The Data Protection Act 2013, Data Privacy in Lesotho

Lesotho’s Data Protection Act, 2013, also known as the DPA for short, is a data protection law that was passed in Lesotho in 2013. The DPA was passed to provide Lesotho citizens with the fundamental right to data protection and privacy, as this right is not explicitly given under The Constitution of the Kingdom of Lesotho. As such, legislation was needed to guarantee data subjects within Lesotho the right to data privacy. To this end, the DPA provides the principles for the regulation of the collection, processing, and disclosure of personal data in Lesotho, as well as the punishments that can be imposed as a result of failing to comply with the law.

What is the scope and jurisdiction of the DPA?

As it pertains to the personal scope of the law, the DPA applies to “a public or private body or any other person which or who, alone or together with others, determines the purpose of and means for processing personal information, regardless of whether or not such data is processed by the party or by a data processor on its behalf”. Moreover, the DPA defines data processing broadly to include the “collection, receipt, recording, organization, collation, storage, updating or modification, retrieval, alteration, consultation or use, dissemination by means of transmission, distribution or making available in any other form, merging, linking, as well as blocking, degradation, erasure, or destruction, of personal information”.

Conversely, the territorial scope of the DPA states that the law applies to any person who processes personal data, whether they are:

• An established or ordinary resident with Lesotho who processes data while in the country.
• A non-established or non-ordinary resident in Lesotho, who uses automated or non-automated means to process personal data Lesotho, or these means used to forward personal data to other individuals or parties.

What are the requirements of data controllers under the DPA?

Under the Data Protection Act, 2013, data controllers within Lesotho must adhere to the following data protection principles:

• Purpose specification and further processing limitation– The DPA mandates that the collection of personal data is limited to specific, explicit, and legitimate purposes, and forbids personal data to be further processed in a manner that is incompatible with these purposes.
• Minimality– The DPA mandates that the processing of personal data is relevant, adequate, and not excessive.
• Data retention– The DPA mandates that records detailing personal data that has been collected are kept for no longer than is necessary.
• Information security– The DPA mandates that controllers take measures to secure the integrity of all personal data collected against loss, damage, unlawful access, and unauthorized destruction.
• Quality of information– The DPA mandates that all personal data that is collected must be complete, not misleading, and kept up to date, whenever necessary.
• Automated processing control– The DPA prohibits the processing of personal data solely on the basis of automated processing, subject to certain exceptions.

What are the rights of data subjects under the DPA?

The Data Protection Act, 2013 provides data subjects within Lesotho with various rights as it relates to the collection, processing, and dissemination of their personal data. These rights include the right to rectification, with a charge to the data subject, as well as the right to access any personal data that a particular data controller may hold concerning them. What’s more, the DPA also provides citizens with the right to object to or opt-out of the processing of their personal data, as well as the right not to be subject to data processing decisions made solely on the basis of automated processing. Alternatively, the DPA does not provide data subjects with the right to be informed, or the right to data portability.

In terms of penalties that can be imposed against data controllers who fail to comply with the law, the DPA is enforced by the Data Protection Commission or the Commission for short. As such the Commission is authorized to levy the following monetary penalty of up to LSL 50 million ($3,383), as well as a term of imprisonment of up to five years for the following offenses:

• Violating any of the provisions or regulations of the DPA.
• Obstructing, hindering, or otherwise unlawfully influencing the Commission, or any person acting on behalf of the Commission with respect to enforcement of provisions of the DPA.
• Violating the rules of confidentiality as it applies to personal data.
• Unlawfully and intentionally obstructing an individual in the execution of a warrant issued in accordance with the DPA.
• Failing to assist an individual in the execution of a warrant issued in accordance with the DPA, in instances where such assistance is reasonably required.

Through the passing of the Data Protection Act, 2013, data subjects within Lesotho were provided the explicit right to privacy through legislation for the first time. While the DPA may not offer the same level of protection as the South African POPIA law, the Data Protection Act, of 2013 was nevertheless a turning point in the quest to achieve guaranteed data privacy rights for citizens of the country. As such, Lesotho has joined the ranks of the many African countries to guarantee the data protection and in turn privacy rights of their citizens through the means of legislation in the last decade.