Botswana - Data Protection Overview

March 2022

1. Governing Texts

Prior to the introduction of the Data Protection Act, Act No. 32 of 2018 ('the Data Protection Act'), Botswana did not have any primary legislation that regulated the protection of personal data and ensured the privacy of individuals in relation to their personal data.

The Data Protection Act, which was assented to by the Parliament of Botswana on 3 August 2018, recently came into effect on 15 October 2021. However, there is a grace period of one year for any person processing personal data to allow them to conform with the provisions of the Data Protection Act.

The Data Protection Act defines what constitutes personal data, as well as outlines the rights and obligations of parties involved in the processing of personal data, including the data subject, data controller, and data processor. Further, the Data Protection Act establishes the Information and Data Protection Commission ('the Commission'), which will be responsible for ensuring effective application of the Data Protection Act after its commencement.

1.1. Key acts, regulations, directives, bills

The Data Protection Act

The Data Protection Act has come into effect and is in force. Its objective is to provide for the regulation and protection of personal data by requiring the security safeguards necessary for the processing of an individual's personal data in Botswana. To realise this, the Data Protection Act sets conditions for the lawful processing of personal data, establishes procedures for complaints by data subjects against violations of the Data Protection Act by data controllers, and provides for sanctions in the form of fines and imprisonment.

Prior to the introduction of the Data Protection Act, individuals had some data protection in law, albeit limited, under the common law, the Constitution of the Republic of Botswana ('the Constitution'), and certain specific pieces of legislation. These laws do not, however, offer clear and comprehensive protection of data that adequately safeguards the rights and interests of individuals in line with the latest trends.

The Data Protection Act was published in the Government Gazette on 15 October 2021 and commenced on the same date.

The Constitution

There is no specific provision that relates to data protection in the Constitution. However, Section 3 of the Constitution provides that every person in Botswana is entitled to the fundamental rights and freedoms of the individual, including the right to the protection of their home and other property, whatever their race, place of origin, political opinions, colour, creed, or sex, albeit subject to the rights and freedoms of others and the public interest.

1.2. Guidelines

Not applicable.

1.3. Case law

Not applicable.

2. Scope of Application

2.1. Personal scope

The purpose of the Data Protection Act is to regulate the protection of personal data and ensure that the privacy of individuals in relation to their personal data is maintained.

The Data Protection Act imposes obligations on data controllers and data processors in relation to the processing of data. No distinction is made as to the type of organisation, and the Act protects identifiable natural persons.

2.2. Territorial scope

In Section 3(1) of the Data Protection Act, it is stipulated that its provisions apply to the processing of personal data entered in a file or for a data controller:

  • in Botswana; and
  • where the data controller is not in Botswana, by using automated or non-automated means situated in Botswana, unless those means are used only to transmit personal data.

2.3. Material scope

The Data Protection Act applies to the processing of personal data. However, as stated in Section 3(2) of the Data Protection Act, its application is limited, as it does not apply to the processing of personal data:

  • in the course of a purely personal or household activity; and
  • by or on behalf of the State where the processing:
    • involves a matter of national security, defence, or public safety;
    • is for the prevention, investigation, or proof of offences, the prosecution of offenders, or the execution of sentences or security measures;
    • is for economic or financial interest, including monetary, budgetary, and taxation matters; and
    • is for a monitoring, inspection, or regulatory function connected with the exercise of functions.

Further, the Data Protection Act makes provision for the processing of sensitive personal data, including the processing of data for health or medical purposes, for research, scientific, and statistical purposes, for legal purposes, or by the Government of Botswana.

3. Data Protection Authority | Regulatory Authority

3.1. Main regulator for data protection

The main regulator in terms of the Data Protection Act will be the Commission.

3.2. Main powers, duties and responsibilities

The Data Protection Act provides that the Commission must do all such things as are necessary to protect the personal rights of individuals with regard to their personal data and must ensure the effective application of and compliance with the Data Protection Act and, in particular, the right to protection of personal data, access, rectification, objection, and cancellation of such data.

