DRAFT OF DATA PROTECTION ACT 2013_ 28 October 2013.doc
8/10/2019 DRAFT OF DATA PROTECTION ACT 2013_ 28 October 2013.doc
1/64
UNITED REPUBLIC OF TANZANIA
MINISTRY OF COMMUNICATIONS, SCIENCE AND TECHNOLOGY
DATA PROTECTION BILL, 2013
Draft of Data Protection Bill, 2013
Arrangement of Sections
PART I
PRELIMINARY
Section Title
1 Short Title
2 Commencement
3 Objective of the Act
4 Interpretation
5 Savings
PART II
COLLECTION, USE, DISCLOSURE AND RETENTION OF PERSONAL INFORMATION
6 Collection of personal information
7 Source and notification of personal information
8 Accuracy of personal information to be checked before use
9 Limits on use of personal information
10 Limits on disclosure of personal information
11 Condition for use or disclosure of personal information
12 Storage and security of personal information
13 Retention and disposal of personal information
14 Correction of personal information
15 Data Controller to ensure compliance
16 Processing of Sensitive Personal Information
17 Limitations to accommodate national laws
18 Commissioner to order exceptions
19 Commission to set conditions for processing sensitive personal information
PART III
DATA PROTECTION COMMISSIONER
20 Office of Data Protection Commissioner
21 Tenure of Office
22 Qualifications for appointment
23 Functions of the Commissioner
24 Restriction on employment
25 Filling of vacancy
26 Staff and Funds
PART IV
REGISTER OF DATA CONTROLLERS AND INFORMATION BUREAU
27 Register of Data Controllers and Information bureau
28 Application for registration or amendment
29 Acceptance or Refusal
30 Duration and renewal
31 Inspection
32 Deregistration
PART V
INVESTIGATION OF COMPLAINTS
33 Receipt and investigation of complaints
34 Mode of complaint
35 Notice of investigation
36 Commissioner to make Regulations for investigation procedures
37 Investigations Confidentiality
38 Powers of Commissioner in carrying out investigations
39 Findings and recommendations of Commissioner
40 Review of compliance with the Act
41 Report to Parliament
42 Security requirements
43 Confidentiality
44 Protection from criminal or civil proceedings
PART VI
MISCELLANEOUS
45 Data Protection Officers and Data Processors
46 Data Controller Direction
47 Proceedings where disclosure was in good faith
48 Regulations
49 Code of Conduct
50 Whistle blowing
PART VII
TRANSBORDER DATA FLOW
51 Transfer to a state with adequate data protection framework
52 Transfer to a state that does not have adequate protection for data protection
SCHEDULE I
RIGHTS OF DATA SUBJECTS
SCHEDULE II
EXCEPTIONS TO DATA PROCESSING PRINCIPLES
1 National security
2 Crime and taxation
3 Health and social work
4 Regulation of financial services etc
5 Appointment and professional privilege
6 Payrolls and Accounts
7 Other exemptions
SCHEDULE III
SANCTIONS
NOTICE
This Bill to be submitted to the National Assembly is published for general information to the public together with a statement of its objects and reasons.
Dar es Salaam,
2013 Secretary to the Cabinet
A BILL
for
A Bill for an Act to promote the protection of personal information processed by public and private bodies to introduce information protection principles so as to establish minimum requirements for the processing of personal information and to provide for matters connected therewith.
(To be enacted by the Parliament)
PART I
PRELIMINARY
Short title
1. This Act may be cited as the Data Protection Act, 2013.
Commencement
2. This Act shall come into operation on a day to be appointed by the Minister, by order published in the Gazette.
Object of the Act
3. The object of this Act is to make provision for the protection of personal information, collection, holding, use, correction and disclosure of personal information in a manner that recognizes the right of privacy of individuals with respect to their personal information.
Interpretation
4. In this Act -
her judicial or legally appointed representative accepts that his/her personal information be processed
(a) information relating to the race, national or ethnic origin, religion, age or marital status of the individual;
(b) information relating to the education or the medical, criminal or employment history of the individual or information relating to financial transactions in which the individual has been involved;
(c) any identifying number, symbol or other particular assigned to the individual;
(d) the address, fingerprints or blood type of the individual;
(e) the name of the individual where it appears with other personal information relating to the individual or where the disclosure of the name itself would reveal information about the individual;
(f) correspondence sent to a data controller by the individual that is explicitly or implicitly of a private or confidential nature, and replies to such correspondence that would reveal the contents of the original correspondence; and
(g) the views or opinions of any other person about the individual
personal information for which a data controller is responsible is disclosed
the prosecution of offenders or the execution of sentences or security measures, to the extent that adequate safeguards have been established in specific legislation for the protection of the relevant personal information;
(c) for exclusively journalistic purposes by responsible parties who are subject to, by virtue of office, employment or profession, a code of ethics that provides adequate safeguards for the protection of personal information;
(d) relating to the judicial functions and procedures of a court and the powers of the judiciary; and
(e) by public bodies that are exempted from the application of the data protection principles in terms of regulations made by the Minister.
(4) This law is applicable
(a) This Act is applicable to any processing of personal information performed wholly or partly by automated means
(b) to the processing of personal information carried out in the context of the effective and actual activities of any controller domiciled in Tanzania or in a territory where Tanzanian law applies by virtue of international public law; and
(c) to the processing of personal information by a controller who is not domiciled in Tanzania, if the processing of the personal information is in Tanzania and such processing is not for the purposes of mere transit of personal information through Tanzania.
(6) In the circumstances referred in Subsection 4(b), the controller shall designate a representative, who shall be the data controller's representative, for the purposes of compliance with this Act, without prejudice to the obligations of the controller under this Act or legal proceedings that may be brought against the controller.
PART II
COLLECTION, USE, DISCLOSURE AND RETENTION OF PERSONAL DATA
Collection of personal data
6(1) A data controller shall not collect personal data unless-
(a) the information is collected for a lawful purpose directly related to a function or activity of the data controller; and
(b) the collection of the data is necessary for, or directly related to, that purpose.
