Data Protection Act 2017: Stakeholders sensitised on the new legislation

The Data Protection Act 2017 (DPA 2017), which repealed the Data Protection Act 2004, was the focus of a one-day workshop yesterday at the Intercontinental Mauritius Resort, in Balaclava. The aim was to educate and sensitise stakeholders on the new legislation, which came into force on 15 January 2018 to further protect individuals' rights to privacy.

In his opening address, the Minister of Technology, Communication and Innovation, Mr Yogida Sawmynaden, underlined that it is no surprise that Mauritius chose to adopt appropriate data protection legislation and is among the first countries in Africa to do so, since the ICT sector has gained tremendous importance, island-wide, as the third pillar of the economy. The increased sophistication of information technology in its capacity to collect, analyse and disseminate information about individuals has introduced a sense of urgency to the demand for legislation, he added.

According to the Minister, it is beyond doubt that technological innovation is having a transformational impact on the way business is conducted and the way people interact among themselves as well as with Government and other stakeholders.

Speaking about privacy, Mr Sawmynaden underlined that populations throughout the world express fears about its infringement. With the rapid proliferation of cloud computing and the Internet of Things, amongst others, individuals both in Mauritius and beyond want to feel confident that their privacy is being strongly protected, he emphasised. As the global economy shifts more into a computer information space, the relevance of data protection and the means for controlling privacy increases further, he observed.

Moreover, the Minister highlighted that while information technologies are an indispensable source of economic growth, they also raise the need for more effective protection of citizens. The starting point of an effective system of data protection is that the use of personal data should be relevant, fair, lawful, accurate and adequate, and that appropriate organisational and security measures should be taken to prevent unlawful disclosure or unauthorised access, he pointed out.

For her part, the Data Protection Commissioner, Mrs Drudeisha Madhub, underscored that privacy is considered to be an international fundamental human right and it has become imperative for us to protect privacy given its vulnerable nature. The Data Protection Office, in collaboration with several Ministries and the State Law Office, came up with a new law, the DPA 2017, to cement Mauritius's position in Africa at the forefront of technological innovation, international data sharing and the protection of personal data, she emphasised.

The DPA 2017, said Mrs Madhub, increases the accountability of Data Controllers and Processors, resulting in better administration, greater productivity and efficiency, and high levels of security across organisations. The organisations that will succeed under the new law will be those that recognise that the key feature of the Act is to put the individual at the heart of their data protection policies, she added.

Participants attending the workshop were those responsible for data protection issues within their respective organisations, namely legal advisors, data protection officers and compliance officers. A Guide and a video clip, 'Introductory Guide to the Data Protection Act 2017', were launched on that occasion.

DPA 2017

The objective of the Data Protection Act 2017 is to strengthen the control and personal autonomy of data subjects (individuals) over their personal data. It is in line with current relevant international standards, in particular the European Union's General Data Protection Regulation (GDPR) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.

Major changes brought by the new Act

Some of the main changes brought by the new Data Protection Act 2017 include:

Modernisation of existing data protection principles and key definitions such as consent and personal data;

Introduction of new concepts, namely: Data Protection Impact Assessments; notification by controllers of personal data breaches to the Data Protection Office and data subjects; voluntary certification mechanisms and data protection seals and marks for controllers; and rights to object to automated individual decision-making, including profiling;

Simplifying: the registration/renewal process of controllers and processors; the complaints mechanism and the procedures related to hearings conducted by the Data Protection Office; the ease of business, in particular in terms of free flow of data from the EU or other parts of the world to Mauritius.

Source: Government of Mauritius