The Commission is authorised to:

  • ensure compliance with the provisions of the Statistics Act, 2009 (Cap 17:01) with regard to the collection of statistical data and statistical secrecy, issue precise instructions, and give opinions on the security safeguards in place for files set up for purely statistical purposes;
  • instruct a data controller to take such measures which are necessary to ensure that the processing of personal data is in accordance with the Data Protection Act;
  • provide guidance and instructions on appropriate measures to ensure security of personal data;
  • conduct research and studies, and promote educational activities relating to protection of personal data;
  • receive reports and claims from a data subject or their representative in regard to a violation of the Data Protection Act, and take such remedial action as is necessary or as may be prescribed;
  • investigate complaints from data subjects and respond to queries of such complaints;
  • monitor and adopt any authorisation for transborder flow of personal data, and facilitate international cooperation on the protection of personal data;
  • create and maintain a public register of all data controllers;
  • obtain information from data controllers as to which information is necessary for the exercise of its functions;
  • prepare and disseminate a code of practice for data controllers;
  • publicise the exercise of personal data files, and regularly publish a list of such files, and any other information that the Commission deems necessary;
  • record all directions received from the Minister in the course of the year; and
  • perform any other functions that may be conferred on it by the Minister.

4. Key Definitions

Key definitions under Section 2 of the Data Protection Act are set out below.

Data controller: A person who alone or jointly with others determines the purposes and means by which personal data is to be processed, regardless of whether or not such data is processed by such person or agent on that person's behalf.

Data processor: A person who processes data on behalf of the data controller.

Personal data: Information relating to an identified or identifiable individual, which individual can be identified directly or indirectly, in particular by reference to an identification number, or to one or more factors specific to the individual's physical, physiological, mental, economic, cultural, or social identity.

Sensitive data: Personal data relating to a data subject which reveals their:

  • racial or ethnic origin;
  • political opinions;
  • religious beliefs or philosophical beliefs;
  • membership of a trade union;
  • physical or mental health or condition;
  • sexual life;
  • filiation; or
  • personal financial information.

Sensitive data also includes:

  • any commission or alleged commission by them of any offence;
  • any proceedings for any offence committed or alleged to have been committed by them, the disposal of such proceedings, or the sentence of any court in such proceedings; and
  • genetic data, biometric data, and the personal data of minors.

Health data: There is no definition of health data in the Data Protection Act.

Biometric data: Any information stemming from the statistical analysis of biological data.

Pseudonymisation: There is no definition of pseudonymisation in the Data Protection Act.

Data subject: An individual who is the subject of personal data.

Data protection officer: There is no definition of 'data protection officer' ('DPO') under the Act. However, the Act refers to a data protection representative which means a person who is appointed by the data controller, who shall independently ensure that personal data is processed in a correct and lawful manner (Section 2 of the Act).

5. Legal Bases

5.1. Consent

Personal data must be processed with freely given, specific, and informed consent of the data subjects. Section 16(a) of the Data Protection Act provides that personal data may be processed where the data subject has given their written consent. The same applies to sensitive personal data as provided for in Section 20 of the Data Protection Act.

Per Section 19 of the Data Protection Act, consent may, at any time, be revoked in writing by the data subject based on legitimate, reasonable, and compelling grounds.

5.2. Contract with the data subject

Section 16(b) of the Data Protection Act outlines that personal data may be processed where processing is necessary for the performance of a contract to which the data subject is party, or in order to take steps at the request of the data subject prior to entering into a contract.

5.3. Legal obligations

Section 16(c) of the Data Protection Act provides that personal data may be processed where processing is necessary for compliance with a legal obligation to which the data controller is subject.

5.4. Interests of the data subject

Section 16(d) of the Data Protection Act sets out that personal data may be processed where processing is necessary in order to protect the vital interests of the data subject.

5.5. Public interest

In terms of Section 16(e) of the Data Protection Act, processing may be carried out if it is necessary for the performance of an activity that is carried out in the public interest or in the exercise of an official authority vested in the data controller or in a third party to whom the data is disclosed. The personal interests of the data subject must still be considered.

5.6. Legitimate interests of the data controller

Section 16(f) of the Data Protection Act provides that personal data may be processed where processing is necessary for a purpose that concerns a legitimate interest of the data controller or of a third party to whom personal data is provided. However, this cannot be relied upon where such interest is overridden by the fundamental rights and freedoms of the data subject, with particular attention to the right to privacy.

5.7. Legal bases in other instances

Further processing

Personal data may not be disclosed, made available, or used for purposes other than those specified, unless it is done with the consent of the data subject or authorised in terms of written law (Section 15 of the Data Protection Act).

Processing for historical, statistical, or scientific purposes

Pursuant to Section 17 of the Data Protection Act, personal data may also be processed for historical, statistical, or scientific purposes, provided that the data controller ensures that there are appropriate security safeguards in place, and that such personal data is not used for any decision concerning the data subject.

Processing for health and medical purposes

Section 23 of the Data Protection Act provides that a health professional or other person who is subject to the obligation of professional secrecy may process sensitive personal data for health or medical purposes, where the processing is necessary for:

  • preventive medicine and the protection of public health;
  • medical diagnosis;
  • healthcare; or
  • the management of health and hospital care services.

6. Principles

Personal data must be processed, by people and entities, in accordance with the principles specified in Section 14 of the Data Protection Act. The principles of data processing provide:

  • personal data must be processed lawfully, transparently, and fairly;
  • data should be collected only for specific legitimate purposes and limited to what is necessary, relevant, and accurate;
  • data should be kept up to date, stored only for as long as is necessary, and with appropriate security; and
  • personal data must be protected by reasonable security safeguards against risks, such as loss, unauthorised access, destruction, use, disclosure, etc.

7. Controller and Processor Obligations

7.1. Data processing notification

Section 5(i) of the Data Protection Act provides that the Commissioner shall create and maintain a public register of all data controllers.

However, Section 39 of the Data Protection Act provides that the Commissioner shall maintain a register of processing operations which records the carrying out of any wholly or partially automated processing operation or set of such operations which are intended to serve a single purpose or several related purposes.

Per Section 34(1) of the Data Protection Act, a data controller is obliged to notify the Commissioner before carrying out the abovementioned process, subject to Section 35 of the Data Protection Act.

It is therefore unclear whether the register will be kept for all data controllers, or whether it will be limited to those that carry out wholly or partially automated processing operations.

The notification under Section 34(1) of the Act may specify (Section 34(3) of the Act):

  • the name and address of the data controller or data processor;
  • the purpose of the processing;
  • a description of the category or categories of a data subject and of the personal data or categories of personal data relating to the data subject;
  • the recipient or categories of recipients to whom personal data can be disclosed;
  • proposed transfers of personal data to a third country; and
  • a general description allowing a preliminary assessment to be made of the appropriateness of the measures taken under Section 32 of the Act to ensure security of processing: Provided that the data controller shall notify the Commission of any changes affecting the information referred to under Section 34(3) of the Act and the Minister of Presidential Affairs, Governance and Public Administration ('the Minister') may prescribe any matter related to the form of such notification.

A data controller or data processor, if instructed by the data controller, shall provide to any person who requests it (Section 40(1) of the Act):

  • any information required under Section 34 (3) of the Act; or
  • any information relating to the processing of personal data that is not notified to the Commission under Section 34(3) of the Act.

Section 40(2) of the Act shall not apply to the information specified under Section 34(2) of the Act. In addition, Section 34(1) of the Act shall not apply to operations which have the sole purpose of keeping a register that is intended to provide information to the public by virtue of any law, which register is open for public inspection (Section 34(2) of the Act).

The Commission may exempt a notification required under Section 34(1) of the Act, where the Commission is satisfied that (Section 35(1) of the Act):

  • the personal data being processed has no apparent risk of infringement to the rights of the data subject;
  • the purposes of the processing, the category of processing, the category of a data subject, the category of a recipient, and the data retention period are specified; and
  • the data controller has appointed a data protection representative, and the data controller has notified the Commission of such appointment.

