The Postal and Telecommunication Regulatory Authority of Zimbabwe (POTRAZ) has begun enforcing the implementation of the recently promulgated Data Protection Act.
The law aims to increase data protection to build confidence and trust in the secure use of information and communication technologies by data controllers, their representatives and data subjects.
The Act also ensures that data controllers do not take information that they would have been given by individuals for an express purpose and pass it on to third parties or misuse it.
“Further take note that any entity or body established in its own right including, a sole trader business, company, charity, club, association that processes personal data for any living individual including customers, potential clients or member of the public and club or association member (in the case of voluntary organisations ) is a data controller,” POTRAZ director general, Gift Machengete, said.
He added: “All data controllers and processors must comply and demonstrate when called upon to do so, compliance with all requirements of the Data Protection Act and any existing data protection legislation including that relating to employment, anti-money laundering, record keeping of data subjects rights and record keeping of processing activities irrespective of whether the controller or processor is operating physically or online.”
Machengete said the controllers and processors will be required to notify the data protection authority that they hold or process more than thirty individuals and indicate the reason for possessing this data.
They will also need to appoint a data protection officer with an ‘A’ level qualification or higher along with the officer’s contact information.
He said they should also provide full details of their data controllers including legal persona status, physical address and proof of residence in the form of telephone, rates or electricity bill.
Although it seems to be in the best interest of individuals, the Media Institute of Southern Africa (MISA) has criticised the Act.
MISA said the placement of POTRAZ as the Data Protection Authority was misguided.
“In enforcing the Act, it is hoped that this data will receive the levels of protection that it should. The Act is also establishing the POTRAZ as the Data Protection Authority. From stakeholder submissions and public hearings, the appointment of POTRAZ was criticised on the basis that it would create a super administrative authority as POTRAZ is also the telecommunications sector regulator.
While it is important that the Authority should shed light on any contentious or vague issues relating to data protection and privacy, it is hoped that this function will not be abused by some stakeholders qualifying as ‘any person with legitimate interest,” MISA said.