Data Protection Act, 2002

This Act has not yet come into force.

Seychelles

Act 9 of 2003

  • Not commenced
  • [This is the version of this document at 1 December 2014.]

Part I – Preliminary

1. Short title

This Act may be cited as the Data Protection Act, 2002 and shall come into operation on such date as the Minister may by notice in the Gazette appoint.
[Note: This Act was not yet in force as at 6 January 2014.]

2. Interpretation

(1)The following provisions shall, unless the context otherwise requires, have effect for the interpretation of this Act.
(2)"Business" includes a trade or profession.
(3)"Commissioner" means the Data Protection Commissioner appointed under section 4.
(4)"Court" means the Supreme Court.
(5)"Data" means information recorded in a form in which it can be processed by equipment operating automatically in response to instructions given for that purpose.
(6)"Data equipment" means equipment for the automatic processing of data or for recording information so that it can be automatically processed.
(7)"Personal data" means data consisting of information which relates to a living individual who can be identified from that information (or from that and other information in the possession of the data user), including any expression of opinion about the individual but not any indication of the intentions of the data user in respect of that individual.
(8)"Data material" means any document or other material used in connection with data equipment.
(9)"Data subject" means an individual who is the subject of personal data.
(10)"Data user" means a person who holds data, and a person "holds" data if—
(a)the data form part of a collection of data processed or intended to be processed by or on behalf of that person as mentioned in subsection (5);
(b)that person (either alone or jointly or in common with other persons) controls the contents and use of the data comprised in the collection, and
(c)the data are in the form in which they have been or are intended to be processed as mentioned in paragraph (a) or (though not for the time being in that form) in a form into which they have been converted after being so processed and with a view to being further so processed on a subsequent occasion.
(11)A person carries on a "computer bureau" if he provides other persons with services in respect of data, and a person provides such services if—
(a)as agent for other persons he causes data held by them to be processed as mentioned in subsection (5); or
(b)he allows other persons the use of equipment in his possession for the processing as mentioned in that subsection of data held by them.
(12)"De-registration notice" means a notice under section 15.
(13)"Prescribed" means prescribed by regulations under section 46.
(14)"Processing", in relation to data, means amending, augmenting, deleting or re-arranging the data or extracting the information constituting the data and, in the case of personal data, means performing any of those operations by reference to the data subject:
Provided that this subsection shall not apply to any operation performed only for the purpose of preparing the text of documents.
(15)"Disclosing", in relation to data, includes disclosing information extracted from the data and where the identification of the individual who is the subject of personal data depends partly on the information constituting the data and partly on other information in the possession of the data user, the data shall not be regarded as disclosed or transferred unless the other information is also disclosed or transferred.
(16)"Enactment" includes an enactment subsequent to this Act.
(17)"Enforcement notice" means a notice under section 14.
(18)"Register" means the register maintained under section 8.
(19)"Transfer prohibition notice" means a notice under section 16.

3. Data protection principles

(1)Subject to subsection (3), references in this Act to the data protection principles are to the principles set out in Part I of the Schedule and those principles shall be interpreted in accordance with Part II of the Schedule.
(2)The first seven principles apply to personal data held by data users and the eighth applies both to such data and to personal data in respect of which services are provided by persons carrying on computer bureaux.
(3)The Minister may, by Order published in the Gazette, modify or supplement those principles for the purpose of providing additional safeguards in relation to personal data consisting of information as to—
(a)the racial origin of the data subject;
(b)his political opinions or religious or other beliefs;
(c)his physical or mental health or his sexual life; or
(d)his criminal convictions,
and references in this Act to the data protection principles include, except where the context otherwise requires, references to any modified or additional principle having effect by virtue of an Order under this subsection.
(4)An Order under subsection (3) may modify a principle either by modifying the principle itself or by modifying its interpretation; and where an Order under that subsection modifies a principle or provides for an additional principle it may contain provisions for the interpretation of the modified or additional principle.
(5)An Order under subsection (3) modifying the third data protection principle may, to such extent as the Minister thinks appropriate, exclude or modify in relation to that principle any exemption from the non-disclosure provisions contained in Part IV; and the exemptions from those provisions shall accordingly have effect subject to any Order made by virtue of this subsection.
(6)An Order under subsection (3) may make different provisions in relation to data consisting of information of different descriptions.

4. Data Protection Commissioner

(1)For the purposes of this Act, there shall be an officer known as the Data Protection Commissioner.
(2)The Commissioner shall be appointed by the President.
(3)Subject to subsections (4) and (5), the Commissioner shall hold office for a term of 5 years, but on expiry of such term shall be eligible for re-appointment.
(4)The Commissioner may at any time resign his office by writing addressed to the President.
(5)The Commissioner may be removed from office by the President.

5. Other officers

(1)The President shall cause such arrangements to be made as the President considers appropriate for the provision of officers to assist the Commissioner in the exercise of his functions under this Act.
(2)Any function of the Commissioner under this Act may, to the extent authorised by him, be performed by any such officer.

6. Receipts and expenses

(1)All fees and other sums received by the Commissioner in the exercise of his functions under this Act shall be paid by him into the Consolidated Fund.
(2)There shall be paid to the Commissioner out of moneys provided by an Appropriation Act such sum as may be necessary towards his expenses.

7. Audit of accounts

The accounts of the Commissioner shall be audited in accordance with article 158 of the Constitution.

