Introduction and definition of personal data
This is an overview of the laws in Zimbabwe that govern the protection of personal data. Personal information (data) is defined as recorded information about an identifiable person, which includes:
• The person’s name, address or telephone number
• The person’s race, national or ethnic origin, religious or political beliefs or associations
• The person’s age, sex, sexual orientation, marital status or family status
• An identifying number, symbol or other particulars assigned to that person
• Fingerprints, blood type or inheritable characteristics
• Information about a person’s healthcare history, including a physical or mental disability
• Information about educational, financial, criminal or employment history
• A third party’s opinions about the individual
• The individual’s personal views or opinions (except if they are about someone else)
• Personal correspondence with home or family
What is the main legislation that regulates data privacy and security?
At present there is no single piece of legislation that governs data privacy and security. The following legislation, together with any industry-specific requirements, is used with respect to data privacy and security:
- Access to Information and Protection of Privacy Act (Chapter 10:27)
- Census and Statistics Act (Chapter 10:29)
- Consumer Protection Act (Chapter 14:14)
- Courts and Adjudicating Authorities (Publicity Restrictions) Act (Chapter 07:04)
- Interception of Communication Act (Chapter 11:20)
- National Registration Act (Chapter 10:17)
In August 2016, the Cabinet of Zimbabwe approved the Revised National Policy for Information Communication Technology (“ICT Policy”). According to the policy, the establishment of an institutional framework for enacting legislation dealing specifically with digital data protection matters and cyber security is anticipated. In addition, there will be development, implementation and promotion of appropriate security and legal systems for e-commerce. The policy also envisages that reforms of the following laws will be enacted to cater for intellectual property rights, data protection and security, freedom of access to information, computer related and cybercrime laws: (i) data protection and privacy, (ii) intellectual property protection and copyright, (iii) consumer protection and (iv) child online protection.
What are the key data privacy and security provisions in general?
- Access to Information and Protection of Privacy Act (Chapter 10:27)
This act regulates the collection, protection and retention of personal information held by public bodies. Protected information includes:
o deliberations of Cabinet and Local government bodies
o advice or recommendation given to the President, Cabinet member or a public body
o information that is subject to client-attorney privilege of the public body
o information whose disclosure will be harmful to law enforcement process and national security
o information relating to intergovernmental relations/negotiations
o information relating to the financial or economic interests of the public body or the state
o research information if such disclosure will result in the researcher losing their right of first publication or any intellectual property rights
o information which if disclosed will result in damage or interference with conservation of heritage sites
o information that relates to a person’s safety or mental or physical health and personal privacy
o business interests of a party including but not limited to trade secrets, commercial information, scientific information and technical information
Provision of false information is an offence which may result in a level 5 fine and/or imprisonment for 6 months.
In addition to the above, the Act provides for regulation of mass media services and the establishment of the Media and Information Commission.
[This act is due to be repealed by the Freedom of Information Act, which will give effect to Section 62 of the Constitution, which relates to the right of access to information. The Bill was gazetted on the 5th of July 2019. Some of the issues covered by the Access to Information and Protection of Privacy Act will be in the yet-to-be-gazetted Data Protection Act.]
- Census and Statistics Act [Chapter 10:29]
Use and disclosure of aggregated information collected during a census exercise and relating to the commercial, industrial, agricultural, mining, social, economic and general activities and conditions of the inhabitants of Zimbabwe is restricted and regulated under this act. Unless it is in a public database, information collected may not be disclosed without consent obtained in terms of the act.
- Consumer Protection Act (Chapter 14:14)
Under this act it is the duty of any person who receives, compiles, retains or reports any confidential information pertaining to a customer or prospective customer to protect such information. Release of confidential information requires the consent of the customer or prospective customer. It is an offence to disclose confidential information obtained unless such disclosure was for the purpose of compliance with or proper administration of the act or for the purpose of administrative justice. In the event of breach an administrative fine of up to 2.5% of the respondent’s annual net profit for the year or any amount that the court may deem fit will be imposed. Under the Consumer Protection Act employees and employers are jointly and severally liable for contravention of the provisions including the confidentiality provisions.
- Courts and Adjudicating Authorities Publicity Restriction Act [Chapter 07:04]
Whilst the general position is that adjudications (including proceedings in court and other authorities) shall be in public, this right of access and even dissemination of the information may be restricted and regulated through this act. At any stage of the process, an adjudicator may, if it deems it necessary, make an order for such restriction either at its own instance or following an application by a party to the proceedings.
- Interception of Communication Act (Chapter 11:20)
The purpose of this act is to provide for the lawful interception and monitoring of communications in any form of transmission, including telecommunications and postal. Access to the information is restricted to security services, who are required to apply for permission to intercept their desired and specific information. A holder of encrypted (protected) information may be put on notice and required to disclose such information where there is reasonable belief that disclosure of such information is in the interests of national security, prevents or exposes a serious offence or is in the interests of the economic well-being of Zimbabwe. Information obtained may not be disclosed to any other person unless for the purposes of the act or as evidence in a court of law. A breach of this may result in a level 14 fine and/or 5 years imprisonment.
- National Registration Act (Chapter 10:17)
The Registrar-General and all persons employed to carry out national registry of Zimbabwean residents are required to keep in safe custody any information acquired in the performance of their duties. Information that is provided by residents during their registration includes full names and address, citizenship status, date of birth, tribal affiliations, marital status and family particulars. All persons employed shall keep secret, and take part in ensuring the secrecy of, all information that comes to their knowledge in the exercise of their duties. Contravention of this requirement is an offence punishable by one year imprisonment.
