Financial Crime World

Botswana’s Data Protection Act: Key Provisions

The Botswana Data Protection Act outlines the key provisions related to personal data processing, including definitions, principles, notification requirements, subject rights, and breach notifications. This article highlights these essential aspects of the Act.

Personal Data Definition

  • The Act defines personal data as any information from which a living individual can be identified.
  • This broad definition encompasses various types of data, such as names, addresses, contact details, and other identifying information.

Data Protection Principles

  • The Act requires that personal data be processed in accordance with six data protection principles:
    • Transparency: Data controllers must clearly communicate how personal data will be used.
    • Lawfulness: Data processing must comply with the law or have a legitimate basis for processing.
    • Fairness: Personal data must not be collected without the consent of the individual or on unfair terms.
    • Storage limitation: Data must only be stored for as long as necessary and in accordance with the purpose for which it was collected.
    • Integrity and confidentiality: Data controllers must implement measures to ensure the security, accuracy, and integrity of personal data.
    • Accountability: Data controllers are responsible for ensuring compliance with these principles.

Notification Requirements

  • Data controllers are required to notify the Commissioner of their processing activities, including:
    • Name and address of the data controller
    • Purpose of the processing
    • Description of the category or categories of personal data

Data Subjects’ Rights

The Act provides several rights for data subjects, including:

  • Right to access: Data subjects have the right to obtain a copy of their personal data.
  • Right to correct: Data subjects can request corrections to their personal data if it is inaccurate or incomplete.
  • Right to erase: Data subjects have the right to request the erasure of their personal data in certain circumstances.
  • Right to restrict processing: Data subjects can request that their personal data be restricted from being processed in specific situations.
  • Right to object to processing: Data subjects have the right to object to the processing of their personal data for direct marketing purposes or on grounds related to their particular situation.
  • Data portability: Data subjects have the right to transfer their personal data from one data controller to another.

Data Protection Impact Assessment (DPIA)

The Act does not provide for DPIAs, which are assessments conducted by data controllers to identify and mitigate potential risks associated with processing personal data.

Data Breach Notification

  • Data controllers are required to notify the Commissioner of any breach of security safeguards of personal data in their custody.
  • This notification must be made within a reasonable time frame after the data controller becomes aware of the breach.

Data Retention

The Act does not specify time frames for data retention, but data controllers must assess data records and delete any data that no longer requires processing.

Children’s Data

Personal data relating to minors is classified as sensitive personal data and requires additional protections.

Special Categories of Personal Data

Sensitive personal data may be processed on specific grounds, including with the data subject’s consent or for national security purposes.

Controller and Processor Contracts

The Act does not require a contract to be in place between a data controller and a processor.