Cross-border data sharing for research in Africa: An analysis of the data protection and research ethics requirements in 12 jurisdictions

Background In recent years, there has been a notable uptake in genomic and health-related research activities across the African continent. Similarly, there has been increased introduction of data protection legislation that affects the sharing of personal data such as health data and genomic data, including for research. Many of these statutes have stricter requirements when sharing personal data across borders. Consequently, the cross-border sharing of health data that includes genetic data requires careful navigation of the pertinent data protection legislation, in particular concerning the sharing of such data for research purposes. To help researchers navigate these legal frameworks, 12 African countries were analysed to develop country guides on cross-border data sharing. Results Of the 12 countries that were analysed, ten have data protection laws in place (Botswana, Ghana, Kenya, Malawi, Nigeria, Rwanda, South Africa, Tanzania, Uganda, and Zimbabwe), while two countries (Cameroon and The Gambia) do not. With the exception of Ghana, all countries with data protection statutes or bills had additional requirements to be met when sharing personal data across borders. Consent and adequacy are the most common grounds for justifying the sharing of personal data across borders. Conclusion Given the limitations of the current models of consent, consent is not a suitable basis to transfer large quantities of data for research. Adequacy is a common ground, but there are national differences in the implementation of this ground. Researchers must therefore analyse each national legal framework and make decisions on a case-by-case and country-by-country basis.


Background
In recent years, there has been a notable uptake in genomic and health-related research activities across Africa, driven in part by the collaborative efforts of national and international consortia such as Human Heredity and Health in Africa (H3Africa), Bridging Biobanking and Biomedical Research Across Europe and Africa (B3Africa), the Public Health Alliance for Genomic Epidemiology (PHA4GE), and the recently established Data Science for Health Discovery and Innovation in Africa (DS-I Africa).This research entails collecting, using and disseminating genomic and other health-related data, with a signi cant emphasis on cross-border data sharing.While the collaborative sharing of such data is indispensable for advancing scienti c knowledge, it also highlights a host of legal and ethical considerations that demand careful attention (1)(2)(3).Some of these ethico-legal issues relate to the ongoing debates about appropriate consent models for this research.While broad consent enables data to be shared for secondary research purposes more easily, it does not account for the individual preferences of research participants, which may evolve over time (4,5) and there are also concerns that broad consent may not be permitted under some national data protection legislation (6, 7).Static models of consent do not easily provide for these changing preferences.Accordingly, other models of consent such as dynamic consent, which uses information technology to enable participants to change and update their preferences, have been proposed as alternatives (8,9).There are increasing numbers of examples of the successful use and implementation of dynamic consent in highincome countries (HIC) but, to date, there are a paucity of examples in the African context (10,11).
Beyond consent-related issues, there are concerns that the data may be used to stigmatise or discriminate against individuals or their communities (12)(13)(14).The use and sharing of health data that includes genetic data must have processes in place to guard against and mitigate such risks.Concerns about the exportation of samples and data for that researchers have a comprehensive overview of the national requirements to be met when sharing health data that includes genetic data across borders.
For the national research ethics frameworks, the template required all applicable national laws, regulations and guidelines to be stated, followed by detail of all national requirements that must be met in cross-border data sharing.The template then focused on data protection-related issues.Although the purpose of the guides was to provide detailed guidance on the additional requirements for the cross-border sharing of data, the authors considered it important to contextualise this information and provided researchers with basic information on the data protection legislation generally.The template rst required details on whether the relevant country had signed or rati ed the African Union Convention on Cyber Security and Personal Data Protection (the Malabo Convention) that came into force in June 2023.Next, the template set out the details to be lled in as they relate to the application of the national data protection law, the de nition of different categories of data, a de nition and description of the key individuals, the principles to be met in the processing of personal data, the rights of the data subjects and, nally, the grounds under which personal data can be shared across borders.
Once the template was nalised, training on the use of the template was provided to the research assistants (RAs).The RAs then inputted the relevant data for the 12 countries.CS checked this work and sent back queries and points for clari cation.
This continued until all issues were addressed.The draft country guides were then sent to the country experts (LA, AA, AG, and PO) for review.Following this, CS reviewed these edits and sent back queries and points for clari cation.This continued until all issues had been addressed.Finally, AE reviewed the sections on the application of data protection legislation and made changes where necessary.
On completion of the country guides, CS compared each country guide under the following criteria: application of data protection law, descriptors of categories of data, descriptors of relevant individuals speci ed in the data protection law, requirements for the processing of personal data, rights of data subjects, grounds for the cross-border ow of data, and additional requirements from research ethics regulatory frameworks.