Part II – Regulation of data users and computer bureaux

8. Registration of data users and computer bureaux

(1)The Commissioner shall maintain a register of data users who hold, and of persons carrying on computer bureaux who provide services in respect of, personal data and shall make an entry in the register in pursuance of each application for registration accepted by the Commissioner under this Part.
(2)Each entry shall state whether it is in respect of—
(a)a data user;
(b)a person carrying on a computer bureau, or
(c)a data user who also carries on such a bureau.
(3)Subject to this section, an entry in respect of a data user shall consist of the following particulars—
(a)the name and address of the data user;
(b)a description of the personal data to be held by him and of the purpose or purposes for which the data are to be held or used;
(c)a description of every source from which he intends or may wish to obtain the data or the information to be contained in the data;
(d)a description of every person to whom he intends or may wish to disclose the data (otherwise than in a case mentioned in section 41(5)(a), (b) or (c));
(e)the name of every country outside Seychelles to which he intends or may wish directly or indirectly to transfer the data; and
(f)one or more addresses for the receipt of requests from data subjects for access to the data.
(4)Subject to this section, an entry in respect of a person carrying on a computer bureau shall consist of that person's name and address.
(5)Subject to this section, an entry in respect of a data user who also carries on a computer bureau shall consist of his name and address and, as respects the personal data to be held by him, the particulars specified in subsection (3)(b) to (f).
(6)In the case of a registered company, the address referred to in subsections (3)(a), (4) and (5) is that of its registered office, and the particulars to be included in the entry shall include the company's number in the register of companies.
(7)In the case of a person (other than a registered company) carrying on a business the address referred to in subsections (3)(a), (4) and (5) is that of his principal place of business.
(8)The Minister may by Order published in the Gazette vary the particulars to be included in entries made in the register.

9. Prohibition of unregistered holding of personal data

(1)A person shall not hold personal data unless an entry in respect of that person as a data user, or as a data user who also carries on a computer bureau, is for the time being contained in the register.
(2)A person in respect of whom such an entry is contained in the register shall not—
(a)hold personal data of any description other than that specified in the entry;
(b)hold any such data, or use any such data held by him, for any purpose other than the purpose or purposes described in the entry;
(c)obtain such data, or information to be contained in such data, to be held by him from any source which is not described in the entry;
(d)disclose such data held by him to any person who is not described in the entry; or
(e)directly or indirectly transfer such data held by him to any country outside Seychelles other than a country named in the entry.
(3)A servant or agent of a person to whom subsection (2) applies shall, as respects personal data held by that person, be subject to the same restrictions on the use, disclosure or transfer of the data as those to which that person is subject under subsection (2)(b), (d) and (e) and as respects personal data to be held by that person, to the same restrictions as those to which he is subject under subsection (2)(c).
(4)A person shall not, in carrying on a computer bureau, provide services in respect of personal data unless an entry in respect of that person as a person carrying on such a bureau is for the time being contained in the register.
(5)Any person who contravenes subsection (1) or knowingly or recklessly contravenes any of the other provisions of this section shall be guilty of an offence.

10. Application for registration and amendment

(1)A person applying for registration shall state whether he wishes to be registered as a data user, as a person carrying on a computer bureau or as a data user who also carries on a computer bureau, and shall furnish the Commissioner, in such form as the Commissioner may require, with the particulars required to be included in the entry to be made in pursuance of the application.
(2)Where a person intends to hold personal data for two or more purposes he may make separate applications for registration in respect of any of those purposes.
(3)A registered person may at any time apply to the Commissioner for the alteration of any particulars included in the entry or entries relating to that person.
(4)Where the alteration would consist of the addition of a purpose for which personal data are to be held, the person may, instead of making an application under subsection (3), make a fresh application for registration in respect of the additional purpose.
(5)A registered person shall make an application under subsection (3) whenever necessary for ensuring that the entry or entries relating to that person contain his current address; and any person who fails to comply with this subsection shall be guilty of an offence.
(6)Any person who, in connection with an application for registration or the alteration of registered particulars, knowingly or recklessly furnishes the Commissioner with information which is false or misleading in a material respect shall be guilty of an offence.
(7)Every application for registration shall be accompanied by the prescribed fee, and every application for the alteration of registered particulars shall be accompanied by such fee, if any, as may be prescribed.
(8)Any application for registration or the alteration of registered particulars may be withdrawn by notice in writing to the Commissioner at any time before the applicant receives a notification in respect of the application under section 11(1).

11. Acceptance and refusal of applications

(1)Subject to this section, the Commissioner shall, as soon as practicable and in any case within the period of 6 months after receiving an application for registration or for the alteration of registered particulars, notify the applicant in writing whether his application has been accepted or refused; and where the Commissioner notifies an applicant that his application has been accepted, the notification shall state—
(a)the particulars entered in the register, or the alteration made; and
(b)the date on which the particulars were entered or the alteration was made.
(2)The Commissioner shall not refuse an application made in accordance with section 10 unless—
(a)he considers that the particulars proposed for registration or, as the case may be, the particulars that would result from the proposed alteration, will not give sufficient information as to the matters to which they relate;
(b)he is satisfied that the applicant is likely to contravene any of the data protection principles; or
(c)he considers that the information available to him is insufficient to satisfy him that the applicant is unlikely to contravene any of those principles.
(3)Subsection (2)(a) shall not be construed as precluding the acceptance by the Commissioner of particulars expressed in general terms in cases where that is appropriate, and the Commissioner shall accept particulars expressed in such terms in any case in which he is satisfied that more specific particulars would be likely to prejudice the purpose or purposes for which the data are to be held.
(4)Where the Commissioner refuses an application under this section he shall give his reasons and inform the applicant of the right of appeal conferred by section 17.

12. Duration and renewal of registration

(1)No entry shall be retained in the register after the expiration of the initial period of registration except in pursuance of a renewal application made to the Commissioner in accordance with this section.
(2)Subject to subsection (3), the initial period of registration and the period for which an entry is to be retained in pursuance of a renewal application ("the renewal period") shall be a period of 5 years beginning with the date on which the entry in question was made or, as the case may be, the date on which that entry would fall to be removed if the application had not been made.
(3)The person making an application for registration or a renewal application may, in his application, specify as the initial period of registration or, as the case may be, as the renewal period, a period shorter than five years, being a period consisting of one or more complete years.
(4)Where the Commissioner notifies an applicant for registration that his application has been accepted, the notification shall state the date when the initial period of registration will expire.
(5)Any person who, in connection with a renewal application, knowingly or recklessly furnishes the Commissioner with information which is false or misleading in a material respect shall be guilty of an offence.
(6)Every renewal application shall be accompanied by the prescribed fee and no such application shall be made except in the period of 6 months ending with the expiration of—
(a)the initial period of registration; or
(b)if there have been one or more previous renewal applications, the current renewal period.
(7)Where a person making a renewal application notifies the Commissioner in writing that no alteration of registered particulars is sought, no further particulars may be demanded in support of the application.
(8)Any renewal application may be sent by post, and the Commissioner shall acknowledge its receipt and notify the applicant in writing of the date until which the entry in question will be retained in the register in pursuance of the application.
(9)Without prejudice to the foregoing provisions of this section, the Commissioner may at any time remove an entry from the register at the request of the person to whom the entry relates.

