By Letsatsi Lekhooa |

In today’s interconnected world, data has become an important asset. It is now a powerful driver of social and economic development, a tool for improving governance, and an enabler of innovation across sectors. From digital payments and e-health services to e-government platforms, data is at the centre of everyday life. Yet, with this transformation comes a pressing responsibility to ensure the protection of rights, including the data protection of citizens. Lesotho was among the early African countries to recognise this responsibility. In 2011, the country enacted the Data Protection Act, a law that established privacy as a legal right and imposed obligations on organisations that collect and process personal data. The Act also mandated the creation of a Data Protection Commission (DPC) to oversee and enforce data compliance. This was a bold and progressive move at the time, placing Lesotho ahead of many of its regional peers.

However, almost fifteen years later, the Commission has not been established. The absence of this critical institution means that the law is not being implemented in practice. Citizens have legal rights on paper, but no independent body exists to enforce them or to hold organisations accountable.

This gap has left individuals exposed to potential data misuse and has weakened public trust in digital services. At the same time, Lesotho is embarking on ambitious digital reforms. The government is investing in Digital Public Infrastructure (DPI), while civil society, academia, and development partners are working to strengthen national data governance capacity. These developments highlight both the challenges and the opportunities that lie ahead. The choices made today will determine whether Lesotho can build a digital future that is inclusive, trusted, and rights-based.

The Current Landscape of Data Protection

The Data Protection Act 2011 remains the cornerstone of Lesotho’s data protection framework. The Act defines the obligations of data controllers and processors, recognises individual rights such as access and correction of personal data, and envisions an independent Data Protection Commission with oversight powers. However, in the absence of the Commission, the framework remains incomplete.

For several years, ministries debated whether the Act should be amended before implementation, frequently citing financial constraints as a limiting factor. At the same time, responsibility for digital policy and data governance remains fragmented across multiple government institutions and private sectors, resulting in duplication of efforts and delays in advancing effective data protection implementation.

Meanwhile, institutions such as banks, telecom operators, and universities have developed their own internal policies to manage data. While these efforts are important, they are siloed and inconsistent. Without national authority to provide oversight, citizens have little assurance that their rights are being protected.

Civil society has been vocal about these shortcomings. The National University of Lesotho Legal Clinic, through Advocate Rasetla Mofoka, has emphasised that Basotho currently lack an independent body to which they can report breaches or violations of their privacy. Instead, citizens are forced to rely on the goodwill of institutions themselves. This situation underscores the urgent need for a regulator that can enforce compliance, investigate complaints, and ensure accountability.

While Lesotho delays the necessary actions towards data protection, digital advancements that threaten cybersecurity continue to affect it. The protection of personal information law of one of its peers, the Republic of South Africa, defines ‘personal information’ and ‘data subject’ to encompass legal persons and other identifiable social groups. The definition raises serious concerns amid the data protection risks posed by the introduction of Artificial Intelligence, which impacts the personal data and private rights of legal persons and other identifiable social groups.  The sincere pursuit of interoperability demands that Lesotho and other peers consider the position taken by the RSA and take a stance.    

A Renewed Push for Data Governance

Although implementation has been slow, recent developments suggest a renewed focus on data governance at the highest levels of government. Early August 2025, the Ministry of Information, Communications, Science, Technology, and Innovation (MICSTI) convened the Lesotho Data Governance Capacity Building and Stakeholder Engagement Workshop. The event brought together policymakers, regulators, private sector players, academics, and civil society to explore the role of data as a driver of development. This capacity building was spearheaded and facilitated by CIPESA.

Closing the workshop, Permanent Secretary Kanono Leronti Ramashamole, speaking on behalf of the Minister Hon. Nthati Moorosi, captured the significance of the moment: “Data is no longer merely a byproduct of administration. It is a strategic national asset, a cornerstone of governance, digital service delivery, innovation, and trade. Responsible data governance is not just a technical necessity; it is a governance imperative”. This statement reflects a major shift: data is now being positioned not only as an ICT issue but as a national development priority.

One month later, in August 2025, MICSTI hosted another milestone event: a multi-stakeholder workshop on Digital Public Infrastructure (DPI), supported by UNDP Lesotho. The workshop aimed to validate Lesotho’s DPI Framework Concept Note, which sets out plans for:

• Digital identity for all Basotho through biometric authentication.
• Secure data exchange to protect citizens’ information and enable interoperability between systems.
• Digital payments for government-to-person transfers, person-to-government transactions, and cross-border trade.
• Cybersecurity and digital trust to safeguard online services and ensure resilience.

Stakeholders from across government, the financial sector, telecom operators, academia, and civil society contributed to the discussions. The framework will guide Lesotho’s digital transformation over the next three to five years and is closely linked to continental initiatives like the AU Digital Transformation Strategy and global priorities such as the UN Global Digital Compact.

These initiatives show that Lesotho is not standing still. The recognition of data as a strategic resource is growing, and the momentum for reform is being built. The challenge is to ensure that these efforts are matched by the institutional reforms needed to enforce rights and build trust.

