You are here

  Protection of Personal Data: 'The Administration cannot and should not do everything with user data.
Protection of Personal Data: 'The Administration cannot and should not do everything with user data.
Dr Mouhamadou Lô

Legal advisor to the State IT Agency (ADIE)

Digital law lawyer, holder of a thesis on Electronic Administration and public law from the University of Paris I Sorbonne, Dr Mouhamadou LO is the drafter of the Senegalese law on the protection of personal data. He was the founding President of the Commission for the Protection of Personal Data of Senegal (CDP). Main coordinator of the implementation of draft laws and decrees on the information society in Senegal,

Dr LÔ is the current legal advisor to the State IT Agency (ADIE). He published in December 2017 with Baol Editions, the first book in Africa dedicated to the legislation of “personal data protection: regulation and regulation”.
In this interview, he discusses the regulatory aspects planned to protect data within the Administration.

What are we referring to when we talk about personal data?

Personal data means any information enabling the identification of a natural person. This concerns data linked to civil identity (name, parentage, address, marital status, date and place of birth, etc.), to numbers (national identity card, IP address, badge, telephone , vehicle, bank account, driving license, social security, real estate plot, etc.) or to biological elements (voice, image, size, fingerprint or palm print, DNA, retina, iris,
facial recognition, hand contours, etc.).
It should also be noted that machines produce data allowing a person to be identified, in particular the history of our presence on the Internet and the use of information collected from connected objects.
The concept of personal data varies and depends on technological developments.

We live in an increasingly digital world with digital use of personal data, what guarantees are in place to protect people against possible abuses?

Guarantees vary from one country to another. In Senegal, the existence of a law and an operational protection authority constitutes a “shield” against abuse. As you know, the right to protection is part of the right to respect for private life. It is a protective corpus for the benefit of natural persons.

Guaranteed information can only be a reality if regulations are strictly respected. This is why the Personal Data Commission (CDP) was established, responsible for protecting the citizen against the State, the consumer against the professional and finally, the employee against the actions of his employer.

The Senegalese Administration has also integrated information and communication technologies into its operations. Moreover, ADIE is deploying more and more solutions to modernize this Administration. What assurances can we give to users regarding the protection of their data?

ADIE is subject to the law on personal data like all public or private structures. It must declare to the CDP all files containing information on users.

To date, to my knowledge, the reporting formalities have been respected. As a guarantee, the Agency can communicate on the authorizations received in order to reassure all users.

What use could the State make of the data of Administration agents?
What does the law allow?

Be careful. The Administration cannot and must not do everything with user data. This remark is also valid for the private sector. To answer your question, I discuss three fundamental principles of data protection. The first is the principle of finality which prohibits any misuse of the purpose of the data collected on citizens.
To this end, any subsequent use must be compatible with the original purposes. The second principle relates to proportionality which requires collecting the minimum necessary data from a user.
It is not recommended to collect all categories of a person. Whatever the service offered.

Finally, the last is the security principle which requires (this is an obligation of means) the data controller to take all useful precautionary measures in terms of security with regard to the nature of the information processed. However, this principle deserves to be reinforced by the legislator, like what is happening in Ghana, for example by requiring data controllers to declare to the CDP security flaws observed on their information system. Compliance with these principles will help give users confidence and put an end to fear, fear and suspicion regarding data processing within the Senegalese administration.

December 10 2019

Subscribe to our newsletter