Data Protection Bill, 2015
OBJECTIVE OF THE BILL
The Bill seeks to make provision for the regulation of the processing of information relating to individuals
NUMBER OF CLAUSES/PARTS
The Bill has 11 Clauses including citation and explanatory memorandum
The Bill applies to:
In the application of the Bill, the data obtained:
IMPLICATIONS OF THE BILL
When this Bill is passed,
GENERAL PROVISIONS OF THE BILL
1. Right of Access to Personal Data: -
Clause 2 provides that an individual is entitled, where such individual is a data subject:
2. Obligation of a Data Controller: -
A data controller is not obligated to provide information on a data subject unless he has received a request in writing and in prescribed cases, such fee (not exceeding the prescribed maximum) as he may require.
Furthermore, a data controller is not obliged to comply with a request to supply information on a data subject, unless he is provided with information as he may reasonably require in order to satisfy himself as to the identity of the person making the request and to locate the information being sought.
A data controller is not obliged to comply with the request of disclosing information relating to an individual where the disclosure will involve information relating to another individual unless –
3. Compliance without Consent: -
Where a data controller complies with a request to release information without the consent of the other individual concerned, regard shall be had to –
An individual making a request in such case may specify that his request is limited to personal data of any prescribed description. A data controller shall comply with a request in this regard and in the event before the end of the prescribed period beginning with the relevant day.
4. Application to a Court due to Failure to Comply: -
Any person who has made a request may apply to a court to compel the data controller to comply. Where the court is satisfied on the application of any person who has made a request that the data controller failed to comply with the request in contravention of the provisions of this Bill (when it becomes law), the court may order him to comply
5. Right to Prevent Processing Likely to Cause Damage: -
According to Clause 3, an individual is entitled by notice in writing to the data controller to require the data controller to cease, or not to begin processing, for a specific reason or in a certain manner, any personal data in respect of which he is the data subject on the grounds that –
The data controller shall within 21 days of receiving the writing notice (“the data subject notice”) provide to the data subject in writing a notice:
The failure of the data subject to exercise this right does not affect any other right conferred on him under this Bill (when it becomes law).
6. Right to Prevent Processing for Purposes of Direct Marketing: -
A data subject is entitled at any time by notice in writing to a data controller to require the data controller at the end of such period as is reasonable in the circumstance to cease, or not to begin, processing for the purposes of direct marketing his personal data (Clause 4). The term “direct marketing” means the communication of any advertising or marketing material, which is directed to particular individuals.
7. Rights in relation to Automated Decision-Making: -
A data subject is entitled at any time, by notice in writing to any data controller, to require the data controller to ensure that no decision taken by or on behalf of the data controller, which significantly affects that individual is based solely on the processing by automatic means of his personal data (Clause 5).
Where however, no notice was issued and a decision which significantly affects the data subject was taken based solely on such processing, the data controller must as soon as reasonably practicable notify the data subject that a decision was taken on that basis.
The data subject is entitled, within 21 days of receiving that notification from the data controller, by notice in writing to require the data controller to reconsider the decision or take a new decision otherwise than on that basis.
In response, the data controller must within 21 days of receiving a notice from the data subject, give the data subject a written notice specifying the steps that he intends to take to comply with the data subject notice.
If a court is satisfied on the application of a data subject that a person taking a decision in respect of him (“responsible person”) has failed to comply with the written notice, the court may order the responsible person to reconsider the decision or take a new decision, which is not based solely on such processing.
8. Compensation for Failure to Comply with Certain Requirements
Anyone who suffers damage or distress by reason of any contravention by a data controller of any requirements of this Bill (when it becomes law) is entitled to compensation from the data controller for that damage or distress (Clause 6). Provided that the individual suffered damage by reason of the contravention relating to the processing of personal data
As a defense, the responsible person can prove that he had taken such care as in all the circumstances was reasonably required to comply with the requirement concerned.
9. Rectification, Blocking, Erasure and Destruction: -
If a court is satisfied on the application of a data subject that personal data of which the applicant is the subject are inaccurate, the court may order the data controller to rectify, block, erase or destroy the data and any other personal data in respect of which he is the data controller, and which contains an expression of opinion which appears to the court to be based on the inaccurate data.
The court order shall apply whether or not the data accurately records information obtained by the data controller from the data subject or a third party.
10. Unlawful Access to Personal Data
A person must not knowingly or recklessly, without consent of the data controller -
This rule does not apply to a person who shows that the disclosure or procurement of the data was necessary for the purpose of preventing or detecting crime, and it was required or authorized by or under any enactment, by any rule of law or by the order of a court (Clause 8).
Another exception is that the person accessing or disclosing the data acted in reasonable belief that he would have had the consent of the data controller if the data controller had known of the disclosure or procurement of the data and circumstances of it, or that in the particular circumstances, accessing the data, procuring or disclosing it, was justified as being in the public interest.
11. Offences Under the Bill: -
Anyone who unlawfully obtains, discloses or procures personal data is guilty of an offence under this Bill (when it becomes law). Anyone who sells personal data is guilty of an offense if he has obtained the data unlawfully. A person who offers to sell personal data is guilty of an offence if he obtains or subsequently obtains it unlawfully.
12. Prohibition of Requirements for Production of Certain Records: -
According to Clause 9, a person must not, in connection with the recruitment of another person as an employee, the continued employment of another person or any contract for the provision of services to him by another person require that a 3rd party supply him with relevant record or provide a relevant record to him.
A person concerned with the provision of goods, facilities or services to the public or a section of the public must not as a condition of providing or offering to provide any goods, services or facilities to another person to supply/provide him with a relevant record.
However, the above rules do not apply to a person who shows that imposition of a requirement was needed or authorized by law or an order of the court; or that imposition of a requirement was justified as being in the interest of the public.
Anyone who contravenes Clause 9 of this Bill (when it becomes law) shall be guilty of an offence
CHALLENGES OF THE BILL
The Bill is filled with numbering errors –
The Bill seeks to provide personal data protection to regulate the processing of information relating to individuals. In seeking to protect personal data, the Bill seeks to guarantee the right of an individual (data subject) whose data resides in the custody of another person (data controller) to seek redress in a court of law. Though the Bill is silent on which court should be the court of first instance, it provides the nature conducts that constitute offences under Clause 8(3) – (5) and Clause 9(4).
This Bill has been passed by the House of Representatives and is currently at the Committee stage in the Senate. Passage of the Bill would provide more protection to personal data and confidential information.