The Act is organized into ten distinct parts. It begins with preliminary matters, setting the stage by defining key terms such as "data controller," "data processor," "personal data," and "sensitive personal data." These definitions are crucial as they delineate the scope and applicability of the Act, ensuring that all stakeholders have a clear understanding of their responsibilities and the data subjects' rights.
The administration of the Act is designated to the Malawi Communications Regulatory Authority, identified as the Data Protection Authority. This body is endowed with broad functions and powers, from developing data protection guidelines to promoting public awareness and ensuring compliance through the ability to issue compliance orders.
One of the core elements of the Act is the set of principles governing data processing. These principles emphasize lawful, fair, and transparent processing, along with purpose limitation, ensuring that data is collected for explicit and legitimate purposes and not used in ways incompatible with those original purposes. Additionally, the principles of data minimization and accuracy dictate that only necessary data is collected and that it remains accurate and up-to-date.
The rights of data subjects are robustly protected under the Act. Individuals have the right to access their data, request corrections, and even demand the deletion of their data under certain circumstances. They can also restrict processing or object to the processing of their data, particularly in cases where the processing does not align with the data protection standards set out in the Act.
Duties of data controllers and processors are clearly outlined, focusing on compliance with the data protection principles and the secure handling of personal data. Data controllers are required to perform data protection impact assessments for processing activities that pose high risks to the rights and freedoms of individuals, emphasizing the Act's preventative approach.
Data security is another critical area addressed by the Act. It mandates that controllers and processors implement suitable technical and organizational measures to safeguard personal data. This includes obligations to notify the Data Protection Authority and affected individuals in the event of a data breach.
Cross-border data transfers are strictly regulated, prohibiting the transfer of personal data outside Malawi unless adequate protections are in place. This ensures that personal data is not subjected to jurisdictions with lax data protection standards.
Significant data controllers and processors must register with the Data Protection Authority, a measure aimed at ensuring that entities handling large volumes of data or sensitive information maintain high data protection standards.
Finally, the Act provides mechanisms for complaints and legal redress, allowing individuals to lodge complaints with the Data Protection Authority if they believe their data has been mishandled. It also outlines penalties for non-compliance, emphasizing the Act's enforceability.