(2) A data controller shall not collect personal data-
(a) by unlawful means; or
(b) by means that, in the circumstances
(i) are unauthorised; or
(ii) intrude to an unreasonable extent upon the privacy of the data subject concerned.
Source and notification of personal information
7(1) A data controller shall, subject to subsection (3), collect personal information directly from the data subject concerned.
(2) At or before the time, or if that is not practicable, as soon as practicable after, a data controller collects personal information under subsection (1), the data controller shall take such steps as are, in the circumstances, reasonable to ensure that the data subject concerned is aware of -
(a) the purposes for which the information is being collected;
(b) the fact that the collection of the information is for authorized purposes, purposes authorized in law; and
(c) the intended recipients of the information.
(3) A data controller is not obliged to comply with subsection (1) where -
(a) the information is publicly available;
(b) the data subject concerned authorises the collection of the information from third party; or
(c) non-compliance will not prejudice the interests of the data subject concerned in the reasonable expectation of the data controller and compliance is not reasonably practicable in the circumstances of the particular case
(d) non-compliance is necessary -
(i) for the prevention, detection, investigation, prosecution or punishment of any offence or breach of law;
(ii) for the enforcement of a law imposing a pecuniary penalty;
(iii) for the protection of public revenue;
(iv) for the preparation for, or conduct of, proceedings before any court or tribunal, or implementation of the orders of a court or tribunal; or
(v) in the interests of national security, national defence or international relations related to international security or defence; or
(e) compliance would prejudice the lawful purpose of the collection.
Accuracy of personal information to be checked before use
8. Where data controller holds personal information, having regard to the purpose for which the information is proposed to be used, it shall not use that information without taking such steps as are, in the circumstances, reasonable to ensure that, the information is complete, accurate, up to date, relevant and not misleading.
Limits on use of personal information
9. Subject to section 12, where data controller holds personal information that was collected in connection with a particular purpose, it shall not use that information for any other purpose unless -
(a) the individual concerned authorizes the use of the information for that other purpose(s);
(b) use of the information for that other purpose is authorized or required by or under law;
(c) the purpose for which the information is used is directly related to the purpose for which the information was collected;
(d) the information is used -
(i) in a form in which the individual concerned is not identified; or
(ii) for statistical or research purposes and will not be published in a form that could reasonably be expected to identify the individual concerned;
(e) the data controller believes on reasonable grounds that use of the information for that other purpose is necessary to prevent or lessen a serious and imminent threat to the life or health of the individual concerned or other person, or to public health or safety; or
(f) use of the information for that other purpose is necessary -
(i) for the prevention, detection, investigation, prosecution or punishment of any offence or breach of law;
(ii) for the enforcement of a law imposing a pecuniary penalty;
(iii) for the protection of public revenue;
(iv) for the preparation for, or conduct of, proceedings before any court or tribunal, or implementation of the orders of a court or tribunal; or
(v) in the interests of national security, national defence or international relations.
Limits on disclosure of personal information
10(1) Subject to section 12, where data controller holds personal information, it shall not disclose the information to a person, body or agency, other than the data subject concerned, unless -
(a) the data subject concerned has expressly or implicitly consented to the disclosure;
(b) the disclosure of the information is required or authorised by or under law;
(c) the disclosure of the information is one of the purposes in connection with which the information was collected, or is directly connected to that purpose;
(d) the data subject concerned is reasonably likely to have been aware or made aware under section 7(2)(c) that information of that nature is ordinarily passed on to that person, body or agency;
(e) the information is to be disclosed -
(i) in a form in which the data subject concerned is not identified; or
(ii) for statistical or research purposes and will not be published in a form that could reasonably be expected to identify the data subject concerned; or
(f) the data controller believes on reasonable grounds that disclosure of the information is necessary -
(i) to prevent or lessen a serious and imminent threat to the life or health of the individual concerned or other person, or to public health or safety;
(ii) for the prevention, detection, investigation, prosecution or punishment of any offence or breach of law;
(iii) the enforcement of a law imposing a pecuniary penalty;
(iv) the protection of public revenue;
(v) the preparation for, or conduct of, proceedings before any court or tribunal, or implementation of the orders of a court or tribunal; or
(vi) in the interests of national security, defence or international relations.
(2) Any person, body or agency including a third party processor to whom personal information is disclosed under subsection (1) shall not use or disclose the information for a purpose other than the purpose for which the information was given to that person, body or agency.
Condition for use or disclosure of personal information
11(1) A data controller shall only use or disclose personal information under section 9 or section 10, where such use or disclosure would not amount to an unreasonable invasion of privacy of the data subject concerned, taking into account the specific nature of the personal information and the specific purpose for which it is to be so used or disclosed.
Storage and security of personal information
12. Where the data controller holds personal information, he shall ensure that-
(a) the information is protected, by such security safeguards as is reasonable in the circumstances to take, against loss, unauthorized access, use, modification or disclosure, and against other misuse; and
(b) where it is necessary for the information to be given to a data processor or other recipient in connection with the provision of a service to the data subject, everything reasonably within the power of the data controller is done to prevent unauthorized use or disclosure of the information.
Retention and disposal of personal information
13(1) Where a data controller uses personal information for a specified purpose including an administrative purpose, it shall retain the information for such period of time as may be prescribed by regulation in order to ensure that the data subject concerned has a reasonable opportunity to obtain access to the information.
(2) Subject to subsection (1) the Minister shall prescribe by regulation, guidelines for the retention and disposal of personal information held by a data controller in accordance with the purpose of retention.
Correction of personal information (public authority)
14(1) Where a document of a public authority to which access has been given under any enactment, contains personal information of a data subject and that person claims that the information-
(a) is incomplete, incorrect or misleading; or
(b) not relevant to the purpose for which the document is held,
the public authority may, subject to subsection (2), on the application of the data subject, amend the information upon being satisfied of the claim.
(2) An application under subsection (1) shall-
(a) be in writing; and
(b) as far as practicable, specify-
(i) the document or official document containing the record of personal information that is claimed to require amendment;
(ii) the information that is claimed to be incomplete, incorrect or misleading;
(iii) whether the information is claimed to be incomplete, incorrect or misleading;
(iv) the applicant's reasons for so claiming; and
(v) the amendment requested by the applicant.
