What does the principle of lawfulness, fairness and transparency mean under the data protection law?
Data Protection Principles
- Lawfulness, fairness and transparency principle
Section 5(a) of the Personal Data Protection Act, 2022 establishes an obligation on the data controller to comply with the lawfulness, fairness and transparency principle during data collection or data processing.
Conceptualization of the principle for better understanding.
i) Lawfulness; this means personal data must only be processed when a data controller has a legal ground for processing the data. Personal data should be processed within the limits of laws such as the Personal Data Protection Act, 2022 and other relevant laws dealing with various areas such as finance, employment, health, telecom etc.
Moreover, the laws of Tanzania provide a lawful basis for processing personal data and sensitive personal data. Legal grounds for processing personal data can be consent, vital interest of individuals, performance of the contract etc.
What does a data controller or processor need to do?
- Establish a legal ground for data processing, for example consent, performance of the contract etc.
- Inform the data subject(s). This is done through a privacy notice and privacy policy.
- Document or keep records of your legal basis for data processing. This should be visible on the Record of Data Processing (RoPA). This would assist a data controller or processor to demonstrate compliance before the Personal Data Protection Commission and would also assist during a data protection audit.
- Conduct regular audits to measure the level of compliance.
- Be ready to demonstrate compliance once it has been requested by regulators such as the Personal Data Protection Commission.
ii) Fairness; simply, personal data must be processed fairly. It is linked to the idea that the data subject(s) must be aware of the fact that their personal data will be processed, including how data will be collected, kept and used, to allow them to make an informed decision as well as to enable them to exercise their rights.
Fairness also requires an assessment of how data processing will affect data subjects. If processing negatively affects data subjects and such detriment is not justified, such processing is regarded as unfair.
What is a data controller or processor required to do?
- Provide sufficient information to the data subject(s).
- Implement proper mechanisms, such as allowing individuals to make an informed decision.
- Individuals should be able to exercise their rights, such as the right to erasure, the right to rectification etc.
iii) Transparency; this means that the data controller must be open and clear towards data subjects when processing personal data. Data subjects should be given full information on how their personal data will be processed. Transparency has a direct relation with fairness.
If personal data is collected directly from the data subject, then the information should be available at the time of data collection. Information should be clear, concise and easy to understand, and that information should be easily accessible.
Moreover, Tanzania data protection laws exempt a data controller from providing full information if: the personal data is publicly available, the data subject has authorized the collection of personal data from a third party, compliance is not reasonably practicable in the circumstances of a particular case, compliance with other written laws, or if providing the full information would prejudice the lawful purpose of data collection.
What is a data controller or processor required to do?
- Provide full information to the data subjects through a privacy notice and privacy policy.
- Information should be clear, concise and easy to understand.
- Use simple language so that data subjects can understand. Do not use legal jargon or other technical terms.
- Update users when there are changes or amendments to the privacy notice or privacy policy.
- Conduct regular audits to measure the level of compliance with data protection laws.
Disclaimer: This document does not intend to provide data protection advice. The author will not be responsible for any loss in the event the document is relied upon without seeking guidance from privacy & data protection professionals.
Mrisho Swetu
LinkedIn @Mrisho Swetu
Privacy & Data Protection/Policy Analyst/AI Governance
Dar es Salaam, Tanzania