Data protection bill presented to Seychelles National Assembly for approval

He stressed that when the bill becomes law it will not allow an individual to use personal information for personal activity. (Stock Catalog,Flickr) Photo License: CC BY 2.0 

To protect the personal information of Seychellois citizens, a Data Protection bill is before the National Assembly for approval after being presented on Monday by Vice President Ahmed Afif.

Afif said, "Article 20 of our Constitution makes provision for the right to privacy this shows the importance of protecting our personal information.  However, our Constitution does not give much information on how this should be done.  So like all the other provisions in our Constitution, it is important to have other laws to guide the implementation  of those provisions and ensure that the rights are respected."

He said that "as individuals, we very often see ourselves in situations where we have to give our personal information for us to access a service private or public. This means that every day our personal information is manipulated by individuals or entities."

The bill will replace the Data Protection Act 2003, which Afif said was approved but never came into force for several reasons.

These included not covering all aspects of the protection of personal information such as those transferred to another country and not making provision for entities to have an officer that looks at the protection of personal information.

The new bill makes provisions for data protection officers and is in line with international best practices and standards for the protection of personal information.

"To ensure that we conform with international best practices and to ensure that the rights of our citizens under our Constitution are respected, it is important that we have such a law to protect the personal information of individuals. Also, to ensure that the information is used well and does not fall into bad hands," Afif explained.

In the Data Protection Bill 2023, the term "personal information" relates to any information that pertains to an individual and can allow the identification of the individual such as name, surname, national identity number, and residential address among others.

It also defines processing, which is the procedure that allows manipulation of personal information, and this includes collection of the information, where it is stored, if it is transferred to other entities or individuals, until the information is destroyed or erased.    

Afif said the bill has three important roles - a data subject is the individual giving the personal information, a data controller collects the personal information and determines how it will be used, and a data processor is the person or entity that manipulates the information.  

"The bill clearly defines that any data controller or processor has to ensure that its operation is in line with the provision made and the conditions where personal information can be manipulated. These include consent of the data subject, any other laws the controller needs to manipulate the information to make it in line with the provision in the bill," said the Vice President.

He stressed that when the bill becomes law it will not allow an individual to use personal information for personal activity, or any activity linked to national security, and when the information is needed for an authority conducting a criminal investigation.  

The Information Commission of Seychelles will have the mandate to implement the law and under the law, provisions have been made so that it can issue fines for individuals or entities not respecting notices given for not functioning in line with the provisions of this law.

However, if an individual or entity disagrees with a decision made by the Commission, they have 21 days to bring their case to the Court of Appeal.

"Individuals who give their personal information also have rights prescribed under the law, such as the right to be informed by the data controller on why the information is being used, how it is being used, and how long it will be used.  It also obligates the data controller to give any other information that will ensure that the individual can exercise their rights under this law," he added.