(3) To the extent that it is practicable to do so, the public authority shall, when making any amendment under this section to personal information in a document, ensure that it does not permanently delete the record of the text of the document as it existed prior to the amendment.
(4) Where a public authority is not satisfied with the reasons for an application under subsection (1), it may refuse to make any amendment to the information and inform the data subject applicant of its refusal together with its reasons for so doing.
(5) The public authority may opt an application under subsection (1) to be in a data message or electronic form depending on agreement between such authority and that data subject.
Data Controller to ensure compliance
15(1) It shall be the responsibility of the data controller to ensure that, the data controller, the data controller's representative or the data protection officers or any other persons working under the authority of the data controller including any employee or subcontractor and the data processor to ensure compliance to the requirements of this Act.
Processing of Sensitive Personal Information
16(1)
(a) The processing of sensitive personal information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, affiliation, trade-union membership, the gender and the processing of data concerning sex life as well as any personal information which are considered by the Tanzanian law as presenting a major risk to the rights and interests of the data subject, in particular unlawful or arbitrary discrimination, and where processed for what they reveal or contain, is prohibited unless the data subject has given his consent in writing for such processing of personal information subject to a limitation of such consent where the law does not permit that the prohibition is able to be removed with the written consent of the data subject.
(b) The consent referred to in (1)(a) above can be withdrawn by the data subject at any time and without any explanation or charges.
(c) The Commissioner may determine the cases in which the prohibition to process the data referred to in this section cannot be removed even with the data subject's consent.
(d) Where the data subject from whom consent is sought for the purpose of this Act, is a minor, a person of unsound mind or any other person unable to consent, such person's consent shall be sought from his parents, guardian, heirs, attorneys or any other person recognized by law to be acting on behalf of the person whose consent is to be sought.
(2) Sub Section (1) above shall not apply where
(a) the processing is necessary to carry out the obligations and specific rights of the controller in the field of employment law; or
(b) the processing is necessary to protect the vital interests of the data subject or of another person, where the data subject is physically or legally incapable of giving his/her consent or is not represented by his/her legal, judicial or agreed representative; or
(c) the processing is carried out in the course of its legitimate activities by a foundation, association or any other non-profit organization with a political, philosophical, religious, health-insurance or trade-union aim and on condition that the processing relates solely to the members of the organization or to persons who have regular contact with it in connection with its purposes and that the data is not disclosed to a third party without the data subjects' consent; or
(d) the processing is necessary to comply with social security laws; or
(e) the processing is necessary, with appropriate guaranties, for the establishment, exercise or defense of legal claims; or
(f) the processing relates to data which has apparently been made public by the data subject; or
(g) the processing is necessary for the purposes of scientific research and the Commissioner shall has specified the conditions under which such processing may be carried out; or
(h) the processing is carried out according to the legislation on public statistics; or
(i) the processing is necessary for the purposes of preventive medicine or medical diagnosis, the provision of care or treatment to the data subject or one of his/her relatives, or the management of health-care services provided in the interest of the data subject, and the sensitive personal information concerned, is processed under the supervision of a health professional in accordance with the legislation governing such health care services; or
(j) the processing of personal information referred is authorized by a law or any equivalent legislative act for another reason of substantial public interest; or
(k) the processing is carried out by associations with a legal personality or
organizations of public interest whose main objective is the protection and
(l) promotion of human rights and fundamental freedoms, with a view to achieving that objective, provided that the processing has been authorized by the Commission.
Limitations to accommodate national laws
17(1) The Minister may make regulations to limit the application of the provisions of this Act when such limitation is necessary to
(a) preserve national security;
(b) preserve public safety (including the economic well-being or interest of the country) when the processing operation relates to State security matters;
(c) the prevention, investigation, or proof of criminal offences, the prosecution of offenders or the execution of criminal sentences or security measures or violation to professional codes of conduct in the case of the legal profession
(d) a monitoring, inspection or regulatory task connected with the exercise of official duties in the cases referred to in this Section
(e) the processing of personal data carried out for the sole purpose of
(i) literary and artistic expression;
(ii) professional journalism, according to the ethical rules of this profession.
(2) The regulations pursuant to Subsection (1) shall not prevent the application of provisions of the Civil Procedure Code, the Criminal Procedure Code, the laws relating to the media and any other laws that provide for the conditions of the exercise of the right of reply and that prevent, limit, compensate and, if necessary, sanction violations of privacy and attacks on the reputation of individuals.
Exceptions to processing of sensitive data
18. Pursuant to the provisions of this Act, exceptions to the prohibitions on the processing of sensitive personal information shall be as contained in Schedule II to this Act.
Commission to set conditions for processing sensitive personal information
19. The Commission shall set conditions to be met for any processing of sensitive personal information authorized by order of the Commissioner.
PART III
OFFICE OF DATA PROTECTION COMMISSIONER
Office of Data Protection Commissioner
20(1) For the purposes of this Act, there is hereby established the office of the Data Protection Commissioner which shall be an independent body for ensuring that processing of personal data in private and public spheres adhere to the provisions of this Act.
(2) The Commissioner shall be appointed by the President upon the recommendation of the Minister, subject to such terms and conditions as may be specified in the
instrument of appointment.
Tenure of office
21(1) The Commissioner shall hold office for a period of five years and shall, at the expiration of such period, be eligible for reappointment subject to a limitation to two consecutive terms of office.
(2) A person appointed as Commissioner may resign from office by writing under his hand addressed to the President.
(3) The Commissioner may be removed from office for inability to discharge the functions of office under this Act or for misconduct.
Qualifications for appointment
22(1) No person shall be qualified for appointment to the office of Data Protection Commissioner if that person-
(a) is a Member of Parliament;
(b) is a member of a local government authority;
(c) is an insolvent;
(d) has at any time been convicted of any offence involving dishonesty or moral turpitude;
(e) has less than an aggregate of 10 years of work experience in the public service; or
(f) does not possess qualifications and skills commensurate with the responsibilities and functions of the Commissioner.