Results
Out of the 12 countries, two countries (Cameroon and The Gambia) have no data protection legislation in place and one country (Malawi) has a bill serving before parliament.The remaining nine countries have a data protection statute in force.
The bill in Malawi is included in the analysis, together with the nine countries with data protection statutes in force.As represented in Table 1, two countries (Ghana and Rwanda) have rati ed the Malabo Convention, while three other countries (Cameron, South Africa and The Gambia) have signed the Malabo Convention.
"anonymisation" means "the removal of personal identi ers from personal data so that the data subject is no longer identi able".The Act provides that data must be anonymised to ensure "the data subject is no longer identi able".
Unfortunately, Kenya's Data Protection Act and the Kenyan Data Protection General Regulations do not contain standards for non-identi ability.
In Rwanda the Law Relating to the Protection of Personal Data and Privacy, 2021 does refer to "de-identi ed" data and "pseudonymisation".Pseudonymisation is when information is removed from the data so it is not possible to identify an individual, and that information is kept separate through technical and organisational measures.Similar to the GDPR, it is clear that data that has been pseudonymised does fall under the Act."De-identi ed" data is mentioned in the Act, but is not de ned.Article 57 provides that it is an offence to knowingly, recklessly or intentionally re-identify data that has been deidenti ed.It appears from this context that de-identi cation is a reversible technique.
Tanzania's Data Protection Act does not refer to anonymised or pseudonymised data but the Personal Data Protection (Personal Data Collection and Processing) Regulations, 2023, refer to both anonymisation and pseudonymisation, but they are not de ned.From the context in which it is used, anonymisation is a tool that may be employed by data controllers or data processors to minimise their use or retention of data in an identi able form where it is not necessary to do so.This aligns with the principles of proportionality, necessity, retention, and storage of personal data.The data controller or data processor must ensure that there is "no possibility of re-identi cation of anonymous personal data" and that this is properly tested (emphasis added, regulation 30 (d)).The inclusion of the phrase "no possibility" and the requirement for this to be tested suggests that for data to be considered anonymised, the anonymisation must be proved through testing to be effective and absolute.Although not de ned, pseudonymisation is referred to as a safety measure that involves "storing identi cation keys separately" (Regulation 28(d)).
In Nigeria, the Data Protection Act applies to personal data but does refer to de-identi cation and pseudonymisation.Data that has been pseudonymised does fall under the NDPA.Although "de-identi cation" is mentioned in the Act, it is not de ned.From its context in section 39, de-identi cation is one of the technical and organisational measures a data controller may use to ensure the security, integrity and con dentiality of the personal data under its control, in order to guard against misuse, or unauthorised disclosure or access, among others.
The Data Protection Bill in Malawi refers to "de-identi cation" and "pseudonymisation".Data that has been pseudonymised remains in the ambit of the Data Protection Bill.Although "de-identi cation" is mentioned in the Bill, it is not de ned.From its context in section 31(2), de-identi cation is one of the technical and organisational measures a data controller may use to ensure the security, integrity and con dentiality of the personal data in its control, in order to guard against misuse, or unauthorised disclosure or access, among others.In the absence of speci c guidance and clarity in the alternative on this point, it would seem that data that has been de-identi ed falls squarely within the ambit of the Bill.

De ning personal data and sensitive data
Table 2 lists the de nitions for personal data and sensitive personal data.Personal data is typically data about a particular person that can identify them.In South Africa, this is referred to as "personal information".Sensitive personal data pertains to information that is particularly sensitive in respect of an individual, such as health or genetic data.This category of data receives special protection under data protection legislation and bills.In South Africa, it is called "special personal information".
In Zimbabwe, there is an additional category of data covered in its Data Protection Act, which is referred to as "data".This is de ned as "any representation of facts, concepts, information, whether in text, audio, video, images, machine-readable code or instructions, in a form suitable for communications, interpretation or processing in a computer device, computer system, database, electronic communications network or related devices and includes a computer programme and tra c data".This category of data does not appear in any other data protection act.

