A Bill to govern the collection, processing, use and disclosure of personal data and to establish and making provisions about offenses relating to violation of the right to data privacy of individuals by collecting, obtaining or processing of personal data by any means. (Excerpts of the bill appear below along with comments in parenthesis.)
Whereas it is expedient to provide for the processing, obtaining, holding, usage and disclosure of data while respecting the rights, freedoms and dignity of natural persons with special regard to their right to privacy, secrecy and personal identity and for matters connected therewith and ancillary thereto; Now therefore it is enacted as follows: (selected highlights of the bill below)
- It shall come into force after one year from the date of its promulgation or such other date not falling beyond two years from the date of its promulgation as the Federal Government may determine through a notification in the Official Gazette providing at least three months advance notice of the effective date.
- The collection, processing and disclosure of personal data shall only be done in compliance with the provisions of this Act.
- A data controller shall not process personal data including sensitive personal data of a data subject unless the data subject has given his consent to the processing of the personal data... Notwithstanding (the previous section), a data controller may process personal data about a data subject if the processing is necessary (under certain specificied conditions.)
- A data controller shall by written notice inform a data subject (as specified within the bill)
- Subject to section 24, no personal data shall, without the consent of the data subject, be disclosed (subject to certain specified conditions)
- The Authority shall prescribe standards to protect personal data from any loss, misuse, modification, unauthorized or accidental access or disclosure, alteration or destruction.
- A data controller or processor shall, when collecting or processing personal data, take practical steps to protect the personal data in the terms mentioned under sub-section (1) by.. (steps and details are specified within the bill).
- (Data retention and integrity requirements are also contained within.)
- (The right to access data, correct data, remove data and erasure of data are specified.)