DATA PROTECTION OVERVIEW
Everyone has the right to the protection of their private life, of which personal data forms an integral part. The right to privacy is expressly provided for in the Constitution of Mauritius and in the Mauritian Civil Code. The Data Protection Act 2017 (DPA) came into force on 15 January 2018 and supersedes the earlier 2004 law. The DPA aims to strengthen the personal autonomy of data subjects and the control they have over their personal data. It seeks to bring Mauritius’ data protection framework in line with international standards, namely the EU General Data Protection Regulation (GDPR).
The DPA is enforced by the Mauritius Data Protection Office (DPO), a public office under the aegis of the Ministry of Technology, Communication and Innovation. The DPO is completely independent and is not subject to the control or direction of any other person or authority in the discharge of its functions. The head of the DPO is the Data Protection Commissioner (Commissioner).
The DPA applies to the processing of personal data, wholly or partly, by automated means and to any processing, other than by automated means, where the personal data forms part of, or is intended to form part of, a filing system. It does not apply to the exchange of information between Ministries, Government departments, and public sector agencies where such an exchange is required on a need-to-know basis. It also does not apply to the processing of personal data by an individual in the course of a purely personal or household activity.
Collecting personal data
At the time of personal information collection, the data controller must ensure that data subjects are made fully aware of:
- the identity and contact details of the controller and, where applicable, its representative and any data protection officer;
- the purpose for which the data are being collected;
- the intended recipients of the data;
- whether the supply of the data by that data subject is voluntary or mandatory;
- the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;
- the existence of the right to request from the controller access to and rectification, restriction or erasure of personal data concerning the data subject or to object to the processing;
- the existence of automated decision making, including profiling, and information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject;
- the period for which the personal data shall be stored;
- the right to lodge a complaint with the Commissioner;
- where applicable, that the controller intends to transfer personal data to another country and the level of suitable protection afforded by that country; and
- any further information necessary to guarantee fair processing in respect of the data subject’s personal data, having regard to the specific circumstances in which the data is collected.
What constitutes valid consent?
Under the DPA, “consent” means any freely-given, specific, informed and unambiguous indication of the wishes of a data subject, either by a statement or a clear affirmative action.
At the time of data collection, data subjects should be informed about the right to withdraw consent at any time and it should be easy to withdraw consent without affecting the lawfulness of processing, for example by providing a simple opt-out mechanism. Consent should be verifiable.
Processing Personal Data
Under the DPA, “processing” means an operation or set of operations performed on personal data, or sets of personal data, whether or not by automated means, such as collection, recording, organising, structuring, storing, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, aligning or combining, restriction, erasure or destruction.
Personal data should be processed lawfully, fairly, securely and in a transparent manner. All processing should be adequate, relevant and limited to what is necessary in relation to the purposes for which the data are being processed. Personal data held should be accurate and, where necessary, kept up to date.
Where processing of personal data is carried out by a third-party processor on behalf of a data controller, the DPA requires that a contract be put in place between the two parties under which the data processor is to act only on the data controller’s instructions and comply with obligations equivalent to those imposed on a data controller.
Special categories of personal data, or sensitive personal data, means personal data pertaining to racial or ethnic origin; political opinion or adherence; religious or philosophical beliefs; membership of a trade union; physical or mental health or condition; sexual orientation, practices or preferences; genetic data or biometric data uniquely identifying a person; the commission or alleged commission of an offence; any proceedings for an offence committed or alleged to have been committed by the individual; or such other personal data as the Commissioner may determine to be sensitive personal data.
Retention and destruction of Personal data
Data controllers must be clear about the length of time for which data will be kept and the reason why the information is being retained. If there is no good reason, then that information should be routinely deleted. Information should never be kept “just in case” a use can be found for it in the future.
Particular attention should be paid to information about former customers or clients, which may have been held in the past for a particular purpose, but which is no longer needed. Where a business wants to retain customer information to help with future customer service, the business must obtain the customers’ consent in advance.