(2) The Commissioner shall vacate office if any circumstances arise that, if he were not a Commissioner, would cause him to be disqualified for appointment as such, by virtue of subsection (1) of this section.
Functions of the Commissioner
23(1) The functions of the Commissioner shall be -
(a) to monitor compliance by data controllers of the provisions of this Act;
(b) to provide advice to data controllers on their obligations under the provisions, and generally on the operation, of this Act;
(c) to receive and investigate complaints about alleged violations of the protection of personal information and information privacy of persons and in respect thereof may make reports to complainants;
(d) to inquire generally into any matter, including any enactment or law, or any practice, or procedure, whether governmental or non-governmental, or any technical development, if it appears to the Commissioner that the protection of personal information and information privacy of the individual is being, or may be, infringed thereby;
(e) for the purpose of promoting the protection of individual privacy, particularly
information privacy, to undertake educational programmes on the Commissioner's behalf or in co-operation with other persons or authorities acting on behalf of the Commissioner;
(f) to make public statements in relation to any matter affecting the information privacy of the individual or of any class of individuals;
(g) to receive and invite representations from members of the public on any matter affecting the information privacy of the individual;
(h) to consult and co-operate with other persons and bodies concerned with the information privacy of the individual;
(i) to make suggestions to any person in relation to any matter that concerns the need for, or the desirability of, action by that person in the interests of the information privacy of the individual;
(j) to undertake research into, and to monitor developments in, data processing and computer technology to ensure that any adverse effects of such developments on the information privacy of individuals are minimized, and to report to the Minister the results of such research and monitoring;
(k) to examine any proposed legislation (including subsidiary legislation) or proposed policy of the Government that the Commissioner considers may affect the information privacy of individuals, and to report to the Minister the results of that examination;
(l) to report (with or without request) to the Minister from time to time on any matter affecting the privacy of the individual, including the need for, or desirability of, taking legislative, administrative, or other action to give protection or better protection to the information privacy of the individual;
(m) to report to the Minister from time to time on the desirability of the acceptance, of any international instrument relating to the data protection and information privacy of the individual;
(n) to gather such information as in the Commissioner's opinion will assist the Commissioner in discharging the duties and performing the functions of the Commissioner under this Act;
(o) to do anything incidental or conducive to the performance of any of the preceding functions;
(p) to exercise and perform such other functions, powers, and duties as are conferred or imposed on the Commissioner by or under this Act or any other enactment;
(q) pronounce administrative sanctions as permitted by the Act or ancillary regulations in the case of violation of the provisions of this law;
(r) create, maintain and update the register which shall be accessible to any person who requests access in accordance with this Act;
(s) receive notifications required in terms of this Act including notifications from data controllers and notifications of security breaches;
Restriction on employment
24. A person appointed as a Commissioner shall be a full-time officer and shall not be employed in any other capacity during any period in which the person holds office as a Commissioner.
Filling of vacancy of the Commissioner's post
25(1) Where-
(a) a vacancy arises in the office of the Commissioner; or
(b) by reason of illness, absence from the country or other sufficient cause, a person appointed as a Commissioner is unable to perform his or her functions under this Act,
the President may, upon the recommendation of the Minister, appoint a suitable person to act in that office or perform those functions, as the case may be.
(2) The Parliament shall arrange annually, for the use of the Commissioner, such sums of money as may be necessary for the proper exercise, performance and discharge, by the Commissioner, of his powers, duties and functions under this Act.
(3) The Commissioner shall, additionally collect funds from fees and fines from sanctions pronounced against breach of provisions of this Act by data controllers pursuant to this Act.
Staff and funds
26(1) There shall be appointed such officers and employees as may be necessary to enable the Privacy Commissioner to discharge the duties and perform the functions of such Commissioner under this Act.
(2) Parliament shall appropriate annually, for the use of the Commissioner, such sums of money as may be necessary for the proper exercise, performance and discharge, by the Commissioner, of his powers, duties and functions under this Act.
(3) The Commissioner shall additionally collect the financial sanctions pronounced against data controllers pursuant to this Act.
PART IV
REGISTER OF DATA CONTROLLERS AND INFORMATION BUREAUS
purposes
(3) A registered person may at any time apply to the Commissioner for the alteration of any particulars included in the entry or entries relating to that person.
(4) Where the alteration would consist of the addition of a purpose for which personal information are to be held, the person may, instead of making an application under subsection (3), make a fresh application for registration in respect of the additional purpose.
(5) A registered person shall make an application under subsection (3) whenever necessary for ensuring that the entry or entries relating to that person are current and accurate.
Acceptance or refusal
29 (1) Subject to this section the Commissioner shall, as soon as practicable and in any case within the period of three months after receiving an application for registration or for the alteration of registered particulars, notify the applicant in writing whether his application has been accepted or refused; and where the Commissioner notifies an applicant that his application has been accepted, the notification shall state-
(a) the particulars entered in the register, or the alteration made; and
(b) the date on which the particulars were entered or the alteration was made.
(2) The Commissioner shall not refuse an application meeting with formalities specified in this Act unless the Commissioner
(a) considers that the particulars proposed for registration or, as the case may be, the particulars that would result from the proposed alteration, will not give sufficient information as to the matters to which they relate; or
(b) is satisfied that the applicant is likely to contravene any of the data protection principles of this Act; or
(c) considers that the information available to him is insufficient to satisfy him that the applicant is unlikely to contravene any of those principles.
(3) Subsection (2)(a) shall not be construed as precluding the acceptance by the Commissioner of particulars expressed in general terms in cases where that is appropriate, and the Commissioner shall accept particulars expressed in such terms in any case in which he is satisfied that more specific particulars would be likely to prejudice the purpose or purposes for which the data are to be held.
Duration and renewal
30 (1) No entry shall be retained in the register after the expiration of the initial period of registration except in pursuance of a renewal application made to the Commissioner in accordance with this section.
(2) Subject to subsection (1), the initial period of registration and the period for which an entry is to be retained in pursuance of a renewal shall be a period five years beginning with the date on which the entry in question was made or, as the case may be, the date on which that entry would fall to be removed if the application had not been made.
(3) Where the Commissioner notifies an applicant for registration that his application has been accepted, the notification shall state the date when the initial period of registration will expire.
