Lesotho’s Data Protection Act aims to balance the protection of personal data rights against broader economic interests, particularly the free flow of information. Effective since February 22, 2012, this law draws on international best practices for the processing of personal information, clarifying how data may be collected, stored, and transferred. Below is an overview of the Act’s scope, definitions, and primary obligations.
Key Objectives of the Act
Protect Personal Data Rights: Ensure individuals’ personal data is collected and used lawfully and fairly.
Support the Free Flow of Information: Promote economic growth by allowing information to move freely, within the bounds of the law.
Establish International Standards: Align with global best practices on data protection rules and principles.
The two-year grace period for compliance has already passed, meaning all data controllers in Lesotho are now required to fully adhere to the Act.
Scope of Application
Location-Neutral: The Act applies to both public and private bodies or any person that processes personal data in Lesotho, regardless of their primary location.
Exemptions: Processing done purely for personal or household purposes, or for journalistic, artistic, or literary expression, falls outside the Act’s scope.
Obligations for Data Controllers
Data controllers in Lesotho have several legal obligations under the Act:
Mandatory Notification
Section 25(5): A data controller must notify the Commission each time personal information is received or processed.
Notification details include the name and address of the controller, the purpose of processing, categories of data subjects, data recipients, any transborder flows, and a general description of security measures.
Direct Collection
The Act generally requires personal information to be collected directly from the data subject.
Indirect collection is permitted under specific circumstances (e.g., publicly available records, consent from the data subject, law enforcement needs).
Purpose Specification & Consent
Processing must have a specified, explicit, and legitimate purpose; information must be adequate, relevant, and not excessive.
Data controllers must gain the data subject’s explicit consent for processing unless exceptions apply (e.g., for compliance with a legal obligation or the performance of a contract).
Sensitive Personal Information
The Act prohibits processing of sensitive data (e.g., a child’s information, data revealing racial origin, religious beliefs, political affiliations, health, or criminal behavior) unless certain exemptions—like parental consent—apply.
Children’s Data
Special protections apply for minors, requiring parental or guardian consent if the child is under parental control.
Notification to Data Subjects
Before or as soon as reasonably practicable after data collection, data subjects must be informed of the purpose of processing, type of data collected, the data controller’s contact details, and any consequences of refusing to provide the information.
Data Storage and Processing Requirements
Automation or Filing System: The Act indicates that personal information “shall be automated” and stored either electronically or in a filing cabinet.
Accuracy & Currency: Data controllers must take reasonably practicable steps to keep personal data complete, accurate, and up to date.
Pending Revisions: The Act’s text on automation is somewhat unclear, and further revisions may clarify whether manual methods of record-keeping remain permissible alongside electronic systems.
Transfer of Personal Information & Third Parties
Cross-Border Transfers
A data controller may transfer personal data out of Lesotho if the recipient is subject to substantially similar laws or safeguards that mirror the Act’s protections.
Consent from the data subject can also permit transborder data flow.
Third-Party Processing
When a third party processes data on behalf of a data controller, the controller must ensure the third party maintains adequate security measures in line with the Act.
A written contract is required to preserve confidentiality and security of personal information.
Security and Confidentiality Measures
Data controllers are responsible for maintaining the integrity and confidentiality of personal data. They must:
Identify Risks: Pinpoint internal and external threats to the security of the data.
Establish Safeguards: Implement appropriate, reasonable measures (technical, physical, and organizational) to protect personal information.
Regularly Verify: Periodically test and verify that security measures remain effective.
Update Continuously: Address new risks and deficiencies in previously implemented safeguards without delay.
Enforcement and Penalties
Any person may submit a complaint to the Commission if they believe the Act has been violated. The Commission can:
Investigate Breaches
Issue summons for written or oral evidence.
Apply for warrants to enter and search the data controller’s premises if necessary.
Impose Penalties
Violators can face fines up to M 50,000 and/or imprisonment of up to 5 years.
The Act also allows data subjects to file civil lawsuits for damages against offending data controllers.
Conclusion
Lesotho’s Data Protection Act, effective since 2012, establishes a critical legal framework for balancing personal privacy with the need for free-flowing information. With its clear definitions, enforcement provisions, and emphasis on consent and data security, the Act echoes international standards and best practices. For public and private entities alike, understanding and complying with these rules is vital to avoid penalties and safeguard the rights of data subjects in Lesotho.
Disclaimer: This article is for informational purposes and does not constitute legal advice. For specific questions regarding the Data Protection Act or its enforcement, consult a qualified attorney or contact the Data Protection Commission in Lesotho.