Thoughts On The Cyber Security And Data Protection Bill

On the 15th of May The Cyber Security and Data Protection Bill was gazetted. The public was asked to comment on the bill in a process that ends on the 26th of June.

The digital age has brought with it a unique set of concerns. Security was something that was assured by physical or geographical fortifications. Within borders, measures were drawn to govern the relationships of all actors in a country.

Technology and it’s rapid rise brought with it a new sphere or terrain. This new arena has been growing at a pace that has made it difficult for all involved to understand what can or cannot be done. Which interests should be protected and under what circumstance.

What follows is my opinion on two aspects of the bill I was confused by or portions I thought needed more explaining. There are, I’m sure, many legal experts out there and my assessment will not cover everything and, I would appreciate your views and thoughts in the comments.

Better still, we really need all you knowledgeable folks to add your voices to the law making process by sending your comments to the parliament before Friday (the final date for such). Send the comments to bills@parlzim.gov.zw or clerk@parlzim.gov.zw

What is the Cyber Security and Data Protection Bill?

“The purpose of this Bill is to consolidate cyber related offences and provide for data protection with due regard to the Declaration of Rights under the Constitution and the public and national interest, to establish a Cyber Security Centre and a Data Protection Authority, to provide for their functions, provide for investigation and collection of evidence of cyber crime and unauthorised data collection and breaches, and to provide for admissibility of electronic evidence for such offences. It will create a technology driven business environment and encourage technological development and the lawful use of technology.”

Cyber Security and Data Protection Bill

This Bill is there to protect the interest of all parties who are a part of the digital space in Zimbabwe. The Bill outlines:

• The establishment of the Cyber Security Center and the designation of the Postal and Telecommunications Regulatory Authority of Zimbabwe (POTRAZ) as that centre
• POTRAZ’s designation as the Data Protection Centre
• The data sets that will be collected and evaluated
• The rules to how information will be processed
• The rules and duties of those who will process and evaluate the data collected in the event of an investigation.
• Duties of the individuals who will collect and process data
• The subject of the data
• The transborder flow of data if the assessment of the data needs a third party outside the country
• General code of conduct
• General provisions, these being the appeals process, offences and penalties, and regulations
• Consequential amendments.

Designation of POTRAZ as both the Cyber Security Centre and The Data Protection Centre

The duties set out in this Bill are quite extensive and I would have thought that the most efficient way of dealing with the issue of cyber security and data protection was to have a separate and new organisation to deal with these matters. POTRAZ already has a full plate and delegating the organisation this role doesn’t inspire much confidence.

The Bill in Part X (1) reads:

“The Authority shall provide guidelines and approve codes of conduct and ethics governing the rules of conduct to be observed by data controllers and categories of data controllers.”

An Authority with a focused mission should have been established to undertake what is written in this bill. The guidelines of its conduct and the conduct of those who will work beneath it clearly outlined and published to accompany this bill.

Government can get our data easily

The government institution mandated with enforcing this bill if it makes into a law has powers under this bill to launch an investigation if there is suspicion of this new law being broken. Such an investigation involves the authority (POTRAZ) getting access to any data it requests from the entity under investigation. There is a real risk that the government can purport to be investigating any business they like (Econet or a bank for example) just so they get hold of yours and my data. The bill does not fully stipulate how an investigation should be carried out and under what circumstances data must be requested from the subject of an investigation.