The Data Protection Act, No. 3 of 2021 (the Data Act) is the principal statute governing data privacy and protection in the workplace. The Data Act provides a framework for how personal data may be used and protected. It regulates how personal data is to be collected, used, transmitted, stored and processed, among other matters, and sets out the rights that individuals have in relation to their personal data. The Data Act also creates the office of the Data Protection Commissioner, defines that office's mandate and specifies the duties of data controllers and data processors. This article highlights the salient features of the Data Act insofar as they form a framework for data privacy in the workplace.
To begin with, the Data Act protects and regulates the processing of the personal data of data subjects. It does so by imposing particular obligations on data controllers, data processors and natural persons. A data controller is a person who, alone or jointly with others, determines the purposes for which and the manner in which personal data is processed. A data processor, by contrast, is a person who handles, or "processes," personal data on behalf of and under the direction of the data controller. According to Section 2 of the Data Act, a data subject is "an individual from, or in respect of whom, personal information is processed." Personal data is data or information relating to an individual that enables that individual to be identified, directly or indirectly, from the data. Section 2 of the Data Act lists the identifiers that characterise personal data, namely "a name, an identification number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person." As noted above, the processing of personal data is regulated, and Section 2 of the Data Act defines processing as:
“an operation or a set of operations which is or are performed on personal data, whether or not by automatic means, including the collection, recording or holding of the data or the carrying out of any operation or set of operations on data, including—
Where the handling of personal data amounts to processing, as defined in the quotation above, that activity is regulated and corresponding obligations are imposed on any person processing the data.
Section 12 of the Data Act lays out the principles that govern how data controllers and data processors handle, store, retain and share personal data. Notable principles include that personal data may only be collected for ascertained and legitimate purposes and may not be used in any way that is incompatible with those purposes. Personal data must also not be kept for longer than it remains useful for the purpose for which it was first lawfully collected. Finally, personal data must be processed with appropriate security measures in place to prevent unauthorised or unlawful processing and to guard against loss, destruction or damage. In practice, this last principle is the one that bears most directly on an employer's technical controls: access restrictions, retention and disposal procedures and backups for employee records all need to be able to show that the data was protected in the way the principle requires.
It is noteworthy that the Data Act imposes obligations on individuals and data processors in relation to the processing of both personal data and sensitive personal data. In particular, Section 13 of the Data Act sets out the prerequisites that must be satisfied before a data controller may process personal data. The first of these is that either the consent of the data subject must be obtained before their personal data is processed, or the processing must rest on one of the specified lawful grounds. In other words, the personal data must be collected for one of the following reasons:
Section 14 of the Data Act prohibits the processing of sensitive personal data. This category of data, as defined in Section 2 of the Data Act, is data that, owing to its nature, may be used to suppress the fundamental rights and freedoms of a data subject. The Data Act then sets out the circumstances in which processing sensitive personal data is nonetheless permitted, such as for judicial, medical, health, social service or public interest reasons.
A data controller is subject to the requirement to obtain consent, and the Data Act stipulates the rights of the data subject, including the right to give consent and the right to withdraw it. Data controllers are also obliged to obtain personal data directly from the data subject, although Section 16 of the Data Act provides exceptions and sets out the circumstances in which information about a data subject may be obtained from other sources. Lastly, the Data Act makes failure to comply with its provisions a criminal offence.
The Data Act has many implications for the collection, use and disposal of both the personal and the sensitive personal data of data subjects. As it is a relatively new statute, there is as yet little case law testing its provisions. Employers are nonetheless advised to read the Data Act carefully and to ensure that their storage, retention and disposal policies comply with the provisions highlighted above.