(4) Any person who, in connection with a renewal application, knowingly or
recklessly furnishes the Commissioner with information which is false or misleading in a material respect shall be guilty of an offence.
(5) Every renewal application shall be accompanied by the prescribed fee and no such application shall be made except in the period of 6 months ending with the expiration of
(a) the initial period of registration; or
(b) if there have been one or more previous renewal applications, the current renewal period.
(6) Where a person making a renewal application notifies the Commissioner in writing that no alteration of registered particulars is sought, no further particulars may be necessary in support of the application.
(7) Without prejudice to the foregoing provisions of this section, the Commissioner may at any time remove an entry from the register at the request of the person to whom the entry relates.
Inspection of registered particulars
31 (1) The Commissioner shall provide facilities for making the information contained in the entries in the register available for inspection (in visible and legible form) by members of the public at all reasonable hours on payment of such fee if any as may be prescribed.
(2) The Commissioner shall, on payment of such fee, if any, as may be prescribed, supply any member of the public with a copy in writing of the particulars contained in the entry made in the register in pursuance of any application for registration.
Deregistration
32 (1) If the Commissioner is satisfied that a registered person has contravened or is contravening any of the data protection principles, the Commissioner may
(a) serve the person with a de-registration notice stating that the Commissioner proposes, at the expiration of such period as is specified in the notice, to remove from the register all or any of the particulars constituting the entry or any of the entries contained in the register in respect of that person; and
(b) subject to the provisions of this section, remove those particulars from the register at the expiration of that period.
(2) Subject to subsection (1), the period specified in a deregistration notice shall not expire before the end of the period within which an appeal can be brought against the notice and, if such an appeal is brought, the particulars shall not be removed pending the determination or withdrawal of the appeal.
(3) If by reason of special circumstances the Commissioner considers that any particulars should be removed from the register as a matter of urgency he may include a statement to that effect in the de-registration notice; and in that event subsection (4) shall not apply and the particulars shall be removed immediately.
(4) The Commissioner may cancel a de-registration notice by written notification to the person on whom it was served.
(5) In deciding whether to serve a de-registration notice the Commissioner shall consider whether the contravention has caused or is likely to cause any person damage or distress, and the Commissioner shall not serve such a notice unless he is satisfied that compliance with the principle or principles in question cannot be adequately secured by the service of an enforcement notice.
(6) A de-registration notice shall contain a statement of the principle or principles which the Commissioner is satisfied have been or are being contravened and the reasons for reaching that conclusion;
PART V
INVESTIGATION OF COMPLAINTS
Receipt and investigation of complaints
33 (1) Subject to this Act, the Commissioner shall receive and investigate a complaint from any person in respect of any matter relating to-
(a) the collection, retention or disposal of personal information by a data controller; or
(b) the use or disclosure of personal information held by a data controller;
(2) Nothing in this Act precludes the Commissioner from receiving and investigating complaints of a nature described in subsection (1) that are submitted by a person authorized by the complainant to act on behalf of the complainant, and a reference to a complainant in any other section includes a reference to a person so authorized.
(3) Where the Commissioner is satisfied that there are reasonable grounds to investigate a matter under this Act, the Commissioner may initiate a complaint in respect thereof.
Mode of complaint
34 (1) A complaint under this Act shall be made to the Commissioner in writing unless the Commissioner authorizes otherwise.
(2) The Commissioner shall give such reasonable assistance as is necessary in the circumstances to enable any person who wishes to make a complaint to the Commissioner, to put the complaint in writing.
Notice of investigation
35 Before commencing an investigation of a complaint under this Act, the Commissioner shall notify the chief executive officer of the data controller concerned of the intention to carry out the investigation and shall inform the chief executive officer of the substance of the complaint.
Commissioner to make Regulations for procedure
36 Subject to the provisions of this Act, the Commissioner may make regulations to determine procedures to be followed in the discharge of any duty or the performance of any function of the Commission under this Act.
Investigation Confidentiality
37 (1) Every investigation of a complaint under this Act shall be conducted confidentially.
(2) In the course of an investigation of a complaint under this Act by the Commissioner, the person who made the complaint and the chief executive officer of the data controller concerned shall be given an opportunity to make representations to the Commissioner, but no one shall be deemed entitled as of right to be present during, to have access to, or to comment on, representations made to the Commissioner by any other person.
Powers of Commissioner in carrying out investigations
38 (1) The Commissioner has, in relation to carrying out of the investigation of any complaint under this Act, power -
(a) to summon and enforce the appearance of persons before the Commissioner and compel them to give oral or written evidence on oath and to produce such documents and things as the Commissioner deems requisite to the full investigation and consideration of the complaint;
(b) to receive and accept such evidence and other information, whether on oath or by affidavit or otherwise, as the Commissioner sees fit, whether or not the evidence or information is or would be admissible in a court of law;
(d) to enter any premises occupied by any data controller on satisfying security requirements of the premises;
(e) to interrogate any person in any premises entered pursuant to paragraph (d) and otherwise carry out therein such inquiries within the power of the Commissioner under this Act as the Commissioner sees fit; and
(f) to examine or obtain copies of or extracts from books or other records found in any premises entered pursuant to paragraph (d) containing any matter relevant to the investigation.
(2) Notwithstanding any other Act of Parliament or any privilege under the law of evidence, the Commissioner may, during the investigation of any complaint under this Act, examine any information recorded in any form held by a public authority and no information shall be withheld from the Commissioner on any grounds.
(3) Any document or articles produced pursuant to this section by any person or data controller shall be returned by the Commissioner within ten days after a request is made to the Commissioner by that person or controller, but nothing in this subsection precludes the Commissioner from again requiring its production in accordance with this section.
Findings and recommendations of the Commissioner
39 (1) If, on investigating a complaint under this Act in recommendations in respect of personal information, the Commissioner finds that the complaint is well-founded, the Commissioner shall provide the chief executive officer of the data controller that has control of the personal information with a report containing-
(a) the findings of the investigation and any recommendations that the Commissioner considers appropriate; and
(b) where appropriate, an order that, within a time specified therein, notice be given to the Commissioner of any action taken or proposed to be taken to implement the recommendations contained in the report or reasons why no such action has been or is proposed to be taken.
