Reviewing The Data Protection Act In Zimbabwe - Part 1

• Published date: 21 January 2022
• Subject Matter: Privacy, Data Protection
• Law Firm: ChimwaMurombe Legal Practice
• Author: Mr Fungai Chimwamurombe and Simbarashe Mukwekwezeke

Many people woke up to news that the Data Protection Act [Chapter 10:11] on the 3rd of December 2021 had been gazetted and came into effect on the same day of gazetting. This piece of legislation comes on the back of the need to protect data in the fast-changing business environment where client information has become gold as well as the digitisation of data. The Data Protection Act deals with how data is collected, stored and transmitted with section 4 of the Act making it applicable to all persons who deal with data relating to person within Zimbabwe which includes foreign entities operating in Zimbabwe which shall be expected to appoint a local representative for purposes of the Administration of the Act.

Section 3 of the Act defines Data as "means any representation of facts, concepts, information, whether in text, audio, video, images, machine-readable code or instructions, in a form suitable for communications, interpretation or processing in a computer device, computer system, database, electronic communications network or related devices and includes a computer programme and traffic data". From this definition it is clear the Act covers not only the personal information of persons held by data controllers but also curb what would be termed irresponsible use of the internet.

Through the amendment of the Criminal law (Codification and Reform) Act

[ Chapter 9:23] by creating crimes related to the unlawful collection, use and disclosure/leaking of data including the unlawful interception of data by any persons. The amendment to our criminal law also makes it unlawful to;-

1. Transmission of data message inciting violence or damage to property
2. Sending threatening data message
3. Cyber-bullying and harassment
4. Transmission of false data message intending to cause harm
5. Transmission of intimate images without consent
6. Spam( sending unsolicited messages to persons without their consent)
7. Production and dissemination of racist and xenophobic.

The Postal and Telecommunications Regulatory Authority commonly known as Potraz is the designated Data Protection Authority responsible with the data protection levels set by the Act and penalties thereon. There is also a duty to report all data breaches with Authority by all Data controllers and also those whose data was compromised which is touted as a new level of disclosure.

It is undoubtable that corporates will be required to align their storage of client data...