Advocate Isaya Muriwo Sithole
THERE has recently been an interest by Zimbabweans to know the country’s cyber and data laws, and we found it worthwhile to make a contribution on the subject.
In the contemporary digital age, the collection, storage and use of personal data have become increasingly significant.
As technology advances, the risk of cybercrimes and data breaches also grows.
To address these concerns, the Government enacted the Cyber and Data Protection Act (CDPA).
This comprehensive law aims to regulate the processing of personal data, prevent cybercrimes and promote online safety.
What is the Cyber and Data Protection Act?
The CDPA is a law that governs the collection, storage and use of personal data in Zimbabwe.
It applies to all organisations, including businesses, Government agencies and non-profit-making organisations that process personal data.
In its preamble, the CDPA states that it is an Act meant to provide for data protection with due regard to the Declaration of Rights under the Constitution and the public and national interest; to establish a cyber-security centre and a data protection authority and to provide for their functions; to create a technology-driven business environment and encourage technological development and the lawful use of technology.
The CDPA also amended Sections 162 to 166 of the Criminal Law (Codification and Reform) Act (Chapter 9:23) to provide for investigation and collection of evidence of cybercrime and unauthorised data collection and breaches; and to provide for the admissibility of electronic evidence for such offences and to provide for matters connected with or incidental thereto.
Section 2 states that the object of the Act is to increase cyber security in order to build confidence and trust in the secure use of information and communication technologies by data controllers, their representatives and data subjects.
Data is defined as any representation of facts, concepts and information, be it in text, audio, video, images, machine-readable code or instructions, in a form suitable for communications, interpretation or processing in a computer device, computer system, database, electronic communications network or related devices and includes a computer programme and traffic data.
Data controller refers to any natural or legal person who is licensable by the data protection authority and it includes public bodies and any other person who determines the purpose and means of processing data.
The data protection authority refers to the Postal and Telecommunications Regulatory Authority of Zimbabwe (Potraz), established in terms of Section 5 of the Postal and Telecommunications Act (Chapter 12:05). Data subject refers to an individual who is an identifiable person and the subject of data.
All definitions are provided for in Section 3 of the Act, which is the interpretation clause.
Key provisions
The CDPA designates Potraz as the data protection authority, which should regulate the manner in which personal information may be processed through the establishment of conditions for the lawful processing of data.
Other functions of the data protection authority are provided for in Section 6 of the Act.
The Act also provides for the establishment of a cyber-security and monitoring centre and a cyber-security committee.
The cyber security and monitoring centre means the Cyber Security and Monitoring of Interception of Communications Centre. It is the central monitoring apparatus designed to be the monitoring facility through which all the intercepted communications and call-related information of a particular interception target are forwarded to an authorised person.
The CDPA also makes the necessary amendments to the Interception of Communications Act (Chapter 11:20). The centre is established in the Office of the President, and its functions are provided for in Section 4A of the CDPA; they include the monitoring and interception of communications and the issuance of a warrant against violators of the Act.
Some of the key highlights of the Act relate to the transmission of data. Part II, Section 164 of the CDPA deals with the transmission of data messages inciting violence or damage to property.
Section 164A deals with protection of citizens from receiving threatening messages.
Section 164B makes provision for cyberbullying and harassment, and criminalises the sending of data messages to coerce, harass or intimidate.
Section 164C criminalises the transmission of false data messages intending to cause harm. These crimes carry penalties ranging from a fine to imprisonment for a period ranging from five to 10 years.
It is important, therefore, that Zimbabwean citizens be well conversant with the CDPA to avoid the pitfalls of committing crimes that they do not know of because ignorance of the law is not a defence at law in Zimbabwe.
Some of the key provisions of the CDPA relate to data protection: It regulates the processing of personal data, including collection, storage and transmission.
Organisations must ensure that personal data is processed lawfully, fairly and transparently.
The consent of the data subject must be sought at all material times.
Organisations must obtain consent from individuals before collecting or processing their personal data. Consent must be specific, informed and unambiguous.
Personal information or data means information relating to a data subject. It includes a person’s name, address or telephone number, as well as other details mentioned in Section 3 of the Act, which is the interpretation clause.
The Act also makes data breach notification mandatory: in the event of a data breach, businesses and other organisations must notify the relevant authorities and affected individuals.
As stated elsewhere in this contribution, the Act criminalises various forms of cybercrimes, including hacking, phishing and online harassment.
Violators of the Act may face fines, imprisonment or both.
Implications
The CDPA has significant implications for organisations operating in Zimbabwe.
Organisations must develop and implement data protection policies and procedures; obtain consent from individuals before collecting or processing their personal data; ensure that personal data is processed lawfully, fairly and transparently; and notify the relevant authorities and affected individuals in the event of a data breach.
Conclusion
The Cyber and Data Protection Act is a crucial step towards safeguarding personal data and promoting online safety in Zimbabwe.
Organisations must take proactive steps to comply with the Act and protect the personal data of individuals.
By doing so, we can build trust in the digital economy and promote economic growth and development.
Advocate Isaya Muriwo Sithole is the founder and executive director of the Dr Edson F.C. Sithole Foundation.




