Final draft of law protecting personal data released
The final draft of a Law to protect personal data was released this week, making it an offence for institutions such as banks, telecom operators and hospitals to share, or sell, client information for any purpose that is not first clearly specified.
The Personal Data Protection Legislation Bill was released through the website of the Information Technology Ministry. It was prepared by the Ministry’s Data Protection Drafting Committee, after months of consultation.
Once passed, it will be implemented in stages, with the full Law coming into operation within 3 years from the date the Speaker certifies it. This is to allow sufficient time for the Government and the private sector to conform. A Data Protection Authority (DPA) will be set up within 18 months.
The legislation will bind institutions to collect personal data only for a specified purpose. Hospitals, for instance, will no longer be able to share client information with health and life insurance providers without express permission.
At present, this practice is widely observed, granting insurance providers valuable, privileged information, without the knowledge of clients. Some hospitals and insurance companies are jointly owned, making surreptitious data sharing even easier.
The Law will allow processing of data in public interest or, for the purpose of scientific or historical research. Personal data will have to be processed in a manner ensuring appropriate security, including protection against accidental loss, destruction or damage.
Those who collect personal data are called “Controllers” under the Law, while those who process it are called “Processors”. A new set of rights is given to citizens, termed “the rights of data subjects”. For instance, individuals will have the right to withdraw the consent given to Controllers and to have their data rectified without undue delay. They can also object to the processing of their data.
The Controllers must respond within a defined time period and are obliged to give reasons for refusing to meet such requests. An individual can appeal a Controller’s decision to the DPA.
An earlier draft made it mandatory for Controllers to be registered. This requirement has now been withdrawn. Instead, the Drafting Committee has introduced specific transparency and accountability obligations on Controllers requiring, for instance, the implementation of internal controls and procedures known as a “data protection management programme” to demonstrate how they implement the Act’s stipulations.
One sign of personal data being monetised and sold without a person’s permission is the messages they receive, flogging products or services they didn’t ask for, from companies they have no dealings with.
Controllers who process personal data will now be prohibited from sending unsolicited messages without the individual’s consent. There are provisions to deal with relationships between Controllers and third parties who process personal data on their behalf. And there will be administrative penalties with a ceiling, instead of fines calculated on the global turnover of the Controllers.