The Office of the Data Protection Commissioner has published new guidelines for specific sectors to be applied in the processing of personal data for privacy purposes.
The new rules for education, communication, digital credit providers and health now bring the total number of published guidance notes to eight.
These are in addition to the notes on consent, electoral purposes, data protection impact assessment and registration of data controllers and data processors.
“These guidance notes are designed to assist these industries in understanding and adhering to data protection laws,” a statement issued on January 8 reads.
The stringent measures set out how these public and private institutions in the country can handle and store personal data, including the circumstances under which they can share or use it.
Educational institutions, for instance, are required to process personal data lawfully, fairly, and transparently.
This means that they must have a valid legal basis for processing personal data and inform individuals of how the data will be used.
“When collecting student data, institutions must obtain consent from the student or their parent or guardian and provide a clear explanation of why the data is being collected and how it will be used,” the consent note reads.
Under the purpose limitation principle, learning institutions are required to limit the collection and storage of personal data to only what is necessary for a specific purpose that has been communicated to the individual.
“For instance, when collecting student data, educational institutions should only collect information that is relevant to the educational purposes for which it is being collected,” it states.
This could include information such as academic records and attendance information.
“A school may collect personal data from students and parents during the admission process, and must clearly state that the information will be used for admission purposes only, such as to provide necessary services, to communicate with the students and their families, or to manage student records,” it adds.
Digital credit providers are required to collect only the necessary data and to refrain from collecting data not directly related to the digital borrower.
For instance, they cannot collect from clients’ phones the contacts of other people that form part of the clients’ contact lists.
“Such collection is unlawful and requires consent from the owners of the numbers,” reads the guideline.
Healthcare providers, for their part, are prohibited from sharing the personal data collected from medical consultations without the patient's consent.
The guidance states that such data should not be used for any other purpose, such as marketing or medical research, without the patient's explicit consent.