Ensuring Data Protection and Privacy in Botswana
Botswana’s Data Protection Act 2018, or the Data Protection Act for short, is a data privacy law that was passed in Botswana in 2018. Prior to the passing of the Data Protection Act, Botswana had yet to pass any legislation strictly pertaining to data rights or personal privacy. As such, the Data Protection Act established the regulations and requirements for data processing within the country. The Data Protection Act also established the Data Protection Commission, or the Commission for short, to enforce the law by imposing a variety of punishments on individuals and organizations who fail to maintain compliance with the law.
How is personal data defined under the Data Protection Act?
Under Botswana’s Data Protection Act 2018, personal data is defined broadly to include “information relating to an identified or identifiable individual, which individual can be identified directly or indirectly, in particular by reference to an identification number, or to one or more factors specific to the individual’s physical, physiological, mental, economic, cultural, or social identity”. The law also defines a data controller to mean “A person who alone or jointly with others determines the purposes and means by which personal data is to be processed, regardless of whether or not such data is processed by such person or agent on that person’s behalf”, while a data processor is defined as “A person who processes data on behalf of the data controller”.
The personal scope of the Data Protection Act applies to all individuals who collect or process personal data within the country of Botswana, as the law makes no specific distinction between organizations and individuals. Additionally, the territorial scope of the law applies both to personal data that is collected and processed within Botswana and to personal data that is processed outside of the country, provided that the processing utilizes automated or non-automated means that are situated within the country. Furthermore, the material scope of the law applies to the processing of personal data, but makes certain exceptions, such as instances in which data processing involves a matter of public safety or national security.
What are the obligations of data controllers and processors under the law?
Botswana’s Data Protection Act 2018 mandates that data controllers and processors within the country observe the following principles when collecting and processing personal data:
- Personal data must be processed in a manner that is lawful, transparent, and fair.
- Personal data may only be collected for specific and legitimate purposes, and must also be limited to what is accurate, relevant, and necessary with regard to the purposes for which it is to be processed.
- Personal data must be kept up to date, and stored with an appropriate level of security for no longer than is necessary to fulfill the purposes for which it was collected.
- Personal data must be protected at all times against risks such as unauthorized use or access, loss, destruction, or disclosure through the means of reasonable safeguards.
In addition to these four data protection principles, data controllers and processors within Botswana are also responsible for ensuring that personal data is not retained for any period longer than is necessary for the completion of the function for which it was collected, and for providing a further level of security and confidentiality when collecting the sensitive personal data of data subjects. Under the law, sensitive personal data can include any of the following:
- Data related to race or ethnic origin.
- Data related to political opinions.
- Genetic and biometric data.
- Data related to religious or philosophical beliefs.
- Data related to trade union membership.
- Data related to physical or mental health.
- Data related to an individual’s sexual life.
- Personal financial data.
What are the rights of data subjects under Botswana’s Data Protection Act 2018?
Under the Data Protection Act, data subjects are given the right to be informed of data processing involving their personal data, the right to access personal data in the possession of a data controller or processor, and the right to object to or opt out of consent. Moreover, the law also provides data subjects with the right to rectification, the right to erasure, and the right not to be subject to data processing decisions made solely on the basis of automated processing. The law does not provide data subjects with the right to data portability. In terms of penalties for non-compliance under the law, the Commission has the authority to impose a variety of monetary fines and criminal punishments.
These penalties include a monetary fine of up to BWP 300,000 ($31,279) for any “person who processes personal data in contravention of the Act”, while data controllers who fail to comply with the law are also subject to a monetary penalty of up to BWP 500,000 ($43,909), as well as a prison term of up to nine years. In addition, data controllers who fail to inform data subjects of their rights under the Data Protection Act 2018 prior to collecting or processing their personal data are subject to a monetary fine of up to BWP 1 million ($87,823), as well as a term of imprisonment of up to twelve years.
Through the passing of the Data Protection Act 2018, data subjects residing within Botswana were guaranteed personal data protection through legislation for the first time in the history of their country. To this end, Botswana joins the multitude of countries around the world that have passed comprehensive privacy laws in a similar manner to the EU’s GDPR Law and the California Privacy Rights Act or CCPA. As such, the Data Protection Act 2018 sets forth severe penalties and punishments for individuals and organizations who fail to comply with the law, ensuring that data subjects’ rights are protected and upheld at all times.