Botswana

Criteria | Provisions
Key Law | Data Protection Act 32 of 2018
Link | https://www.bocra.org.bw/sites/default/files/documents/DataProtectionAct.pdf
Biometric data | “biometric data” means any information stemming from the statistical analysis of biological data
Consent | “consent” means any freely given, specific and informed expression of the wishes of the data subject, by which the data subject agrees to the processing of personal data relating to him or her
Data controller | “data controller” means a person who alone or jointly with others, determines the purposes and means of which personal data is to be processed, regardless of whether or not such data is processed by such person or agent on that person’s behalf
Data processor | “data processor” means a person who processes data on behalf of the data controller
Data protection supervisor / officer / representative | “data protection representative” means a person who is appointed by the data controller, which person shall independently ensure that personal data is processed in a correct and lawful manner
Data subject | “data subject” means an individual who is the subject of personal data; “direct marketing” means directly reaching a market, customers or potential customers on a personal basis or mass media basis, and it includes attempting to locate, contact, offer and make incentives to consumers, through communication medium such as phone calls, private meetings infomercials, magazines or advertisements
Genetic data | “genetic data” personal data relating to the inherited or acquired characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question
Personal data | “personal data” means information relating to an identified or identifiable individual, which individual can be identified directly or indirectly, in particular by reference to an identification number, or to one or more factors specific to the individual’s physical, physiological, mental, economic, cultural or social identity; and “data” shall be construed accordingly
Processing | “processing of personal data” means any operation or a set of operations which is taken in regard to personal data, whether or not it occurs by automatic means, and includes the collection, recording, organisation, storage, adaptation, alteration, retrieval, gathering, use, disclosure by transmission, dissemination or otherwise making information available, alignment or combination, blocking, erasure or destruction of such data; and “processing” shall be construed accordingly
Research purposes | Not defined.
Special / sensitive personal data | “sensitive personal data” means personal data relating to a data subject which reveals his or her — (a) racial or ethnic origin; (b) political opinions; (c) religious beliefs or philosophical beliefs; (d) membership of a trade union; (e) physical or mental health or condition; (f) sexual life; (g) filiation; or (h) personal financial information, and includes — (a) any commission or alleged commission by him or her of any offence; (b) any proceedings for any offence committed or alleged to have been committed by him or her, the disposal of such proceedings, or the sentence of any court in such proceedings; and (c) genetic data, biometric data and the personal data of minors
Anonymisation | Not defined.
De-identification | Not defined.
Tokenisation | Not defined.
Pseudonymisation | Not defined.
Purpose of the Act | An Act to regulate the protection of personal data and to ensure that the privacy of individuals in relation to their personal data is maintained; to establish the Information and Data Protection Commission; and to provide for all matters incidental thereto.
Application of the Act | 3. (1) This Act shall apply to the processing of personal data entered in a file by or for a data controller — (a) in Botswana; or (b) where the data controller is not in Botswana, by using automated or non-automated means situated in Botswana, unless those means are used only to transmit personal data: Provided that when the recorded personal data is processed by non-automated means, it forms part of a filing system or is intended to form part of a filing system.
Exemptions / exceptions | 3. (2) This Act shall not apply to the processing of personal data — (a) in the course of a purely personal or household activity; and (b) by or on behalf of the State where the processing — (i) involves national security, defence or public safety, (ii) is for the prevention, investigation or proof of offences, the prosecution of offenders or the execution of sentences or security measures, (iii) is for economic or financial interest, including monetary, budgetary and taxation matters, and (iv) is for a monitoring, inspection or regulatory function connected with the exercise of functions under subparagraphs (i), (ii) and (iii). (3) This Act is exempt from application to the processing of personal data specified under subsection (2) (b), to the extent that adequate security safeguards have been established in specific legislation for the protection of such personal data.