13. Inspection etc. of registered particulars

(1)The Commissioner shall provide facilities for making the information contained in the entries in the register available for inspection (in visible and legible form) by members of the public at all reasonable hours on payment of such fee, if any, as may be prescribed.
(2)The Commissioner shall, on payment of such fee, if any, as may be prescribed, supply any member of the public with a duly certified copy in writing of the particulars contained in the entry made in the register in pursuance of any application for registration.

14. Enforcement notice

(1)If the Commissioner is satisfied that a registered person has contravened or is contravening any of the data protection principles, the Commissioner may serve that person with an enforcement notice requiring him to take, within such time as is specified in the notice, such steps as are so specified for complying with the principle or principles in question.
(2)In deciding whether to serve an enforcement notice the Commissioner shall consider whether the contravention has caused or is likely to cause any person damage or distress.
(3)An enforcement notice in respect of a contravention of the fifth data protection principle may require the user—
(a)to rectify or erase the data and any other data held by him and containing an expression of opinion which appears to the Commissioner to be based on the inaccurate data; or
(b)in the case of such data as are mentioned in section 29(2), either to take the steps mentioned in paragraph (a) or to take such steps as are specified in the notice for securing compliance with the requirements specified in section 29(2) and, if the Commissioner thinks fit, for supplementing the data with such statements of the true facts relating to the matters dealt with by the data as the Commissioner may approve.
(4)The Commissioner shall not serve an enforcement notice requiring the person served with notice to take steps for complying with paragraph (a) of the seventh data protection principle in respect of any data subject unless satisfied that the person has contravened section 28 by failing to supply information to which the data subject is entitled and which has been duly requested in accordance with that section.
(5)An enforcement notice shall contain—
(a)a statement of the principle or principles which the Commissioner is satisfied have been or are being contravened and his reasons for reaching that conclusion; and
(b)particulars of the right of appeal conferred by section 17.
(6)Subject to subsection (7), the time specified in an enforcement notice for taking the steps which it requires shall not expire before the end of the period within which an appeal can be brought against the notice and, if such an appeal is brought, those steps need not be taken pending the determination or withdrawal of the appeal.
(7)If by reason of special circumstances the Commissioner considers that the steps required by an enforcement notice should be taken as a matter of urgency, he may include a statement to that effect in the notice, and in that event, subsection (6) shall not apply.
(8)The Commissioner may cancel an enforcement notice by written notification to the person on whom it was served.
(9)Any person who fails to comply with an enforcement notice shall be guilty of an offence; but it shall be a defence for the person charged with an offence under this subsection to prove that he exercised all due diligence to comply with the notice in question.

15. De-registration notice

(1)If the Commissioner is satisfied that a registered person has contravened or is contravening any of the data protection principles, the Commissioner may—
(a)serve the person with a de-registration notice stating that the Commissioner proposes, at the expiration of such period as is specified in the notice, to remove from the register all or any of the particulars constituting the entry or any of the entries contained in the register in respect of that person; and
(b)subject to the provisions of this section, remove those particulars from the register at the expiration of that period.
(2)In deciding whether to serve a de-registration notice, the Commissioner shall consider whether the contravention has caused or is likely to cause any person damage or distress, and the Commissioner shall not serve such a notice unless he is satisfied that compliance with the principle or principles in question cannot be adequately secured by the service of an enforcement notice.
(3)A de-registration notice shall contain—
(a)a statement of the principle or principles which the Commissioner is satisfied have been or are being contravened and the reasons for reaching that conclusion; and
(b)particulars of the right of appeal conferred by section 17.
(4)Subject to subsection (5), the period specified in a de-registration notice shall not expire before the end of the period within which an appeal can be brought against the notice and, if such an appeal is brought, the particulars shall not be removed pending the determination or withdrawal of the appeal.
(5)If by reason of special circumstances the Commissioner considers that any particulars should be removed from the register as a matter of urgency, he may include a statement to that effect in the de-registration notice; and in that event subsection (4) shall not apply and the particulars shall be removed immediately.
(6)The Commissioner may cancel a de-registration notice by written notification to the person on whom it was served.

16. Transfer prohibition notice

(1)If it appears to the Commissioner that a person registered as a data user or as a data user who also carries on a computer bureau proposes to transfer personal data held by him to a place outside Seychelles, the Commissioner may, if satisfied that the transfer is likely to contravene or lead to a contravention of any data protection principle, serve that person with a transfer prohibition notice prohibiting him from transferring the data either absolutely or until he has taken such steps as are specified in the notice for protecting the interests of the data subjects in question.
(2)In deciding whether to serve a transfer prohibition notice, the Commissioner shall consider whether the notice is required for preventing damage or distress to any person and shall have regard to the general desirability of facilitating the free transfer of data between Seychelles and other states.
(3)A transfer prohibition notice shall specify the time when it is to take effect and contain—
(a)a statement of the principle or principles which the Commissioner is satisfied is or are likely to be contravened and his reasons for reaching that conclusion; and
(b)particulars of the right of appeal conferred by section 17.
(4)Subject to subsection (5), the time specified in a transfer prohibition notice pursuant to subsection (3) shall not be before the end of the period within which an appeal can be brought against the notice and, if such an appeal is brought, the notice shall not take effect pending the determination or withdrawal of the appeal.
(5)If by reason of special circumstances the Commissioner considers that the prohibition notice should take effect as a matter of urgency, he may include a statement to that effect in the transfer prohibition notice, and in that event, subsection (4) shall not apply and the notice shall take effect immediately.
(6)The Commissioner may cancel a transfer prohibition notice by written notification to the person on whom it was served.
(7)No transfer prohibition notice shall prohibit the transfer of any data where the transfer of the information constituting the data is required or authorised by or under any enactment or required by any convention or other instrument imposing an international obligation on Seychelles.
(8)Any person who contravenes a transfer prohibition notice shall be guilty of an offence but it shall be a defence for a person charged with an offence under this subsection to prove that he exercised all due diligence to avoid a contravention of the notice in question.