Key role-players in data protection legislation
All the acts and the bill allocate rights and duties to roughly the same set of key role-players.These role-players are typically referred to as a 'data subject', a 'data processor', a 'data controller', and a 'data protection o cer'.Table 3 provides the exact de nition in each country.Typically, a data subject is the person to whom the personal data relates.A data controller is generally the person who decides what the data will be used for.In the research context, this will be the person deciding on the purpose of the research and how it will be achieved.Legal responsibility generally falls on the principle investigator and the institution as the employer.(20) The nomenclature adopted in South Africa is quite different, although the meaning and roles remain roughly equivalent.In POPIA, the data controller is known as the 'responsible party'.A data processor is not directly employed by the data controller but is processing the personal data under the direction of the data controller.In the research context, this may be a consultant.In South Africa, a data processor is known as an operator.A data protection o cer (DPO) is a person in an organisation who is appointed to advise and promote compliance with the law.In South Africa, this person is known as an Information O cer, and in Botswana the person is called a Data Protection Representative.A DPO is not de ned in Nigeria, Malawi or Rwanda, whereas a DPO is not de ned but provided for in Kenya and Uganda.(Law relating to the protection of personal data and privacy Article 3) A person designated by the data controller or the data processor or associations and other bodies representing categories of data controllers or data processors in accordance with the provisions of the law.This o cer is designated on the basis of professional qualities, expert knowledge of personal data protection, practices, and the ability to ful l the tasks assigned to him or her.The Personal Data Protection O cer may be a permanent staff member of the data controller or the data processor, or a person who ful ls the tasks on the basis of a service contract.The o cer's role includes due regard to the risk associated with personal data processing operations, considering the nature, scope, context and purpose of processing.
( All countries with data protection acts or a bill, set out the requirements for the lawful processing of data.As can be seen from Table 4, there are variations on the exact requirements but, typically, they require a lawful basis for the processing of personal data, follow the principles of data minimisation, purpose limitation and storage limitations, have requirements on the accuracy of the data and/or data quality, security safeguards, and provide data subjects with rights.

Country
Conditions for the lawful processing of personal data Botswana Lawfulness and fairness (section 14(a)) Adequacy (section 14(b)) Accuracy and completeness (section 14(c)) Purpose limitation (section 14(d)) Security (section 14(f)) Completeness and correction (section 14(g)) Storage limitation (section 14(h)) Good practice (section 14(i)) Processing limitation (sections 14(e) and 15) Kenya Processed in accordance with the right to privacy of the data subject (section 25(a)) Processed lawfully, fairly and in a transparent manner in relation to any data subject (section 25(b)) Collected for explicit, speci ed and legitimate purposes and not further processed in a manner incompatible with those purposes (section 25(c)) Adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed (section 25(d)) Accurate and, where necessary, kept up to date, with every reasonable step being taken to ensure that any inaccurate personal data is erased or recti ed without delay (section 25(f)) Kept in a form which identi es the data subjects for no longer than is necessary for the purposes which it was collected (section 25(g)) Not transferred outside Kenya, unless there is proof of adequate data protection safeguards or consent from the data subject (section 25(h)) Malawi* Lawfulness of data processing (section 18) Accountability (section 24)

Rights of data subjects
All countries with data protection acts or a bill provide certain rights for data subjects.As illustrated in Table 5, there are variations in the exact rights that are provided for.All countries provide a right to access and a right to information.In Uganda, the right to information is not explicitly provided for, but the data subject must still be provided with certain information.All countries, with the exception of Botswana and Kenya, provide for rights in relation to automated decisionmaking and pro ling.All countries except for Botswana provide for a right to either object to or to prevent processing.Some countries provide for certain exceptions to these rights for research.The right to information and the right to access can be derogated from in Botswana if the processing is for research.In Rwanda, an exception is provided for the right to erasure of personal data where the processing is for scienti c research.In Zimbabwe and South Africa, the right to information can be exempted from if the personal data has not been collected directly from the data subject and the processing is for research purposes.
There are no exceptions to data subject rights for research in Ghana Uganda, Tanzania, and Kenya.For all other countries, there must be a basis on which to transfer personal data across borders.These conditions must be met in addition to the general requirements set out in the respective legislation, including a lawful basis for processing personal data and processing special personal data.The grounds for transfer can be broadly grouped into (1) adequacy and (2) grounds other than adequacy.We now consider each of these in turn.