Processing of personal information | 14. A data controller shall ensure that — (a) personal data is processed fairly and lawfully, and where appropriate, the data is obtained with the knowledge or consent of the data subject; (b) personal data that is collected is adequate and relevant in relation to the purposes of its processing; (c) to the extent necessary for processing, personal data is accurate, complete and kept up-to-date; (d) personal data is collected for specific, explicitly stated and legitimate purposes; (e) personal data is not processed for any purpose that is incompatible with the specified, explicitly stated and legitimate purposes; (f) personal data is protected by reasonable security safeguards against risks such as loss, unauthorised access, destruction, use, modification or disclosure; (g) where data is incomplete or incorrect, all reasonable measures are taken to complete, correct, block or delete the personal data, having regard to the purposes for which it is processed; (h) personal data is not kept for a period longer than is necessary, having regard to the purposes for which it is processed; and (i) personal data is processed in accordance with good practice. 15. Personal data shall not be disclosed, made available or otherwise used for purposes other than those specified, except — (a) with the consent of the data subject; or (b) as may be authorised by any written law.
Obligations imposed on data controllers / processors | 14. A data controller shall ensure that — (a) personal data is processed fairly and lawfully, and where appropriate, the data is obtained with the knowledge or consent of the data subject; (b) personal data that is collected is adequate and relevant in relation to the purposes of its processing; (c) to the extent necessary for processing, personal data is accurate, complete and kept up-to-date; (d) personal data is collected for specific, explicitly stated and legitimate purposes; (e) personal data is not processed for any purpose that is incompatible with the specified, explicitly stated and legitimate purposes; (f) personal data is protected by reasonable security safeguards against risks such as loss, unauthorised access, destruction, use, modification or disclosure; (g) where data is incomplete or incorrect, all reasonable measures are taken to complete, correct, block or delete the personal data, having regard to the purposes for which it is processed; (h) personal data is not kept for a period longer than is necessary, having regard to the purposes for which it is processed; and (i) personal data is processed in accordance with good practice.
Rights of the data subject | 30. (1) A data subject shall have the right to — (a) obtain from a data controller or data processor, confirmation of whether or not the data controller or data processor has personal data relating to him or her; (b) receive communication of personal data relating to him or her within a reasonable time, from the time of request, and at a reasonable charge, if any; (c) be given a reason for refusal of a request made under paragraph (a) or (b); (d) challenge the refusal for requests made under paragraphs (a) and (b) and submit a complaint in accordance with section 42 (1); and (e) challenge personal data relating to him or her by submitting a complaint in accordance with section 42 (1), and if the challenge is successful, have the personal data deleted, rectified, completed or amended, whichever is required: Provided that where the data subject is for any reason unable to challenge personal data relating to him or her then his or her next of kin may submit a complaint on his or her behalf. (2) Subsection (1) (a) and (b) shall not apply when the personal data is processed solely for the purpose of scientific research or is kept in a personal form for a period which does not exceed the period necessary for the sole purpose of compiling statistics: Provided that this subsection shall not apply where the personal data is used for taking a measure or decision regarding any particular individual or where there is a risk of breaching the privacy of the data subject.
Safeguards for the processing of personal data | 32. (1) A data controller, a data processor or a person acting under authorisation of the data controller or the data processor, shall, in order to safeguard the security of personal data, take appropriate technical and organisational security measures necessary to protect personal data from — (a) negligent or unauthorised destruction; (b) negligent loss; or (c) alteration, unauthorised access and any other unauthorised processing of personal data. (2) A data controller, a data processor or a person acting under authorisation of the data controller or the data processor, shall when undertaking the measures under subsection (1), ensure an appropriate level of security by taking into account — (a) technological development of processing personal data, and the costs for implementing the security measures; and (b) the nature of the personal data to be protected and the potential risks involved. (3) Where the data controller or data processor outsources the processing of personal data, the data controller or data processor shall choose a data processor who gives sufficient guarantees regarding the technical and organisational security measures in place for the processing to be done, and shall ensure that the measures are complied with. (4) The Commissioner may issue appropriate standards relating to information for security safeguards for all categories of processing personal data. 33. (1) The data controller shall, without delay, notify the Commissioner of any breach to the security safeguards of personal data. (2) The data processor shall, without delay, notify the data controller of any breach to the security safeguards of personal data, which the data processor holds on behalf of the data controller. (3) A person who contravenes this section commits an offence and is liable to a fine not exceeding P100 000 or to imprisonment for a term not exceeding three years, or to both. 36. (1) A data controller may appoint a data protection representative, and shall thereupon notify the Commissioner of such appointment. (2) A data protection representative appointed under subsection (1) shall — (a) be a person who holds the requisite qualifications; and (b) keep a list of the processing carried out, which list shall be immediately accessible to any person applying for access. (2) The data protection representative shall, at the instruction of the data controller, provide the information referred to under section 34 (3) (a) to (e) to any person who requests for it, if that information has not been notified to the Commissioner in terms of section 34. (3) Where a data protection representative has been appointed, the notification required under section 34 (1) shall not be required. (4) A data protection representative shall — (a) ensure that the data controller processes personal data in a lawful and correct manner and in accordance with good practice, and where the data protection representative identifies any inadequacies, he or she shall bring these to the attention of the data controller; and (b) assist the data subject to ensure that his or her rights under the Act are protected. (5) Where the data protection representative has reason to suspect that the data controller is contravening the rules applicable for processing personal data, and if rectification is not implemented as soon as practicable after such contravention is pointed out, the data protection representative shall notify the Commissioner. (6) The data protection representative may consult with the Commissioner where there is doubt as to how the rules applicable to processing of personal data are to be applied.