17. Right of appeal

(1)A person may appeal to the Minister against—
(a)any refusal by the Commissioner of an application by that person for registration or for the alteration of registered particulars;
(b)any enforcement notice, de-registration notice or transfer prohibition notice with which that person has been served.
(2)The Minister may make regulations prescribing the procedures for the making and the determination of appeals under this section.

18. Determination of appeals

(1)If on an appeal under section 17 the Minister considers that the refusal or notice against which the appeal is brought is not in accordance with the law, the Minister shall allow the appeal or substitute such other decision or notice as could have been made or served by the Commissioner; and in any other case the Minister shall dismiss the appeal.
(2)The Minister may review any determination of fact on which the refusal or notice in question was based.
(3)Any party to an appeal to the Minister may appeal from the decision of the Minister on a point of law to the Supreme Court.

19. Unauthorised disclosure by computer bureaux

(1)Personal data in respect of which services are provided by a person carrying on a computer bureau shall not be disclosed by that person without the prior authority of the person for whom those services are provided.
(2)Subsection (1) applies also to any servant or agent of a person carrying on a computer bureau.
(3)Any person who knowingly or recklessly contravenes this section shall be guilty of an offence.

20. Power of entry and inspection

(1)If a Judge of the Supreme Court is satisfied by information on oath supplied by the Commissioner that there are reasonable grounds for suspecting—
(a)that an offence under this Act has been or is being committed; or
(b)that any of the data protection principles has been or is being contravened by a registered person,
and that evidence of the commission of the offence or of the contravention is to be found on any premises specified in the information, he may grant a warrant authorising the Commissioner or any of his officers to enter those premises, to search them, to inspect, examine, operate and test any data equipment found there and to inspect and seize any documents or other material found there which may be such evidence as aforesaid.
(2)For the purpose of this section, "premises" includes any vessel, vehicle, aircraft or hovercraft and references to the occupier of any premises include references to any person in charge of any vessel, vehicle, aircraft or hovercraft.

21. Execution of warrants

(1)A person executing a warrant issued under section 20 may use such reasonable force as may be necessary.
(2)A warrant issued under section 20 shall be executed at a reasonable hour unless it appears to the person executing it that there are grounds for suspecting that the evidence in question would not be found if it were so executed.
(3)If the person who occupies the premises in respect of which a warrant is issued under section 20 is present when the warrant is executed, he shall be shown and supplied with a copy of it; and if that person is not present a copy of the warrant shall be left in a prominent place on the premises.
(4)A person seizing anything in pursuance of a warrant under section 20 shall give a receipt for it if asked to do so, and retain the thing seized for so long as is necessary in all the circumstances.

22. Matters exempt from inspection and seizure

The powers of inspection and seizure conferred by a warrant issued under section 20 shall not be exercisable in respect of—
(a)personal data which are exempt from Part II;
(b)any communication between an attorney-at-law and his client in connection with the giving of legal advice to the client with respect to his obligations, liabilities or rights under this Act.

23. Return of warrants

A warrant issued under section 20 shall be returned to the Registrar of the Supreme Court
(a)after being executed; or
(b)if not executed within the time authorised for its execution,
and the person by whom any such warrant is executed shall make an endorsement on it stating what powers have been exercised by him under the warrant.

24. Offences

Any person who—
(a)intentionally obstructs a person in the execution of a warrant issued under section 20; or
(b)fails without reasonable excuse to give any person executing such a warrant such assistance as he may reasonably require for the execution of the warrant,
shall be guilty of an offence.

25. Disclosure of information

No enactment or rule of law prohibiting or restricting the disclosure of information shall preclude—
(a)a person from furnishing the Commissioner or the Minister with any information necessary for the discharge of their functions under this Act; or
(b)the Commissioner or any officer or servant of the Commissioner from disclosing any information where the disclosure is made for the purpose of discharging his duties under this Act or for the purpose of proceedings under or arising out of this Act.

26. Prosecution and penalties

(1)Proceedings for an offence under this Act may be instituted by the Commissioner or by, or with the consent of, the Attorney General.
(2)A person guilty of an offence under any provision of this Act shall be liable on conviction to a fine not exceeding R20,000.
(3)Subject to subsection (4), the court by which a person is convicted of an offence under sections 9, 14, 16 or 19 may order any data material appearing to the court to be connected with the commission of the offence to be forfeited, destroyed or erased.
(4)The court shall not make an order under subsection (3) in relation to any material where a person (other than the offender) claiming to be the owner or otherwise interested in it applies to be heard by the court, unless an opportunity is given to him to show cause why the order should not be made.

27. Liability of directors etc.

(1)Where an offence under this Act has been committed by a body corporate and is proved to have been committed with the consent or connivance of, or to be attributable to any neglect on the part of, any director, manager, secretary or similar officer of the body corporate or any person who was purporting to act in any such capacity, he as well as the body corporate shall be guilty of that offence and be liable to be proceeded against and punished accordingly.
(2)Where the affairs of a body corporate are managed by its members, subsection (1) shall apply in relation to the acts and defaults of a member in connection with his functions of management as if he were a director of the body corporate.

