DATA PROTECTION OVERVIEW
Seychelles does not currently have data protection legislation in operation. The Data Protection Act, 2003 (DPA 2003) was passed in 2003, with the aim of ensuring that personal data is obtained and processed in a fair and lawful manner. However, the DPA 2003 is not currently in force.
The DPA 2003 provides for, and seeks to protect and promote the following principles (Data Protection Principles) with respect to personal data held by data users:
- Personal data shall be obtained, and be processed, fairly and lawfully.
- Personal data shall be held only for one or more specified and lawful purposes.
- Personal data shall not be used or disclosed in any manner incompatible with the purpose or purposes for which it was collected.
- Personal data held for any purpose or purposes shall be adequate, relevant and not excessive.
- Personal data shall be accurate and, where necessary, kept up to date.
- Personal data shall not be kept for longer than is necessary for the purpose or purposes for which it was collected.
- An individual shall be entitled, at reasonable intervals and without undue delay or expense:
  - to be informed by any data user whether he holds personal data of which that individual is the subject;
  - to access any such data held by a data user; and
  - where appropriate, to have such data corrected or erased.
- With respect to personal data held by data users, or in respect of services provided by persons carrying on computer bureau (see below), appropriate security measures shall be taken to prevent unauthorised access to, alteration of, disclosure or destruction of, personal data and/or to prevent accidental loss or destruction of personal data.
Personal data is defined under the DPA 2003 as data consisting of information which relates to a living individual who can be identified from that information (or from that and other information in the possession of the data user), including any expression of opinion about the individual, but not any indication of the intentions of the data user in respect of that individual. Data can be defined as information recorded in a form in which it can be processed by equipment operating automatically in response to instructions given for that purpose.
Collecting personal information
The DPA 2003 envisages the appointment of a Data Protection Commissioner (Commissioner) who shall be responsible for the implementation of the provisions of the DPA 2003. The DPA 2003 seeks to regulate the data held by data users and persons carrying on computer bureau who hold personal data or provide services in respect of personal data. Once the DPA 2003 comes into force, a register of data users (Data Register) will be maintained by the Commissioner and a person will not be able to hold personal data unless they are listed on the Data Register.
A ‘data user’ is defined in the DPA 2003 as a person who holds data, and a person is considered to hold data if:
(a) the data forms part of a collection of data processed or intended to be processed by or on behalf of that person;
(b) that person (either alone or jointly or in common with other persons) controls the content and use of the data comprised in the collection, and
(c) the data are in the form in which they have been or are intended to be processed or (though not for the time being in that form) in a form into which they have been converted after being so processed, with a view to being further so processed on a subsequent occasion.
The following particulars are required to be entered into the Data Register:
- the name and address of the data user;
- a description of the personal data to be held by it and of the purpose or purposes for which the data is to be held or used;
- a description of every source from which it intends, or may wish, to obtain the data;
- a description of every person to whom it intends or may wish to disclose the data (otherwise than in cases of exemptions from non-disclosure as set out in the DPA 2003);
- the name of every country outside of the Seychelles to which it intends or may wish directly or indirectly to transfer the data, and
- one or more addresses for the receipt of requests from data subjects for access to the data.
As per the DPA 2003, a person is prohibited from holding personal data unless entered as a data user, or as a data user who also carries on a computer bureau, in the Data Register. Furthermore, a person shall not hold or use personal data of any description other than that specified in the Data Register entry, or obtain such data, or information to be contained in such data, from any source which is not described in the Data Register entry. Further, a person carrying on a computer bureau is prohibited from disclosing personal data in respect of which services are provided by that person, without the prior authority of the person for whom those services are being provided.
Processing Personal Data
Under the DPA 2003, data processing means amending, augmenting, deleting or re-arranging the data or extracting the information constituting the data. Data processing in respect of personal data means performing any of the above operations by reference to a specific data subject. The DPA 2003 excludes any operation performed for the purpose of preparing the text of documents from the ambit of data processing.
Sensitive personal information
‘Sensitive personal data’ is not treated differently from personal data under the DPA 2003, and biometric data is not separately protected. However, the DPA 2003 makes provision for the Minister of the Department of Information Communication Technology (Minister) to modify or supplement the Data Protection Principles, set out in the DPA 2003, for the purpose of providing additional safeguards for personal data that includes information relating to the data subject’s:
- racial origin;
- political opinions, religious or other beliefs;
- physical or mental health, or his sexual life; or
- criminal convictions.
Retention of Personal Information
No data entry shall be retained in the Data Register after the expiration of the initial registration period, except where a renewal application is made to the Commissioner.
Subject to the paragraph below, the initial registration period, and the period for which an entry can be retained following a renewal application (the renewal period), is 5 years beginning on the date the entry was made or, in the case of a renewal, the date on which the entry would have been removed had the renewal application not been made.
The person applying for registration or a renewal application can specify an initial registration period or renewal period of less than five years, so long as it consists of one or more complete years.
Accessing Personal Information
Once the DPA 2003 comes into force, data subjects will have a right to access their personal data and shall be entitled:
- to be informed by a data user whether the data they hold includes the individual’s personal data;
- to be supplied with a copy of the information held by the data user; and
- where any information referred to above is expressed in terms which are not intelligible or necessitate explanation, the information should be accompanied by an explanation of those terms.
A data user will be obliged to supply any information referred to above following a written request and upon payment of a fee (not exceeding the prescribed maximum).