The same principles apply to paper records. Good housekeeping dictates that the records should be regularly reviewed. Retention periods should be set by taking into account other laws, for example, personal data may be removed from marketing lists/databases if the data subject withdraws their consent. Another example is retaining records until after a statutory retention period or limitation period expires (such as retaining client verification information).
The DPA provides data subjects with a wide array of rights that can be enforced against organisations that process personal data. The rights of access and to rectify, erase and restrict processing have been enhanced under the DPA, and new provisions have been made to cater for decisions based on automated processing and for the right of data subjects to object to the processing of their personal data.
Accessing Personal Information
Data subjects are entitled to access their personal data and also request that any inaccurate data is corrected without undue delay. The data access request must be made in writing to the data controller. Following receipt of the written request, the data controller will provide, at reasonable intervals, without excessive delay and, providing the request is not excessive, free of charge, confirmation as to whether or not personal data relating to the data subject is being processed and provide the data subject with a copy of the data.
Personal data processing for the purposes of crime prevention or detection, the apprehension or prosecution of offenders, or the assessment or collection of any tax, duty or any imposition of a similar nature, are exempt from some sections of the DPA. Personal data is exempt from any DPA provision where non-application would, in the opinion of the Prime Minister, be required for the purpose of safeguarding national security.
Personal data processing will be exempt from some provisions of the DPA, to the extent that such an application would be likely to prejudice the proper discharge of functions such as those designed to protect members of the public against financial loss due to dishonesty, malpractice or other serious improper conduct, or by the unfitness or incompetence of persons concerned in the provision of banking, insurance, investment or other financial services, or in the management of bodies corporate.
Are there any other exemptions?
Yes. The processing of personal data by an individual in the course of a purely personal or household activity is exempt under the DPA.
Personal data processing for the purpose of historical, statistical or scientific research is also exempt, provided that security and organisational measures are implemented to protect the rights and freedoms of any data subjects involved.
International transfers of personal information
The DPA aims to promote the safe transfer of personal data to and from foreign jurisdictions. A controller or processor can transfer personal data to another country in the following circumstances:
- with the data subject’s consent;
- when the transfer is necessary (for example for the performance of a contract, public interest, defence of a legal claim, etc.);
- when the transfer is made from a register which, according to law, is intended to provide information to the public and which is open for consultation by the public or by any person who can demonstrate a legitimate interest, to the extent that the conditions laid down by law for consultation are fulfilled in the particular case.
The Commissioner may request a person who transfers data to another country to demonstrate the existence of compelling legitimate interests.
The Commissioner may, in order to protect the rights and fundamental freedoms of data subjects, prohibit, suspend or subject the transfer to such conditions as he may determine. The Commissioner may also request a person who transfers data to another country to demonstrate the effectiveness of the safeguards.
How is direct marketing regulated?
Under the DPA, individuals should not receive unsolicited marketing directed at a named individual unless they have consented, or at least indicated that they do not object to such use of their personal data. The right to object must be explicitly brought to their attention.
A data subject also has the right, at any time, to require the data controller to stop using their personal data for direct marketing purposes.
Children’s personal data enjoys specific protection under the DPA, especially when such personal data is collected and used for marketing purposes.
Provided an “opt-out” option is clearly visible and explicit in its wording, the Commissioner will be prepared to accept that the individual has given their “passive consent” by not checking the option, provided the personal data in question, and what it will be used for, is not of a sensitive nature. However, the Commissioner advocates the use of positive “opt-in” boxes as a matter of good practice.
What rules apply to the monitoring of employees in the workplace?
There are no specific restrictions on employee monitoring under the DPA. Best practice would be for the employer to carry out a privacy impact assessment and evaluate the use of less intrusive approaches to achieving the monitoring objectives. Employers should draft and communicate a written monitoring policy to affected employees, explaining the purposes of the monitoring, and the types of personal data being collected.