Part III – Rights of data subjects

28. Right of access to personal data

(1)Subject to this section, an individual shall be entitled—
(a)to be informed by a data user whether the data held by the data user include personal data of which that individual is the data subject;
(b)to be supplied by a data user with a copy of the information constituting any such data held by the data user; and
(c)where any information referred to in paragraph (b) is expressed in terms which are not intelligible without explanation the information accompanied by an explanation of those terms.
(2)A data user shall be obliged to supply any information under subsection (1) only in response to a request in writing and on payment of such fee (not exceeding the prescribed maximum) as he may require; but a request for information under paragraphs (a) and (b) of that subsection shall be treated as a single request.
(3)In the case of a data user having separate entries in the register in respect of data held for different purposes a separate request shall be made and a separate fee paid in respect of the data to which each entry relates.
(4)A data user shall not be obliged to comply with a request under this section—
(a)unless he is given the information he may reasonably require to satisfy himself as to the identity of the person making the request and to locate the information which that person seeks; and
(b)if he cannot comply with the request without disclosing information relating to another individual who can be identified from that information, unless he is satisfied that the other individual has consented to the disclosure of the information to the person making the request.
(5)In subsection (4)(b) the reference to information relating to another individual includes a reference to information identifying that individual as the source of the information sought by the request; and subsection (4)(b) shall not be construed as excusing a data user from supplying so much of the information sought by the request as can be supplied without disclosing the identity of the other individual concerned, whether by the omission of names or other identifying particulars or otherwise.
(6)A data user shall comply with a request under this section within 40 days of receiving the request or, if later, receiving the information referred to in subsection (4)(a) and, in a case where it is required, the consent referred to in subsection (4)(b).
(7)The information to be supplied pursuant to a request under this section shall be supplied by reference to the data in question at the time when the request is received except that it may take account of any amendment or deletion made between that time and the time when the information is supplied, being an amendment or deletion that would have been made regardless of the receipt of the request.
(8)If the Court is satisfied on the application of any person who has made a request under the foregoing provisions of this section that the data user in question has failed to comply with the request in contravention of those provisions, the Court may order him to comply with the request; but the Court shall not make an order under this subsection if it considers that it would in all the circumstances be unreasonable to do so, whether because of the frequency with which the applicant has made requests to the data user under those provisions or for any other reason.

29. Compensation for inaccuracy

(1)An individual who is the subject of personal data held by a data user and who suffers damage by reason of the inaccuracy of the data shall be entitled to compensation from the data user for that damage and for any distress which the individual has suffered by reason of the inaccuracy.
(2)In the case of data which accurately record information received or obtained by the data user from the data subject or a third party, subsection (1) does not apply if the following requirements have been complied with—
(a)the data indicate that the information was received or obtained as aforesaid or the information has not been extracted from the data except in a form which includes an indication to that effect; and
(b)if the data subject has notified the data user that he regards the information as incorrect or misleading, an indication to that effect has been included in the data or the information has not been extracted from the data except in a form which includes an indication to that effect.
(3)In proceedings brought against any person by virtue of this section it shall be a defence to prove that he had taken such care as in all the circumstances was reasonably required to ensure the accuracy of the data at the material time.
(4)Data are inaccurate for the purposes of this section if incorrect or misleading as to any matter of fact.

30. Compensation for loss or unauthorised disclosure

(1)An individual who is the subject of personal data held by a data user or in respect of which services are provided by a person carrying on a computer bureau and who suffers damage by reason of—
(a)the loss of the data;
(b)the destruction of the data without the authority of the data user or, as the case may be, of the person carrying on the bureau; or
(c)subject to subsection (2) the disclosure of the data, or access having been obtained to the data, without such authority as aforesaid,
shall be entitled to compensation from the data user or, as the case may be, the person carrying on the bureau for that damage and for any distress which the individual has suffered by reason of the loss, destruction, disclosure or access.
(2)In the case of a registered data user, subsection (1)(c) does not apply to disclosure to, or access by, any person falling within a description specified pursuant to section 8(3)(d) in an entry in the register relating to that data user.
(3)In proceedings brought against any person by virtue of this section it shall be a defence to prove that he had taken such care as in all the circumstances was reasonably required to prevent the loss, destruction, disclosure or access in question.

31. Rectification and erasure

(1)If the Court is satisfied on the application of a data subject that personal data held by a data user of which the applicant is the subject are inaccurate within the meaning of section 29, the Court may order the rectification or erasure of the data and any data held by the data user and containing an expression of opinion which appears to the Court to be based on the inaccurate data.
(2)Subsection (1) applies whether or not the data accurately record information received or obtained by the data user from the data subject or a third party but where the data accurately record such information then—
(a)if the requirements mentioned in section 29 have been complied with, the Court may instead of making an order under subsection (1), make an order requiring the data to be supplemented by such statement of the true facts relating to the matters dealt with by the data as the Court may approve; and
(b)if all or any of those requirements have been complied with, the Court may, instead of making an order under subsection (1) make such order as it thinks fit for securing compliance with those requirements with or without a further order requiring the data to be supplemented by such a statement as mentioned in paragraph (a).
(3)If the Court is satisfied on the application of a data subject—
(a)that he has suffered damage by reason of the disclosure of personal data, or of access having been obtained to personal data, in circumstances entitling him to compensation under section 30; and
(b)that there is a substantial risk of further disclosure of or access to the data without such authority as is mentioned in that section,
the Court may order the erasure of the data; but, in the case of data in respect of which services were being provided by a person carrying on a computer bureau, the Court shall not make such an order unless such steps as are reasonably practicable have been taken for notifying the person for whom those services were provided and giving him an opportunity to be heard.

32. No access pending court determination

For the purpose of determining any question whether an applicant under section 28(8) is entitled to the information which he seeks (including any question whether any relevant data are exempt from that section by virtue of Part IV), the Court may require the information constituting any data held by the data user to be made available for its own inspection but shall not, pending the determination of that question in the applicant's favour, require the information sought by the applicant to be disclosed to him or his representatives whether by discovery or otherwise.

Part IV – Exemptions

33. Preliminary

(1)References in any provision of Part II or III to personal data do not include references to data which by virtue of this Part are exempt from that provision.
(2)In this Part "the subject access provisions" means—
(a)section 28; and
(b)any provision of Part II conferring power on the Commissioner to the extent to which it is exercisable by reference to paragraph (a) of the seventh data protection principle.
(3)In this Part of this Act "the non-disclosure provisions" means—
(a)sections 9(2)(d) and 19; and
(b)any provision of Part II conferring a power on the Commissioner to the extent to which it is exercisable by reference to any data protection principle inconsistent with the disclosure in question.
(4)Except as provided by this Part, the subject access provisions shall apply notwithstanding any enactment or rule of law prohibiting or restricting the disclosure, or authorising the withholding, of information.