(2) The Commissioner shall, after investigating a complaint under this Act, report to the complainant the results of the investigation, but where a notice has been requested under paragraph (1)(b), no report shall be made under this subsection until the expiration of the time within which the notice is to be given to the Commissioner.
(3) Where a notice has been requested under paragraph (1)(b) but no such notice is received by the Commissioner within the time specified thereof or the action described in the notice is, in the opinion of the Commissioner, inadequate or inappropriate or will not be taken in a reasonable time, the Commissioner shall so advise the complainant in his report under subsection (2) and may include in the report such comments on the matter as he thinks fit.
Review of compliance with Act
40 (1) The Commissioner may, from time to time at his discretion, carry out an investigation in respect of personal information under the control of a data controller to ensure compliance with this Act.
(2) If, following an investigation under subsection (1), the Commissioner considers that a data controller has not complied with this Act, the Commissioner shall provide the chief executive officer of the controller with a report containing the findings of the investigation and any recommendations that the Commissioner considers appropriate.
(3) Any report made by the Commissioner under subsection (2) may be included in a report made to the Parliament pursuant to this Act.
Report to Parliament
41 The Commissioner shall, as soon as practicable after the thirty-first day of December of each year, prepare a report on the activities of the office during that year and cause a copy of the report to be laid before Parliament.
Security requirements
42 The Commissioner and every person acting on behalf or under the direction of the Commissioner who receives or obtains information relating to any investigation under this Act or any other Act of Parliament shall, with respect to the use of that information, satisfy any security requirements applicable to, and take any oath of secrecy required to be taken by, persons who normally have access to and use of that information.
Confidentiality
43 Subject to this Act, the Commissioner and every person acting on behalf or under the direction of the Commissioner shall not make any unauthorized disclosures of information that comes to their knowledge in carrying out duties and performing functions under this Act.
Protection from criminal or civil proceedings
44 (1) No criminal or civil proceedings shall be instituted against the Commissioner, or any person acting on behalf or under the direction of the Commissioner, for anything done, reported or said in good faith in the course of the exercise or performance or purported exercise, discharge, or performance of any power, duty or function of the Commissioner under this Act.
(2) For the purposes of any law relating to libel or slander,
(a) anything said, any information supplied or any document or thing produced in good faith in the course of an investigation carried out by or on behalf of the Commissioner under this Act is privileged; and
PART VI
MISCELLANEOUS
Data Protection Officers and Data Processors
45 The head of a data controller may, subject to this Act, by order, designate one or more officers or employees to be Data Protection Officers of that controller to exercise, discharge or perform any of the power, duties or functions of the head of the data controller under this Act that are specified in the order.
Data Controller Instructions
46 Any person having access to the personal information and acting under the authority of the controller or of the data processor, as well as the data processor himself/herself, may process personal information only as instructed by the controller, without prejudice to any duty imposed by law.
Proceedings where disclosure was in good faith
47 In any civil or criminal proceedings against a data controller for the disclosure of any personal information to the Commissioner or to a data subject, or for any consequences that flow from that disclosure, such disclosure shall be deemed to have been made in good faith.
Power of the Minister to make Regulations
48 (1) The Minister may make regulations for giving effect to the purpose of this Act and for prescribing anything required or authorized by this Act to be prescribed.
(2) Notwithstanding the generality of subsection (1), regulations made under this section may prescribe -
(a) The guidelines for the disposal of personal information held by a data controller;
(b) The duties of the data protection officer when acting in the capacity as such for and on behalf of a data controller;
(c) The duties of the data controller's representative when acting in the capacity as such for and on behalf of the data controller; and
(d) Sanctions that apply to offences and violations of the Act.
(3)
Code of Conduct
49 (1) The Commissioner shall order data controllers to draw up of codes of conduct intended to contribute to the proper implementation of this Act taking account of the specific features of the various industry sectors the relevant data controllers.
(2) Such codes shall be submitted to the Commissioner for consideration.
(3) The Commissioner shall ascertain, among other things, whether the drafts
submitted to it are in accordance with the national provisions adopted pursuant to this law and legitimate industry sector and where it sees fit, seek the views of data subjects or their representatives and consult with the data controller(s) and relevant industries for the purposes of ascertaining necessary revisions prior to the approval of the code of conduct by publication in the Gazette.
Whistle blowing
50 (1) The Commissioner shall establish rules giving the authorization for and governing the whistle blowing system.
(2) The governing whistle blowing pursuant to subsection (1) shall preserve
(a) the principles of fairness, lawfulness and purpose of the processing;
(b) the principles related to the proportionality as the limitation of the scope, accuracy of the data which will be processed;
(c) the principle of openness with delivering an adequate collective and individual information on
(i) the scope and purpose of the whistle blowing;
(ii) the processing of reporting;
(iii) the consequences of the justified and unjustified reporting;
(iv) the way of exercising the rights of access, to rectification, deletion as well as the competent authority to which a request can be made;
(v) the third party which may receive personal data concerning the informer and the person who is implicated in the scope of the processing of the reporting.
(d) the technical and organizational rules;
(e) rules concerning the rights of the data subject by making clear that the right of access doesn't allow to access to personal data linked to a third person without his/her express and written consent;
(f) the rules of notification to the Authority;
PART VII
TRANSBORDER DATA FLOW
Transfer to a state with adequate data protection framework
51 (1) The Commissioner may, subject to the provisions of this Act, prohibit the transfer of personal data from the State to a place outside the State.
(2) Personal information shall only be transferred to recipient country that has a legal framework that provides for adequate data protection, provided that-
(a) the recipient establishes that the data is necessary for the performance of a task carried out in the public interest or pursuant to the lawful functions of a data controller, or
(b) the recipient establishes the necessity of having the data transferred and there is no reason to assume that the data subject's legitimate interests might be prejudiced by the transfer or the processing in the recipient country.
(3) The controller shall, notwithstanding (2) above, be required to make a provisional evaluation of the necessity for the transfer of the data.
