DLA Piper Intelligence

Data Protection Laws of the World

Law

Lesotho

The right to privacy is recognised and protected in the Constitution of the Kingdom of Lesotho.

Lesotho established a Data Protection Commission ("Commission") in terms of its Data Protection Act ("the Act"). The Act sets out principles for regulating the processing of any personal information, with the aim of protecting and reconciling the fundamental and competing values at stake in personal information privacy.

Last modified 8 Feb 2017
Definitions

Definition of personal data

The Act defines personal data or information as being information about an identifiable individual that is recorded in any form, including:

  • information relating to the race, national or ethnic origin, religion, age or marital status of the individual;
  • information relating to the education or the medical, criminal or employment history of the individual or information relating to financial transactions in which the individual has been involved;
  • any identifying number, symbol or other particular assigned to the individual;
  • the address, fingerprints or blood type of the individual;
  • the name of the individual where it appears with other personal information relating to the individual or where the disclosure of the name itself would reveal information about the individual;
  • correspondence sent to a data controller by the individual that is explicitly or implicitly of a private or confidential nature, and replies to such correspondence that would reveal the contents of the original correspondence; and
  • the views or opinions of any other person about the individual.

Definition of sensitive personal data

The Act defines sensitive personal information as:

  • genetic data, data relating to children, data relating to offences, criminal sentences or security measures, biometric data and, if they are processed for what they reveal, personal information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, affiliation, trade-union membership, gender, or data concerning health or sex life; or
  • any personal information otherwise considered by Lesotho law as presenting a major risk to the rights and interests of the data subject, in particular unlawful or arbitrary discrimination.

Section 29 prohibits a data controller from processing sensitive personal information, unless specifically permitted under the Act.

Section 36 contains general exemptions to the prohibition on processing sensitive personal information. These include instances where:

  • processing is carried out with prior parental consent where the data subject is a child and is subject to parental control in terms of the law;
  • the processing is necessary for the establishment, exercise or defence of a right or obligation in law;
  • processing is necessary to comply with an obligation of international public law;
  • the Commission has granted authority in terms of section 37 for processing in the public interest, and appropriate guarantees have been put in place in law to protect the data subject’s privacy;
  • processing is carried out with the consent of the data subject; or
  • the information has deliberately been made public by the data subject.
Last modified 8 Feb 2017
Authority

Part 2 of the Act provides for the establishment of a Data Protection Commission, an independent administrative authority established to have oversight and control over the Act and the rights of information privacy it provides for.

The powers and duties of the Commission are set out in section 8 of the Act.

Last modified 8 Feb 2017
Registration

In terms of section 25(5) of the Act, a data controller shall process personal information only upon notification to the Commission.

Last modified 8 Feb 2017
Data Protection Officers

Section 58 of the Act authorises the head of a data controller to designate, by order, one or more officers or employees as Data Protection Officers of that controller. In terms of that order, the Data Protection Officers may exercise, discharge or perform any of the powers, duties or functions of the head of the data controller under the Act.

Last modified 8 Feb 2017
Collection & Processing

The Act defines processing as an operation or activity, or any set of operations, whether or not by automatic means, relating to:

  • The collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval, alteration, consultation or use;
  • Dissemination by means of transmission, distribution or making available in any other form; or
  • Merging, linking, as well as blocking, degradation, erasure, or destruction, of information.

In terms of section 15(2) of the Act, personal information shall be processed only where one of the following applies:

  • The data subject provides explicit consent to the processing;
  • Processing is necessary for the conclusion or performance of a contract to which the data subject is a party;
  • Processing is necessary for compliance with a legal obligation to which the data controller is subject;
  • Processing is necessary to protect the legitimate interests of the data subject;
  • Processing is necessary for the proper performance of a public law duty by a public body; or
  • Processing is necessary for pursuing the legitimate interests of the data controller or of a third party to whom the information is supplied.

