hipssa project
DESCRIPTION
HIPSSA Project. Support for Harmonization of the ICT Policies in Sub-Sahara Africa, Meeting with the Tanzanian ICT Ministry. PRESENTATION ON DATA PROTECTION BILL Pria Chetty, International Legal Expert on Data Protection 07.03.12. Why enact Data Protection Law? - PowerPoint PPT PresentationTRANSCRIPT
InternationalTelecommunicationUnion
HIPSSA ProjectSupport for Harmonization of the ICT Policies
in Sub-Sahara Africa, Meeting with the Tanzanian ICT Ministry
PRESENTATION ON DATA PROTECTIONBILL
Pria Chetty, International Legal Expert on Data Protection
07.03.12
Overview of Session Why enact Data Protection Law? Data Protection Model Law Development Process Key Provisions for Data Protection Law Key Frames of Inquiry for Transposition of the Model
Law Key Provisions of the Data Protection Bill
Part I, II, III, IV, V, VI, VIII
Discussion
Why Enact Data Protection Law? Harmonised approaches Give effect to right to privacy ICT technology developments impacts right to the
protection of personal data in commercial activities and electronic government (eGov) activities
Illegitimate and unlawful use of individual’s information
Automated decision making Direct marketing practices Data protection regulation - ensure that the benefits
of using information and communication technologies is not met with weakened protection of personal data
Model Law Development
• Scan of international and regional approaches to data protection
• Questionnaires to Member States
• Desktop Research
Review
• Review of International and Regional Policies, Laws, Conventions
• Comparison of common and differentiated approaches
Data Protection Policy and Legal
Analysis• Draft Model Law• Deliberated at workshop
with country representatives
• Incorporation of recommendations and requests for amendment
• Model Law adoption
Data Protection Model Law
Provisions of SADC Model Law
Give effect to principles of data protection Place limitations on the processing of personal
data Provide for the rights of the data subject Describe the responsibilities of the Data
Controller Establishment of the Data Protection Authority Combat violations of privacy likely to arise from
the collection, processing, transmission, storage and use of personal dataactivities
Transposition Frames of InquiryInternational and regional frameworks establish the primary themes, intent and functional requirements for data protection regulation.
Within Tanzania, enquire:
1. Designated national data protection legislation
2. Prevalence of regulation that has a bearing on the right to privacy and protection of personal information in Tanzania.
TANZANIA DATA PROTECTION BILL
Part One
1 Short Title 2 Commencement3 Object of the Act4 Interpretation5 Savings
Object of the Actto promote the protection of personal
information processed by public and private bodies; to introduce information protection
principles so as to establish minimumrequirements for the processing of personal
information; and to provide formatters connected therewith
Interpretation Personal Information Processing Data Subject Data Processor Data Protection Officer Commissioner
Data Controller“data controller” or “controller” refers to any natural
person, legal person or public body which alone or jointly with others determines the purpose and means of
processing of personal information. Where the purpose and means of processing are determined by or by virtue of an
act, decree or ordinance, the controller is the natural person, legal person or public body has been designated as such by or by virtue of that act, decree or ordinance.
Defining Personal Informationinformation about an identifiable individual that is recorded in any form, including, without restricting the generality of the foregoing:-
(a) information relating to the race, national or ethnic origin, religion, age or marital status of the individual;
(b)information relating to the education or the medical, criminal or employment history of the individual or information relating to financial transactions in which the individual has been involved;
(c) any identifying number, symbol or other particular assigned to the individual;
(d)the address, fingerprints or blood type of the individual;(e)the name of the individual where it appears with other personal
information relating to the individual or where the disclosure of the name itself would reveal information about the individual;
(f) correspondence sent to a data controller by the individual that is explicitly or implicitly of a private or confidential nature, and replies to such correspondence that would reveal the contents of the original correspondence; and
(g)the views or opinions of any other person about the individual.
Processing of Personal Information
processing: refers to any operation or set of operations which is performed upon personal information, whether or not by automated means, such as obtaining, recording or holding the data or carrying out any operation or set of operations on data, including – (a) organization, adaptation or alteration of the data; (b) retrieval, consultation or use of the data; or (c) alignment, combination, blocking, erasure or
destruction of the data
Savings(1)This Act shall not affect the operation of any law that makes provision with respect to the collection, holding, use, correction or disclosure of personal information and is capable of operating concurrently with this Act. If any other legislation provides for safeguards for the protection of personal information that are more extensive than those set out in the information protection principles, the extensive safeguards prevail.
(2)This Act shall not restrict the ways of processing and production of information which are legally sanctioned under this Act, including such processing and procedures set out in Schedule One.
Savings De-identified information Government departments – national security,
defence, prosecution of offences, journalistic purposes, judicial processes, powers of judiciary
Does apply to partial automated processing Territorial clarity Data Controller may appoint a representative
Part II6 Collection of personal information7 Source of personal information8 Accuracy of personal information to be
checked before use9 Limits on use of personal information10 Limits on disclosure of personal information11 Condition for use or disclosure of personal
information12 Storage and security of personal information
Part II (cntd…)
13 Retention and disposal of personal information
14 Correction of personal information(public authority)
15 Data Controller to ensure compliance16 Sensitive Personal Information17 Limitations on above section accommodating
national laws18 Commission to order exceptions19 Commission to establish conditions of
processing sensitive personal information
Part VI45 Data Protection Officers and
Data Processors46 Data Controller Direction47 Proceedings where disclosure was in
good faith48 Regulations49 Code of Conduct
Part VII50 To a recipient in a Member State that has
transposed the SADC data protection requirements
51 To a Member state that has not transposed the SADC data protection requirements or to a non-Member State
CONCLUSION/ POINTS FOR INCLUSION IN DISCUSSION
Discussion Schedule of Exemptions for Consultation
Process and Regulations Prescription of Court Duty of Correction of Personal
Information (Public Bodies only) Promotion of Access to Information Act
Thank You Questions?
Pria ChettyITU International Expert: Data Protection
Mobile: 083 384 4543Email: [email protected]