Personal data is exempt from the regulations for data users, persons carrying on computer bureau, and the subject access provisions where the personal data:
- is held for the purpose of safeguarding national security;
- is held for the purpose of preparing payrolls and accounting;
- is held by an individual and concerned only with the management of his personal, family or household affairs or held by him only for recreational purposes;
- consists of information which that person is required by, or under, any enactment to make available to the public, whether by publishing it, making it available for inspection, or otherwise, and whether gratuitously or on payment of a fee.
Are there any other exemptions?
Personal data is exempt from the subject access provisions if the data is held for any of the following purposes:
- the prevention or detection of crime;
- the apprehension or prosecution of offenders;
- the assessment or collection of any tax or duty;
- the discharging of any statutory functions and consists of information obtained for such a purpose from a person who had it in his possession for any of the purposes mentioned immediately above;
- the information relates to the physical or mental health of the data subject (when exempted by the Minister on order);
- the discharging of any statutory functions for protecting members of the public against financial loss due to dishonesty, incompetence or malpractice by persons concerned in the provision of banking, insurance, investment or other financial services or in the management of companies or to the conduct of discharged or undischarged bankrupts;
- the data consists of information which has been received from a third party and is held by a government department as information relevant to the making of appointments; and
- a claim to legal professional privilege could be maintained in legal proceedings.
This is not an exhaustive list.
International transfers of personal information
Once the DPA 2003 comes into force, personal data may only be transferred internationally once the data user has named the jurisdiction to which it will be transferring the data in the Data Register, which will also contain descriptions of the data being held.
The Commissioner may issue a transfer prohibition notice if he is satisfied that the transfer is likely to contravene or lead to a contravention of any data protection principle. The transfer prohibition notice shall prohibit a data user from transferring the data, either absolutely or until such steps as specified in the notice are taken for protecting the interests of the data subject in question. A transfer prohibition notice cannot prohibit the transfer of any data where the transfer of the information, constituting the data, is required or authorised by or under any enactment or convention or other instrument imposing an international obligation on the Seychelles.
The DPA 2003 shall not apply to activities or services provided outside of the Seychelles or to data processed wholly outside of the Seychelles unless the data are used or intended to be used in the Seychelles.
How is direct marketing regulated?
The DPA 2003 is silent on direct marketing. Cookies and similar technologies are not subject to specific regulation.
What rules apply to the monitoring of employees in the workplace?
There are no specific restrictions on employee monitoring. Best practice would be for employers to carry out a privacy impact assessment and evaluate less intrusive approaches for achieving their monitoring objectives. Employers should explain the monitoring purposes and the kinds of personal information being collected. Employee data will almost always include sensitive personal information, so additional employee consents to the use of this data may be required.
Can telephone calls be recorded?
The DPA 2003 is silent on this, however, in the event personal information is to be collected during the call, the caller needs to be notified at the start that the conversation may be recorded.
What rules apply to the recording of CCTV footage?
To the extent that CCTV may capture personal information, its use will be regulated by the DPA 2003.
To ensure that any personal information collected via CCTV is not excessive or goes beyond the collection purpose, consideration will need to be given to camera location and the recording angles.
Particular care should also be taken if CCTV is used as part of any employee monitoring process. Any monitoring needs to be disclosed to the employees in advance.
Currently the DPA 2003 is not yet in force and the Office of the Data Protection Commissioner as envisaged under the DPA 2003 is yet to be set up.
What will the penalties for non-compliance be?
Under the DPA 2003, proceedings for an offence may be instituted by the Commissioner or by, or with the consent of, the Attorney General. A person guilty of an offence under any DPA 2003 provision shall be liable on conviction to a fine not exceeding SCR20,000.
If the Commissioner is satisfied that a registered person has contravened or is contravening any of the Data Protection Principles, the Commissioner may:
- serve that person with an enforcement notice requiring him to take such steps as are specified in the notice for complying with the principle or principles in question;
- serve the person with a de-registration notice stating that the Commissioner proposes to remove from the Data Register all or any of the particulars constituting the entry or any of the entries contained in the Data Register in respect of that person; and remove those particulars from the Data Register at the expiration of that period.
An enforcement notice in respect of a contravention of the fifth Data Protection Principle may require the user to rectify or erase the data and any other data held by him and containing an expression of opinion which appears to the Commissioner to be based on the inaccurate data.
Failure to comply with an enforcement notice would constitute an offence, but it would be a defence for the person charged with that offence to prove that he exercised all due diligence in order to comply with the notice.
In deciding whether to serve a de-registration notice, the Commissioner shall consider whether the contravention has caused, or is likely to cause, any person damage or distress. The Commissioner shall not serve a de-registration notice unless he is satisfied that compliance with the Data Protection Principle or Principles in question cannot be adequately secured by the service of an enforcement notice.
The Commissioner also has the power to cancel any enforcement notice or de-registration notice issued.
The Computer Misuse Act, 1998 makes it a criminal offence for a person to secure unauthorised access to a computer, programme, or data held by a company.
The Electronic Transactions Act, 2001 also provides for numerous offences including tampering with a computer source document, failing to furnish information, acting in breach of confidentiality and privacy, and fraudulently dealing with a digital signature certificate.
The DPA 2003 provides that appropriate security measures should be taken against unauthorised access to, or alteration, disclosure or destruction of, personal data and against accidental loss or destruction of personal data.
Who needs to be notified in the event of a data breach?
There is no mandatory requirement under the DPA 2003 to report data security breaches or losses to the Commissioner. However, the DPA 2003 provides that the Commissioner may consider any complaint that any of the Data Protection Principles or DPA 2003 provisions have been, or is being, contravened.