Ministries, high-risk data processors mandated to register with OIC by June 1
With less than three weeks before data controllers are required to conform to the requirements of the Data Protection Act (DPA), the minister with responsibility for skills and digital transformation is urging government entities and data controllers in high-risk sectors to comply with the June 1, 2024 deadline for registration with the Office of the Information Commissioner (OIC).
In a ministerial statement in the Upper House yesterday, Senator Dr Dana Morris Dixon, minister without portfolio in the Office of the Prime Minister with responsibility for skills and digital transformation, said there will be no exemption for government ministries, departments and agencies from complying with the DPA.
Other categories of data controllers that Morris Dixon said must comply by June 1, next month, are those in high-risk sectors such as financial, health, education, tourism and information communication technology services.
In addition, Morris Dixon said that data controllers who are required to appoint a data protection officer and other controllers processing personal data for in excess of 10,000 data subjects are also required to be in compliance by the beginning of June.
“You may have a small business with two people who may be very data heavy in their data processing, it could be a third party data processor, they will have to comply,” she said.
Morris Dixon said the data controllers identified for prioritisation represent large stakeholder groupings that are important for the protection of consumers, who undertake transactions locally, regionally, and internationally.
“For these consumers, data protection and privacy practices are paramount in the conduct of their day-to-day business,” she added.
Safeguard personal data
The Data Protection Act was enacted to safeguard personal data processed by organisations and individuals. It mandates that personal data must be collected for specific, lawful purposes and with explicit consent. This ensures that individuals have control over their personal information, significantly reducing the risk of misuse and unauthorised access.
The minister with responsibility for skills and digital transformation said the OIC will, over time, require other data controllers not previously listed to register and ensure their full compliance with the DPA.
The DPA was slated for implementation on December 1, 2023. However, Morris Dixon said that, through consultation, the government acknowledged that most data controllers were not sufficiently prepared to meet the requirements for compliance with the law.
A six-month grace period was granted for all data controllers to become fully compliant with the provisions of the Act.
Minimum data protection compliance requirements for registration:
1. Appointment of a DPO or responsible officer for data protection
2. Documented data protection policies and procedures
3. Published privacy notice
4. Data inventory and data mapping
5. Storage for physical records properly secured with limited access
6. Electronic storage secured using at least three (3) privacy and security measures
7. Written agreements with data processors binding them to DPA compliance
8. System for the management of Data Subject Access Requests, i.e. requests from individuals exercising their right to information about personal data being processed by a data controller and the nature of the processing activities
9. Breach response strategy and plan
10. Staff training and sensitisation
