What the bill is all about
The Data Protection Bill is a regulation intended to protect the ‘personal data’ of Namibians and to regulate how that data is processed.
‘Personal data’ is any information that is unique to an individual and can therefore be used to identify them – examples include a person’s name, ID number, physical address, medical history, fingerprints, facial imaging or even the IP address of their cellphone or computer.
This information is typically collected, recorded, stored, analysed or even disclosed to third parties by organisations – the draft Bill collectively defines those and similar activities as the ‘processing’ of personal data.
The regulation would therefore apply to any individual or organisation that ‘processes’ personal data, as defined.
Why it is necessary
In the information-driven world we live in, data – particularly sensitive personal data – is a prized possession. Improper processing of your information can make you a victim of identity theft, unwanted advertising, discrimination, fraud or even physical harm.
For instance, if a potential employer requests information regarding your political affiliation and uses this information to deny you a job, that would be an improper and unfair use of your personal data.
Consequently, regulations such as this draft Bill that outline what information someone can collect about you and how that information can be used are necessary to protect you and your rights.
What it means to consumers
Some of your rights as a consumer whose personal data is being processed will include asking a person or business that processes your data to:
– Confirm, free of charge, whether they hold any of your personal data;
– Provide a record of the personal data they hold about you;
– Identify any third parties who have or had access to your personal data;
– Correct or delete data that is incorrect or outdated;
– Delete data that is irrelevant, unlawfully obtained or which they no longer need to process.
You will also have the right to submit a complaint to the Data Protection Authority regarding alleged non-compliance with the regulation.
A new governing body
The draft Bill also proposes the establishment of an independent entity named the Data Protection Supervisory Authority (DPSA).
The DPSA will be funded by the government, and its responsibilities will include compliance monitoring and the investigation and remediation of alleged violations of obligations to protect personal information.
The draft Bill requires the DPSA to have a Board whose Chairperson, Vice Chairperson and members are to be appointed by the MICT Minister. An example of another regulator MICT has established under an MICT-sponsored Act is The Communications Regulatory Authority of Namibia (CRAN).
What next?
The draft Bill is available on the MICT’s official website as well as at regional council offices; interested third parties and members of the general public have until 30 November 2022 to submit commentary and input on the Bill to the Ministry.
In the meantime, companies that will fall within the scope of the draft Bill would be well advised to assess how the legislation will impact them, and to begin mapping out an appropriate course of action in order to eventually be compliant with it.
*Thomas Paavo Hamata is a Namibian technology governance, risk and compliance professional based in The Netherlands.