Adequacy
Each country provides for transfer based on some form of adequate level of protection (hereinafter referred to as adequacy) in the country to which the data controller is sharing the data.There are considerable differences in how adequacy is determined in each country.
In Tanzania, a transfer of personal data to another country may occur where the country has a legal framework that provides for adequate data protection and if one of the following has been established: (i) the recipient establishes that the personal data is necessary for the performance of a task carried out in the public interest or for a purpose related to the lawful functions of a data controller (Article 31(2)(a)) or, (ii) the recipient establishes the necessity of having the data transferred and there is no reason to assume that the data subject's legitimate interests might be prejudiced by the transfer or the processing in the recipient country (Article 31(2)(b)).Decisions as to the necessity of the transfer must rst be made by the data controller and this must be veri ed by the recipient.The data controller also must ensure that the recipient processes the personal data for the purposes for which it was transferred.
Where a country does not have a relevant legal framework that provides for an adequate level of protection, the Tanzanian legislation provides that a cross-border transfer of data can still take place if an adequate level of protection is ensured in the country of the recipient and the personal data is transferred solely to permit processing authorised by the controller.An assessment of adequacy is made taking into consideration the following: (i) all the circumstances of the relevant personal data transfer; (ii) the nature of the personal data; (iii) the purpose and duration of the proposed processing; (iv) the recipient's country; (v) the relevant laws in force in the third country; and (vi) professional rules and security measures are complied with in that recipient's country.
In Botswana, section 48(1) of the Data Protection Act prohibits the transfer of personal data from Botswana to another country unless the country is listed in the Gazette by the Minister publishing it in an Order (section 48(2)).The cross-border ow of personal data can take place to any country listed without the need for further safeguards.For countries not on the list, the cross-border ow of personal data can only take place if the third country to which the data is transferred provides an adequate level of protection (section 49 (1)).This assessment is carried out by the Commissioner, who will determine whether the third country to which the data is being transferred has an adequate level of protection (section 49 (2)).This assessment depends on the circumstances of each case, with particular consideration being given to: (i) the nature of the data (section 49(2)(a)); (ii) the purpose and duration of the proposed processing operation (i.e., the research) (section 49(2) (b)); (iii) the country of origin and country of nal destination (section 49(2)(c) of the Data Protection Act); (iv) the rule of law, both general and sectoral, in force in the third country (section 49(2)(d) of the Data Protection Act); (v) the professional rules and security safeguards which are complied with in that country (section 49(2)(e) of the Data Protection Act).
In Zimbabwe, adequacy is assessed having considered all the circumstances of a data transfer operation.It provides that particular consideration be given to the nature of the data, the purpose and duration of the proposed processing operation, the recipient country, the laws relating to data protection in force in the country, and the professional rules and security measures which are complied with in that country (section 28(2)).
In Nigeria, a transfer based on adequacy can occur when the recipient of the personal data is subject to a law, binding corporate rules (BCR), contractual clauses, code of conduct or certi cation mechanism that affords an adequate level of protection to personal data in accordance with the Act (section 41 (1).Having selected a mechanism to transfer, the data controller must then assess whether the level of protection afforded by the recipient country is "adequate" for the purposes of this Act (section 41(2)).In considering whether the level of protection is adequate, the data controller or data processor can take into account: (i) the availability of the data subject's enforceable rights and ability to enforce such rights through administrative and judicial redress; (ii) the availability of any appropriate instrument in place between the Commission and a competent authority in the recipient jurisdiction that guarantees 'adequate' data protection; (iii) the access of public authority to personal data; (iv) the existence of an effective data protection law; (v) the existence of an independent and competent data protection or similar supervisory authority; (vi) the relevant country being bound by international commitments or conventions and by its membership of any multilateral or regional organisations (section 42(2)).Regarding determining the adequacy of the law in the recipient country, the list developed by NITDA in the NDPR Implementation Framework is applicable.In addition, Nigeria deems any country that has rati ed the Malabo Convention as adequate.
Under Malawi's Data Protection Bill, the assessment is similar to Nigeria's.The Bill provides that the recipient of the personal data can be subject to a law, BCR, contractual clauses, code of conduct or certi cation mechanism that affords an adequate level of protection with respect to the personal data (section 34( 1)).A level of protection is adequate if it upholds principles that are substantially similar to the conditions for processing personal data provided for in the Data Protection Bill (section 35(1)).In considering whether the protection is adequate, there must be consideration of the following: (i) the availability of data subject rights, the ability of data subjects to enforce their rights, and the rule of law (section 35(2)(a)); (ii) any legally binding instrument between the Authority and a public authority in the recipient country addressing elements of adequate protection (section 35(2)(b)); (iii) access of a public authority to personal data (section 35(2)(c)); (iv) the existence of an effective data protection law (section 35(2)(d)); (v) the existence and functioning of an independent data protection supervisory authority (section 35(2)(e)); and (vi) international conventions that are binding on the country and membership of any multilateral or regional organisations (section 35(2)(f)).
The Bill further provides that the Authority may give notice in the Gazette of any country, region or speci ed sector in a country or standard contractual clauses that it has determined (and also not determined) as affording or as not affording an adequate level of protection (section 35(3)).The Authority may approve BCR, codes of conduct, or certi cation mechanisms proposed by a data controller where the Authority determines that they have adequate protection (section 35(4)).The Authority can make a decision based on a decision made by other data protection authorities where their decisions consider the same factors as required by the Data Protection Bill (section 35(6)).
South Africa, Uganda and Rwanda all provide for transfer based on adequacy but have less detailed provisions.In South Africa, POPIA states that there must be an adequate level of protection in the form of a law, BCR or a binding agreement.In Uganda, the legislation states that the country where the data is processed or stored must have adequate measures in place for the protection of personal data, at least equivalent to the protection provided for by the Act.Rwanda requires a data controller or processor to obtain authorisation from the supervisory authority after providing proof that the outside country has appropriate provisions (Article 48(1)).
In Kenya, there are eight legal bases on which a transfer can occur, including adequacy.However, the transfer of sensitive personal data is permissible only if the data subject has consented to the transfer and there are appropriate safeguards (section 49(1)).If sensitive personal data can be shared on this ground, the Data Commissioner may request a demonstration of the effectiveness of the security safeguards or the existence of compelling legitimate interests (section 49(2)).To protect the rights and fundamental freedoms of data subjects, the Data Commissioner may prohibit, suspend or subject the transfers to such conditions as may be determined (section 49(3)).

