Presentation on theme: "International Telecommunication Union HIPSSA Project Support for Harmonization of the ICT Policies in Sub-Sahara Africa, Meeting with the Tanzanian ICT."— Presentation transcript:
International Telecommunication Union HIPSSA Project Support for Harmonization of the ICT Policies in Sub-Sahara Africa, Meeting with the Tanzanian ICT Ministry PRESENTATION ON DATA PROTECTION BILL Pria Chetty, International Legal Expert on Data Protection
Overview of Session Why enact Data Protection Law? Data Protection Model Law Development Process Key Provisions for Data Protection Law Key Frames of Inquiry for Transposition of the Model Law Key Provisions of the Data Protection Bill Part I, II, III, IV, V, VI, VIII Discussion
Why Enact Data Protection Law? Harmonised approaches Give effect to right to privacy ICT technology developments impacts right to the protection of personal data in commercial activities and electronic government (eGov) activities Illegitimate and unlawful use of individual’s information Automated decision making Direct marketing practices Data protection regulation - ensure that the benefits of using information and communication technologies is not met with weakened protection of personal data
Model Law Development Scan of international and regional approaches to data protection Questionnaires to Member States Desktop Research Review Review of International and Regional Policies, Laws, Conventions Comparison of common and differentiated approaches Data Protection Policy and Legal Analysis Draft Model Law Deliberated at workshop with country representatives Incorporation of recommendations and requests for amendment Model Law adoption Data Protection Model Law
Provisions of SADC Model Law Give effect to principles of data protection Place limitations on the processing of personal data Provide for the rights of the data subject Describe the responsibilities of the Data Controller Establishment of the Data Protection Authority Combat violations of privacy likely to arise from the collection, processing, transmission, storage and use of personal dataactivities
Transposition Frames of Inquiry International and regional frameworks establish the primary themes, intent and functional requirements for data protection regulation. Within Tanzania, enquire: 1.Designated national data protection legislation 2.Prevalence of regulation that has a bearing on the right to privacy and protection of personal information in Tanzania.
TANZANIA DATA PROTECTION BILL
Part One 1Short Title 2Commencement 3Object of the Act 4Interpretation 5Savings
Object of the Act to promote the protection of personal information processed by public and private bodies; to introduce information protection principles so as to establish minimum requirements for the processing of personal information; and to provide for matters connected therewith
Interpretation Personal Information Processing Data Subject Data Processor Data Protection Officer Commissioner
Data Controller “data controller” or “controller” refers to any natural person, legal person or public body which alone or jointly with others determines the purpose and means of processing of personal information. Where the purpose and means of processing are determined by or by virtue of an act, decree or ordinance, the controller is the natural person, legal person or public body has been designated as such by or by virtue of that act, decree or ordinance.
Defining Personal Information information about an identifiable individual that is recorded in any form, including, without restricting the generality of the foregoing:- (a)information relating to the race, national or ethnic origin, religion, age or marital status of the individual; (b)information relating to the education or the medical, criminal or employment history of the individual or information relating to financial transactions in which the individual has been involved; (c)any identifying number, symbol or other particular assigned to the individual; (d)the address, fingerprints or blood type of the individual; (e)the name of the individual where it appears with other personal information relating to the individual or where the disclosure of the name itself would reveal information about the individual; (f)correspondence sent to a data controller by the individual that is explicitly or implicitly of a private or confidential nature, and replies to such correspondence that would reveal the contents of the original correspondence; and (g)the views or opinions of any other person about the individual.
Processing of Personal Information processing: refers to any operation or set of operations which is performed upon personal information, whether or not by automated means, such as obtaining, recording or holding the data or carrying out any operation or set of operations on data, including – (a) organization, adaptation or alteration of the data; (b) retrieval, consultation or use of the data; or (c) alignment, combination, blocking, erasure or destruction of the data
Savings (1)This Act shall not affect the operation of any law that makes provision with respect to the collection, holding, use, correction or disclosure of personal information and is capable of operating concurrently with this Act. If any other legislation provides for safeguards for the protection of personal information that are more extensive than those set out in the information protection principles, the extensive safeguards prevail. (2)This Act shall not restrict the ways of processing and production of information which are legally sanctioned under this Act, including such processing and procedures set out in Schedule One.
Savings De-identified information Government departments – national security, defence, prosecution of offences, journalistic purposes, judicial processes, powers of judiciary Does apply to partial automated processing Territorial clarity Data Controller may appoint a representative
Part II 6Collection of personal information 7Source of personal information 8 Accuracy of personal information to be checked before use 9Limits on use of personal information 10Limits on disclosure of personal information 11 Condition for use or disclosure of personal information 12Storage and security of personal information
Part II (cntd…) 13Retention and disposal of personal information 14 Correction of personal information (public authority) 15Data Controller to ensure compliance 16Sensitive Personal Information 17 Limitations on above section accommodating national laws 18Commission to order exceptions 19Commission to establish conditions of processing sensitive personal information
Part VI 45 Data Protection Officers and Data Processors 46Data Controller Direction 47 Proceedings where disclosure was in good faith 48Regulations 49Code of Conduct
Part VII 50To a recipient in a Member State that has transposed the SADC data protection requirements 51To a Member state that has not transposed the SADC data protection requirements or to a non-Member State
CONCLUSION/ POINTS FOR INCLUSION IN DISCUSSION
Discussion Schedule of Exemptions for Consultation Process and Regulations Prescription of Court Duty of Correction of Personal Information (Public Bodies only) Promotion of Access to Information Act
Thank You Questions? Pria Chetty ITU International Expert: Data Protection Mobile: