DATA PROTECTION FACTSHEET
Prime Minister: Sam Matekane
2021 Freedom House Score: 63/100
Data protection law? Yes, but data protection authority not yet appointed
Privacy enshrined in Constitution: Yes, Lesotho’s constitution protects the right to privacy in Articles 4 and 11.
DPA legislation: In 2012, the Data Protection Act, 2011 (the Act) became law after being published in the Lesotho Government Gazette as Act No. 5 of 2012. The Act attempts to bring Lesotho into line with EU standards and to reflect the Southern African Development Community (SADC) data protection standards.
Lesotho’s Data Protection Commission (Commission) has not yet been appointed to enforce the Act. When it is appointed, the Act grants it considerably less enforcement power than analogous bodies in other jurisdictions: for example, it has no power to impose fines on entities that violate the Act. Further, the law does not explicitly state that the Commission is independent, which potentially leaves it open to undue influence from the Executive.
Under the Act, data subjects have the right to:
- have their personal data corrected;
- access their personal data;
- prevent the processing of personal data that causes or is likely to cause them unwarranted damage or distress;
- prevent processing of personal data for purposes of direct marketing;
- not be subject to a decision by a data controller that would significantly affect them or have adverse legal repercussions if the decision was solely based on automatic processing; and
- correct or delete personal data when it is inaccurate.
Council of Europe Convention 108: No
Council of Europe Convention 185: No
Malabo Convention: No
ECOWAS Supplementary Act on Personal Data Protection: No
Council of Europe Additional Protocol to Convention 108 (Treaty No. 181): No
Applies to natural persons: Yes
Applies to juristic persons: Yes
Applies to public entities: Yes
Domestic/personal purposes exclusion: Yes
National security exclusion: Yes
Law enforcement exclusion: No
Cabinet or Executive Council exclusion: No
Judicial functions exclusion: No
Journalistic, literary or artistic purposes exclusion: Yes
Temporary copies exclusion: No
Other exclusion(s): No
Broad or vague exclusions: No
Applies to foreign entities: Yes
Excludes foreign entities that only transit personal data through the country: No
Personal information is information about an identifiable individual in recorded form, such as:
- information relating to race, national or ethnic origin, religion, age or marital status;
- information relating to education level, or medical, criminal or employment history;
- information relating to financial transactions;
- any identifying number, symbol or other particular assigned to the individual;
- an address, fingerprints, or blood type;
- an individual’s name alongside other personal information relating to the individual or where the disclosure of the name itself would reveal information about the individual;
- correspondence sent to a data controller by the individual that is explicitly or implicitly private or confidential, and replies to such correspondence that would reveal the contents of the original correspondence; and
- the views or opinions of any other person about the individual.
Sensitive personal information may not be processed unless specifically permitted under the Act or covered by an exemption. This category includes:
- genetic data;
- data related to children;
- data related to offenses, criminal sentences, or security measures;
- biometric data;
- personal information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, affiliation, trade-union membership, gender, and data concerning health or sex life (if they are processed for what they reveal); and
- any personal information otherwise considered by Lesotho law as presenting a major risk to the rights and interests of the data subject, in particular unlawful or arbitrary discrimination.
Personal information processing shall abide by the following principles:
- Purpose specification and further processing limitation: collection of personal data is required to be for a specified, explicit and legitimate purpose and not to be further processed in a way incompatible with those purposes.
- Minimality: processing of personal data is required to be adequate, relevant and not excessive.
- Data retention: records of personal data shall not be retained any longer than is necessary.
- Information security: data controllers are required to secure the integrity of personal data against loss, damage, unauthorised destruction, and unlawful access.
- Quality of information: personal information collected must be complete, not misleading and kept up to date, where necessary.
- Automated processing control: processing of personal information solely based on automated means is prohibited except under conditions provided in the Act.
Personal information processing shall be by automated means,* and the personal information shall be kept in:
- a filing cabinet; and
- electronic form.
Personal information shall only be processed if one of the following applies:
- the data subject explicitly consents to the processing;
- processing is necessary for the conclusion or performance of a contract to which the data subject is a party;
- processing is necessary for compliance with a legal obligation to which the data controller is subject;
- processing is necessary to protect the legitimate interests of the data subject;
- processing is necessary for the proper performance of a public law duty by a public body; or
- processing is necessary for pursuing the legitimate interests of the data controller or of a third party to whom the information is supplied.
* By requiring data processing to be automated as a general condition for processing, the Act narrows its own scope, which otherwise extends to manual processing of personal data as well. The overall effect of this limitation is to make the Act weaker by default unless the Commission or the courts take a broader approach.
Notification that data is being processed: Yes
Notification to DPA in event of data breach: Yes
Notification to data subject in event of data breach: Yes
Timeframe for notification is specified: No
Exceptions exist to breach notifications: No
Requires a data processing register: Yes
Register is publicly available: Yes
Provides for terms of service icons: No
DPA must submit at least annual report: No
DPA report is made public: NA
Explicit provision for civil liability: Yes
Established/designates a Data Protection Authority: Yes
DPA is empowered to investigate: Yes
DPA is empowered to subpoena or request evidence: Yes
Law provides for criminal penalties: Yes
Law provides for administrative penalties: No
DPA is independently structured (does not exist within or receive instructions from another public body): Unclear
DPA receives funding directly from the state budget/legislative body: Yes
DPA may receive some forms of external funding/own revenue: No
Adequate protections against undue removal: No
Number of members in DPA: 6
Maximum term length for members of the DPA (years): 5
Right of data subject to access a copy of their personal data: Yes
Right of data subject to request a correction of data: Yes
Right of data subject to request deletion of data: Yes
Justification required for a request for deletion: Yes
Defines the requirements for consent: Yes
DPA is mandated to participate in policy formulation: Yes
The Act allows personal information to be transferred to recipients in a member state that has adopted the SADC data protection requirements if:
- the recipient demonstrates that the data is necessary for a task carried out in the public interest or pursuant to the lawful functions of a data controller; or
- the recipient demonstrates a need for the transfer and there is no reason to assume that the data subject’s interests would be prejudiced by the transfer or processing in the member state.
In either scenario, the data controller must make a provisional evaluation of the necessity for the transfer, and the recipient must ensure that the necessity can be subsequently verified. The data controller must ensure that the recipient processes the personal information only for the specified purposes.
Personal information may only be transferred to recipients outside of the SADC if an adequate level of protection is ensured in the recipient’s country, and the data is transferred solely to permit processing otherwise authorised by the controller.
Provides a right not to be subject to automated decision-making: Yes