In the 21st century, access to data is a key asset for any entity. Companies that make billions of dollars in revenues are not only those that are dealing with petroleum products, oil and gas or real estate but also those in the data business such as Google, Facebook, Twitter, Amazon, just to mention but a few.
Businesses collect personal data mostly because it helps them to get a better understanding of their consumers’ behavior and identify ways in which they can improve the overall customer experience.
Others collect personal data for marketing purposes and the data help them develop products and services according to customers’ preferences.
Due to this prominent significance of personal data, governments try hard to protect the general public due to the fact that this information is the doorway to people’s financial records, medical records, and other important personal records which should not be accessed to the detriment of the owner.
In a recent attempt to catch up with the rest of the world with respect to personal data and privacy, Rwanda has just gazetted Law nº 058/2021 of 13/10/2021 relating to the protection of personal data and privacy. This law generally establishes the manner in which personal data shall be processed, stored, shared and what rights the data owner has.
This law requires anyone who wants to collect personal data to seek the affirmative or informed consent of the data owner which may be obtained through an oral, written, or electronic statement or by a clear affirmative action that signifies agreement to the processing of personal data relating to him or her.
In order to establish this consent, most of the time the collector prepares a "privacy policy or notice” which the data owner has to agree to, thus, the consent is acquired. This article endeavors to provide model elements of a complete "privacy policy” for your businesses.
1. The personal data to collect
A privacy policy should explain in great detail what kind of information is being collected from a person; this is where the data collector gets the chance to clarify to the data owner every single information he intends to collect from them and how the purpose is achieved. The data to be collected should be limited to the purposes for which personal data are collected.
2. How personal data is used
Make the data owner understand how their personal data are used; give a detailed plan of what the data will be used for. Maybe the data will be used for; registering the person as a new customer, processing and delivering their services, managing their relationship with the business, enabling them to participate in promotions, competitions, and surveys, improving the business website, applications, products, and services, recommending/advertising products or services which may be of interest to them, complying with business legal obligations, including verifying their identity where necessary, detecting fraud, etc…
3. How personal data is shared with third parties
Here, inform the data owner how, why, and in which circumstances their personal data may be shared with third parties. This section is where a business thinks of any scenario it may need to share the information to any other person for legitimate and lawful reasons.
4. International transfers.
If at any point businesses may need to transfer personal data to locations in another country outside Rwanda, this is permissible in limited circumstances. In a privacy notice inform the data owner about this possibility beforehand. However, it is worth noting that at this level, the data owner’s consent is not enough. In addition, businesses need prior authorization from Rwanda’s National Cyber Security Authority (NCSA).
5. Data security
Inform data owners available measures to prevent their personal data from being accidentally lost, used, or accessed in an unauthorized way, altered or disclosed. Mention how access is limited to their personal data to those employees, agents, contractors and other third parties who have a business need to know and how those people are subjected to a duty of confidentiality.
6. Information from Minors
In this part, disclose that the business does not knowingly solicit data from or market to children under 16 years of age. Under the new law, a minor is a person under the age of 16. Also, disclaim that consenting to the collection of that, data owner represents that they are at least 16 or that they are the parent or guardian of such a minor and consent to such minor dependent consent. Moreover, include measures to be taken in case it is discovered that data from a minor have been unknowingly collected in unlawful fashion such as deleting the data from the businesses records, deactivating the minor’s account,…
7. Data owner legal rights
It is also important for a business to inform the data owner all the rights they have under applicable data protection laws in relation to their personal data, including the right to access, correct, or erase their personal data ("right to be forgotten”), object to or restrict processing of their personal data, right to appeal to the supervisory authority, and more importantly, the right to withdraw their consent at any time under any circumstances.
8. Data breach
In this part of the policy, explain what happens in case of the personal data breach. A breach of personal data security is defined as any action/omission leading to unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed. This includes promptly within 48 hours, of learning the breach, informing the supervisory authority, NCSA about the incident, submitting a detailed report to NCSA within 72 hours of the incident, and where applicable alerting the data owner within a reasonable time. In the event of failure to observe this notification requirement, the concerned party is liable to an administrative fine of one percent (1%) of the global turnover of the preceding financial year.
9. Further details
Provide a procedure by which if the data owners are looking for more information on how business processes their personal data, or their wish to exercise any of their legal rights in respect of their personal data.
10. Updates to the Policy
Let the data owners know that if there are any material changes to the privacy notice they have just consented to; then, the business will notify them.
Other points to put at the top of mind when drafting a business privacy policy include writing in a clear, straightforward language; don’t ever take silence as consent; be more transparent by informing the user whether the decision is automated and give him/her a possibility to contest it, automated data processing is restricted and prohibited in case of sensitive personal data. Consequently, business failing to observe material provisions of personal data protection law in regard to personal data including those concerning access, collection, use, offer, share, transfer, disclose, sale, destruction, erasure, concealment or alteration of personal data commits an offence and can attract a liability of a fine of Rwandan francs amounting to five percent (5%) of its annual turnover of the previous financial year and a risk of permanent or temporary closure.
The views expressed in this article are of the author and do not constitute legal advice. Please seek professional advice in relation to any particular matter you may have.
The writer is a corporate and commercial lawyer and Trainee Associate at K-Solutions & Partners.
Email; felix@ksolutions-law.com