The Data Protection Act 2013, Data Privacy in Lesotho

The Data Protection Act 2013, Data Privacy in Lesotho

Lesotho’s Data Protection Act, 2013, also known as the DPA for short, is a data protection law that was passed in Lesotho in 2013. The DPA was passed to provide Lesotho citizens with the fundamental right to data protection and privacy, as this right is not explicitly given under The Constitution of the Kingdom of Lesotho. As such, legislation was needed to guarantee data subjects within Lesotho the right to data privacy. To this end, the DPA provides the principles for the regulation of the collection, processing, and disclosure of personal data in Lesotho, as well as the punishments that can be imposed as a result of failing to comply with the law.

What is the scope and jurisdiction of the DPA?

As it pertains to the personal scope of the law, the DPA applies to “a public or private body or any other person which or who, alone or together with others, determines the purpose of and means for processing personal information, regardless of whether or not such data is processed by the party or by a data processor on its behalf”. Moreover, the DPA defines data processing broadly to include the “collection, receipt, recording, organization, collation, storage, updating or modification, retrieval, alteration, consultation or use, dissemination by means of transmission, distribution or making available in any other form, merging, linking, as well as blocking, degradation, erasure, or destruction, of personal information”.

Conversely, the territorial scope of the DPA states that the law applies to any person who processes personal data, whether they are:

What are the requirements of data controllers under the DPA?

Under the Data Protection Act, 2013, data controllers within Lesotho must adhere to the following data protection principles:

What are the rights of data subjects under the DPA?

The Data Protection Act, 2013 provides data subjects within Lesotho with various rights as it relates to the collection, processing, and dissemination of their personal data. These rights include the right to rectification, with a charge to the data subject, as well as the right to access any personal data that a particular data controller may hold concerning them. What’s more, the DPA also provides citizens with the right to object to or opt-out of the processing of their personal data, as well as the right not to be subject to data processing decisions made solely on the basis of automated processing. Alternatively, the DPA does not provide data subjects with the right to be informed, or the right to data portability.

In terms of penalties that can be imposed against data controllers who fail to comply with the law, the DPA is enforced by the Data Protection Commission or the Commission for short. As such the Commission is authorized to levy the following monetary penalty of up to LSL 50 million ($3,383), as well as a term of imprisonment of up to five years for the following offenses:

Through the passing of the Data Protection Act, 2013, data subjects within Lesotho were provided the explicit right to privacy through legislation for the first time. While the DPA may not offer the same level of protection as the South African POPIA law, the Data Protection Act, of 2013 was nevertheless a turning point in the quest to achieve guaranteed data privacy rights for citizens of the country. As such, Lesotho has joined the ranks of the many African countries to guarantee the data protection and in turn privacy rights of their citizens through the means of legislation in the last decade.

Related Reads