The crafting of legislation is always a slow process, and for laws and regulation around technology, the pace isn’t any different. However, 2015 has been marked by a greater focus on how technology is viewed through a legal lens.
Besides the visible intent to draft a new ICT Policy, other pieces of legislation within the confines of technology are also being examined. These include the e-Transactions Bill and the CyberCrime Bill. Another piece of law being combed through is the Data Protection Bill.
What is the Data Protection Bill?
This draft legislation (it hasn’t been made law yet) seeks to govern the processing of personal information by private and public bodies. The Bill also prevents the unauthorised use, collection, and processing of identifiable persons’ data.
A Data Protection Authority (the Authority) will be established to take care of these matters and to ensure that provisions of the Bill are adhered to. This draft Bill is a welcome piece of legislation that seeks to strengthen the individual’s right to privacy.
The Bill tries to ensure that whenever an individual’s data is collected, it is only used for the specified purpose and not abused. In the Bill, data is grouped into broad categories, namely personal information, sensitive data and genetic data.
Personal information includes details such as the person’s name, address or phone number.
Sensitive data includes details about the person’s sex life, health information, financial information, and employment history.
Genetic data refers to any personal information stemming from an analysis of the individual’s deoxyribonucleic acid (DNA). A person’s data can be abused in a number of ways, for example, by being used for targeted adverts or other profiling purposes.
The Bill introduces a few tech-savvy terms that are of interest; here are a few that caught my attention. The individual whose data is collected is called the data subject.
A data controller is any natural person or legal person who determines the purpose and means of processing of personal data.
A data processor is a natural person or legal person who processes personal data for and on behalf of the data controller.
Data protection officers are individuals appointed by the data controller and are the ones responsible for ensuring that provisions of the Bill are complied with.
The Data Protection Authority of Zimbabwe will be a body corporate or a juristic person. This means it will be capable of suing and being sued in its name. Any interested party or individual will be able to approach the Authority to initiate investigations related to the improper collection or processing of data. The Authority will also advise the relevant Minister on matters relating to the right to privacy and access to information.
Operations of the Authority will be controlled and managed by a board known as the Data Protection Authority of Zimbabwe Board (the Board). The Board will have a minimum of five members and a minimum of seven members.
Unfortunately, the Board members will be appointed by the President of the Republic in consultation with the Minister responsible for the Authority. This is a cause for concern mainly because of the high levels of skepticism about government appointments, which are usually viewed as political in nature.
The fact that Board members also serve at the pleasure of the President (yes, the President can hire and fire Board members) affects the independence of the Board and in effect the independence of the Authority. At least three of the Board members must have experience in communications, law, accountancy or administration. Board members will be able to serve for a maximum of three years.
Non-sensitive data may be processed without the data subject’s consent, for example, when the data is necessary for proving an offence. However, sensitive information can only be processed with the data subject’s consent.
The data subject is able to withdraw consent to process his or her sensitive information at any time and free of charge. In effect, a patient may consent to his or her doctor’s collection of medical information, and the patient can at any time request the doctor to destroy any data collected without giving a reason.
There are, however, instances where the data subject cannot stop the processing of sensitive information, for example, if the data is necessary for health-insurance claims. The Authority has the last say on when a data subject may stop processing of information and this limits the power that the data subject has over the whole process.
As stated above, this Bill is a necessary piece of legislation that helps to regulate a currently poorly regulated sector. The Bill also attempts to give the data subject some control over the information collected on him or her.
However, a lot more could have been done to ensure that the data subject has a stronger say in the whole process. Independence of the Board could also have been promoted by, for example, allowing the public to participate in the nomination of Board members.
When all is said and done, the Bill is a good starting point which leaves a lot of room for improvement in the field of data protection.
This article was written by Kuda Hove, a legal and information officer who has a keen focus on Zimbabwean ICT legislation.
- Technology Zimbabwe