(4) The recipient shall ensure that the necessity for the transfer of the data can be subsequently verified.
(5) The data controller shall ensure that the recipient shall process the personal information only for the purposes for which they were transferred.
Transfer to a state that does not have adequate data protection framework
52 (1) Personal information shall only be transferred to recipients states, other than those referred to in Section 50, if an adequate level of protection is ensured in the country of the recipient and the data is transferred solely to permit processing otherwise authorised to be undertaken by the controller.
(2) The adequacy of the level of protection afforded by the relevant third country in question shall be assessed in the light of all the circumstances surrounding the relevant data transfer(s), particular consideration shall be given to the nature of the data, the purpose and duration of the proposed processing, the recipient's country, the relevant laws in force in the third country and the professional rules and security measures which are complied with in that recipient's country.
(3) The Commissioner shall establish the categories of processing for
which and the circumstances in which the transfer of personal information to countries outside Tanzania is not authorized.
(4) By way of derogation from (3) above, a transfer or a set of transfers of personal information to a recipient in a country outside Tanzania or a country which does not ensure an adequate level of protection may take place in one of the following cases
(a) the data subject has unambiguously given his/her consent to the proposed transfer;
(b) the transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of pre-contractual measures taken in response to the data subject's request;
(c) the transfer is necessary for the conclusion or performance of a contract concluded or to be concluded between the controller and a third party in the interest of the data subject;
(d) the transfer is necessary or legally required on important public interest grounds, or for the establishment, exercise or defense of legal claims;
(e) the transfer is necessary in order to protect the legitimate interests of the data subject; and
(f) the transfer is made from a register which, according to acts or regulations, is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate a legitimate interest, to the extent that the conditions laid down in law for consultation are fulfilled in the case at hand.
(5) Without prejudice to the provisions of the previous paragraph, the Commissioner may authorize a transfer or a set of transfers of personal information to a recipient country outside Tanzania or any other country which does not in its laws ensure an adequate level of protection, if the controller satisfies the Commissioner that it shall ensure adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of the data subjects concerned, and regarding the exercise of the data subject's rights such safeguards can be appropriated through adequate legal and security measures and contractual clauses in particular.
Recourse to the Judicial Authority
(1) Any person aggrieved by the decision of the Commissioner under this Act, shall be entitled to appeal to the Commission's appeal committee.
(2) Subject to the exhaustion of the appeal offered through the Commission under this Act, any person who is dissatisfied by the decision thereof shall be entitled to pursue appeals with judicial authorities.
SCHEDULE I
RIGHTS OF DATA SUBJECTS
Right of access to personal data
1 (1) Subject to the following provisions of this section and to other provisions of this act, an individual is entitled-
(a) to be informed by any data controller whether personal data of which that individual is the data subject are being processed by or on behalf of that data controller,
(b) if that is the case, to be given by the data controller a description of-
(i) the personal data of which that individual is the data subject,
(ii) the purposes for which they are being or are to be processed, and
(iii) the recipients or classes of recipients to whom they are or may be disclosed,
(c) to have communicated to him in an intelligible form-
(i) the information constituting any personal data of which that individual is the data subject, and
(ii) any information available to the data controller as to the source of those data, and
(d) where the processing by automatic means of personal data of which that individual is the data subject for the purpose of evaluating matters relating to him such as, for example, his performance at work, his creditworthiness, his reliability or his conduct, has constituted or is likely to constitute the sole basis for any decision significantly affecting him, to be informed by the data controller of the logic involved in that decision-taking.
(2) A data controller is not obliged to supply any information under subsection (1) unless he has received-
(2) If the court is satisfied, on the application of any person who has given a notice under subsection (1), that the data controller has failed to comply with the notice, the court may order him to take such steps for complying with the notice as the court thinks fit.
(3) In this section
Right to Compensation for failure to comply with certain requirements
5 (1) An individual who suffers damage by reason of any contravention by a data controller of any of the requirements of this Act is entitled to compensation from the data controller for that damage.
(2) An individual who suffers distress by reason of any contravention by a data controller of any of the requirements of this Act is entitled to compensation from the data controller for that distress if-
(a) the individual also suffers damage by reason of the contravention, or
(b) the contravention relates to the processing of personal data for the special purposes.
(3) In proceedings brought against a person by virtue of this section it is a defence to prove that he had taken such care as in all the circumstances was reasonably required to comply with the requirement concerned.
Rectification, blocking, erasure and destruction
6 (1) If a court is satisfied on the application of a data subject that personal data of which the applicant is the subject are inaccurate, the court may order the data controller to rectify, block, erase or destroy those data and any other personal data in respect of which he is the data controller and which contain an expression of opinion which appears to the court to be based on the inaccurate data.
(2) Subsection (1) applies whether or not the data accurately record information received or obtained by the data controller from the data subject or a third party.
(3) Where the court-
(a) makes an order under subsection (1), or
(b) is satisfied on the application of a data subject that personal data of which he was the data subject and which have been rectified, blocked, erased or destroyed were inaccurate,
it may, where it considers it reasonably practicable, order the data controller to notify third parties to whom the data have been disclosed of the rectification, blocking, erasure or destruction.
(4) If a court is satisfied on the application of a data subject-
(a) that he has suffered damage by reason of any contravention by a data controller of any of the requirements of this Act in respect of any personal data, in circumstances entitling him to compensation under this Act, and
(b) that there is a substantial risk of further contravention in respect of those data in such circumstances,
the court may order the rectification, blocking, erasure or destruction of any of those data.
(5) Where the court makes an order under subsection (4) it may, where it considers it reasonably practicable, order the data controller to notify third parties to whom the data have been disclosed of the rectification, blocking, erasure or destruction.
(6) In determining whether it is reasonably practicable to require such notification as is mentioned in subsection (3) or (5) the court shall have regard, in particular, to the number of persons who would have to be notified.
SCHEDULE II
EXCEPTIONS TO DATA PROCESSING PRINCIPLES
National security
1 (1) The processing of personal information is exempt from the provisions of this Act where the processing is required for the purpose of safeguarding national security.