Persistent Challenges

Despite this renewed momentum, the challenges facing Lesotho remain substantial. The Data Protection Act of 2011 cannot be effectively enforced in the absence of an operational Data Protection Commission, leaving citizens’ rights largely unprotected in practice. Institutional responsibilities for data protection and data governance are dispersed across multiple ministries and agencies, resulting in duplication, fragmented accountability, and slow progress.

While funding constraints are frequently cited as the primary cause of delays, many observers argue that the underlying issue is political prioritisation rather than the absolute availability of resources. Years of workshops, consultations, and strategy discussions have yielded limited tangible outcomes, contributing to growing frustration among civil society actors and development partners.

In the absence of a central oversight body, public and private organisations continue to rely on internal policies, leading to inconsistent standards and weak, uneven protection for citizens. In addition, there may be a need to revisit and clarify key definitions within the Data Protection Act, particularly the concepts of “personal information” and “data subject,” to ensure adequate protection for legal persons and identifiable social groups whose data may also be vulnerable to misuse.

Opportunities to Build On

Lesotho’s current challenges can be turned into opportunities if decisive action is taken.

Establishing the Data Protection Authority: The most urgent step is to operationalise the Authority mandated by the 2011 Act. This would establish an independent body to enforce compliance, investigate breaches, and provide citizens with a trusted avenue to report violations. Once in place and functional, the Data Protection Commission will identify shortcomings in the Act that may necessitate review, including any hindrances to interoperability.

Aligning with the African Union, Lesotho has signed but has yet to ratify the AU Malabo Convention on Cybersecurity and Personal Data Protection. Ratifying and implementing the Convention would align the country with continental standards, promote harmonisation of laws, and strengthen its role in cross-border digital trade under the African Continental Free Trade Area (AfCFTA).

Harnessing Digital Public Infrastructure: The DPI framework offers an unprecedented opportunity to modernise governance and service delivery. But without strong data protection, DPI systems risk eroding trust. Establishing a Data Protection Authority is critical to ensuring DPI is built on transparency, accountability, and citizen rights.

Empowering citizens and civil society: Civil society organisations (CSOs) can play a vital role by advocating for reforms, raising awareness, and educating citizens about their rights. Citizens themselves can begin exercising their rights under the 2011 Act by demanding transparency and accountability from institutions.

Expanding academic and professional expertise: Universities such as Botho University and the National University of Lesotho are producing graduates in data science and statistics. At the same time, lawyers are pursuing specialisations in digital law and cybersecurity. This growing pool of expertise can directly support the establishment of a functional regulatory authority and strengthen national capacity.

Steps Already Taken by the State

It is important to acknowledge progress while remaining clear about what remains to be done. The Data Protection Act of 2011 continues to provide a strong legal foundation for the protection of personal data. The Data Governance Workshop held from 28 to 31 July 2025 reaffirmed the strategic value of data for national planning, service delivery, and accountability. Similarly, the Data Protection Impact Assessment Workshop conducted in August 2025 produced a practical roadmap for building inclusive and rights-respecting digital systems. Together, these steps demonstrate clear political recognition of the importance of data governance and protection. What is now required is sustained implementation, stronger institutional coordination, and effective enforcement to ensure that these commitments translate into tangible and lasting outcomes.

Conclusion

Lesotho’s journey in data protection and governance is one of early ambition, stalled implementation, and renewed opportunity. The legal framework exists, but without a Data Protection Commission, it remains incomplete. Citizens have rights in theory, but no mechanism to enforce them in practice. At the same time, the country is making bold moves through DPI and capacity-building initiatives. Universities, lawyers, and civil society are engaged. Development partners are supportive. The momentum is there – but action is urgently required. If Lesotho operationalises its Data Protection Commission, ratifies the AU Malabo Convention, and leverages the growing expertise within its institutions, it can build a trusted data governance ecosystem. This will not only protect citizens’ rights but also enable the country to fully participate in Africa’s digital economy.

Call to Action

The path forward is clear and requires coordinated action across all sectors. Government leaders must establish and adequately resource the Data Protection Commission without further delay to ensure that the existing legal framework is effectively implemented. Civil society organisations and NGOs should sustain advocacy efforts, empower citizens with knowledge, and hold public and private institutions accountable for their data protection obligations. Universities and legal professionals have a critical role in building national expertise through research, training, and professional practice that supports ongoing reforms. Development partners should complement these efforts by providing targeted technical and financial support for institutional strengthening and capacity development. At the same time, citizens must demand transparency, actively use their voices, and assert their digital rights in everyday interactions with digital systems.

As Lesotho continues to develop digital identity systems, payment platforms, and data exchange frameworks, the need for robust and enforceable data protection has never been greater. A functioning Data Protection Commission is not only a legal requirement but also the foundation for public trust, social inclusion, and sustainable innovation in the digital era.

Ensuring that no Mosotho is left behind, and no Mosotho’s rights are left unprotected, is not only a governance responsibility but a national imperative.