In an increasingly digital world, personal data has become one of the most valuable assets. From mobile money platforms to government services, the collection of sensitive information, such as biometric identifiers, national ID numbers, and health data, has become widespread across Lesotho. Yet, despite this shift, there remains a glaring absence of modern data protection laws to safeguard citizens and institutions from data misuse and cyber threats.
Recent high-profile incidents, including the 2023 malware breach in Lesotho’s public health system and the cyberattack on the Central Bank of Lesotho, highlight the vulnerability of both individuals and national infrastructure. At the same time, mobile money services like Vodacom Lesotho’s M-Pesa retain biometric and personal user data for up to 10 years, with policies that permit sharing with third parties. While these practices may mirror global norms, Lesotho lacks binding legal standards and enforcement mechanisms to prevent abuse or offer remedies to affected individuals.
The core issue lies in the outdated legal framework. Lesotho’s Data Protection Act of 2013 was drafted long before the widespread adoption of mobile money, biometric registration, cloud computing, and AI-driven profiling. It fails to address critical areas such as:
- Cross-border data transfers
- Automated decision-making and algorithmic profiling
- Handling of biometric and genetic information
- Digital consent protocols and user rights
This legislative gap leaves citizens exposed, with minimal legal protection over how their personal data is collected, stored, or shared, whether by private corporations or public institutions.
While the Computer Crime and Cybersecurity Bill of 2022 is a welcome development to combat cyber offenses, it is not a comprehensive privacy law. It does not enshrine digital privacy rights or provide a framework for lawful data processing, oversight, or redress in the event of abuse.
To build public trust and strengthen digital governance, Lesotho urgently needs a dedicated, modern Data Protection and Digital Privacy Law that:
- Clearly defines data rights and responsibilities
- Regulates the collection, retention, and transfer of personal and biometric data
- Establishes an independent Data Protection Commission to oversee compliance
- Introduces penalties and legal remedies for unlawful data use
Section 11 of the 1993 Constitution of Lesotho guarantees the right to privacy, a right that must now evolve to include digital privacy in the 21st century. With growing reliance on technology, cloud-based systems, and data-driven platforms, protecting personal information is no longer optional; it is essential.
The responsibility of shaping Lesotho’s digital future lies significantly with the Ministry of Communications, Science and Technology, which now faces the important task of reviewing and modernising the country’s data protection framework. By advancing clear and comprehensive legislation, the Ministry can help ensure that transparency, accountability, and respect for digital rights become foundational principles in how personal information is managed. In an increasingly data-driven world, these reforms are not only necessary but also essential for building public trust and aligning Lesotho with international standards in digital governance.