(2) Any question whether the exemption mentioned in subsection (1) is or at any time was required for the purpose there mentioned in respect of any personal information shall be determined by the Minister and a certificate signed by the Minister certifying that the exemption is or at any time was so required shall be conclusive evidence of that fact.
(3) The processing of personal information which is not exempt under subsection (1) is exempt from the non-disclosure provisions in any case in which the disclosure of the data is for the purpose of safeguarding national security.
(4) For the purposes of subsection (3) a certificate signed by the Minister certifying that personal information is or has been disclosed for the purpose mentioned in that subsection shall be conclusive evidence of that fact.
Crimes and taxation
2 (1) The processing of personal information held for the purpose of
(a) the prevention or detection of crime;
(b) the apprehension or prosecution of offenders; or
(c) the assessment or collection of any tax or duty,
are exempt from the subject access provisions of this law in circumstances where the application of those provisions to the data would be likely to prejudice any of the matters mentioned in this subsection.
(2) The processing of personal information which
(a) are held for the purpose of discharging statutory functions; and
(b) consist of information obtained for such a purpose from a person who had it in his possession for any of the purposes mentioned in subsection (1),
are exempt from the subject access provisions to the same extent as personal information held for any of the purposes mentioned in that subsection.
3 Personal information are exempt from the non-disclosure provisions in any case
in which
(a) the disclosure is for any of the purposes mentioned in subsection (1); and
(b) the application of those provisions in relation to the disclosure would be likely to prejudice any of the matters mentioned in that subsection; and in proceedings against any person for contravening sections, it shall be a defence to prove that he had reasonable grounds for believing that failure to make the disclosure in question would have been likely to prejudice any of those matters.
Health and social work
3 (1) The Minister may by order exempt from the subject access provisions, or modify those provisions in relation to personal information consisting of information as to the physical or mental health of the data subject.
(2) The Minister may by order exempt from the subject access provisions, or modify those provisions in relation to personal information of such other descriptions as may be specified in the order, being information
(a) held by government departments or volunteer organizations or other bodies designated by the order; and
(b) appearing to him to be held for or acquired in the course of carrying out social work in relation to the data subject or other individuals
but the Minister shall not under this subsection confer any exemption or make any modification except so far as he considers that the application to the data of those provisions (or of those provisions without modification) would be likely to prejudice the carrying out of social work.
(3) An order under this section may make different provision in relation to data consisting of information of different descriptions.
Regulation of financial services etc
4 (1) Personal information held for the purpose of discharging statutory functions to which this section applies are exempt from the subject access provisions in any case in which the application of those provisions to the data would be likely to prejudice the proper discharge of those functions.
(2) This section applies to any functions designated for the purpose of this section by an order made by the Minister, being functions conferred by or under any enactment appearing to him to be designed for protecting members of the public against financial loss due to dishonesty, incompetence or malpractice by persons concerned in the provision of banking, insurance, investment or other financial services or in the management of companies or to the conduct of insolvents.
Appointment and professional privilege
5 (1) Personal information held by a government department are exempt from the subject access provisions if the data consist of information which has been received from a third party and is held as information relevant to the making of appointments.
(2) Personal information is exempt from the subject access provisions if the data
consist of information in respect of which a claim to legal professional privilege could be maintained in legal proceedings.
Part if subsection (4) were included among the non-disclosure provisions.
(6) Personal information held only for
(a) preparing statistics; or
(b) carrying out research,
are exempt from the subject access provisions; but it shall be a condition of the exemption that the data are not used for any other purpose or disclosed for any other purpose, and the resulting statistics or the results of the research are not made available in a form which identifies the data subjects or any of them.
Other exemptions
(1) Personal information held by any person are exempt from the provisions of this Act if the data consist of information which that person is required by or under any enactment to make available to the public, whether by publishing it, making it available for inspection or otherwise and whether gratuitously or on payment of fee.
(2) The Minister may by order exempt from the subject access provisions data consisting of information the disclosure of which is prohibited or restricted by or under any enactment if he considers that the prohibition or restriction ought to prevail over those provisions in the interests of the data subject or of any other individual.
(3) Personal information are exempt from the subject access provisions if the data are kept only for the purpose of replacing other data in the event of the latter being lost, destroyed or impaired.
(4) Personal information are exempt from the non-disclosure provisions in any case in which the disclosure is
(a) required by or under any enactment, by any rule of law or by the order of court or
(b) made for the purpose of obtaining legal advice or for the purposes of, or in the course of legal proceedings in which the person making the disclosure is a party or a witness.
(5) Personal information are exempt from the non-disclosure provisions in any case in which
(a) the disclosure is to the data subject or a person acting on his behalf; or
(b) the data subject or any such person has requested or consented to the particular disclosure in question; or
(c) the disclosure is by a data controller or a person carrying on an information bureau to his servant or agent for the purpose of enabling the servant or agent to perform his functions as such.
(6) Personal information are exempt from the non-disclosure provisions in any case
in which the disclosure is urgently required for preventing injury or other damage to the health of any person or persons; and in proceedings against any person for contravening sections of this Act it shall be a defense to prove that he had reasonable grounds for believing that the disclosure in question was urgently required for that purpose.
(7) A person need not comply with a notice, request or order under the subject access provisions if compliance would expose him to proceedings for any offence other than an offence under this Act; and information disclosed by any person in compliance with such notice, request or order shall not be admissible against him in proceedings for an offence under this Act.
SCHEDULE III
SANCTIONS
Sanctions
(1) Any member, personnel, consultant, contractor or other member of staff of the Commission who violates the obligation of secrecy referred to this Act shall be liable for the payment of a fine not exceeding five million Shillings.
(2) Any person found to be guilty of an offence under this law shall be liable for imprisonment for twelve months or the payment of a fine not exceeding five million Shillings, or both.
(3) Upon conviction for any of the offences under this Act, the Court shall order the entire or partial publication of the judgment in one or more newspapers in the manner it shall determine, and at the expense of the convicted person.
(4) Upon conviction for any of the offences described in this section, the court may order the seizure of the media containing the personal information to which the offence relates, such as manual filing systems, magnetic discs or magnetic tapes, and any other related equipment or any other equipment, or order the deletion of
the data