Seeking comments from the public, the government yesterday published a draft Data Protection Bill which envisages the appointment of a Data Protection Commissioner and sets stiff penalties, in one case a fine of $100m and five years of imprisonment.
Publication of the draft bill followed news that the government had sealed a controversial deal for an electronic ID system which would store a broad range of information on citizens. Critics had said that it was premature for such a deal to be struck when there was no data protection system here and cybersecurity capabilities were week.
In a statement yesterday, the Attorney General’s Chambers said that the government intends to lay in the National Assembly shortly, the Data Protection Bill 2023.
As part of its policy to engage in public consultations on important pieces of intended legislation, the Government invited submissions and recommendations in relation to the draft Bill from national stakeholder organisations and members of the public. The draft Bill can be accessed on the Attorney General and Ministry of Legal Affairs website www.mola.gov.gy and submissions and recommendations are hereby invited within days from yesterday to agchambersmola@gmail.com.
The Explanatory Memorandum of the bill said that the intent is to protect a person’s right to protection with respect to the processing of personal data. Personal data is defined as any information relating to an identified or identifiable natural person. This includes data pertaining to the private life of a person, which includes professional activities, as well as information concerning the person’s public life.
This Bill also recognises a person’s right to privacy as one of the inalienable rights of humans.
The right to respect for private life and the right to protection of personal data are interlinked as the Explanatory Memorandum said that both are pivotal for the fulfilment of other rights such as the freedom of expression, freedom of peaceful assembly and association, and freedom of religion.
The Bill sets out the legal parameters within which data can be processed in accordance with the law.
Consequently, the objects of the Bill are to- (a) define the general principles of data protection and the rights of data subjects;
(b) protect personal data collected, used or stored by both private and public entities; and
(c) provide for enforcement mechanisms, including penalties, for failure to process personal data in accordance with the law.
Part II of the Bill sets out the data protection principles.
These principles are that personal data must be-
(a) processed lawfully, fairly, and in a transparent manner;
(b) collected for specified, explicit, and legitimate purposes only;
(c) adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed;
(d) accurate and, where necessary, kept up to date;
(e) kept in a form which permits identification of data
subjects for no longer than is necessary; and
(f) processed in a manner that ensures appropriate security of the personal data.
According to the Explanatory Memorandum, this Part also provides for the general principles governing the conditions of consent in relation to the processing of personal data. Consent must be freely given, informed, specific, and unambiguous and be in the form of a statement or clear affirmative action conferring agreement to the processing. The data subject also has the right to withdraw their consent at any time.
In relation to the processing of sensitive personal data, this Part establishes that the processing of sensitive personal data is prohibited in principle.
“Sensitive personal data means personal data consisting of information on a data subject’s racial or ethnic origin, political opinions, religious or philosophical beliefs, membership of a political body or trade union, genetic and biometric data, financial or criminal record, a person’s sex life or sexual orientation. There is, however, an exhaustive list of exemptions to this prohibition, which can be found in clause 9 of the Bill and which amount to lawful grounds for processing sensitive personal data.
These exemptions include situations where the data subject explicitly consents to the data processing, processing concerns data explicitly made public by the data subject, processing is necessary to establish,
exercise or defend legal claims or when courts act in their judicial capacity or for preventative or occupational medicine purposes”, the Explanatory Memorandum added.
Furthermore, data subjects have the right not to be subject to decision-making based solely on automated processing, including profiling, that have legal effects or that significantly affect him or her. This means that data subjects have the right to obtain human intervention on the part of the data controller and express their point of view and contest a decision founded on automated processing.
General principles
Part IV of the Bill makes provision for general principles governing the safeguards which must be in place where there is a transfer of the personal data of data subjects outside of Guyana. The free flow of data for the purposes of international trade and cooperation is pivotal, however, the transfer of data outside of Guyana heightens the risk to personal data being misused, the Explanatory Memorandum said. This Part therefore provides that personal data shall not be transferred to a state or territory outside of Guyana unless that state or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
“Any person who fails to comply with the provisions of this Part commits an offence and is liable to a fine of up to one hundred million dollars and to imprisonment for five years”, the Explanatory Memorandum said.
Part V of the Bill describes the instances in which a data controller will not be required to comply with certain provisions of the legislation. Personal data processed for the prevention, detection or investigation of crime, the apprehension or prosecution of offenders, the assessment or collection of any tax or duty, are exempted from the principle that data shall be processed fairly and lawfully, the provisions regarding the right of access to personal data and the non-disclosure provisions. The non-disclosure provisions are those provisions which prohibit the disclosure of personal data were the instances cited.
