Data Privacy and Data Protection
What is Data Protection?
Data protection is the practice of safeguarding data from loss, corruption, or compromise. Data protection includes factors such as data integrity, data privacy, protection from errors and corruption and guidance on the use of data by individuals and businesses. The concept of data protection applies to personal, business, public entities, and political and international data. It is becoming more important as the volume of data collected and stored digitally on online platforms is rising.
Section 3 of the Data Protection Act [Chapter 11:12] defines data as any representation of facts, concepts, information, whether in text, audio, video, images, machine-readable code or instructions, in a form suitable for communications, interpretation or processing in a computer device, computer system, database, electronic communications network or related devices and includes a computer programme and traffic data.
What is the importance of data protection laws?
- Protect personal data from being misused, mishandled, or exploited;
- Ensure that the fundamental rights and freedoms of providers of data are upheld;
- Ensure fair and friendly practices in commercial activities between consumers and businesses;
- Place responsibilities on organizations for handling personal data;
- Provide greater control and understanding to individuals over how their data is collected and used.
What is the Data Protection Regime?
The Constitution of Zimbabwe in Section 57 protects the right to privacy and provides that:
Every person has the right to privacy, which includes the right not to have-
- their home, premises or property entered without their permission;
- their person, home, premises or property searched;
- their possessions seized;
- the privacy of their communications infringed; or
- their health condition disclosed.
Zimbabwe enacted its first data protection legislation in December 2021. The Data Protection Act provides a comprehensive data protection regime, but also significantly amends cybercrime-related law, including the Criminal Procedure and Evidence Act (Chapter 9:07) and the Interception of Communications Act (Chapter 11:20). The Data Protection Act also establishes a Cyber Security and Monitoring of Interceptions of Communications Centre. However, it does not create a specific data protection authority, but grants this responsibility to the Postal and Telecommunications Regulatory Authority (POTRAZ).
Consent
Under the Data Protection Act, consent is the default basis for processing data. The Act provides that consent in writing must be obtained by a data controller before sensitive data is processed. The consent to the processing of data may be withdrawn by the data subject at any time and without any explanation and free of charge. However, consent is not required from a data subject where the processing is necessary to comply with national security laws; for the promotion and protection of public health, including medical examination of the population; for the prevention of imminent danger or the mitigation of a specific criminal offence.
What is a Data Subject and a Data Controller?
Data subject refers to any individual person who can be identified, directly or indirectly, via an identifier such as a name, an ID number, location data, or via factors specific to the person’s physical, physiological, genetic, mental, economic, cultural or social identity. In other words, a data subject is an end user whose personal data can be collected.
On the other hand, the Act defines a data controller as “any natural person or legal person who is licensable by the Data Protection Authority which includes public bodies and any other person who determines the purpose and means of processing data.”
Data controllers are required to ensure that the processing of data is necessary and that data is processed fairly and lawfully. As a data protection mechanism, the Act also requires that if a data controller is not established in Zimbabwe, then a representative must be appointed in Zimbabwe. This means that any entity that processes a Zimbabwean’s personal data must designate a representative in Zimbabwe.
The Act requires controllers to take appropriate technical and organisational measures that are necessary to protect data from negligent or unauthorised destruction, negligent loss, unauthorised alteration or access and any other unauthorised processing of the data. In the event of a data security breach of any kind, controllers have an obligation to report to POTRAZ within 24 hours.
What are the Duties of a Data Controller?
Every data controller or data processor shall ensure that personal information is—
- processed in accordance with the right to privacy of the data subject;
- processed lawfully, fairly and in a transparent manner in relation to any data subject;
- collected for explicit, specified and legitimate purposes and not further processed in a manner incompatible with those purposes;
- adequate, relevant, limited to what is necessary in relation to the purposes for which it is processed;
- collected only where a valid explanation is provided whenever information relating to family or private affairs is required;
- accurate and, where necessary, kept up to date, with every reasonable step being taken to ensure that any inaccurate personal data is erased or rectified without delay; and
- kept in a form which identifies the data subjects for no longer than is necessary for the purposes for which it was collected.
What are the rights of a Data Subject?
A data subject has a right to:
- be informed of the use to which their personal information is to be put;
- access their personal information in the custody of a data controller or data processor;
- object to the processing of all or part of their personal information;
- correction of false or misleading personal information and the deletion of false or misleading data about them.
