PRIME MINISTER’S OFFICE
DATA PROTECTION OFFICE

An overview of the Mauritian Data Protection Act with regard to its legal implications on the rights of data subjects and the corresponding legal obligations of data controllers and data processors for guaranteeing these rights namely the protection of personal data for processing purposes.

PRESENTED BY:
MRS D. CAULLYCHURN-MADHUB
SENIOR STATE COUNSEL & DATA PROTECTION COMMISSIONER
30.11.07


OBJECTIVES

• The objectives which the DATA PROTECTION OFFICE is striving to attain in its ambitious endeavour to protect in an efficient manner the privacy rights of all individuals are founded on the following principles derived from:-

– Article 12 of the Universal Declaration of Human Rights of 10 December 1948 provides:-

No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks.

• Article 17 of the International Covenant on Civil and Political Rights of 16 December 1966 to which Mauritius is a party provides:-

– No one shall be subjected to arbitrary or unlawful interference with his privacy, family, home or correspondence, nor to unlawful attacks on his honour and reputation.

– Everyone has the right to the protection of the law against such interference or attacks.

• And in compliance with the EU Directive 95/46 to secure investment in the country.

• The Data Protection Office derives its existence from the Data Protection Act 2004 (DPA) and up to now only sections 1, 2, 4, 5 (b), (c), (e), (g), (h), (i), (j) and 6 of the Act have been proclaimed, that is, have force of law since 27.12.04 whereas the other provisions of the Act do not yet enjoy legal existence as they have not yet been proclaimed.

• It is the urgent priority of this office to have the DPA as a whole proclaimed for the proper launching of the office.

• The relevant documents have already been sent to the Senior Chief Executive of the PMO for the proclamation together with the required regulations, a draft of the website, the relevant guidelines for data controllers and data subjects and a leaflet addressed to the general public.

• The Data Protection Act 2004 (DPA) gives individuals the right to know what information is held about them. It provides a framework to ensure that personal information is handled properly.

• Should an individual or organisation feel they're being denied access to personal information they're entitled to, or feel their information has not been handled according to the DPA, they can contact the Data Protection Office for help.

• However, though not all the sections of the DPA have yet been proclaimed, the Commissioner does enjoy the following powers, as they are provided in section 5 of the Act:-

– to issue or approve codes of practice or guidelines;
– create and maintain a register of all data controllers;
– promote self-regulation among data controllers;

– take such measures as may be necessary so as to bring to the knowledge of the general public the provisions of this Act;

– undertake research into, and monitor developments in, data processing and computer technology, including data-matching and data linkage, ensure that any adverse effects of such developments on the privacy of individuals are minimized;

– examine any proposal for data matching or data linkage that may involve an interference with, or may otherwise have adverse effects on the privacy of individuals and, ensure that any adverse effects of such proposal on the privacy of individuals are minimised;

– do anything incidental or conducive to the attainment of the objects of, and to the better performance of his duties and functions under this Act.

What are the data protection principles?

• Personal data shall be processed fairly and lawfully.

• Personal data shall be obtained only for any specified and lawful purpose, and shall not be further processed in any manner incompatible with that purpose.

• Personal data shall be accurate and, where necessary, kept up to date.

• Personal data processed for any purpose shall not be kept longer than is necessary for that purpose or those purposes.

• Personal data shall be processed in accordance with the rights of the data subjects under the Data Protection Act.

• Appropriate security and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

• Personal data shall not be transferred to a third country, unless that country ensures an adequate level of protection for the rights of data subjects in relation to the processing of personal data.

Is the Data Protection Office a public one?

Yes.

What is the composition of the Data Protection Office for the time being?

The Office consists of the Commissioner for the time being, who is also the head of the office.

What is the mission of the Data Protection Office?

The mission of the Data Protection Office is to safeguard the privacy rights of all individuals with regard to the processing of their personal data, in Mauritius.

What are the functions of the Commissioner?

She registers all data controllers in Mauritius, exercises control over all data processing activities in Mauritius, investigates complaints, undertakes research in data processing and computer technology, amongst others.

Who can make a complaint to the Data Protection Office?