Regarding the collection of data, the Act requires that a person shall collect personal information directly from the data subject, except where:

  • The information is contained in a public record or has deliberately been made public by the data subject;
  • The data subject has consented to the collection of the information from another source;
  • Collection of the information from another source would not prejudice a legitimate interest of the data subject;
  • Collection of the information from another source is necessary –
      • To avoid prejudice to the maintenance or enforcement of law and order;
      • For the conduct of proceedings in any court or tribunal that have commenced or are reasonably contemplated;
      • In the legitimate interests of national security; or
      • To maintain the legitimate interests of the data controller or of a third party to whom the information is supplied;
  • Compliance would prejudice a lawful purpose of the collection; or
  • Compliance is not reasonably practicable in the circumstances of the particular case.
Last modified 8 Feb 2017
Transfer

The Act distinguishes between the transfer of personal information to a recipient in a Member State of the Southern African Development Community (SADC) that has transposed the SADC data protection requirements, and the transfer of personal information to a Member State that has not transposed those requirements or to a non-Member State.

Personal information shall only be transferred to recipients in a Member State that has transposed the SADC data protection requirements:

  • where the recipient establishes that the data is necessary for the performance of a task carried out in the public interest or pursuant to the lawful functions of a data controller, or
  • where the recipient establishes the necessity of having the data transferred and there is no reason to assume that the data subject's legitimate interests might be prejudiced by the transfer or the processing in the Member State.

Further to the above, the Act requires the controller to make a provisional evaluation of the necessity for the transfer of the data, and the recipient must ensure that the necessity for the transfer can subsequently be verified. The data controller shall ensure that the recipient processes the personal information only for the purposes for which it was transferred.

Personal information shall only be transferred to recipients outside the SADC Member States, or in Member States not subject to national law adopted pursuant to the SADC data protection requirements, if an adequate level of protection is ensured in the country of the recipient and the data is transferred solely to permit processing otherwise authorised to be undertaken by the controller.

The adequacy of the level of protection afforded by the third country in question shall be assessed in the light of all the circumstances surrounding the relevant data transfer(s). Particular consideration shall be given to the nature of the data, the purpose and duration of the proposed processing, the recipient's country, the relevant laws in force in that country, and the professional rules and security measures complied with there.

Last modified 8 Feb 2017
Security

N/A

Last modified 8 Feb 2017
Breach Notification

Where there are reasonable grounds to believe that the personal information of a data subject has been accessed or acquired by an unauthorised person, the data controller, or any other third party processing personal information under the authority of a data controller, shall notify:

  • the Commission; and
  • the data subject, unless the identity of the data subject cannot be established.

The notification shall be made as soon as reasonably possible after the discovery of the compromise, taking into account the legitimate needs of law enforcement or any measures reasonably necessary to determine the scope of the compromise and to restore the integrity of the data controller’s information system.

The data controller, in terms of section 23(3), shall delay notification to the data subject where the Lesotho Mounted Police Service, the National Security Service or the Commission determines that notification will impede a criminal investigation.

The breach notification to a data subject shall be in writing and communicated to the data subject in one of the following ways:

  • mailed to the data subject’s last known physical or postal address;
  • sent by e-mail to the data subject’s last known e-mail address;
  • placed in a prominent position on the website of the party responsible for notification;
  • published in the news media; or
  • as may be directed by the Commission.

The notification is required to provide sufficient information to allow the data subject to take protective measures against potential consequences of the compromise, including, if known to the data controller, the identity of the unauthorised person who may have accessed or acquired the personal information.

Mandatory breach notification

See above.

Last modified 8 Feb 2017
Enforcement

The Commission is responsible for the enforcement of the Act.

The Act also permits a data subject to institute a civil action for damages, in a court having jurisdiction, against a data controller for breach of any provision of the Act.

Last modified 8 Feb 2017
Electronic Marketing

Direct marketing is defined in section 50 as communication by whatever means of any advertising or marketing material which is directed to particular data subjects.

A data subject is entitled at any time, by notice to a data controller, to require the data controller to cease, or not to begin, processing personal data of which he or she is the data subject for the purposes of direct marketing.

Last modified 8 Feb 2017
Online Privacy

There are no sections of the Act which regulate privacy in relation to cookies and location data. These issues may be dealt with in future regulations, which the Act permits the Minister to make on the recommendations of the Commission.

Last modified 8 Feb 2017
Contacts
Janine Simpson
Director
DLA Piper
T 0027 (0) 11 282 0797
Lungelo Magubane
Associate
DLA Piper
T 0027 (0) 11 282 0698
Last modified 8 Feb 2017