Where an exemption is granted under Section 35(1) of the Act, the data controller shall disclose any information required for processing under Section 28 of the Act (Section 35(2) of the Act).

However, a public body shall not be exempted from notification under Section 34(1) of the Act, for any processing undertaken by that body (Section 35(3) of the Act).

An exemption for notification under Section 35(1) of the Act shall also not apply to processing of personal data that involves a particular risk of improper interference with the rights and freedoms of the data subject, and notification of such processing shall be submitted to the Commission, prior to its processing (Section 38(1) of the Act).

The Minister may prescribe the processing operations involving particular risks referred to under Section 38(1) of the Act (Section 38(2) of the Act).

7.2. Data transfers

Section 48 of the Data Protection Act provides that the transfer of personal data from Botswana to another country is prohibited. The exception to this is when the transfer of personal data that is undergoing processing or intended processing is transferred to a third country which ensures an adequate level of protection. Such protection will be assessed by the Commissioner in light of all the circumstances surrounding the data transfer operation. However, if the third country does not have adequate security safeguards, personal data may still be transferred if consent is given by the data subject or if the transfer:

  • is necessary for the performance of a contract between the data subject and the data controller;
  • is necessary for the performance of a contract concluded in the interests of the data subject between the data controller and a third party;
  • is necessary in the interests of the public or for the establishment or defence of a legal claim;
  • is necessary to protect the vital interests of the data subject; or
  • is made from a register that is intended to provide information to the public and which is open to the public for inspection.

7.3. Data processing records

There are no specific requirements for the data controllers and/or data processor to maintain data processing records. However, according to Section 37(1) of the Data Protection Act, data protection representatives are obliged to maintain a register of the processing conducted on behalf of the data controller.

In terms of the Electronic Communications and Transactions Act, 2014, where a person, by virtue of law, is required to retain certain documents, records, or information, such requirement is satisfied by retaining an electronic communication if:

  • the information contained in the electronic communication is accessible so as to be usable for subsequent reference;
  • the electronic communication is retained in the format in which it was generated, sent or received, or in a format which can be demonstrated to represent accurately the information generated, sent, or received; and
  • the origin and destination of the electronic communication and the date and time when it was sent or received can be determined.

7.4. Data protection impact assessment

This is not provided for in the Data Protection Act.

7.5. Data protection officer appointment

Section 36 of the Data Protection Act provides that a data controller may appoint a data protection representative, and that where one has been appointed, the Commissioner must be informed of such appointment. Where a data protection representative has been appointed, the notification to the Commissioner before carrying out any wholly or partially automated processing operation or set of such operations, which are intended to serve a single purpose or related purposes pursuant to Section 34(1) of the Act, shall not be required (Sections 35(1)(c) and 36(3) of the Act).

However, Section 38(1) of the Act notes that exemption for notification under Section 35(1) of the Act shall not apply to processing of personal data that involves a particular risk of improper interference with the rights and freedoms of the data subject, and notification of such processing shall be submitted to the Commissioner, prior to its processing.

A data protection representative appointed under Section 36(1) of the Act shall:

  • be a person who holds the requisite qualifications; and
  • keep a list of the processing carried out, which list shall be immediately accessible to any person applying for access.

The functions of the data protection representative are outlined in Section 36(2) of the Data Protection Act, including the requirement to hold the requisite qualifications. In particular, where a data protection representative has reason to suspect that the data controller is contravening the rules applicable for processing personal data, and if rectification is not implemented as soon as practicable after such contravention is pointed out, Section 36(5) of the Data Protection Act provides that the data protection representative must notify the Commissioner.

A data protection representative shall (Section 36(4) of the Act):

  • ensure that the data controller processes personal data in a lawful and correct manner and in accordance with good practice, and where the data protection representative identifies any inadequacies, he or she shall bring these to the attention of the data controller; and
  • assist the data subject to ensure that his or her rights under the Act are protected.