Any individual or organization who feels that their privacy rights with regard to their personal data may have been affected.

What does the Data Protection Office do when it receives a complaint?

It investigates the complaint, unless the complaint is frivolous, and as soon as possible, notifies the complainant in writing of its decision.

What can the Data Protection Office do when a data controller or a data processor contravenes the Data Protection Act?

- Where the Commissioner finds that a data controller or a data processor is acting in violation of the Data Protection Act, she may serve an enforcement notice on the data controller or the data processor requiring him/her to take such steps within the period of time specified in the notice which must not be less than 21 days, to remedy the matter and implement the measures recommended by the Commissioner in the enforcement notice.

- The data controller or the data processor must then notify the data subject of his compliance with the enforcement notice, not later than 21 days after such compliance.

• Is it an offence not to comply with the enforcement notice?

Yes. Any person who does not comply with the enforcement notice and does not have a reasonable excuse for not complying will commit an offence, the penalty of which will be a fine not exceeding Rs 50,000 and imprisonment not exceeding 2 years.

What are the other powers of the Commissioner?

– Where the Commissioner is of the view that the investigation reveals the commission of a criminal offence under the Data Protection Act, she can refer the matter to the Police.

– The Commissioner can also request information from a person whenever it is required for the Commissioner to discharge her functions properly by sending a notice.

– The Commissioner can also carry out security checks when she believes that the processing or transfer of data by a data controller will entail specific risks to the privacy rights of the data subjects to assess the security measures taken by the data controller prior to the beginning of the processing or transfer.

– The Commissioner can also carry out periodical audits of the systems of data controllers to ensure compliance with the data protection principles.

– An officer of the Data Protection Office may at any time enter and search the premises where data processing activities are being carried on.

– If it is a dwelling house, the officer must show a warrant to enter and search the dwelling house issued by a magistrate.

What can the complainant do if he/she is not satisfied with the outcome of the investigation?

– The complainant may appeal to the Information and Communication Technologies (ICT) Tribunal if he/she is not satisfied with the decision reached by the Commissioner.

What is data?

– Data means information which can be processed by automated means or manually through a filing system.

What does sensitive personal data mean?

– It means personal information of a data subject which consists of information as to his/her -

   – racial or ethnic origin;
   – political opinion or adherence;
   – religious belief or other belief of a similar nature;
   – membership to a trade union;
   – physical or mental health;
   – sexual preferences or practices;
   – the commission of an offence; or
   – any proceedings for an offence committed or alleged to have been committed by him, the disposal of such proceedings or the sentence of any court in such proceeding.

Can sensitive data be processed by a data controller?

– No sensitive data can be processed without the consent of the data subject, unless the latter has made the data public, subject to certain further exceptions as provided in the Act.

Who is a data controller?

– A data controller is a person or a group of persons who decide as to the purposes for which personal data is to be processed.

Are you a "data controller"?

– Data controllers are the people or body, who determine the purposes and the means of the processing, both in the public and in the private sector. A medical practitioner would usually be the controller of the data processed on his clients; a company would be the controller of the data processed on its clients and employees; a sports club would control the data processed on its members and a public library controls the data processed on its users.

Data controllers are required to observe several principles. These principles not only aim to protect the data subjects but also are a statement of good business practices that contribute to reliable and efficient data processing.

Each data controller must adhere to the Data Protection Act when he is established in Mauritius and where he is not established in Mauritius but uses equipment in Mauritius for processing data, other than for the purposes of transit through Mauritius.

Where the data controller is not established in Mauritius, he must nominate a representative who resides in Mauritius to carry out his data processing activities through an office in Mauritius.

A data controller is therefore the natural person (the individual) or the legal person who controls and is responsible for the keeping and use of personal information on computer or in structured manual files.

Being a data controller carries with it serious legal responsibilities, so you should be quite clear if these responsibilities apply to you or your organisation. If you are in any doubt, or are unsure about the identity of the data controller in any particular case, you should consult your legal adviser or seek the advice of the Data Protection Commissioner.

In essence, you are a data controller if you can answer YES to the following question:-

– Do you keep or process any information about living people?