Special categories of personal data should not be processed by an employer unless the processing is necessary for the assessment of the working capacity of an employee.
Can telephone calls be recorded?
What rules apply to the recording of CCTV footage?
To the extent that CCTV may capture personal information, its use will be regulated by the DPA. To ensure that any personal information collected via CCTV is not excessive or goes beyond the collection purpose, consideration should be given to camera location and recording angles. Particular care should also be taken if CCTV is used as part of any employee monitoring process. Any monitoring needs to be disclosed to the employees in advance. CCTV images should be kept for a specified time. This time period must not be longer than is necessary to achieve the organisation’s collection purpose.
Under the DPA, individuals whose images are recorded have a right to view the CCTV images/footage of themselves and to be provided with a copy. If there are other identifiable people in the footage, the organisation will need to look at options to protect the privacy of those individuals.
The Commissioner oversees, ensures compliance with, and enforces the DPA. The Commissioner has a wide range of enforcement powers including the serving of legal notices to compel data controllers to provide information needed to assist their enquiries, or compelling a data controller to implement one or more of the DPA provisions. The Commissioner may investigate complaints made by the general public or carry out investigations proactively, and may also enter premises to inspect the type of personal information kept, how it is processed and the security measures in place. Where the Commissioner is of the opinion that a controller or a processor has contravened, is contravening, or is about to contravene the DPA, the Commissioner may serve an enforcement notice on them requiring them to take such steps within such period as may be specified in the notice.
Is registration with the Regulator required?
Yes. Under the DPA, organisations and businesses are legally required to register as data controllers or processors. Failure to register is an offence.
What are the penalties for non-compliance?
Any controller or processor who knowingly supplies any information, with respect to their application for registration as controller or processor, which is false or misleading in a material respect, commits an offence and shall, on conviction, be liable to a fine not exceeding 100,000 rupees (approximately US$3,000) and to imprisonment for a term not exceeding 5 years.
Any controller who, without lawful excuse, discloses personal data in any manner that is incompatible with the purpose for which such data has been collected, commits an offence. Similarly, any processor who, without lawful excuse, discloses personal data processed by them without the prior authority of the controller, on whose behalf the data is being or has been processed, commits an offence and shall on conviction be liable to a fine not exceeding 200,000 rupees (approximately US$6,000) and to imprisonment for a term not exceeding 5 years.
Any person who, without reasonable excuse, fails or refuses to comply with an enforcement notice commits an offence and shall on conviction be liable to a fine not exceeding 50,000 rupees (approximately US$1,500) and to imprisonment for a term not exceeding 2 years.
No separate cybersecurity legislation has been enacted in Mauritius. The DPA does not specifically detail security measures but requires that “appropriate security and organisational measures” are in place to prevent “unauthorised access to, alteration of, disclosure of, accidental loss, and destruction of the data in his control.” The measures required will be more significant in some situations than in others, depending on such matters as confidentiality and sensitivity, and in particular, where the processing involves the transmission of data over a communication network.
The Computer Misuse and Cybercrime Act enacted in 2003 criminalises a number of acts perpetrated through computer systems and provides procedures to be followed for the purpose of an investigation. Any person who causes a computer system to perform a function knowing that the access they intend to secure is unauthorised, commits an offence and shall on conviction be liable to a fine not exceeding 50,000 rupees (approximately US$1,500) and to penal servitude not exceeding 5 years.
Who needs to be notified in the event of a data breach?
The concept of a “personal data breach” has been introduced into the DPA. “Personal data breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
In the case of a personal data breach, the controller must, without undue delay, and where feasible, no later than 72 hours after having become aware of it, notify the personal data breach to the Commissioner and the affected data subject(s). If notification is not made within 72 hours, reasons for the delay will have to be provided to the Commissioner. Similarly, where a processor becomes aware of a personal data breach, they must notify the controller without any undue delay.