Lesotho
Data Protection Act, 2012
Act 5 of 2012
- Published in Government Gazette 19 on 22 February 2012
- Commenced on 22 February 2012
- [This is the version of this document from 22 February 2012.]
Part I – Preliminary
1. Citation and commencement
This Act may be cited as the Data Protection Act, 2011 and shall come into operation on the date of publication in the Gazette.
2. Interpretation
In this Act, unless the context otherwise requires—
"agent" in relation to personal data, means a person (other than an employee of the data controller) who processes the data on behalf of the data controller;
"automatic calling machine" means a machine that is able to do automated calls without human intervention;
"biometric" means a technique of personal identification that is based on physical characteristics including fingerprinting, DNA analysis, retinal scanning and voice recognition;
"child" means a natural person under the age of 18 years;
"code of conduct" means a code of conduct made and approved in terms of this Act;
"Commission" means the Data Protection Commission established under section 6;
"Constitution" means the Constitution of Lesotho of 1993 as amended;
"data" means an unidentified data record, anonymised personal data or a fact about an unidentified individual;
"data controller" means a public or private body or any other person which or who, alone or together with others, determines the purpose of and means for processing personal information, regardless of whether or not such data is processed by that party or by an agent on its behalf;
"data subject" means an individual who is the subject of the personal data;
"de-identify" in relation to personal information of a data subject, means to delete any information that—
(a) identifies the data subject;
(b) can be used or manipulated by a reasonably foreseeable method to identify the data subject; and
(c) can be linked by a reasonably foreseeable method to other information that identifies the data subject;
"electronic mail" or "e-mail" means any text, voice, sound or image message which is sent over a public communications network and can be stored in the network or in the recipient’s terminal equipment until it is collected by the recipient;
"enforcement notice" means a notice issued under section 46;
"explicit consent" means any voluntary, specific and informed consent communicated expressly by spoken or written word in terms of which a data subject agrees to the processing of personal information relating to the data subject;
"filing system" means a set or collection of personal data records, structured either by reference to individuals or criteria relating to individuals, in a way that specific information relating to a particular individual is readily accessible;
"implicit consent" means consent that is inferred from signs, actions, or facts, or by inaction or silence;
"information matching programme" means the comparison, whether manually or by means of any electronic or other device, of a document that contains personal information about ten or more data subjects with one or more documents which contain personal information of ten or more data subjects, for the purpose of producing or verifying information that may be used for the purpose of taking any action in regard to an identifiable data subject;
"member" means the member of Commission established under section 6;
"Minister" means the minister responsible for Home Affairs, Public Safety and of Parliamentary Affairs;
"opt-in-consent" means express consent, that is, where the data subject expressly agrees to something;
"opt-out-consent" means implied consent, that is, where the data subject is deemed to have consented to something;
"personal data or information" means data which relates to a living individual who can be identified—
(a) from that data; or
(b) from that data and other information which is in the possession, or is likely to come into the possession of, the data controller,
and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual;
"prescribed" means prescribed by the Regulations;
"private body" means a natural person or juristic person who or which carries or has carried on any trade, business or profession but only in that capacity;
"processing" means an operation or activity or any set of operations, whether or not by automatic means relating to—
(a) the collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval, alteration, consultation or use;
(b) dissemination by means of transmission, distribution or making available in any other form; or
(c) merging, linking, as well as blocking, degradation, erasure or destruction, of information;
"professional legal adviser" means any legally qualified person, whether in private practice or not, who lawfully provides a client, at his or her or its request, with independent, confidential legal advice;
"public body" means—
(a) any department of state or administration in the national sphere of government or any council in the local sphere of government; or
(b) any other functionary or institution when—
(i) exercising a power or performing a duty in terms of the Constitution; or
(ii) exercising a public power or performing a public function in terms of any legislation;
"public communications network" means an electronic communications network used wholly or mainly for the provision of publicly available electronic communications services;
"public record" means a record that is accessible in the public domain and which is in the possession of or under the control of a public body, whether or not it was created by that public body;
"record" means any recorded information—
(a) regardless of form or medium, including the following—
(i) writing on any material;
(ii) information produced, recorded or stored by means of any tape-recorder, computer equipment, whether hardware or software or both, or other device, and any material subsequently derived from information so produced, recorded or stored;
(iii) label, marking or other writing that identifies or describes any thing of which it forms part, or to which it is attached by any means;
(iv) book, map, plan, graph or drawing; or
(v) photograph, film, negative, tape or other device in which one or more visual images are embodied so as to be capable, with or without the aid of some other equipment, of being reproduced;
(b) in the possession or under the control of a data controller;
(c) whether or not it was created by the data controller; and
(d) regardless of when it came into existence;
"re-identify" in relation to personal information of a data subject, means to resurrect any information that has been de-identified, that—
(a) identifies the data subject;
(b) can be used or manipulated by a reasonably foreseeable method to identify the data subject; or
(c) can be linked by a reasonably foreseeable method to other information that identifies the data subject.