Consent of the data subject | 2. [...] “consent” means any freely given, specific and informed expression of the wishes of the data subject, by which the data subject agrees to the processing of personal data relating to him or her 19. (1) Where the processing of personal data takes place with the consent of the data subject, the data subject may at any time, in writing, revoke his or her consent for legitimate grounds compelling him or her at that particular time. (2) The grounds referred to under subsection (1) shall be legitimate, reasonable and compelling.
Collection of data | 28. The data controller or data processor shall, where personal data is obtained directly from the data subject, provide the following information to the data subject, except where the data subject already has the information — (a) the identity and habitual residence or principal place of business of the data controller or data processor; (b) the purpose of the processing for which the personal data is intended; (c) the existence of the right to object to the intended processing, if the processing of the personal data is obtained for the purposes of direct marketing; (d) taking into account the specific circumstances the data is processed, any other additional information, if the information is necessary to ensure fair processing for the data subject, which information may include — (i) the recipient or category of recipients of the data, (ii) whether the reply to any question made to the data subject is obligatory or voluntary, as well as the possible consequence of failure to reply, and (iii) the existence of the right to access, rectify, and where applicable, the right to delete the data concerning him or her; or (e) any other information necessary for the specific nature of the processing, to guarantee fair processing in respect of the data subject. 29. (1) Where personal data is not obtained directly from the data subject, the data controller or data processor shall, except where the data subject already has the information, at least provide the information listed in section 28. (2) The information referred to under subsection (1) shall be provided — (a) at the time of undertaking the recording of personal data; or (b) if a disclosure to a third party is foreseen, not later than the time when the personal data is first disclosed. (3) The data controller or data processor may not provide the information required under subsection (1) — (a) if any other law provides for the registration or disclosure of any such personal data, and appropriate security safeguards are adopted; (b) if the personal data is required for — (i) processing for statistical purposes, (ii) purposes of historical or scientific research, or (iii) purposes of medical examination of the population, with a view to protect and promote public health; or (c) if the provision of such information will be impossible or would involve a disproportionate effort.
Processing of data | 14. A data controller shall ensure that — (a) personal data is processed fairly and lawfully, and where appropriate, the data is obtained with the knowledge or consent of the data subject; (b) personal data that is collected is adequate and relevant in relation to the purposes of its processing; (c) to the extent necessary for processing, personal data is accurate, complete and kept up-to-date; (d) personal data is collected for specific, explicitly stated and legitimate purposes; (e) personal data is not processed for any purpose that is incompatible with the specified, explicitly stated and legitimate purposes; (f) personal data is protected by reasonable security safeguards against risks such as loss, unauthorised access, destruction, use, modification or disclosure; (g) where data is incomplete or incorrect, all reasonable measures are taken to complete, correct, block or delete the personal data, having regard to the purposes for which it is processed; (h) personal data is not kept for a period longer than is necessary, having regard to the purposes for which it is processed; and (i) personal data is processed in accordance with good practice. 16. Personal data may be processed where — (a) the data subject has given his or her consent in writing; (b) processing is necessary for the performance of a contract to which the data subject is party, or in order to take steps at the request of the data subject prior to entering into a contract; (c) processing is necessary for compliance with a legal obligation to which the data controller is subject; (d) processing is necessary in order to protect the vital interests of the data subject; (e) processing is necessary for the performance of an activity that is carried out in the public interest or in the exercise of an official authorisation vested in the data controller or in a third party to whom the data is disclosed; or (f) processing is necessary for a purpose that concerns a legitimate interest of the data controller, or of a third party to whom personal data is provided, except where such interest is overridden by the interest to protect the fundamental rights and freedoms of the data subject and in particular the right to privacy. 17. (1) Notwithstanding section 14, personal data may be processed for historical, statistical or scientific purposes. (2) The data controller shall, when processing data in accordance with subsection (1), ensure that — (a) there are appropriate security safeguards in place where personal data processed for historical, statistical or scientific purposes may be kept for a period longer than is necessary, having regard to the purposes for which it is processed; or (b) personal data kept for historical, statistical or scientific purposes is not used for any decision concerning the data subject.
