Understanding Zimbabwe’s draft Data Protection Bill

Guest Author Avatar
IS Security Computer Society of Zimbabwe

image credit- talent-src.com

The crafting of legislation is always a slow process, and for laws and regulation around technology, the pace isn’t any different. However, 2015 has been marked by a greater focus on how technology is viewed through a legal lens.

Besides the visible intent to draft a new ICT Policy, other pieces of legislation within the confines of technology are also being examined. These include the e-Transactions Bill and the CyberCrime Bill. Another piece of law being combed through is the Data Protection Bill.

What is the Data Protection Bill?

This draft legislation (it hasn’t been made law yet) seeks to govern the processing of personal information by private and public bodies. The Bill also prevents the unauthorised use, collection, and processing of identifiable persons data.

A Data Protection Authority (the Authority) will be established to take care of these matters and to ensure that provisions of the Bill are adhered to. This draft Bill is a welcome piece of legislation that seeks to strengthen the individual’s right to privacy.

The Bill tries to ensure that whenever an individual’s data is collected, it is only used for the specified purpose and not abused.In the Bill, data is categorised into broad categories, namely personal information, sensitive data and genetic data.

Personal information includes details such as the person’s name, address or phone number.

Sensitive data includes details about the person’s sex life, health information, financial information, and employment history.

Genetic data refers to any personal information stemming from an analysis of the individual’s Deoxyribonucleic acid (DNA). A person’s data can be abused in a number of ways, for example, by being used for targeted adverts or other profiling purposes.

The Bill introduces a few tech savvy terms that are of interest, here are a few that caught my attention. The individual whose data is collected is called the data subject.

A data controller is any natural person or legal person who determines the purpose and means of processing of personal data.

A data processor is a natural person or legal person who processes personal data for and on behalf of the data controller.

Data protection officers are individuals appointed by the data controller and are the ones responsible for ensuring that provisions of the Bill are complied with.

The Data Protection Authority of Zimbabwe will be a body corporate or a juristic person. This means it will be capable of suing and being sued in its name. Any interested party or individual will be able to approach the Authority to initiate investigations related to the improper collection or processing of data. The Authority will also advise the relevant Minister on matters relating to the right to privacy and access to information.

Operations of the Authority will be controlled and managed by a board known as the Data Protection Authority of Zimbabwe Board (the Board). The Board will have a minimum of five members and a minimum of seven members.

Unfortunately, the Board members will be appointed by the President of the Republic in consultation with the Minister responsible for the Authority. This is a cause of concern mainly because of the high levels of skepticism in government appointments, which are usually viewed as political in nature.

The fact that Board members also serve at the pleasure of the President (yes, the President can hire and fire Board members) affects the independence of the Board and in effect the independence of the Authority. At least three of the Board members must have experience in communications, law, accountancy or administration. Board members will be able to serve for a maximum of three years.

Non-sensitive data may be processed without the data subjects consent, for example, when the data is necessary for proving an offence. However, sensitive information can only be processed with the data subject’s consent.

The data subject is able to withdraw consent to process his or her sensitive information at any time and free of charge. In effect, a patient may consent to his or her doctor’s collection of medical information, and the patient can at any time request the doctor to destroy any data collected without giving a reason.

There are, however, instances where the data subject cannot stop the processing of sensitive information, for example, if the data is necessary for health-insurance claims. The Authority has the last say on when a data subject may stop processing of information and this limits the power that the data subject has over the whole process.

As stated above, this Bill is a necessary piece of legislation that helps to regulate a currently poorly regulated sector. The Bill also attempts to give the data subject some control over the information collected on him or her.

However, a lot more could have been done to ensure that the data subject has a stronger say in the whole process. Independence of the Board could also have been promoted by, for example, allowing the public to participate in the nomination of Board members.

When all is said and done the Bill is a good starting point which leaves a lot of room for improvement in the field of data protection.

This article was written by Kuda Hove, a legal and information officer who has a keen focus on Zimbabwean ICT legislation. 


  1. tinm@n

    Genetic data refers to any personal information stemming from an analysis of the individual’s Deoxyribonucleic acid (DNA). A person’s data can be abused in a number of ways, for example, by being used for targeted adverts or other profiling purposes.

    Do you really know what you’re on about here? Targetted profiling through DNA records?

    Even in the most advanced nations, this does not happen.

    DNA data is a wealth of info for Big Pharma, can be used to discriminate, can be used to predetermine one’s risk profile for medical insurance or health cover… etc

    Not that nonsense

    1. Anonymous

      “DNA data is a wealth of info for Big Pharma, can be used to discriminate, can be used to predetermine one’s risk profile for medical insurance or health cover… etc”

      How is that not profiling?

  2. Silas

    This was long overdue. I would have loved to have a link to the draft and see how my personal data on a work computer is regulated!

    1. Rr

      Nt that much even in states the nature of a work computer is such that they can search for data they dnt want. Though such thinds as health banking details etc are protected.
      Always use personal email laptop phone for any private research findings or invotatiom/invention

  3. macd chip

    We do not lack laws, even with these new ones coming.

    What we lack is respect of law. Where law must be enforced, it seems to be very selective. The law here only catches small flies whilst some fly through it and shreds it to pieces if it annoys them.

    There is no point at, to me its a waste of time and resources to making all these laws only to be ignored or applied according to one’s taste.

    1. cool

      Another way to waste tax payers money, as long if government lay their dirty hands on this data protection body it’s as gud as useless. It’s like asking a thief to sell us his guardian dog to protect us from robbers

  4. LeeTendai

    This is a sound idea but the selection process of board members who will govern this law is on its own a let down not all things recquire government intervention etc an independent body would ensure no one is bove the law

  5. Rr

    Probarly as usual the board members will consust of ex armycolonel/general police some political gigyre and a fubious aythority who dont knao what phishing and spam is.

  6. David

    Interesting, I’m worried of how much access my employer has of my internet/online content and usage.

    1. Farai

      Don’t be worried. Read your company IT policy and it may state that they HAVE the right to monitor and intercept anything you do on their systems. Plus they can even retain/archive your emails for years. So if you are using company systems, your “privacy” falls away. Call it your mini spy Gvt

2023 © Techzim All rights reserved. Hosted By Cloud Unboxed