Data Protection in Botswana

Collection and processing in Botswana

Processing means any operation or a set of operations which is taken in regard to personal data, whether or not it occurs by automatic means, and includes the collection, recording, organization, storage, alteration, retrieval, gathering, use, disclosure by transmission, dissemination or otherwise making information available, alignment, or combination, blocking, erasure or destruction of such data.

Processing personal data

Prior to undertaking the processing of personal data, data controllers are generally required to obtain written consent from the data subjects. Consent is not required in instances authorised by any written law. In addition, a data subject who has given consent for processing of personal data may at any time, in writing, revoke the consent for legitimate, reasonable, and compelling reasons at that particular time.

As an alternative to obtaining written consent, personal data may also be processed where the processing is necessary for:

  • the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject entering into a contract;
  • compliance with a legal obligation to which the data controller is subject;
  • protecting the vital interests of the data subject;
  • performing an activity that is carried out in the public interest or in the exercise of an official authorization vested in the data controller, or of a third party to whom the data is disclosed; or
  • a purpose that concerns a legitimate interest of the data controller, or of a third party to whom personal data is provided, except where such interest is overridden by the interest to protect the fundamental rights and freedoms of the data subject and in particular, the right to privacy.

Where personal data is processed for historical, statistical or scientific purposes, the data controller must ensure that appropriate security safeguards are in place in instances where the personal data may be kept for longer than is necessary, having regard to the purpose for which it is processed, or where the personal data kept is not used for any decision concerning the data subject.

In the event that processing is for direct marketing, the data controller must, at no cost, inform the data subject of the right to oppose the processing. Processing for such purposes will be prohibited where the data subject has given notice of objection to the processing of the personal data. A data controller who processes the data despite the objection made by the data subject commits an offence which is punishable by a fine not exceeding BWP 500,000 or imprisonment for a term not exceeding nine years, or both.

Processing sensitive personal data

Processing sensitive personal data is heavily restricted, requiring the data controller to ensure that appropriate security safeguards have been adopted. The processing of sensitive personal data is generally prohibited save where:

  • the processing is specifically provided for under the DPA;
  • the data subject has given consent in writing;
  • the data subject has made the data public;
  • the processing is necessary for national security, for the purposes of exercising or performing any right or obligation which is conferred or imposed by law on the data controller in connection with employment, or where the processing is authorized by any other written law for any reason of substantial interest to the public; or
  • the processing is necessary to protect the vital interest of a data subject and another person in a case where consent cannot be given by or on behalf of the data subject, the data controller cannot be reasonably expected to obtain consent or the consent by or on behalf of the data subject has been unreasonably withheld.

Bodies or entities, not being commercial bodies or entities, which have political, philosophical, religious or trade union objects are allowed to process sensitive personal data relating to those political, philosophical, religious or trade union objects concerning the members of that body or entity, or any other person with whom the body or entity regularly exchanges information. Such processing by an entity or body is allowed if it is done in the course of its legitimate activities and with appropriate guarantees. It should also be noted that this sensitive personal data may be provided to a third party only where the data subject has given written consent.

Furthermore, processing of sensitive personal data for health or medical purposes is allowed where the processing is done by a health professional and is necessary for preventative medicine as well as protection of public health, medical diagnosis, health care or the management of health and hospital care services.

Processing sensitive personal data is also allowed where it is for research, scientific and statistical purposes, so long as the processing is compatible with specified, explicitly stated and legitimate purposes. In the case of research and scientific purposes, the Commissioner must have approved the processing on the advice of a committee responsible for research and scientific ethics, whilst in the case of statistics, the processing must be necessary for the purposes provided under the Statistics Act (Cap 17:01).

There is a general prohibition against processing genetic and biometric data for what it reveals or contains. The prohibition does not apply where such data is processed in accordance with the general requirements for processing sensitive personal data as outlined above. Where genetic and biometric data is processed for medicinal purposes and the consent of the data subject has been granted, the processing must only be effected where a unique patient identification number is given to the data subject. This patient number must be different from any other identification number possessed by the data subject.

Sensitive personal data may also be processed for legal purposes where it is necessary in connection with any legal proceedings including prospective proceedings, for the purposes of obtaining legal advice, for establishing, exercising or defending legal rights, or for the administration of justice.

With respect to a data subject’s identity card number, processing in the absence of the data subject’s consent is only allowed where the processing is clearly justifiable having regard to the purpose of the processing, the importance of a secure identification or any valid reason as may be prescribed.

During the processing operation, where personal data is obtained directly from the data subject, data controllers and data processors are required to furnish the data subject with the following information, except where the data subject already has the information:

  • The identity and habitual residence or principal place of business;
  • The purpose of the processing;
  • The existence of the right to object to the intended processing if the processing is for purposes of direct marketing;
  • Any other additional information if it will ensure fair processing, which may include the recipient or category of recipients, whether the reply to any question posed is obligatory or voluntary and the possible consequences of failure to reply, as well as the existence of the right to access, rectify or delete the data concerning the data subject; or
  • Any other information necessary for the specific nature of the processing, to guarantee fair processing in respect of the data subject.

A person who has access to personal data and is acting under the authorisation of the data controller or the data processor must process personal data only as instructed and without prejudice to any duty or restriction imposed by law. A contravention of this amounts to an offence which is punishable by a fine not exceeding BWP 20,000 or imprisonment for a term not exceeding one year, or both.

Where personal data is processed without the required authorisation, such processing amounts to an offence which is punishable by a fine not exceeding BWP 100,000 or imprisonment for a term not exceeding three years, or both.

It is mandatory to safeguard the security of personal data by taking the appropriate technical and organisational security measures necessary to protect the personal data from negligent or unauthorised destruction, negligent loss or alteration, unauthorised access and any other unauthorised processing of personal data.

When taking appropriate technical and organisational security measures necessary to protect the personal data, the person doing so must ensure an appropriate level of security by taking into account:

  • technological developments of processing personal data, and the costs for implementing the security measures; and
  • the nature of the personal data to be protected and the potential risks involved.

Additionally, when outsourcing the processing of personal data, the data processor chosen must be one who gives sufficient guarantees regarding the technical and organisational security measures in place for the processing to be done. The data controller or processor who outsources must ensure that the said measures are complied with.
