InternationalTelecommunicationUnion

HIPSSA Project

Support for Harmonization of the ICT Policies in Sub-Sahara Africa,

Meeting with the Namibia ICT Ministry and Data Protection Stakeholders

PRESENTATION ON SADC DATA PROTECTION MODEL LAW/ TRANSPOSITION APPROACH

Samson Muhapi, ITU National Legal Expert on Data Protection

Summary of the Content

National assessment –Policy and Legislative frameworks

Summary of Conflict and Gaps

Recommendations

In-country Assessment

• Communications Act, 2009• Namibia Central Intelligence Act, 1997• Statistics Act, 2011• Financial Intelligence Act, 2007• Anti-Corruption Act, 2003• Children’s Status Act, 2006 • Prevention of Organised Crime Act, 2004• Namibian Constitution, 1990• Health related legislation• Research, Science and Technology Act, 2004

Cont……

Electoral Act, 1992 Police Act, 1990 International Co-operation in

Criminal Matters Act, 2000 Information Technology Policy,

2008 Vision 2030 Policy Framework

Cont……

Namibia ICT Policy, 2004 National Development Plans

(NDPs) Draft Electronic Transactions

Bill (2013) Draft Financial Institutions and

Markets Bill (2013) Draft NAMFISA Bill (2013

Assessment: Statistics Act, 2011

Sec 5(1) sets out the objectives of the NSA;

- Sec 4(2) relates to the purpose and principles

Statistics Act, 2011

Sec 34 –imposes obligation- on the Statistician -General to publish Codes of Practice with regard to ethical and professional standards to be adhered to in the collection and processing of data;

Statistics Act, 2011

Sec 36 looks at the quality criteria, information and records, etc to be furnished as well as the right of access to the data by researchers.

Statistics Act, 2011

Sec 36 standards and security of networks

Sec 36 conforms to the requirements of sections 24 and 25 of the Model Law

Namibia Central Intelligence Act, 1997

Sections 6, 24 and 25 deals with the manner in which lawful collection of information may be authorised by the DG in the process of monitoring and interception of communications

Communications Act, 2009

Part 6 of the Act dealing with interception of telecommunications – is yet to come into operation.

Interception Centres-Sec 70(1) Staff of Interception centres sec 70(2)

Communications Act, 2009

Subsec (2) provides for the staffing of such interception centres, which, in terms of the Data Protection Model Law, could be categorised as data controllers;

Subsec (6) provides for the appropriation of funds by Parliament- for purposes of funding the establishment and activities of interception centres. Such moneys to be dealt with in accordance with section 10 of the NCIS Act, 1997;

Communications Act, 2009

Of importance is subsec (8) which provides that where any law authorises any person or institution to intercept or monitor electronic communications or to perform similar activities, that person or institution may forward a request together with any warrant that may be required under the law in question to the head of an interception centre.

Communications Act, 2009 In essence, interceptions of and or

monitoring of electronic communications, are only authorised under the NCIS Act, 1997;

Other relevant provisions of this Act in relation to data protection are sections 70(9) –dealing with decoding and decryption to make the information obtained intelligible

Communications Act, 2009

Sec 70(10) and (11), Sec 71;, Sec 72 Sec 73 Sec 74 Sec 75 and Sec 76

Anti-Corruption Act, 2003 Sec 27 may be relevant to the data protection

model law. This section deals with access to bank accounts, purchase accounts, share accounts, expense accounts or any other account, by police.

The only requirement in terms of sec 27(1) is that the Director or Deputy Director or investigating officer authorised by the Director or Deputy Director, may require access to and investigation into accounts mentioned above……….

Financial Intelligence Act, 2007

Sec 15 imposes a duty on accountable institutions to keep records in the manner and form set out in sec 20 and 22.

Such copies must be kept for a period of not less than five years;

FIA Act, 2007

Sec 16 relates to right of access to information kept by third parties;

Sec 20 deals with the analysis of reports

received, while sec 22 deals with the internal rules concerning reporting of suspicious or unusual transactions

FIA Act, 2007

Sec 22(d) places emphasis on responsibility and accountability of accountable institutions (compatible with accountability requirement of the model law- see sec 11);

Sec 22(a) and (b) provides for the requirement of “necessity” in the processing of information (which is in line with the model law-see sec 32)

Summary of conflict with Model Law

Sec 23 of the Model Law- imposes a duty to process person data on the Data Protection Authority as opposed to interception centres- as required by section 70(8) of the Communications Act, 2009;

In terms of the limitation clause (sec 42), interceptions and monitoring could be classified as matters falling under national security, crime, journalism, etc, and thus be excluded from application of this model law.

Summary of conflict Both the Com Act and NCIS Act are silent on right of

access to personal data by data subjects on personal information processed by data controllers

Both the Com Act and NCIS Act are silent on issues of rectification

Although Sec 6 of the Com Act makes provision for the establishment of interception centres, it does not expressly provide for interceptions and monitoring to be carried out subject to suspicious criminal activities which conflicts with the Policy statement in clause 7.2 of ICT Policy 2008

Recommendations

Model Law is compatible with Art. 13 of the Constitution (right to privacy);

It is compatible with Vision 2030, NDPs and the Information and Communication Policies 2004 and 2008;

Recommendations

The above policies allows for the adoption of Data Protection Policy and Regulatory Framework

The adoption of the Model Law will provide greater legal certainty by introducing a harmonised set of core values, rules and protection of fundamental rights

Recommendations Both the data subjects and data controllers will

benefit from a harmonised SADC Data Protection Model Law rules and procedures ensuring consistent enforcement of data protection rules;

Individuals will enjoy better control of their personal data and trust the digital environment;

They will also encounter reinforced accountability of those processing their personal data.

Thank You

Questions?

Samson MuhapiITU National Law Expert: Data Protection

Pria ChettyITU International Law Expert: Data Protection