34. National security

(1)Personal data are exempt from the provisions of Part II and of sections 28 to 31 if the exemption is required for the purpose of safeguarding national security.
(2)Any question whether the exemption mentioned in subsection (1) is or at any time was required for the purpose there mentioned in respect of any personal data shall be determined by the Minister and a certificate signed by the Minister certifying that the exemption is or at any time was so required shall be conclusive evidence of that fact.
(3)Personal data which are not exempt under subsection (1) are exempt from the non-disclosure provisions in any case in which the disclosure of the data is for the purpose of safeguarding national security.
(4)For the purposes of subsection (3), a certificate signed by the Minister certifying that personal data are or have been disclosed for the purpose mentioned in that subsection shall be conclusive evidence of that fact.
(5)A document purporting to be such a certificate as is mentioned in this section shall be received in evidence and deemed to be such a certificate unless the contrary is proved.

35. Crime and taxation

(1)Personal data held for any of the following purposes—
(a)the prevention or detection of crime;
(b)the apprehension or prosecution of offenders; or
(c)the assessment or collection of any tax or duty,
are exempt from the subject access provisions in any case in which the application of those provisions to the data would be likely to prejudice any of the matters mentioned in this subsection.
(2)Personal data which—
(a)are held for the purpose of discharging statutory functions; and
(b)consist of information obtained for such a purpose from a person who had it in his possession for any of the purposes mentioned in subsection (1),
are exempt from the subject access provisions to the same extent as personal data held for any of the purposes mentioned in that subsection.
(3)Personal data are exempt from the non-disclosure provisions in any case in which—
(a)the disclosure is for any of the purposes mentioned in subsection (1); and
(b)the application of those provisions in relation to the disclosure would be likely to prejudice any of the matters mentioned in that subsection;
and in proceedings against any person for contravening section 9(2)(d) or 19 it shall be a defence to prove that he had reasonable grounds for believing that failure to make the disclosure in question would have been likely to prejudice any of those matters.
(4)Personal data are exempt from the provisions of Part II conferring powers on the Commissioner, to the extent to which they are exercisable by reference to the first data protection principle, in any case in which the application of those provisions to the data would be likely to prejudice any of the matters mentioned in subsection (1).

36. Health and social work

(1)The Minister may by order exempt from the subject access provisions, or modify those provisions in relation to, personal data consisting of information as to the physical or mental health of the data subject.
(2)The Minister may by order exempt from the subject access provisions, or modify those provisions in relation to, personal data of such other descriptions as may be specified in the order, being information—
(a)held by government departments or voluntary organisations or other bodies designated by the order; and
(b)appearing to him to be held for, or acquired in the course of, carrying out social work in relation to the data subject or other individuals;
but the Minister shall not under this subsection confer any exemption or make any modification except so far as he considers that the application to the data of those provisions (or of those provisions without modification) would be likely to prejudice the carrying out of social work.
(3)An order under this section may make different provision in relation to data consisting of information of different descriptions.

37. Regulation of financial services etc.

(1)Personal data held for the purpose of discharging statutory functions to which this section applies are exempt from the subject access provisions in any case in which the application of those provisions to the data would be likely to prejudice the proper discharge of those functions.
(2)This section applies to any functions designated for the purpose of this section by an order made by the Minister, being functions conferred by or under any enactment appearing to him to be designed for protecting members of the public against financial loss due to dishonesty, incompetence or malpractice by persons concerned in the provision of banking, insurance, investment or other financial services or in the management of companies or to the conduct of discharged or undischarged bankrupts.

38. Appointments and professional privilege

(1)Personal data held by a government department are exempt from the subject access provisions if the data consist of information which has been received from a third party and is held as information relevant to the making of appointments.
(2)Personal data are exempt from the subject access provisions if the data consists of information in respect of which a claim to legal professional privilege could be maintained in legal proceedings.

39. Payrolls and accounts

(1)Personal data held by a data user only for one or more of the following purposes—
(a)calculating amounts payable by way of remuneration or pensions or gratuities in respect of services in any employment; or
(b)keeping accounts relating to any business or other activity carried on by the data user; or
(c)distributing or supplying, or recording the distribution or supply of, articles, information or services to the data subjects
are exempt from the provisions of Part II and of sections 28 to 31.
(2)It shall be a condition of the exemption of any data under this section that the data are not used for any purpose other than the purpose or purposes for which they are held and are not disclosed except as permitted by subsections (3) and (4); but the exemption shall not be lost by any use or disclosure in breach of that condition if the data user shows that he had taken such care to prevent it as in all the circumstances was reasonably required.
(3)Data held only for one or more of the purposes mentioned in subsection (1)(a) may be disclosed—
(a)to any person by whom the remuneration or pensions in question are payable;
(b)for the purpose of obtaining actuarial advice;
(c)as information for use in medical research into the health of persons engaged in particular occupations or working in particular places or areas;
(d)if the data subject has requested or consented to the disclosure of the data either generally or in specified circumstances.
(4)Data held for any of the purposes mentioned in subsection (1) may be disclosed—
(a)for the purpose of audit or where the disclosure is for the purpose only of giving information about the data user's financial affairs; or
(b)in any case in which disclosure would be permitted by any other provision of this Part if subsection (2) were included among the non-disclosure provisions.

40. Domestic or other limited purposes

(1)Personal data held by an individual and concerned only with the management of his personal, family or household affairs or held by him only for recreational purposes are exempt from the provisions of Part II and of sections 28 to 31.
(2)Subject to subsections (3) and (4)—
(a)personal data held by an unincorporated members' club and relating only to the members of the club; and
(b)personal data held by a data user only for the purpose of distributing, or recording the distribution of, articles or information to the data subjects and consisting only of their names, addresses or other particulars necessary for effecting the distribution,
are exempt from the provisions of Part II and of sections 20 to 31.
(3)Subsection (2) shall apply to personal data relating to any data subject only if he has been notified by the club or data user that data relating to him is held as mentioned in that paragraph and has not objected to its being so held.
(4)It shall be a condition of the exemption of any data under paragraph (b) of subsection (2) that the data are not used for any purpose other than that for which they are held and of the exemption of any data under either paragraph of that subsection that the data are not disclosed except as permitted by subsection (5); but the first exemption shall not be lost by any use, and neither exemption shall be lost by any disclosure, in breach of that condition if the data user shows that he had taken such care to prevent it as in all the circumstances was reasonably required.
(5)Data to which subsection (4) applies may be disclosed—
(a)if the data subject has requested or consented to the disclosure of the data either generally or in specified circumstances;
(b)if the person making the disclosure has reasonable grounds for believing that the disclosure falls within paragraph (a); or
(c)in any case in which disclosure would be permitted by any provision of this Part if subsection (4) were included among the non-disclosure provisions.
(6)Personal data held only for—
(a)preparing statistics; or
(b)carrying out research,
are exempt from the subject access provisions; but it shall be a condition of the exemption that the data are not used for any other purpose, or disclosed (otherwise than in a case mentioned in section 41(5)) for any other purpose, and that the resulting statistics or the results of the research are not made available in a form which identifies the data subjects or any of them.