– In practice, to find out who controls the contents and use of personal information kept, you should ask yourself the following questions:-

– Who decides what personal information is going to be kept?

– Who decides the use to which the information will be put?

If your organisation controls and is responsible for the personal data which it holds, then your organisation is a data controller. If, on the other hand, you hold the personal data, but some other organisation decides and is responsible for what happens to the data, then that other organisation is the data controller, and your organisation is a "data processor".

Data Processors

• As mentioned above, if you hold or process personal data, but do not exercise responsibility for or control over the personal data, then you are a "data processor".

• Examples of data processors include payroll companies, accountants and market research companies, all of which could hold or process personal information on behalf of someone else.

• A data processor is distinct from the data controller for whom they are processing the personal data. An employee of a data controller, or a section or unit within a company which is processing personal data for the company as a whole, is not a "data processor".

• However, someone who is not employed by the data controller, but is contracted to provide a particular data processing service (such as a tax adviser, or a telemarketing company used to manage customer accounts) would be a data processor.

• A subsidiary company owned by a data controller to process personal data on its behalf (for example to manage the payroll) is a distinct legal person and is a data processor.

• It is possible for one company or person to be both a data controller and a data processor, in respect of distinct sets of personal data.

• For example, a payroll company would be the data controller in respect of the data about its own staff, but would be the data processor in respect of the staff payroll data it is processing for its client companies.

Responsibilities of Data Processors

• Unlike data controllers, data processors have a very limited set of responsibilities under the Data Protection Act.

• These responsibilities concern the necessity to keep personal data secure from unauthorised access, alteration, unlawful disclosure, destruction or accidental loss and the duty to destroy data whenever he receives such a notification from the data controller.

How is the Act enforced?

• The Commissioner's role is to ensure that those who keep personal information comply with the provisions of the Act.

• These powers include the serving of legal notices compelling data controllers to provide information needed to assist her enquiries, or compelling a data controller to implement one or more provisions of the Acts. She may investigate complaints made by the general public or carry out investigations proactively.

• She may, for example, authorise officers to enter premises and to inspect the type of personal information kept, how it is processed and the security measures in place. You and your staff must cooperate fully with such officers.

• A data controller found guilty of an offence under the Acts can be fined to a maximum of Rs 200,000 and imprisoned to a maximum of five years.

Basic Data Protection Checklist

• Are the individuals whose data you collect aware of your identity?

• Have you told the data subject what use you make of his/her data?

• Are the disclosures you make of that data legitimate ones?

• Do you have appropriate security measures in place?

• Do you have appropriate procedures in place to ensure that each data item is kept up-to-date?

Basic Data Protection Checklist

• Do you have a defined policy on retention periods for all items of personal data?

• Do you have a data protection policy in place?

• Do you have procedures for handling access requests from individuals?

• Are you clear on whether or not you should be registered?

• Are your staff appropriately trained in data protection?

• Do you regularly review and audit the data which you hold and the manner in which they are processed?

What is the scope of the exemptions provided in the Data Protection Act?

• Personal data which is required for the purposes of:-

• safeguarding national security;

• the prevention or detection of crime;

• the prosecution of offenders;

• the collection of any tax, duty or any such similar charges;

• health and social work;

What is the scope of the exemptions provided in the Data Protection Act?

• journalism, literature, art, research, history and statistics;

• where information is required to be made available to the public by the law or in connection with legal proceedings;

• domestic purposes; and

• confidential information between client and legal practitioner,

is exempt from the application of certain or all provisions of the Data Protection Act.

MAIN RESPONSIBILITIES

• Registration

• Are we clear about whether or not we need to be registered with the Data Protection Commissioner?

• If registration is required, is the registration kept up to date? Does the registration accurately reflect our practices for handling personal data? [Remember, if your data-handling practices are out of line with the details set out in your register entry, you may be committing an offence.]

• Is a named individual responsible for meeting our registration requirements?

How is an application made to the Data Protection Office for registration?

• It must be made in writing to the Commissioner and it must contain the following information:-

– His/her name and address or that of his/her representative.

– A description of the personal data being processed, the purpose for which it is being processed and the category of data subjects targeted, where possible their names.

