Lesotho

DATA PROTECTION FACTSHEET

DATA PROTECTION LAW IN PLACE

DATA PROTECTION AUTHORITY NOT APPOINTED

Download the Act

Fast Facts
Domestic Law
Privacy enshrined in Constitution: Yes, Lesotho’s constitution protects the right to privacy in Articles 4 and 11.

DPA legislation: In 2012, the Data Protection Act, 2011 (the Act) became law after being published in the Lesotho Government Gazette as Act, No. 5 of 2012. The Act attempts to bring Lesotho into compliance with EU standards and to reflect the South African Development Community (SADC) data protection standards.

Lesotho’s Data Protection Commission (Commission) has not yet been appointed to enforce the Act, and when it is appointed, the body will have considerably less enforcement power than analogous bodies in other jurisdictions given its stipulated powers in the Act (such as its lack of ability to impose fines on entities that violate the Act). Further, the law does not explicitly state that the Commission is independent, which potentially leaves it open to undue influence from the Executive

Under the Act, data subjects have the right to:
- have their personal data corrected;
- access their personal data;
- prevent the processing of personal data that causes or is likely to cause them unwarranted damage or distress;
- prevent processing of personal data for purposes of direct marketing;
- not be subject to a decision by a data controller that would significantly affect them or have adverse legal repercussions if the decision was solely based on automatic processing; and
- correct or delete personal data when it is inaccurate.
International Commitments
Scope of Application

Applies to natural persons: Yes

Applies to juristic persons: Yes

Applies to public entities: Yes

Domestic/personal purposes exclusion: Yes

National security exclusion: Yes

Law enforcement exclusion: No

Cabinet or Executive Council exclusion: No

Judicial functions exclusion: No

Journalistic, literary or artistic purposes exclusion: Yes

Temporary copies exclusion: No

Other exclusion(s): No

Broad or vague exclusions: No

Applies to foreign entities: Yes

Excludes foreign entities that only transit personal data through the country: No
Personal Data
Personal information is information about an identifiable individual in recorded form, such as:
- information relating to race, national or ethnic origin, religion, age or marital status;
- information relating to education level, or medical, criminal or employment history;
- information relating to financial transactions;
- any identifying number, symbol or other particular assigned to the individual;
- an address, fingerprints, or blood type;
- an individual’s name alongside other personal information relating to the individual or where the disclosure of the name itself would reveal information about the individual;
- correspondence sent to a data controller by the individual that is explicitly or implicitly private or confidential, and replies to such correspondence that would reveal the contents of the original correspondence; and
- the views or opinions of any other person about the individual.
Sensitive personal information may not be processed unless specifically permitted under the Act or covered by an exemption. This category includes:
- genetic data;
- data related to children;
- data related to offenses, criminal sentences, or security measures;
- biometric data;
- personal information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, affiliation, trade-union membership, gender, and data concerning health or sex life (if they are processed for what they reveal); and
- any personal information otherwise considered by Lesotho law as presenting a major risk to the rights and interests of the data subject, in particular unlawful or arbitrary discrimination.
Collection and Processing
Personal information processing shall abide by the following principles:
- Purpose specification and further processing limitation: collection of personal data is required to be for a specified, explicit and legitimate purpose and not to be further processed in a way incompatible with those purposes.
- Minimality: processing of personal data is required to adequate, relevant and not excessive.
- Data retention: records of personal data shall not be retained any longer than is necessary.
- Information security: data controllers are required to secure the integrity of personal data against loss, damage, unauthorised destruction, and unlawful access.
- Quality of information: personal information collected must be complete, not misleading and kept up to date, where necessary.
- Automated processing control: processing of personal information solely based on automated means is prohibited except under conditions provided in the Act.
Personal information processing shall be automated, processed, and kept in:
- a filing cabinet; and
- electronic form.
Personal information shall only be processed if one of the following applies:
- the data subject explicitly consents to the processing;
- processing is necessary for the conclusion or performance of a contract to which the data subject is a party;
- processing is necessary for compliance with a legal obligation to which the data controller is subject;
- processing is necessary to protect the legitimate interests of the data subject;
- processing is necessary for the proper performance of a public law duty by a public body; or
- processing is necessary for pursuing the legitimate interests of the data controller or of a third party to whom the information is supplied.
* By requiring data processing to be automated as a general condition for processing, it narrows the scope of the Act, which otherwise extends to manual processing of personal data as well. The overall effect of this limitation is to make the Act weaker by default unless the Commission or courts decide to take a broader approach.
Transparency

Notification that data is being processed: Yes

Notification to DPA in event of data breach: Yes

Notification to data subject in event of data breach: Yes

Timeframe for notification is specified: No

Exceptions exist to breach notifications: No

Requires a data processing register: Yes

Register is publicly available: Yes

Provides for terms of service icons: No

DPA must submit at least annual report: No

DPA report is made public: NA
Accountability

Explicit provision for civil liability: Yes

Established/designates a Data Protection Authority: Yes

DPA is empowered to investigate: Yes

DPA is empowered to subpoena or request evidence: Yes

Law provides for criminal penalties: Yes

Law provides for administrative penalties: No

DPA is independently structured (does not exist within or receive instructions from another public body): Unclear

DPA receives funding directly from the state budget/legislative body: Yes

DPA may receive some forms of external funding/own revenue: No

Adequate protections against undue removal: No

Number of members in DPA: 6

Maximum term length for members of the DPA (years): 5
Participation
Cross-border Transfer
The Act allows personal information to be transferred to recipients in a member state that has adopted the SADC data protection requirements if:
- the recipient demonstrates that the data is necessary for a task carried out in the public interest or pursuant to the lawful functions of a data controller; or
- the recipient demonstrates a need for the transfer and there is no reason to assume that the data subject’s interests would be prejudiced by the transfer or processing in the member state.
In either scenario, the data controller must make a provisional evaluation of the necessity for the transfer, and the recipient must ensure that the necessity can be subsequently verified. The data controller must ensure that the recipient processes the personal information only for the specified purposes.

Personal information may only be transferred to recipients outside of the SADC if an adequate level of protection is ensured in the recipient’s country, and the data is transferred solely to permit processing otherwise authorised by the controller.
Automated Processing

LEARN MORE ABOUT THE METHODOLOGY

Page last updated: 23 May 2022