41. Other exemptions

(1)Personal data held by any person are exempt from the provisions of Part II and of sections 28 to 31 if the data consist of information which that person is required by or under any enactment to make available to the public, whether by publishing it, making it available for inspection or otherwise and whether gratuitously or on payment of a fee.
(2)The Minister may by order exempt from the subject access provisions data consisting of information the disclosure of which is prohibited or restricted by or under any enactment if he considers that the prohibition or restriction ought to prevail over those provisions in the interests of the data subject or of any other individual.
(3)Personal data are exempt from the subject access provisions if the data are kept only for the purpose of replacing other data in the event of the latter being lost, destroyed or impaired.
(4)Personal data are exempt from the non-disclosure provisions in any case in which the disclosure is—
(a)required by or under any enactment, by any rule of law or by the order of a court; or
(b)made for the purpose of obtaining legal advice or for the purposes of, or in the course of, legal proceedings in which the person making the disclosure is a party or a witness.
(5)Personal data are exempt from the non-disclosure provisions in any case in which—
(a)the disclosure is to the data subject or a person acting on his behalf; or
(b)the data subject or any such person has requested or consented to the particular disclosure in question; or
(c)the disclosure is by a data user or a person carrying on a computer bureau to his servant or agent for the purpose of enabling the servant or agent to perform his functions as such.
(6)Personal data are exempt from the non-disclosure provisions in any case in which the disclosure is urgently required for preventing injury or other damage to the health of any person or persons; and in proceedings against any person for contravening section 9(2)(d) or 19 it shall be a defence to prove that he had reasonable grounds for believing that the disclosure in question was urgently required for that purpose.
(7)A person need not comply with a notice, request or order under the subject access provisions if compliance would expose him to proceedings for any offence other than an offence under this Act; and information disclosed by any person in compliance with such notice, request or order shall not be admissible against him in proceedings for an offence under this Act.

42. Examination marks

(1)Section 28 shall have effect subject to the provisions of this section in the case of personal data consisting of marks or other information held by a data user—
(a)for the purpose of determining the results of an academic, professional or other examination or of enabling the results of any such examination to be determined; or
(b)in consequence of the determination of any such results.
(2)Where the period mentioned in section 28(6) begins before the results of the examination are announced that period shall be extended until the end of 40 days after the date of the announcement.
(3)Where by virtue of subsection (2) a request is complied with more than 40 days after the beginning of the period mentioned in section 28(6), the information to be supplied pursuant to the request shall be supplied both by reference to the data in question at the time when the request is received and (if different) by reference to the data as from time to time held in the period beginning when the request is received and ending when it is complied with.
(4)For the purposes of this section the results of an examination shall be treated as announced when they are first published or (if not published) when they are first made available or communicated to the candidate in question.
(5)In this section "examination" includes any process for determining the knowledge, intelligence, skill or ability of a candidate by reference to his performance in any test, work or other activity.

Part V – General

43. General duties of the Commissioner

(1)It shall be the duty of the Commissioner so to perform his functions under this Act as to promote the observance of the data protection principles by data users and persons carrying on computer bureaux.
(2)The Commissioner may consider any complaint that any of the data protection principles or any provision of this Act has been or is being contravened and shall do so if the complaint appears to him to raise a matter of substance and to have been made without undue delay by a person directly affected; and where the Commissioner considers any such complaint he shall notify the complainant of the result of his consideration and of any action which he proposes to take.
(3)The Commissioner shall arrange for the dissemination, in such form and manner as he considers appropriate, of such information as it may appear to him expedient to give to the public about the operation of this Act and other matters within the scope of his functions under this Act and may give advice to any person as to any of those matters.
(4)The Commissioner shall, where he considers it appropriate to do so, encourage trade associations or other bodies representing data users to prepare, and to disseminate to their members, codes of practice for guidance in complying with the data protection principles.
(5)The Commissioner shall annually submit to the Minister a general report on the performance of the Commissioner's functions under this Act.

44. Application to Public Authorities

(1)Except as provided in subsection (2), a Public Authority shall be subject to the same obligations and liabilities under this Act as a private person; and for the purposes of this Act each Public Authority shall be treated as a person separate from any other Public Authority and a member of the Public Service shall be treated as a servant of the Public Authority to which his responsibilities or duties relate.
(2)A Public Authority shall not be liable to prosecution under this Act but—
(a)sections 9(3) and 19(2) and, so far as relating to those provisions, sections 9(5) and 19(3) shall apply to a member of the Public Service who by virtue of this section falls to be treated as a servant of the Public Authority in question; and
(b)sections 10(6) and 24 shall apply to a member of the Public Service as they apply to any other person.
(3)For the purposes of this section, "Public Authority" means a Ministry, department, division or agency of the Government or a statutory corporation or a limited liability company which is directly or ultimately under the control of the Government or any other body which is carrying out a governmental function or service or a person or body specified by an Act.