– A statement as to whether he/she holds sensitive personal data.

– A description of the intended recipients of the information held by the data controller.

– A description of the country to which the data controller intends to transfer data.

Where an offence is committed, which court has jurisdiction to try the criminal case?

• The Intermediate Court will have jurisdiction.

What if the data controller supplies false information to the Commissioner?

• It is an offence and the penalty is a fine not exceeding Rs 100,000 and imprisonment not exceeding 2 years.

For how long does the registration remain valid?

• It remains valid for a period of one year and if registration is not renewed, it will be cancelled.

Is it an offence not to register or to renew registration?

• Yes, the penalty is a fine not exceeding Rs 200,000 and imprisonment not exceeding 5 years.

MAIN RESPONSIBILITIES

How to organize yourself to ensure the protection of data within your organization?

• The right of access is the most important right that an individual has and you need to organize yourself for handling access requests. Dealing with access requests is not your only obligation. Staff should also be made aware of the obligations imposed by the Data Protection Act.

MAIN RESPONSIBILITIES

To comply you should:

– Ensure that the basic principles of data protection are explained to staff;

– Ensure that there are regular updates to guidance material and staff training and awareness, so that data protection is a “living” process aligned to the way the organisation conducts its business;

– Document procedures, for example with regard to accuracy, and have regular security reviews;

– Allocate responsibility for compliance and set out what in-house sanctions may be imposed if correct procedures are not followed;

– Set out the circumstances in which personal data may be disclosed to third parties.

MAIN RESPONSIBILITIES

• Obligations on retention and security need to be addressed

• Adhere to the ‘need to know principle’ – only personal data necessary for the purpose should be collected and staff should only be able to access the personal data that they need to carry out their functions;

• Have adequate access controls, firewalls and virus protection and do not forget manual files;

• There should be retention policies for the various categories of data.

MAIN RESPONSIBILITIES

• Dealing with Subject Access Requests

• The key right for the individual is the right of access. Essentially this means that you have to supply to the individual the personal data that you hold if a valid request is made under Section 41.

• The time limit for complying with an access request is 28 days. In order to ensure your compliance with the time limit and your other access obligations the following organisational and procedural steps may be effected:

MAIN RESPONSIBILITIES

• Appoint a Co-ordinator or a Data Protection Officer who will be responsible for the response to the access request. A description of the functions and responsibilities of the Co-ordinator should be circulated within the organisation and staff should be advised of the necessity for co-operation with the Co-ordinator.

• All subject access matters should be submitted to the Co-ordinator.

• Check the validity of the access request. Ensure that it is in writing and that the appropriate fee is included.

MAIN RESPONSIBILITIES

• Check that sufficient material has been supplied to definitively identify the individual. This is most important as a third party may provide false material to lodge a false access request.

• Check that sufficient information to locate the data has been supplied. If it is not clear what kind of data is being requested you should ask the data subject for more information. This could involve identifying the databases, locations or files to be searched or giving a description of the interactions the individual has had with the organisation.

• Log the date of receipt of the valid request.

MAIN RESPONSIBILITIES

• Keep note of all steps taken to locate and collate data – if different divisions of the organisation are involved, have the steps “signed off” by the appropriate person.

• Check each item of data to establish whether any of the restrictions on or denial of access provided by section 43 will apply.

• If data relating to a third party is involved, do not disclose such data without the consent of the third party. An opinion given by a third party may be disclosed unless it is an opinion which was given in confidence on the clear understanding that it would be treated as confidential.

MAIN RESPONSIBILITIES

• Monitor process of responding to the request – observing time limit of 28 days.

• Supply the data in an intelligible form (include an explanation of terms if necessary). Also provide description of purposes, disclosees and source of data (unless revealing the source would be contrary to the public interest). Number the documents supplied. Have the response “signed-off” by an appropriate person.

• Regularly review your procedures and processes.

MAIN RESPONSIBILITIES

• Self Regulation and Codes of Practice

The requirements of data protection law are quite clear, and applying the rules and principles of data protection to your business activities is often a matter of common sense.

• However, for some businesses and professions, interpreting and applying data protection law is not so straightforward, and sometimes requires a fine appreciation of the ethical norms and standards, and the traditional expectations of good practice, associated with that sector.

