The Data Protection Act 2004 was repealed on 8 December 2017 by the National Assembly of Mauritius and replaced with the “new” Data Protection Act 2017 (the “Act”) on 22 December 2017. The Act came into force on 15 January 2017.
The objective of the Act is to strengthen the control and personal autonomy of data subjects (e.g., you and me) over their personal data, in line with current relevant international standards.
Some key definitions as per the Act:
Data Controller
A person who or public body which, alone or jointly with others, determines the purposes and means of the processing of personal data and has decision-making power with respect to the processing.
Data Processor
A person who, or public body which, processes personal data on behalf of a controller.
Personal Data
Any information relating to a data subject.
Sensitive Data
Special categories of personal data refer to personal data which is sensitive in nature, for example, the racial or ethnic origin of the data subject or the genetic data or biometric data uniquely identifying the data subject.
Health Data
Includes information on the provision of health care services to the individual, which reveals their health status.
Biometric Data
Any personal data relating to the physical, physiological, or behavioural characteristics of an individual which allow their unique identification including facial images or fingerprint data.
Pseudonymisation
The processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, where that additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data is not attributed to an identified or identifiable individual.
Let’s look at the principles of how the Data Controller and Data Processor must process personal data:
1. Lawfulness, fairness and transparency:
Data must be collected for legitimate purposes, and processed lawfully, fairly and in a transparent manner.
2. Purpose limitation:
Personal data collected for a specified purpose(s) must not be further processed in a manner incompatible with that purpose(s).
3. Data minimisation:
Data that are processed must be limited to what is necessary – data must not be held beyond what is needed for the purpose(s) for which they were collected.
4. Accuracy:
Data must be accurate and, where necessary, kept up to date, and steps must be taken to erase or rectify inaccurate data without delay.
5. Storage limitation:
Data must not be kept longer than is necessary for the purpose(s) for which the data are processed.
6. Security:
Appropriate security measures must be implemented to protect the personal data that are held.
By virtue of clause 15 of the Act, both the Data Controller and Data Processor need to be registered with the Data Protection Office and such registration is valid for three years.
As such, from a company perspective, it is important to understand who the decision maker is, who is receiving the data and who is processing it. Once this assessment has been carried out by the appointed Data Protection Officer, the correct form of registration can then be made with the Data Protection Office in Mauritius.
Furthermore, it is important to note that personal data may be processed for the legitimate interests of the controller, unless the processing is not warranted having regard to the harm and prejudice to the rights or interests of the data subject. Hence, the controller must balance their interests against the data subject’s interests.
What rights does a data subject have?
Under the Act, a data subject has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or significantly affects them.
If a data subject has concerns about how his/her data is being processed, the data subject may lodge a complaint with the Data Protection Commissioner, who will thereafter investigate the matter.
What happens if the Act is not adhered to?
In certain circumstances, a breach of the terms of the Act can constitute a criminal offence punishable by a fine, a term of imprisonment, or both.
Key Take-aways
- Assess the company to know which registration is required
- Appoint a Data Protection Officer and ensure that the officer is properly trained and knows his/her responsibilities
- Ensure there’s a Data Protection Policy in place
- Ensure that staff receive ongoing training and that the Data Protection Officer is well trained
- Carry out an internal audit
- Ensure the registration is renewed every 3 years
- Investigate the matter if there is a breach
- Report to the Data Protection Commissioner in the event of a breach for further investigation
- If it is not a breach, report it through a notification letter