Reviewing the Data Protection Act in Zimbabwe Part 1

FUNGAI CHIMWAMUROMBE & SIMBARASHE MUKWEKWEZEKE

 

Many people woke up to news that the Data Protection Act [Chapter 10:11] had been gazetted on the 3rd of December 2021 and had come into effect on the same day.

This piece of legislation comes on the back of the digitisation of data and the need to protect data in a fast-changing business environment where client information has become gold.

The Data Protection Act deals with how data is collected, stored and transmitted. Section 4 of the Act makes it applicable to all persons who deal with data relating to persons within Zimbabwe, including foreign entities operating in Zimbabwe, which shall be expected to appoint a local representative for purposes of the administration of the Act.

Section 3 of the Act defines “data” to mean “any representation of facts, concepts, information, whether in text, audio, video, images, machine-readable code or instructions, in a form suitable for communications, interpretation or processing in a computer device, computer system, database, electronic communications network or related devices and includes a computer programme and traffic data”.

From this definition it is clear that the Act not only covers the personal information of persons held by data controllers but also seeks to curb what would be termed irresponsible use of the internet.

It does so through the amendment of the Criminal Law (Codification and Reform) Act [Chapter 9:23], creating crimes related to the unlawful collection, use and disclosure/leaking of data, including the unlawful interception of data by any person. The amendment to our criminal law also makes the following unlawful:

 

  1. Transmission of a data message inciting violence or damage to property
  2. Sending a threatening data message
  3. Cyber-bullying and harassment
  4. Transmission of a false data message intending to cause harm
  5. Transmission of intimate images without consent
  6. Spam (sending unsolicited messages to persons without their consent)
  7. Production and dissemination of racist and xenophobic material

 

The Postal and Telecommunications Regulatory Authority, commonly known as Potraz, is the designated Data Protection Authority, responsible for the data protection levels set by the Act and the penalties thereon.

There is also a duty to report all data breaches to the Authority by all data controllers and also those whose data was compromised, which is touted as a new level of disclosure.

Undoubtedly, corporates will be required to align their storage of client data with the standards set by the Data Protection Act, failing which they will face hefty fines, especially around the criminal laws against spam and the storage of data.

Under section 10 of the Act, data controllers will only be allowed to process non-sensitive data under the following conditions:

 

(a) being material as evidence in proving an offence; or
(b) compliance with an obligation to which the controller is subject by or by virtue of a law; or
(c) protecting the vital interests of the data subject; or
(d) performing a task carried out in the public interest, or in the exercise of the official authority vested in the controller, or in a third party to whom the data is disclosed; or
(e) promoting the legitimate interests of the controller or a third party to whom the data is disclosed, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject claiming protection under the Act.

The Data Protection Act defines sensitive data to be information or any opinion about an individual which reveals or contains the following:

 

(i) racial or ethnic origin;
(ii) political opinions;
(iii) membership of a political association;
(iv) religious beliefs or affiliations;
(v) philosophical beliefs;
(vi) membership of a professional or trade association;
(vii) membership of a trade union;
(viii) sex life;
(ix) criminal, educational, financial or employment history;
(x) gender, age, marital status or family status;
(xi) health information about an individual; genetic information about an individual; or
(xii) any information which may be considered as presenting a major risk to the rights of the data subject.

All data controllers are advised to acquaint themselves with the Data Protection Act to avoid infringements of the law. A two-part series will follow this article to break down the rules as they relate to data collection and storage respectively.

 

Fungai Chimwamurombe is a registered legal practitioner and Senior Partner at Chimwamurombe Legal Practice and can be contacted for feedback at fungai@zenaslegalpractice.com and WhatsApp 0772 997 889. Simba Mukwekwezeke is a senior associate, email: simbarashe@zenaslegalpractice.com.

 