Retention of data | 14. A data controller shall ensure that — (a) personal data is processed fairly and lawfully, and where appropriate, the data is obtained with the knowledge or consent of the data subject; (b) personal data that is collected is adequate and relevant in relation to the purposes of its processing; (c) to the extent necessary for processing, personal data is accurate, complete and kept up-to-date; (d) personal data is collected for specific, explicitly stated and legitimate purposes; (e) personal data is not processed for any purpose that is incompatible with the specified, explicitly stated and legitimate purposes; (f) personal data is protected by reasonable security safeguards against risks such as loss, unauthorised access, destruction, use, modification or disclosure; (g) where data is incomplete or incorrect, all reasonable measures are taken to complete, correct, block or delete the personal data, having regard to the purposes for which it is processed; (h) personal data is not kept for a period longer than is necessary, having regard to the purposes for which it is processed; and (i) personal data is processed in accordance with good practice. 17. (1) Notwithstanding section 14, personal data may be processed for historical, statistical or scientific purposes. (2) The data controller shall, when processing data in accordance with subsection (1), ensure that — (a) there are appropriate security safeguards in place where personal data processed for historical, statistical or scientific purposes may be kept for a period longer than is necessary, having regard to the purposes for which it is processed; or (b) personal data kept for historical, statistical or scientific purposes is not used for any decision concerning the data subject.
Health data | 23. (1) A health professional or other person who is subject to the obligation of professional secrecy, may process sensitive personal data for health or medical purposes, where the processing is necessary for — (a) preventive medicine and the protection of public health; (b) medical diagnosis; (c) health care; or (d) the management of health and hospital care services. (2) For the purposes of this section, a “health professional” means a person registered under the Botswana Health Professions Act, the Nurses and Midwives Act, or any other person under the personal direction or supervision of the health professional and person who is directly authorised to perform such functions. 25. (1) The processing of genetic data and biometric data, if it is processed for what it reveals or contains, is prohibited, except where the processing is in accordance with section 20. (2) Where genetic data and biometric data is processed for medicinal purposes and the consent of the data subject has been granted, such data shall be processed, only if, a unique patient identification number is given to the data subject, which patient identification number is different from any other identification number possessed by the data subject.
Special provisions for sensitive personal data | 20. Subject to the provisions of this Part, a person shall not process sensitive personal data, except where — (a) the processing is specifically provided for under this data Act; (b) the data subject has given his or her consent in writing; (c) the data subject has made the data public; (d) the processing is — (i) necessary for national security, (ii) necessary for the purposes of exercising or performing any right or obligation which is conferred or imposed by law on the data controller in connection with the employment, or (iii) authorised by any other written law, for any reason of substantial interest to the public; or (e) the processing is necessary to protect the vital interest of a data subject or another person in a case where — (i) consent cannot be given by or on behalf of the data subject; (ii) the data controller cannot be reasonably expected to obtain the consent of the data subject; (iii) consent by or on behalf of the data subject has been unreasonably withheld. 21. A data controller, shall where sensitive personal data is processed, ensure that appropriate security safeguards are adopted. 24. (1) Sensitive personal data may be processed for research, scientific and statistics purposes: Provided that the processing is compatible with specified, explicitly stated and legitimate purposes. (2) To determine whether the processing of sensitive personal data is necessary under subsection (1), the following shall be satisfied — (a) in the case of research and scientific purposes, that the Commissioner has approved the processing on the advice of a committee responsible for research and scientific ethics in an institution recognised by the Commissioner; and (b) in the case of statistics, the processing is necessary for the purposes provided under the Statistics Act. 25. (1) The processing of genetic data and biometric data, if it is processed for what it reveals or contains, is prohibited, except where the processing is in accordance with section 20. (2) Where genetic data and biometric data is processed for medicinal purposes and the consent of the data subject has been granted, such data shall be processed, only if, a unique patient identification number is given to the data subject, which patient identification number is different from any other identification number possessed by the data subject.