Grounds other than adequacy
Some countries have additional requirements and provisions for the cross-border sharing of data.Zimbabwe provides that the Authority can lay down categories of processing operations and the circumstances in which data transfer to countries outside Zimbabwe is authorised (section 28(3) of the Data Protection Act).In Rwanda, if a data controller or data processor authorises a person to access personal data and share or transfer the data to a third party outside Rwanda, they must enter into a written contract with such a person.This contract must set out the respective roles and responsibilities of each party to ensure compliance with the law (Article 49).The Supervisory Authority may, by a regulation, determine the form of the contract to be used for transfers of personal data outside Rwanda (Article 49).The Supervisory Authority may require the data controller or the data processor to demonstrate their compliance with the provisions of this Article and, in particular, with personal data security safeguards and interests as speci ed in Article 48(3)(f).In addition, the Supervisory Authority may prohibit or suspend the transfer of personal data outside Rwanda in order to protect the personal rights and freedoms of the data subject (Article 49).Furthermore, the storage of personal data outside Rwanda is permitted only if the data controller or the data processor holds a valid registration certi cate authorising them to store personal data outside Rwanda, and which is issued by the Supervisory Authority (Article 50).
Tanzania requires that in addition to a legal basis for cross-border data sharing, section 20 of the Personal Data Protection (Personal Data Collection and Processing) Regulations, 2023, provides that a data controller or data processor who intends to transfer personal data outside the country apply for a permit using Form No. 7 set out in the First Schedule to the Regulations.The application must include the following information: particulars of the applicant; particulars of the recipient; particulars of the data subject; the type of personal data to be transferred; the purpose and necessity of transferring personal data; details of the security of personal data in the country of the recipient; consent of the data subject; date and time of sending personal data; and any other information as may be required by the Commission.In addition, at the time of application, proof must be submitted that the country receiving the personal data has rati ed an international agreement that specify details on the protection of personal data; there is an agreement between the Republic and the country receiving the personal data regarding the protection of personal data, or there is a contractual agreement between the person requesting the personal data and the recipient of the personal data who is outside the country.The Commission must consider an application within 14 days, after which time it can reject or approve a permit.An application may be rejected for the following reasons: (i) the transfer of personal data endangers national security; (ii) the Commission is satis ed that there is inadequate protection of personal data in the country of the recipient; (iii) other written laws restrict the transfer of personal data; (iv) the application for the permit to transfer personal data does not meet the requirements of Regulation 20; and (v) other reasonable grounds which the Commission may deem necessary for the public interest.Finally, the permit is issued subject to the following conditions: (i) the personal data must be transferred to the recipient authorised in the permit; (ii) the personal data transferred must be processed for the intended purpose only; (iii) the personal data must not be disclosed or transferred to another recipient without the approval of the Commission; and (iv) the processing of personal data outside the country must not violate the laws of the country.