A data protection representative shall maintain a register of the processing conducted on behalf of the data controller (Section 37(1) of the Act).

The data protection representative shall, at the instruction of the data controller, provide the following information to any person who requests it, if that information has not been notified to the Commissioner in terms of Section 34 of the Act:

  • the name and address of the data controller or data processor;
  • the purpose of the processing;
  • a description of the category or categories of a data subject and of the personal data or categories of personal data relating to the data subject;
  • the recipient or categories of recipients to whom personal data can be disclosed; and
  • proposed transfers of personal data to a third country.

Moreover, a data protection representative, if instructed by the controller, shall provide to any person who requests it (Section 40(1) of the Act):

  • any information required under Section 34(3) of the Act; or
  • any information relating to the processing of personal data that is not notified to the Commissioner under Section 34(3) of the Act.

The data protection representative may consult with the Commissioner where there is doubt as to how the rules applicable to processing of personal data are to be applied (Section 36(6) of the Act).

Finally, where the data protection representative has reason to suspect that the data controller is contravening the rules applicable for processing personal data, and if rectification is not implemented as soon as practicable after such contravention is pointed out, the data protection representative shall notify the Commissioner (Section 36(5) of the Act).

7.6. Data breach notification

Section 33 of the Data Protection Act states that the data controller should, without delay, notify the Commissioner of any breach of the security safeguards of personal data.

7.7. Data retention

Section 14 of the Data Protection Act provides that the data controller must ensure that personal data is not kept for a period longer than is necessary having regard to the purposes for which it was processed.

7.8. Children's data

The definition of sensitive personal data includes the personal data of minors. The provisions relating to sensitive personal data would therefore apply in relation to the processing of children's data (see section on special categories of personal data below).

7.9. Special categories of personal data

A person must not process sensitive personal data, except where:

  • the processing is specifically provided for under the Data Protection Act;
  • the data subject has given their consent in writing;
  • the data subject has made the data public;
  • the processing is:
    • necessary for national security;
    • necessary for the purposes of exercising or performing any right or obligation which is conferred or imposed by law on the data controller in connection with employment; or
    • authorised by any other written law, for any reason of substantial interest to the public; or
  • the processing is necessary to protect the vital interest of a data subject or another person in a case where:
    • consent cannot be given by or on behalf of the data subject;
    • the data controller cannot be reasonably expected to obtain the consent of the data subject; or
    • consent by or on behalf of the data subject has been unreasonably withheld.

Furthermore, Section 25(1) of the Data Protection Act explicitly provides that the processing of genetic data and biometric data, if it is processed for what it reveals or contains, is prohibited, except where the processing is in accordance with the above conditions.

Notably, the definition of sensitive personal data includes any commission or alleged commission by the data subject of any offence. The provisions relating to sensitive personal data would therefore apply in relation to the processing of criminal conviction data.

7.10. Controller and processor contracts

There are no requirements for a contract between a controller and a processor. However, a person who has access to personal data and is acting under the authorisation of the data controller or the data processor, which person includes the data processor, must process personal data only as instructed by the data controller or the data processor (Section 31(1) of the Data Protection Act).

Furthermore, where the data controller or data processor outsources the processing of personal data, the data controller or data processor must choose a data processor who gives sufficient guarantees regarding the technical and organisational security measures in place for the processing to be done and shall ensure that the measures are complied with.

8. Data Subject Rights

8.1. Right to be informed

Where personal data is obtained directly from the data subject, the data controller or data processor must provide the following information (Section 28 of the Data Protection Act):

  • their identity and habitual residence or principal place of business;
  • the purpose of the processing for which the personal data is intended;
  • the existence of the right to object to the intended processing, if the processing of the personal data is obtained for the purposes of direct marketing; and
  • any other additional information that may be necessary to ensure fair processing.

Where personal data is collected from other sources, the information to be provided to the data subject is detailed in Section 29 of the Data Protection Act.

