have for the data subject, and
(e) the contractual rights and obligations between the data subject and the person who processes the data.
(3) The further processing of data is considered to be compatible with the purpose of collection where
(a) the data subject consents to the further processing of the information,
(b) the data is publicly available or has been made public by the person concerned,
(c) further processing is necessary;
(i) for the prevention, detection, investigation, prosecution or punishment for an offence or breach of law,
(ii) for the enforcement of a law which imposes a pecuniary penalty,
(iii) for the enforcement of legislation that concerns protection of revenue collection,
(iv) for the conduct of proceedings before any court or tribunal that have commenced or are reasonably contemplated, or
(v) for the protection of national security;
(d) the further processing of the data is necessary to prevent or mitigate a serious and imminent threat to;
(i) public health or safety, or
(ii) the life or health of the data subject or another individual;
(e) the data is used for historical, statistical or research purposes and the person responsible for the processing ensures that
(i) the further processing is carried out solely for the purpose for which the data was collected, and
(ii) the data is not published in a form likely to reveal the identity of the data subject; or
(f) the further processing of the data is in accordance with this Act.
A data controller who processes personal data shall ensure that the data is complete, accurate, up to date and not misleading having regard to the purpose for the collection or processing of the personal data.
- Registration of data controller (Section 27)
(1) A data controller who intends to process personal data shall register with the Commission.
(2) A data controller who intends to collect personal data shall ensure that the data subject is aware of
(a) the nature of the data being collected;
(b) the name and address of the person responsible for the collection;
(c) the purpose for which the data is required for collection;
(d) whether or not the supply of the data by the data subject is discretionary or mandatory;
(e) the consequences of failure to provide the data;
(f) the authorised requirement for the collection of the information or the requirement by law for its collection;
(g) the recipients of the data;
(h) the nature or category of the data; and
(i) the existence of the right of access to and the right to request rectification of the data collected before the collection.
(3) Where the data is collected from a third party, the data subject shall be given the information specified in subsection (2) before the collection of the data or as soon as practicable after the collection of the data.
(4) Subsection (2) shall not apply in the following situations where it is necessary:
(a) to avoid the compromise of the law enforcement power of a public body responsible for the prevention, detection, investigation, prosecution or punishment of an offence;
(b) for the enforcement of a law which imposes a pecuniary penalty;
(c) for the enforcement of legislation which concerns revenue collection;
(d) for the preparation or conduct of proceedings before a court or tribunal that have been commenced or are reasonably contemplated;
(e) for the protection of national security;
(f) to avoid the prejudice of a lawful purpose;
(g) to ensure that the data cannot be used in a form in which the data subject is identified; or
(h) because the data is to be used for historical, statistical or research purposes.
- Security measures (Section 28)
(1) A data controller shall take the necessary steps to secure the integrity of personal data in the possession or control of a person through the adoption of appropriate, reasonable, technical and organisational measures to prevent
(a) loss of, damage to, or unauthorised destruction; and
(b) unlawful access to or unauthorised processing of personal data.
(2) To give effect to subsection (1), the data controller shall take reasonable measures to
(a) identify reasonably foreseeable internal and external risks to personal data under that person’s possession or control;
(b) establish and maintain appropriate safeguards against the identified risks;
(c) regularly verify that the safeguards are effectively implemented; and
(d) ensure that the safeguards are continually updated in response to new risks or deficiencies.
(3) A data controller shall observe
(a) generally accepted information security practices and procedure, and
(b) specific industry or professional rules and regulations.
- Data processor to comply with security measures (Section 30)
(1) A data controller shall ensure that a data processor who processes personal data for the data controller, establishes and complies with the security measures specified under this Act.
(2) The processing of personal data for a data controller by a data processor shall be governed by a written contract.
(3) A contract between a data controller and a data processor shall require the data processor to establish and maintain the confidentiality and security measures necessary to ensure the integrity of the personal data.
(4) Where a data processor is not domiciled in this country, the data controller shall ensure that the data processor complies with the relevant laws of this country.
- Notification of security compromises (Section 31)
(1) Where there are reasonable grounds to believe that the personal data of a data subject has been accessed or acquired by an unauthorised person, the data controller or a third party who processes data under the authority of the data controller shall notify the
(a) Commission, and
(b) the data subject of the unauthorised access or acquisition.
(2) The notification shall be made as soon as reasonably practicable after the discovery of the unauthorised access or acquisition of the data.
(3) The data controller shall take steps to ensure the restoration of the integrity of the information system.
(4) The data controller shall delay notification to the data subject where the security agencies or the Commission inform the data controller that notification will impede a criminal investigation.
(5) The notification to a data subject shall be communicated by
(a) registered mail to the last known residential or postal address of the data subject;
(b) electronic mail to the last known electronic mail address of the data subject;
(c) placement in a prominent position on the website of the responsible party;
(d) publication in the media; or
(e) any other manner that the Commission may direct.
(6) A notification shall provide sufficient information to allow the data subject to take protective measures against the consequences of unauthorised access or acquisition of the data.
(7) The information shall include, if known to the data controller, the identity of the unauthorised person who may have accessed or acquired the personal data.
(8) Where the Commission has grounds to believe that publicity would protect a data subject who is affected by the unauthorised access or acquisition of data, the Commission may direct the data controller to publicise in the specified manner, the fact of the compromise to the integrity or confidentiality of the personal data.
- Access to personal information (Section 32)
(1) A data subject who provides proof of identity may request a data controller to
(a) confirm at reasonable cost to the data subject whether or not the data controller holds personal data about that data subject,
(b) give a description of the personal data which is held by the party including data about the identity of a third party or a category of a third party who has or has had access to the information, and
(c) correct data held on the data subject by the data controller.
(2) The request shall be made
(a) within a reasonable time;
(b) after the payment of the prescribed fee, if any;
(c) in a reasonable manner and format; and
(d) in a form that is generally understandable.
- Correction of personal data (Section 33)
(1) A data subject may request a data controller to
(a) correct or delete personal data about the data subject held by or under the control of the data controller that is inaccurate,
(b) irrelevant, excessive, out of date, incomplete, misleading or obtained unlawfully, or
(c) destroy or delete a record of personal data about the data subject held by the data controller that the data controller no longer has the authorisation to retain.
(2) On receipt of the request, the data controller shall comply with the request or provide the data subject with credible evidence in support of the data.
(3) Where the data controller and the data subject are unable to reach an agreement and if the data subject makes a request, the data controller shall attach to the record an indication that a request for the data has been made but has not been complied with.
(4) Where the data controller complies with the request, the data controller shall inform each person to whom the personal data has been disclosed of the correction made.
(5) The data controller shall notify the data subject of the action taken as a result of the request.