Privacy Compliance Assessment in Mauritius

September 26, 2015

Privacy is a subject that is poorly understood in Mauritius. I often see local websites collecting information through contact forms yet having no privacy policy or some times the policy is a mere “copy & paste” without considering compliance as per the Data Protection Act 2004 of Mauritius.

Privacy Compliance Assessment in MauritiusCompliance with the Data Protection Act can be a cumbersome process for many. Some might even ignore it as very few people ever question about privacy in Mauritius. Nonetheless, the law remains the law. To help in making privacy simpler to understand and comply with, several months ago, Nadim Bundhoo, Nirvan Pagooah, Ajay Ramjatan, S. Moonesamy and I collaborated on a project, which we called the “Privacy Compliance Assessment” webapp.

The Privacy Compliance Assessment web application can be accessed at http://www.elandsys.com/~sm/privacy-mu.

As per the Data Protection Act, a "data controller" is a person who either alone or jointly with any other person, makes a decision with regard to the purposes for which and in the manner in which any personal data are, or are to be, processed.

A data controller needs to make sure that procedures of collection, processing and storage of data as set are compliant with the Data Protection Act 2004 of Mauritius.

We're thankful to the Data Protection Commissioner, Mrs. Drudeisha Madhub and her team, who provided us the relevant information. The Data Protection Office helped us throughout the project with regular reviews and suggesting amendments.

The Data Protection Commissioner accepted our invitation to introduce the webapp and do a presentation during the Developers Conference 2015. The slides which the Commissioner used for her presentation are at http://dataprotection.govmu.org.

How does the webapp work?

The application runs on the client side, that is your web browser. The assessment takes you through a series of questions that can be answered with a Yes/No toggle button. At the end of the assessment, you’re told whether your organization is compliant with the Data Protection Act 2004. Information that you provide are not sent back to the server. You may run the assessment as many times as you require.

The web application is released under the GNU General Public License (GPL) version 2. You may use the app, modify it and redistribute it as allowed under GNU GPLv2.

We aim to present “privacy” in a simple way and make “privacy compliance” a bit of a fun thing to achieve :)

On 15 May 2014, I highlighted a major privacy breach on the mnic.mu website where personal data collected through Google Forms were exposed on the Internet.

On 1 June 2014, I reported a data leak on the Tourism Authority’s website that affected over 9,000 people.

On 7 July 2014, I presented security flaws on the government web portal that could lead to data leakage.

On 5 October 2014, I wrote about my concerns over the use of Face recognition CCTV cameras in urban areas of Mauritius.

On 3 October 2014, S. Moonesamy reported privacy concerns with konetou advertising.

On 21 September 2015, S. Moonesamy wrote to the Government Online Centre regarding the “privacy policy” of www.govmu.org.

On 23 September 2015, I wrote to the Ministry of Technology, Communication and Innovation, highlighting my concerns as to the collection of telephony log data through the “login captcha” on the government web portal.