Secondary data analysis for research | 14. A data controller shall ensure that — (a) personal data is processed fairly and lawfully, and where appropriate, the data is obtained with the knowledge or consent of the data subject; (b) personal data that is collected is adequate and relevant in relation to the purposes of its processing; (c) to the extent necessary for processing, personal data is accurate, complete and kept up-to-date; (d) personal data is collected for specific, explicitly stated and legitimate purposes; (e) personal data is not processed for any purpose that is incompatible with the specified, explicitly stated and legitimate purposes; (f) personal data is protected by reasonable security safeguards against risks such as loss, unauthorised access, destruction, use, modification or disclosure; (g) where data is incomplete or incorrect, all reasonable measures are taken to complete, correct, block or delete the personal data, having regard to the purposes for which it is processed; (h) personal data is not kept for a period longer than is necessary, having regard to the purposes for which it is processed; and (i) personal data is processed in accordance with good practice. 15. Personal data shall not be disclosed, made available or otherwise used for purposes other than those specified, except — (a) with the consent of the data subject; or (b) as may be authorised by any written law. 17. (1) Notwithstanding section 14, personal data may be processed for historical, statistical or scientific purposes. (2) The data controller shall, when processing data in accordance with subsection (1), ensure that — (a) there are appropriate security safeguards in place where personal data processed for historical, statistical or scientific purposes may be kept for a period longer than is necessary, having regard to the purposes for which it is processed; or (b) personal data kept for historical, statistical or scientific purposes is not used for any decision concerning the data subject.
Cross-border data transfer | 2. [...] "transborder flow" means the international flow of personal data which can either be transmitted by electronic or other forms of transmission, including satellite [...] "third country" means a State that is not included in the Order made under section 48 48. (1) The transfer of personal data from Botswana to another country is prohibited. (2) Notwithstanding the generality under subsection (1), the Minister may, by Order published in the Gazette, designate the transfer of personal data to any country listed in such Order. 49. (1) Without prejudice to section 48, and subject to the provisions of this Act, the transfer of personal data that is undergoing processing or intended processing, to a third country may only take place if the third country to which the data is transferred ensures an adequate level of protection. (2) The adequacy of the level of protection of data by a third country referred to under subsection (1) shall be assessed by the Commissioner in the light of all the circumstances surrounding a data transfer operation or a set of data transfer operations, and particular consideration shall be given to — (a) the nature of the data; (b) the purpose and duration of the proposed processing operation; (c) the country of origin and country of final destination; (d) the rule of law, both general and sectoral, in force in the third country in question; and (e) the professional rules and security safeguards which are complied with in that country. (3) The Commissioner shall decide whether a third country ensures adequate security safeguards. (4) The transfer of personal data to a third country that does not ensure adequate security safeguards is prohibited. (5) Notwithstanding subsection (4), a transfer of personal data to a third country that does not ensure adequate security safeguards may be effected by the data controller if the data subject has given his or her consent to the proposed transfer or if the transfer — (a) is necessary for the performance of a contract between the data subject and the data controller or the implementation of pre-contractual measures taken in response to the data subject’s request; (b) is necessary for the performance or conclusion of a contract concluded or to be concluded in the interests of the data subject between the data controller and a third party; (c) is necessary or legally required for the public interest, or for the establishment, exercise or defence of a legal claim; (d) is necessary in order to protect the vital interests of the data subject; or (e) is made from a register that according to any law, is intended to provide information to the public and which is open for public inspection. (6) Notwithstanding subsection (1), the Commissioner may authorise a transfer or a set of transfers of personal data to a third country that does not ensure an adequate level of security safeguards within the meaning of subsection (2): Provided that the data controller provides adequate safeguards, which may result by means of appropriate contractual provisions, with respect to the protection of the privacy and fundamental rights and freedoms of individuals and with respect to their exercise.