Personal data processed only for special purposes (that is, journalism, artistic or literary purposes) are exempt from the data protection principles. However, exemption is only permissible where-
(a) the processing is with a view to publishing any journalistic, literary or artistic material;
(b) the publication would be in the public interest;
(c) and in all the circumstances, compliance with the principles would be incompatible with the special purposes.
Part VI of the Bill sets out the obligations of the data controller,
data processor and data protection officer. According to the Explanatory Memorandum, a data controller is any person who alone, jointly or in common with others determines the purposes for which, and the manner in which, any personal data is or should be processed, or where personal data is processed only for the purpose for which the data is required by or under any law to be processed, the person on whom the obligation to process the data is imposed by or under any law.
A person who operates as a data controller without being registered is liable on summary conviction to a fine of ten million dollars or to imprisonment for two months, according to the draft bill.
Like data controllers, data processors must also be registered, and when necessary appoint a representative established in Guyana.
The Explanatory Memorandum said that both a data controller and a data processor shall-
(a) maintain a record of processing activities;
(b) cooperate with the Commissioner;
(c) implement appropriate technical and organisational measures to ensure a level of security when processing data;
(d) notify the Commissioner and the data subject when there is a breach of personal data.
Body corporate
Part VII of the Bill establishes the office of the Data Protection Commissioner and sets out the functions of that office. The Data Protection Commissioner is to be established as a body corporate and shall be responsible for the administration of the Act. The Commissioner is appointed by the President.
Some of the functions of the Commissioner are to-
(a) monitor and enforce the application of this Act;
(b) promote public awareness and understanding of the risks, rules, safeguards and rights in relation to processing;
(c) organise activities addressed specifically to children to educate them about the risks, rules, safeguards and rights in relation to processing;
(d) conduct an audit of the personal data processed by the person, for the purpose of ascertaining whether or not the data is processed in accordance with this Act;
(e) maintain a register of data controllers and data processors;
(f) investigate complaints from persons concerning abuses in the processing of personal data.
The Explanatory Memorandum said that the Minister shall provide the Commissioner with the necessary staff.
Part VIII of the Bill describes the enforcement powers of the Commissioner. This Part empowers the Commissioner to issue enforcement notices in instances where the Commissioner is satisfied that a data controller has contravened, or is contravening, any of the data protection standards. The Commissioner must consider whether the contravention has caused or is likely to cause any individual damage or distress at the point when deciding to serve an enforcement notice. The notice issued may require the data controller to-
(a) take or refrain from taking specific steps within a specified time;
(b) refrain from processing any personal data or personal data of a specified description; or
(c) refrain from processing data for a specific purpose or in a specific manner, after a specified time.
This Part also provides that any person who is, or believes himself or herself to be, directly affected by any processing of personal data, to require the Commissioner to carry out an assessment of whether the legislation is being complied with. When the Commissioner receives a request, the Commissioner shall make an assessment and may serve the data controller with an information notice requiring the data controller to furnish the Commissioner with the required information relating to the request or to comply with the provisions of the Act, the Explanatory Memorandum said.
Failure to comply with an enforcement notice, an information notice or a special information notice is an offence which carries a penalty of a fine of one million dollars or imprisonment for three months, the bill said.
This Part also provides for the issuance of a warrant by a judge of the High Court to authorise a police officer accompanied by the Commissioner, staff or any other person skilled in information technology to, inter alia, enter any premises, search it, inspect, examine and seize any document or other material found on the premises. A judge shall not issue a warrant in respect of any personal data processed for the purpose of journalism or for artistic or
literary purposes unless the Commissioner has determined that the data is not being processed only for that purpose.
Part IX of the bill provides that any person who suffers damage or distress due to any contravention of the Act by the data controller or data processor is entitled to compensation from that controller or processor.
This Part also sets out that it is an offence to knowingly or recklessly, without the consent of the data controller, obtain or disclose personal data or the information contained in personal data, or procure the disclosure to another person of the information contained in personal data.
The penalties in this section are a fine of not less than twenty million dollars nor more than one hundred million dollars or a term of imprisonment not exceeding five years (on summary conviction) and a fine of not less than twenty million dollars nor more than five hundred million dollars or a term of imprisonment not exceeding ten years (conviction on indictment).
Further, under this Part the Commissioner is empowered to impose an administrative penalty not exceeding ten million dollars.
Where an offence is committed by a body corporate, the directors, managers, secretaries and other similar officers of that body corporate may be held liable, the Explanatory memorandum said. Additionally, the body corporate may be liable to a fine not exceeding 4% of its annual gross worldwide turnover for the preceding year of assessment.
Image from www.csoonline.com