3. Application of the Act
This Act applies to a data controller—
4. Exemptions
This Act does not apply to the processing of personal information—
5. Sector specific legislation
Part II – Data Protection Commission
6. Establishment of the Data Protection Commission
7. Disqualification from office
A person shall not be appointed as a member if the person—
8. Functions of the Commission
9. Tenure of office
A member shall—
10. Allowances of the members of the Commission
A member of the Commission shall be paid such allowances as the Minister may, in consultation with the Minister responsible for finance, determine.
11. Funds of the Commission
12. Audit of accounts
13. Protection of Commission
The Commission or any person acting on behalf of or under the direction of the Commission shall not be civilly or criminally liable for anything done in good faith in the exercise or performance or purported exercise or performance of any power, duty or function of the Commission in terms of this Act.
14. Duty of confidentiality
A person acting on behalf of or under the direction of the Commission shall treat, as confidential, personal information which comes to his knowledge, except if the communication of such information is required by law or in the proper performance of his duties.
Part III – Protection of personal information
15. Processing of personal information
16. Minimality
Personal information may only be processed if, given the purpose for which it is processed, it is adequate, relevant and not excessive.
17. Collection directly from the data subject
18. Purpose specification and further processing limitation
19. Retention of records
20. Security measures on integrity of personal information
21. Information processed by an agent of the data controller
An agent or anyone processing personal information on behalf of a data controller shall—
22. Security measures regarding information processed by an agent
23. Notification of security compromises
24. Quality of information
25. Notification to the Commission and to the data subject
26. Access to and challenges of personal information
27. Correction of personal information
28. Data controller to give effect to principles
The data controller shall ensure that the principles set out under this Act and all the measures that give effect to the principles are complied with.
29. Prohibition on processing of sensitive personal information
Unless specifically permitted under this Act, a data controller shall not process personal information concerning a—
Part IV – Exemptions from protection on processing of personal information
30. Exemption on data subject’s spiritual, religious or philosophical beliefs
31. Exemption on data subject’s race
32. Exemption on data subject’s trade union membership
33. Exemption on data subject’s political affiliation
34. Exemption on data subject’s health or sexual life
35. Exemption on data subject’s criminal behaviour
36. General exemption on sensitive personal information
Without prejudice to sections 29 to 35, the prohibition on processing personal information shall not apply where—
37. Authorisation by the Commission
38. Exemption for processing of personal data for historical, statistical and research purposes
Part V – Enforcement
39. Complaints
A person may submit a complaint to the Commission in the prescribed manner and form—
40. Investigation by the Commission
41. No action by the Commission
42. Pre-investigations by the Commission
Before proceeding to investigate any matter in terms of this Part, the Commission shall inform the complainant and the data controller to whom the investigation relates of the—
43. Investigation proceedings of the Commission
44. Matters exempt from search and seizure
45. Parties to be informed of developments during and result of investigation
If the Commission makes an investigation following a complaint, and—
46. Enforcement notice
47. Cancellation of an enforcement notice
48. Reviews and appeals
49. Civil remedies
A data subject may institute a civil action for damages in a court having jurisdiction against a data controller for breach of any provision of this Act.
Part VI – General provisions
50. Unsolicited electronic communications
51. Automated decision making
52. Transfer of personal information outside Lesotho
A data controller in Lesotho shall not transfer personal information about a data subject to a third party who is in a foreign country unless—
53. Notifications
54. Codes of conduct
55. Offences and penalties
A person who—
56. Regulations
The Minister may, on the recommendation of the Commission, make regulations generally for the purpose of giving effect to this Act.
57. Transitional arrangements
History of this document
22 February 2012 this version
Commenced