MAIN RESPONSIBILITIES

• For that reason, Section 56 of the Data Protection Act 2004 provides that the Commissioner may approve codes of practice elaborated by data controllers which should have a direct input into the establishment of data protection standards within their sector.

MAIN RESPONSIBILITIES

• It is a matter for the data controller to devise a code of practice that is appropriate to his sector. If the Commissioner agrees that the code provides adequate data protection for individuals, then the code of practice may be approved by her and incorporated through regulations to be enacted under the Act. The code will then have the force of law, and will be binding upon all data controllers in that sector.

MAIN RESPONSIBILITIES

• The Commissioner will keep a register of approved codes and guidelines which will be available for public inspection. Upon the payment of the prescribed fee, the Commissioner will provide copies or extracts from the register.

MAIN RESPONSIBILITIES

How can the Data Controller initiate a statutory Code of Practice?

• If you would like to initiate a code of practice, to clarify how data protection rules are to be applied for your sector, then we suggest that you contact the Data Protection Commissioner, with a view to arranging discussions to progress the matter. The Commissioner will be glad to provide you with practical advice on what should be covered in your code of practice, and on how circumstances specific to your sector might be handled.

Your Rights

Under section 41 of the Data Protection Act, any individual may make a written request to the data controller, who keeps personal information regarding that particular individual on computer or in a relevant filing system and is entitled to:

>> A copy of the data upon payment of the prescribed fee,

>> Whether the data kept by the data controller include personal data relating to the data subject, (c) a description of the purposes for which it is held and (d) a description of those to whom the data may be disclosed unless compliance with such a request would be in breach of the confidentiality obligation of the data controller.

Your Rights

Every individual about whom a data controller keeps personal information on computer or in a relevant filing system, has a number of other rights under the Act, in addition to the Right of Access.

These include the right to have any inaccurate information rectified or erased, to have personal data taken off a direct marketing or direct mailing list and the right to complain to the Data Protection Commissioner.

Your Rights

The data controller is also obliged to explain to the data subject the logic used in any automated decision making process where the decision significantly affects the individual and the decision is solely based on the automated process.

This "right of access" is subject to a limited number of exceptions, which are listed below.

Your Rights

An individual making an access request must:-

Apply to the data controller in writing by filling in the request for access to data form available on the website or at the Data Protection Office,

Give any details which might be needed to help the data controller identify him or her and locate all the information the data controller may keep about him/her.

The individual must also pay the data controller the access fee.

Your Rights

Are there exceptions or limitations on the right of access to personal data?

Yes, there are. Section 43 of the Data Protection Act provides that the right of access does not apply in a number of cases.

The restrictions upon the right of access fall into five groups:

The obligation to comply with an access request does not apply where the data controller is not supplied with the information he reasonably requires in order to satisfy himself as to the identity of the person making the request and to locate the information which the person seeks;

Your Rights

Where compliance with the request would be in contravention of the confidentiality obligation of the data controller under the Mauritian law;

The right of access does not include a right to see personal data about another individual, without that other person’s consent. This is necessary to protect the privacy rights of the other person. Where personal data consists of expressions of opinion about the data subject by another person, the data subject has a right to that expression of opinion except where that expression of opinion was given in confidence;

The right of access does not include the revelation of evidence of the commission of a criminal offence other than an offence under the Act.


Where the data controller cannot comply with the request without disclosing personal data relating to another person, he may refuse the request unless the other individual has consented to the disclosure of his personal data to the person making the request or he obtains the written approval of the Commissioner;

The right of access does not include information given in confidence to the data controller for the purposes of the education, training or employment, or prospective education, of the data subject, the appointment or prospective appointment of the data subject to any office, the provision or prospective provision by the data subject of any service, or where the personal data requested consist of information recorded by candidates during an academic, professional or other examination;


Contact details

• Address: Data Protection Office, 6th Floor, New Government Centre, Port Louis

• Phone: + (230) 201 3604

• Email: [email protected] (domain: mail.gov.mu)

• Website: www.dataprotection.gov.mu


THANK YOU