News
Data Protection draft law in final stages of review
View(s):The Personal Data Protection Legislation bill is in its final stages of review and amendment by the Legal Draftsman’s Department.
The legislation has been recognised as most urgently required in view of the digital strategies being adopted by the Government and private sector, such as contract tracing for effective management of COVID-19 by health authorities as well as the digital identity initiative, said Jayantha Fernando, Chair/Convener of the Drafting Committee.
It will strengthen the governance and administration of personal data and the Government has therefore given it high priority through the Information and Communication Technology Agency (ICTA), he said.
Among other things, obligations are imposed on those who collect and process personal data. For instance, the data shall only be used for defined purposes in a proportionate and relevant manner while ensuring its security and confidentiality.
It would be an offence for institutions like banks, telecom operators and hospitals to share–including sell–client information for any purpose that is not first clearly specified.
The law took months of consultation led by the Justice Ministry’s Data Protection Drafting Committee. The draft bill was presented to Cabinet early this year and to the legal community in February.
Discussions were also held with the Ceylon Chamber. The Attorney General and the Telecommunications Regulatory Commission of Sri Lanka gave their observations on the bill.
“The on-going review and amendments would ensure that all pending issues and concerns are duly addressed,” Mr Fernando said, pointing out that it was a complex piece of legislation.
Even the Government’s budget presented to Parliament this month refers to its importance. And the establishment of institutional frameworks for implementation is now under the Presidential Secretariat with a Presidential Task Force to be appointed in due course.
Those who collect personal data are called “controllers” under the law while those who process it are called “processors”. A new set of rights are given to citizens termed “the rights of data subjects”.
For instance, individuals will have the right to withdraw the consent given to controllers and to rectify the data without undue delay. They can also object to processing of their data.
The controllers must respond within a defined time period and are obliged to give reasons for refusing to meet requests, etc. An individual can appeal against a controller’s decision to a Data Protection Authority (DPA).