Which offences are related to computer systems, computer data, data storage mediums, data codes and devices?
Hacking
The offence occurs when a person, knowing or suspecting that he or she must obtain prior authority to access the data, computer programme, computer data storage medium, or the whole or any part of a computer system, intentionally, unlawfully and without such authority secures access to such data, programme, medium or system.
If found guilty of committing the offence in aggravating circumstances, the person shall be liable to a fine not exceeding level 14 or to imprisonment for a period not exceeding ten years or both such fine and such imprisonment. In any other case, the person shall be liable to a fine not exceeding level 10 or to imprisonment for a period not exceeding five years or to both such fine and such imprisonment.
Unlawful acquisition of data
The offence is committed when a person unlawfully and intentionally intercepts any private transmission of computer data to, from or within a computer network, computer device, database or information system or electromagnetic emissions from a computer or information system carrying such computer data; or overcomes or circumvents any protective security measure intended to prevent access to data.
The offence is also committed when an individual acquires data within a computer system or data which is transmitted to or from a computer system. The offence attracts a fine not exceeding level 14 or imprisonment for a period not exceeding five years or both a fine and imprisonment.
Which offences are related to electronic communications and materials?
Transmission of data message inciting violence or damage to property
A person who unlawfully by means of a computer or information system makes available, transmits, broadcasts or distributes a data message to any person, group of persons or to the public with intent to incite such persons to commit acts of violence against any person or persons or to cause damage to any property is guilty of the offence. Such person shall be liable to a fine not exceeding level 10 or to imprisonment for a period not exceeding five years or to both such fine and such imprisonment.
Sending threatening data message
This offence is committed when a person unlawfully and intentionally by means of a computer or information system sends any data message to another person threatening harm to the person or the person’s family or friends or damage to the property of such persons.
It is also an offence to upskirt and record nude images or videos of a citizen or a foreigner who is resident in Zimbabwe without consent. Such persons shall be liable to a fine not exceeding level 10 or to imprisonment for a period not exceeding five years or to both a fine and imprisonment.
Cyber-bullying and harassment
Any person who unlawfully and intentionally by means of a computer or information system generates and sends any data message to another person, or posts any material whatsoever on any electronic medium accessible by any person, with the intent to coerce, intimidate, harass, threaten, bully or cause substantial emotional distress, or to degrade, humiliate or demean the person of another or to encourage a person to harm himself or herself, shall be guilty of an offence and liable to a fine not exceeding level 10 or to imprisonment for a period not exceeding ten years or to both a fine and imprisonment.
Transmission of intimate images without consent
An intimate image is a visual depiction of a person made by any means in which the person is nude, the genitalia or naked female breasts are exposed or sexual acts are displayed. The offence is committed when a person unlawfully and intentionally by means of a computer or information system makes available, broadcasts or distributes a data message containing any intimate image or video of an identifiable person without the consent of the person concerned or with recklessness as to the lack of consent of the person concerned, with the aim of causing the humiliation or embarrassment of such person. A person found guilty of such acts will be liable to a fine not exceeding level 10 or to imprisonment for a period not exceeding five years or to both a fine and imprisonment.
Recording of genitalia and buttocks beneath clothing without consent
The offence is committed when a person unlawfully and intentionally records, makes available, broadcasts or distributes an image or video beneath the clothing of another person which depicts this person’s genitalia or buttocks, whether covered by underwear or not, without the consent of the depicted person or with recklessness as to the lack of consent of the person concerned, as far as these are to be protected against sight according to the recognizable will of the depicted person. Such an individual shall be guilty of the offence and liable to a fine not exceeding level 10 or to imprisonment for a period not exceeding five years or to both a fine and imprisonment.
Exposing children to pornography
An individual is guilty of the offence when he or she unlawfully and intentionally, through a computer or information system, makes pornographic material available to any child; or facilitates access by any child to pornography or displays pornographic material to any child; with or without the intention of lowering the child’s inhibitions in relation to sexual activity or inducing the child to have sexual relations with that person. The offence attracts a fine not exceeding level 14 or imprisonment for a period not exceeding five years or both such fine and such imprisonment.
Conclusion
It is an international consensus that the collection, processing, and use of personal information should be regulated. The presence of a Data Protection Act for the handling of personal information will protect individuals and organisations from costly breaches.
Visit us today at 7 Edmonds Avenue, Belvedere, Harare if you require assistance on any of the areas discussed in the article above.