Additional requirements from ethics frameworks
In addition to the requirements as set out in the applicable data protection legislation, additional requirements are set out in national research ethics legislation and/or guidance for the cross-border sharing of data for research.This is in addition to the general research ethics requirements, such as informed consent, research ethics committee oversight, and other requirements.Table 7 sets out the relevant national research ethics legislation and guidance in each country.Table 8 sets out the additional requirements imposed by national research ethics requirements for cross-border data sharing for research.
Six countries (Botswana, Ghana, Kenya, Nigeria, Rwanda, and The Gambia) have no extra requirements outside of the general research ethics requirements that apply to the cross-border sharing of data for research.The remaining six countries have differing requirements that include a material transfer agreement (MTA), designation of a local PI, through to some other o cial approval being required.South Africa requires a human research ethics o ce (NHREC) to approve and sign an MTA.Data is allowed to be shared outside of Malawi only if (1) there is a justi able reason to do so, (2) if the National Health Sciences Research Committee (NHSRC) has reviewed and approved the study, (3) if the NHSRC has reviewed and approved the MTA, (4) if the genetic material and information is provided in a form that ensures that participants cannot be identi ed, and (5) if the research group ensures that privacy and con dentiality are not compromised in holding the material and information.Tanzania requires approval from the National Institute for Medical Research (NIMR) for all research that involves foreign researchers or collaborators, and it is an offence to send samples for human DNA analysis abroad without the permission of the O ce of the Regulator of Human DNA Services.The transfer of genetic data outside of Cameron can take place only if the data subject has given his or her free, informed and written consent, the body in charge of ethics establishes that the research cannot be conducted in Cameroon, and a national investigator is involved in the research project in question.For other health data, the transfer can occur outside of Cameron only if the data subject consents, if there is a written data-sharing agreement, and if a national investigator is involved in the research project in question.Uganda requires a REC to approve any cross-border data sharing, the researcher must be a local PI, and an MTA must be signed.Finally, international collaborative research can occur in Kenya only if a Kenyan PI is involved.

Table 2
an identi ed or identi able natural person who can be identi ed, directly or indirectly, in particular by reference to an identi er such as a name, an identi cation number, location data, an online identi er or to one or more factors speci c to the physical, psychological, genetic, mental, economic, cultural or social identity of that natural person., natural person, and where it is applicable, an identi able, existing juristic person, including, but not limited to -(a) information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the person; (b) information relating to the education or the medical, nancial, criminal or employment history of the person; (c) any identifying number, symbol, e-mail address, physical address, telephone number, location information, online identi er or other particular assignment to the person; (d) the biometric information of the person; (e) the personal opinions, views or preferences of the person; (f) correspondence sent by the person that is implicitly or explicitly of a private or con dential nature or further correspondence that would reveal the contents of the original correspondence; (g) the views or opinions of another individual about the person; and (h) the name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person (Protection of Personal Information Act No. 4 of 2013 s1) TanzaniaMeans data about an identi able person that is recorded in any form, including -(a) personal data relating to the race, national or ethnic origin, religion, age or marital status of the individual; (b) personal data relating to the education, the medical, criminal or employment history; (c) any identifying number, symbol or other particular assigned to the individual; (d) the address, ngerprints or blood type of the individual; (e) the name of the individual appearing on personal data of another person relating to the individual or where the disclosure of the name itself would reveal personal data about the individual; (f) correspondence sent to a data controller by the data subject that is explicitly or implicitly of

Table 3
Key role-players in the data protection legislation