Overview of Data Privacy and Protection in Lesotho

What is data protection? 

The protection of personal information is essential to fulfilling the fundamental principle and value of personal privacy and personal information privacy. As such, data protection is the process of safeguarding important information from corruption, compromise or loss.
 

Does Lesotho Have data protection laws?

Lesotho implements the right to privacy under the Data Protection Act, 2011 (“the Act”).
 

Who does the Data Protection Act apply to? 

The Act protects living individuals’ personal information and widely imposes restrictions and obligations on private and public organisations, companies and individuals who handle the data or information of an individual (data controllers) and who intend to process personal information.
 

What is considered the processing of personal information or data?

The “processing” of data, includes, but is not limited to any operation or activity relating to:
 

• the use, 
• collection, 
• alteration, 
• erasure, 
• distribution, 
• transmission, and
• storage of information. 

What is considered personal information or data?

The definition of personal information or data (“information”) is broadly defined as any information about a living individual, which can be used to identify that individual either by the information alone or in conjunction with other information that the data controller has or may have access to. 

A data controller who processes information must to comply with the requirements of the Act.
 

What requirements are imposed by the Act? 

The Act places a number of requirements on a data controller in relation to how they are to process information. In general, the following are the main principles that must be observed under the act:
 

1. Information should be obtained directly from an individual, and with their explicit consent. 
2. Notification of the processing of information to which the Act applies must be given to the Data Protection Commission by the data controller.
3. Information should only be processed if the purpose for the processing is “adequate, relevant and not excessive”. 
4. Information should not be retained longer than reasonably required or allowed by the law. 
5. A data controller must ensure that adequate security measures are in place to protect information and must take into account generally accepted security practices. This includes an obligation on a data controller to undertake regular risk assessments to identify all reasonably foreseeable internal and external risks to information in its possession, in order to establish and maintain appropriate safeguards against risks identified. 

The above requirements represent the minimum standard that must be met under the Act, we note that there are a number of further requirements and exceptions which may apply under certain circumstances.
 

What is the potential liability to data controllers under the Act?

The Act imposes a number of potential sanctions on those who fail to comply with its provisions. It further entrenches a civil claim for damages by an individual where there has been a statutory breach under the Act by a data controller. 

Criminally, on conviction, a data controller who breaches the Act may face a fine not exceeding M50 000 or imprisonment not exceeding 5 years or both. If the data controller is a juristic person the chief executive officer will serve the term of imprisonment.

It is worth noting that a data controller will not escape liability by making use of an agent to process the information. It is the data controller’s responsibility to ensure that the agent’s security measures comply with the Act. The Act goes further and requires that the relationship between the data controller and agent must be governed by a written contract, which obliges the agent to have adequate security measures in place as well as measures to protect the confidentiality of the information. The data controller cannot mitigate its liability under the Act by using an agent.

It is imperative that data controllers are aware of their responsibilities and the potential consequences of failure to comply. It is prudent that data controllers obtain legal advice to ensure that they are compliant under the Act.
 

Article by Lesotho member firm Webber Newdigate Attorneys