The Data Protection Act was assented to on June 22, 2011, and has partially come into force by Legal Notice No 2 of 2012. The Act provides for the protection of a person's right to privacy. It establishes the right to maintain sensitive personal information as private, confidential and personal, and applies to all individuals and organisations that handle, store or process personal information.
Personal information includes matters such as race, ethnicity, religion, age, marital status, education, medical or employment history, financial transactions, address, fingerprints, and DNA.
General privacy principles
The Act sets out several general privacy principles applicable to all individuals and organisations (public or private). Among these are that information must be collected for a specified purpose; must be accurate, complete and up-to-date; collected, used or disclosed only after consent is given; and collected fairly and legally and limited to what is necessary.
Information must not be kept longer than is necessary; must be secured, adequate, relevant and not excessive; and must not be transferred out of the jurisdiction without consent and adequate protection. Additionally, organisations are responsible for all personal data they collect and must implement policies and practices for the management of such data, particularly sensitive personal information. Individuals also have a right to access their information and challenge any organisation to observe the privacy principles.
Office of the Information Commissioner
The Act also establishes the Office of the Information Commissioner. He or she is responsible for monitoring compliance with the Act; conducting audits and investigations; receiving complaints from the public; receiving representations from organisations or persons accused of breaches; authorising the collection of personal data other than directly from the individual; making orders; publishing guidelines on industry codes of conduct; and providing advice on privacy and data protection issues.
Private & public sectors
There are specific rules relating to protection of data in the private and public sectors, but most of the provisions are similar. For example, both public and private organisations and their employees must comply with the general privacy principles above. Additionally, there are specific procedures to be followed for cross-border data flows, the right of access to one's own personal information, and the processing of sensitive personal information. In the private sector, the Information Commissioner must oversee and approve voluntary or mandatory industry or sector-specific codes of conduct prior to their use. Directors and officers of a company also have a duty of care in ensuring compliance with the Act.
Offences & penalties
The Act creates several offences. For example, it is an offence to wilfully disclose personal information in contravention of the Act. The penalties for these offences include fines of up to $100,000 or up to five years' imprisonment for individuals, and fines of up to ten per cent (10%) of the annual returns for companies.
This column is not legal advice. If you have a legal problem, you should consult a legal advisor.