Notably, Section 18(1) of the Data Protection Act also confirms that personal data that is to be processed for direct marketing purposes requires that the data controller inform the data subject of their right to oppose the processing.

8.2. Right to access

Section 30(1)(a) of the Data Protection Act provides that a data subject has the right to obtain from a data controller confirmation of whether or not the data controller has personal data relating to them within a reasonable time, from the time of request, and at a reasonable charge, if any.

8.3. Right to rectification

Refer to the section on the right to object/opt-out below.

8.4. Right to erasure

Refer to the section on the right to object/opt-out below.

8.5. Right to object/opt-out

Section 30(1)(e) of the Data Protection Act provides that the data subject has the right to challenge personal data relating to them and, if successful, to have the personal data deleted, rectified, completed, or amended.

In addition, where the processing of personal data takes place with the consent of the data subject, the data subject may at any time, in writing, revoke their consent for legitimate grounds compelling them at that particular time (Section 19(1) of the Data Protection Act).

Furthermore, Section 18(2) of the Data Protection Act stipulates that where the data subject gives a notice of objection to the processing of their personal data for direct marketing, the personal data of the data subject must not be processed for such purpose.

8.6. Right to data portability

Not applicable.

8.7. Right not to be subject to automated decision-making

A data controller merely has an obligation to notify the Commissioner before carrying out any wholly or partially automated processing operation. The Data Protection Act does not specify that the data subject has a right to refuse automated decision-making, and it is the Commission that assesses any risks of infringements to the rights of the data subject.

8.8. Other rights

Not applicable.

9. Penalties

General penalties

Section 51 provides for offences and penalties under the Data Protection Act. It provides different punishments for data controllers and for ordinary persons who possess personal data in contravention of the Data Protection Act.

In terms of ordinary persons, Section 51 of the Data Protection Act details that:

  • an ordinary person who processes personal data in contravention of the Act is liable to a fine not exceeding BWP 300,000 (approx. €23,220). A data controller, on the other hand, who processes personal data in contravention of the Act will be liable to a fine not exceeding BWP 500,000 (approx. €38,700), or imprisonment for a term not exceeding nine years; and
  • an ordinary person who processes sensitive personal data in contravention of the Data Protection Act will be liable to a fine not exceeding BWP 500,000 (approx. €38,700) or imprisonment for a term not exceeding nine years. A data controller, on the other hand, will be liable to a fine not exceeding BWP 1 million (approx. €77,400), or imprisonment for a term not exceeding 12 years.

In terms of data controllers, Section 51 provides that:

  • a data controller who processes personal data in contravention of the Data Protection Act is liable to a fine not exceeding BWP 500,000 (approx. €38,700), or to imprisonment for a term not exceeding nine years, or to both;
  • a data controller who processes sensitive personal data in contravention of the Data Protection Act is liable to a fine not exceeding BWP 1 million (approx. €77,400), or to imprisonment for a term not exceeding 12 years, or to both;
  • a data controller who does not inform a data subject of the rights conferred on the data subject under the Data Protection Act is liable to a fine not exceeding BWP 100,000 (approx. €7,740), or to imprisonment for a term not exceeding three years, or to both; and
  • where a data controller does not implement the security safeguards under Section 32 of the Data Protection Act, the data controller is liable to a fine of BWP 500,000 (approx. €38,700), or to imprisonment for a term not exceeding nine years, or to both.

Other penalties

Section 10(3) of the Data Protection Act provides that any person who does not comply with a request made by the Commissioner under Section 10 is liable to a fine not exceeding BWP 100,000 (approx. €7,740), or to imprisonment for a term not exceeding three years, or to both.

Section 18(3) of the Data Protection Act provides that a data controller who processes data for direct marketing purposes despite the objection of the data subject is liable to a fine not exceeding BWP 500,000 (approx. €38,700), or to imprisonment for a term not exceeding nine years, or to both.

9.1. Enforcement decisions

There are no enforcement decisions to report at this time, as the Data Protection Act is yet to come into force.