Data registration enforced for churches, unions, 36 others
MBABANE – Religious institutions, insurance providers and trade unions will, as from next month, be expected to pay a certain amount of money in order to be part of the mandatory data protection register.
This follows the issuing by the Eswatini Data Protection Authority (EDPA) of a final decision on the registration of data controllers and data processors, as provided for in the Data Protection Act 2022.
The Act gives the EDPA the mandate to administer and foster compliance with Section 5, which enjoins the commission to maintain a register of all data controllers and data processors.
A list of about 38 entities that need to register is annexed to the notice.
The entities include trade unions, credit bureaus, travel agencies, pension administration and childcare provision.
Also included are entities in sectors such as gambling, genetic data processing, childcare provision, private investigation, credit reference, real estate or property management, and health administration and provision of patient care.
FINANCIAL SERVICES
The list also includes entities involved in sectors such as the provision of financial services, the provision of insurance services and businesses that offer hire purchase.
Businesses that are wholly or mainly engaged in the collection of debts will also be expected to register, and so will those that offer vehicle hire services.
Others are those in tax collection, internet service providers and those that deal with mobile money services.
The decision, according to a notice issued by Eswatini Communications Commission (ESCCOM) Chief Executive Officer (CEO) Mvilawemphi Dlamini, was taken after a public consultation process was conducted on the matter.
The EDPA, according to the notice by the CEO, considered comments received during the consultation period, after which it took the decision which shall come into effect on March 1, 2024.
An expert in the digital space commended ESCCOM for being among the first countries in the Southern African Development Community (SADC) region to enforce the provisions of the legislation that relates to data.
“We now live in a digital world, where data is like money. People can take information about a person and go open credit cards. They can get the credit cards successfully and cause that person to be in serious debt, leading to him or her being blacklisted,” he said.
He mentioned that, since entities had details of people, including their addresses, signatures and identity numbers, such information could be used by criminals to create documents and use them for criminal activities.
“Also, there is a need to protect the health information of people. If data belonging to patients is not protected, it can be leaked,” he mentioned.
Meanwhile, on Friday, January 26, 2024, Eswatini joined the world in commemorating the International Data Protection Day by hosting an event under the theme ‘Take Control of Your Data’.
The Data Protection Day is internationally celebrated each year on January 28, which marks the anniversary of the Council of Europe’s ‘Convention 108’ on the protection of personal information - the first legally binding international law on data protection, which was opened for signature in 1981.
DATA PROTECTION
During the commemoration, the CEO mentioned that data protection concerned mainly individuals (the data subjects) whose personal information was processed by entities in their line of business.
The CEO said many people lacked knowledge about how their personal data was being collected, used and shared.
“It is important to make informed and calculated decisions when sharing your personal data, especially with entities. Your personal data such as age, gender, data related to children, health records, national identity number, financial records, purchase history, location, have great value and may be used for unintended purposes. It is important to keep that in mind when deciding what you share and with whom,” he said.
He mentioned that entities which, in terms of the Act, were data controllers and data processors, on the other hand, needed to make sure that they always kept their customers’ data protected and in accordance with the data protection principles and other applicable legal frameworks on data protection.
“Risk should always be managed, and to create trust, the entities should be transparent on how they are collecting, using, and sharing personal data. A data breach where an individual’s personal data is leaked or accessed by unauthorised persons can lead to a loss, in both reputation and customer trust, in addition to potential financial sanctions which may be imposed by the EDPA,” the CEO emphasised.
The Data Protection Act of 2022 provides for the collection, processing, disclosure and protection of personal data; balancing competing values of personal information privacy and sector-specific laws and other related matters.
The law applies to a data controller or data processor, whether or not domiciled or having its principal place of business in Eswatini, who uses automated or non-automated means in Eswatini for forwarding personal information; and to the processing of personal information performed wholly or partly by automated means.
HOUSEHOLD ACTIVITY
But the law does not apply to the processing of personal information in the course of a purely personal or household activity; and to personal information which has been de-identified to the extent that it cannot be re-identified.
It also does not apply to the processing of personal information by or on behalf of the State where it involves national security and defence of public safety.
Further, it does not apply to the processing of personal information solely for journalistic purposes or the purposes of artistic or literary expression, where the artistic or literary expression is necessary to reconcile the right to privacy with the rules governing freedom of speech.
An individual’s personal information shall be processed if that person provides explicit consent to the processing; or if the processing is necessary for the conclusion or performance of a contract to which the individual is a party.
The information can also be processed if processing is necessary for compliance with a legal obligation, to which the data controller is subject; or if the processing is necessary to protect the legitimate interests of the individual.
Also, the personal information can be processed if processing is necessary for the proper performance of public law duty by a public body; or if the processing is necessary for pursuing the legitimate interests of the data controller or of a third party, to whom the information is supplied.
A person may write to ESCCOM to object to the processing of his or her personal information on the grounds that it does not comply with the conditions spelled out in the new law.
These conditions are that personal information shall be processed and kept in a filing cabinet and/or electronic form.
PERSONAL INFORMATION
Personal information may only be processed if, given the purpose for which it is processed, it is adequate, relevant and not excessive.
Another limitation is that personal data shall only be collected for specified, explicit and legitimate purposes and shall not be further processed in a way incompatible with those purposes.
The prohibition on processing personal information concerning the race of an individual shall not apply if the processing is carried out to identify that particular individual and only when this is essential for that purpose; and to comply with the law.
When it comes to trade unions, the law states: “The prohibition on processing personal information on trade union membership of a data subject, shall not apply to processing by the trade union to which the data subject belongs or the trade union federation to which the trade union belongs, where the processing is necessary to achieve the aims of the trade union or trade union federation.”
It is also stated that the personal information shall not be supplied to third parties without the consent of the concerned union member.