45. Data held and services provided outside Seychelles

(1)Subject to the following provisions of this section, this Act does not apply to a data user in respect of data held, or to a person carrying on a computer bureau in respect of services provided, outside Seychelles.
(2)For the purposes of subsection (1)—
(a)data shall be treated as held where the data user exercises the control referred to in section 2(9)(b) in relation to the data; and
(b)services shall be treated as provided where the person carrying on the computer bureau does any of the things referred to in section 2(10)(a) or (b).
(3)Where a person who is not resident in Seychelles—
(a)exercises the control mentioned in subsection (2)(a); or
(b)does any of the things mentioned in subsection (2)(b) through a servant or agent in Seychelles, this Act shall apply as if that control were exercised or, as the case may be, those things were done, in Seychelles by the servant or agent acting on his own account and not on behalf of the person whose servant or agent he is.
(4)Where by virtue of subsection (3) a servant or agent is treated as a data user or as a person carrying on a computer bureau, he may be described for the purposes of registration by the position or office which he holds; and any such description in an entry in the register shall be treated as applying to the person for the time being holding the position or office in question.
(5)This Act does not apply to data processed wholly outside Seychelles unless the data are used or intended to be used in Seychelles.
(6)Sections 8(3)(e), 9(2)(e) and section 16(1) do not apply to the transfer of data which are already outside Seychelles but references in section 16 to a contravention of the data protection principles include references to anything that would constitute such contravention if it occurred in relation to the data when held in Seychelles.

46. Regulations and orders

(1)The Minister may by regulations prescribe any matter which by this Act is to be prescribed.
(2)Without prejudice to sections 3(6) and 36(3), regulations or orders under this Act may make different provision for different cases or circumstances.
(3)Before making regulations or orders under any provision of this Act, the Minister may consult the Commissioner.

47. Transitional provisions

(1)No application for registration shall be made until such day as the Minister may by Order published in the Official Gazette appoint, and sections 9 and 19 shall not apply until the end of the period of 6 months beginning with that day.
(2)Until the end of the period of 2 years beginning with the day appointed under subsection (1), the Commissioner shall not have the power—
(a)to refuse an application made in accordance with section 10 except on the ground mentioned in section 11(2)(a); or
(b)to serve an enforcement notice imposing requirements to be complied with, a deregistration notice expiring, or a transfer prohibition notice imposing a prohibition taking effect, before the end of that period.
(3)Where the Commissioner proposes to serve any person with an enforcement notice before the end of the period mentioned in subsection (2) he shall, in determining the time by which the requirements of the notice are to be complied with, have regard to the probable cost to that person of complying with those requirements.
(4)Section 28 and section 20(1)(b) shall not apply until the end of the period mentioned in subsection (2).
(5)Section 29 shall not apply to damage suffered before the end of the period mentioned in subsection (1) and in deciding whether to refuse an application or serve a notice under Part II the Commissioner shall treat the provision about accuracy in the fifth data protection principle as inapplicable until the end of that period and as inapplicable thereafter to data shown to have been held by the data user in question since before the end of that period.
(6)Sections 30 and 31(3) shall not apply to damage suffered before the end of the period of 2 months beginning with the date on which this Act is brought into operation.
(7)Section 31(1) and (2) shall not apply before the end of the period mentioned in subsection (1).

Schedule

Data protection principles (Section 3)

Part I – The principles

Personal data held by data users

1.The information to be contained in personal data shall be obtained, and personal data shall be processed, fairly and lawfully.
2.Personal data shall be held only for one or more specified and lawful purposes.
3.Personal data held for any purpose or purposes shall not be used or disclosed in any manner incompatible with that purpose or those purposes.
4.Personal data held for any purpose or purposes shall be adequate, relevant and not excessive in relation to that purpose or those purposes.
5.Personal data shall be accurate and, where necessary, kept up to date.
6.Personal data held for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
7.An individual shall be entitled—
(a)at reasonable intervals and without undue delay or expense—
(i)to be informed by any data user whether he holds personal data of which that individual is the subject; and
(ii)to access to any such data held by a data user; and
(b)where appropriate, to have such data corrected or erased.

Personal data held by data users or in respect of which services are provided by persons carrying on computer bureaux

8.Appropriate security measures shall be taken against unauthorised access to, or alteration, disclosure or destruction of, personal data and against accidental loss or destruction of personal data.

Part II – Interpretation

The first principle

1.
(1)Subject to subparagraph (2), in determining whether information was obtained fairly regard shall be had to the method by which it was obtained, including in particular whether any person from whom it was obtained was deceived or misled as to the purpose or purposes for which it is to be held, used or disclosed.
(2)Information shall in any event be treated as obtained fairly if it is obtained from a person who—
(a)is authorised by or under any enactment to supply it; or
(b)is required to supply it by or under any enactment or by any convention or other instrument imposing an international obligation on the Republic of Seychelles;
and in determining whether information was obtained fairly there shall be disregarded any disclosure of the information which is authorised or required by or under any enactment or required by any such convention or other instrument as aforesaid.

The second principle

Personal data shall not be treated as held for a specified purpose unless that purpose is described in particulars registered under this Act in relation to the data.
Personal data shall not be treated as used or disclosed in contravention of this principle unless—
(a)used otherwise than for a purpose of a description registered under this Act in relation to the data; or
(b)disclosed otherwise than to a person of a description so registered.
[Please note: numbering as in original.]

The fifth principle

4.Any question whether or not personal data are accurate shall be determined as for the purposes of section 29 but, in the case of such data as are mentioned in subsection (2) of that section, this principle shall not be regarded as having been contravened by reason of any inaccuracy in the information there mentioned if the requirements specified in that subsection have been complied with.
The fourth and sixth principles have not been interpreted.

The seventh principle

5.
(1)Paragraph (a) of this principle shall not be construed as conferring any rights inconsistent with section 28.
(2)In determining whether access to personal data is sought at reasonable intervals regard shall be had to the nature of the data, the purpose for which the data are held and the frequency with which the data are altered.
(3)The correction or erasure of personal data is appropriate only, where necessary for ensuring compliance with the other data protection principles.

The eighth principle

6.Regard shall be had—
(a)to the nature of the personal data and the harm that would result from such access, alteration, disclosure, loss or destruction as are mentioned in this principle; and
(b)to the place where the personal data are stored, to security measures programmed into the relevant equipment and to measures taken for ensuring the reliability of staff having access to the data.

Use for historical, statistical or research purposes

7.Where personal data are held for historical, statistical or research purposes and not used in such a way that damage is, or is likely to be, caused to any data subject—
(a)the information contained in the data shall not be regarded for the purposes of the first principle as obtained unfairly by reason only that its use for any such purpose was not disclosed when it was obtained; and
(b)the data may, notwithstanding the sixth principle, be kept indefinitely.

History of this document

01 December 2014 this version
Consolidation