Are new or material changes to those key data privacy and security laws anticipated?
- Freedom of Information Bill which was gazetted on the 5th of July 2019
The Freedom of Information Bill will repeal and replace the Access to Information and Protection of Privacy Act. The purpose of the act is to give effect to Section 62 of the Constitution of Zimbabwe which enshrines the right of access to information.
Section 62: Access to information
(1) Every Zimbabwean citizen or permanent resident, including juristic persons and the Zimbabwean media, has the right of access to any information held by the State or by any institution or agency of government at every level, in so far as the information is required in the interests of public accountability.
(2) Every person, including the Zimbabwean media, has the right of access to any information held by any person, including the State, in so far as the information is required for the exercise or protection of a right.
(3) Every person has a right to the correction of information, or the deletion of untrue, erroneous or misleading information, which is held by the State or any institution or agency of the government at any level, and which relates to that person.
(4) Legislation must be enacted to give effect to this right, but may restrict access to information in the interests of defence, public security or professional confidentiality, to the extent that the restriction is fair, reasonable, necessary and justifiable in a democratic society based on openness, justice, human dignity, equality and freedom.
In terms of the bill:
o The definition of personal information is expanded to cover identifiable individual and sensitive data including:
information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the individual;
information relating to the education or the medical, criminal or employment history of the individual or information relating to financial transactions in which the individual has been involved;
any identifying number, symbol or other particular assigned to the individual;
the address, fingerprints or blood type of the individual;
the personal opinions, views or preferences of the individual, except where they are about another individual or about a proposal for a grant, an award or a prize to be made to another individual;
correspondence sent by the individual that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence;
the views or opinions of another individual about the individual;
the views or opinions of another individual about a proposal for a grant, an award or a prize to be made to the individual, but excluding the name of the other individual where it appears with the views or opinions of the other individual; and
the name of the individual where it appears with other personal information relating to the individual or where the disclosure of the name itself would reveal information about the individual, but excludes information about an individual who has been dead for more than twenty years.
o Protected information now specifically includes deliberations or functions of the Cabinet and its committees and information protected from disclosure in victim friendly courts. The latter therefore covers information that may be provided by minors in these courts.
o The process to be followed for requests to access public information is detailed and includes a requirement for the public office to respond within 21 days on the outcome. Where the information cannot be found or does not exist the officer is required to notify the applicant of this.
o The actual access process is provided and includes the opportunity to inspect the information, provision of copies, making suitable arrangement for the reproduction of the information, provision of written transcript of sound recordings and making available in a readable form information from a computer.
- The Data Protection Bill (yet to be gazetted)
o The purpose of the Data Protection Bill is to harmonize data protection policies in Zimbabwe with the rest of Sub-Saharan Africa and to give effect to the right to privacy as found in the Constitution of Zimbabwe. In order to achieve the harmonization of the laws, the SADC Model Law for data protection is to be transposed for Zimbabwe, which will result in the alignment of the laws of Zimbabwe with internationally accepted principles of data protection.
o The bill is therefore set to govern the processing of personal information of public and private bodies, to prevent unauthorized and arbitrary use, collection, processing, transmission and storage of data of identifiable persons, to provide for the regulation of data protection and to establish a Data Protection Authority.
o Key definitions:
Personal Information is as defined in the Access to Information and Protection of Privacy Act.
Processing informs the activities to which the principles of protection must be applied. The term processing refers to any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as obtaining, recording or holding the data or carrying out any operation or set of operations on data, including: (a) organization, adaptation or alteration of the data; (b) retrieval, consultation or use of the data; or (c) alignment, combination, blocking, erasure or destruction of the data.
Sensitive data refers to information or an opinion about an individual which reveals or contains racial or ethnic origin; political opinions; membership of a political association; religious beliefs or affiliations; philosophical beliefs; membership of a professional or trade association; membership of a trade union; sex life; criminal, educational, financial or employment history; gender, age, marital status or family status. Sensitive data also refers to the health information about an individual; genetic information about an individual; or information which may be considered as presenting a major risk to the rights of the data subject.
Data controller or controller refers to any natural person and legal person excluding a public body which alone or jointly with others determines the purpose and means of processing of personal data. Where the purpose and means of processing are determined by or by virtue of an act, decree or ordinance, the controller is the natural person, legal person or public body designated as such by virtue of that act, decree or ordinance. This person is required to inform a data subject of the purpose of the collection of the data and to ensure that there are safeguards to ensure the integrity of, and prevent the loss of or damage to, personal information.
Data processor refers to a natural person or legal person, which processes personal data for and on behalf of the controller and under the data controller’s instruction, except for the persons who, under the direct employment or similar authority of the controller, are authorised to process the data.
o Regulation is provided for transborder flow of information to a SADC Member State which has transposed the SADC Model Law, to those states that have not transposed the SADC Model Law, or to a non-SADC state. Transfer of information is subject to assurance of adequate levels of protection. Transborder flow refers to international flows of personal data by the means of transmission, including data transmission electronically or by satellite.
Article compiled by Nellie Tiyago – Jinjika, Partner at Zimbabwean member firm Scanlen & Holderness