Zimbabwe
Cyber and Data Protection Act, 2021
Chapter 12:07
- Published on 11 March 2022
- Commenced on 11 March 2022
- [This is the version of this document from 11 March 2022.]
Part I – Preliminary
1. Short title
This Act may be cited as the Cyber and Data Protection Act [Chapter 12:07].
2. Object
The object of this Act is to increase cyber security in order to build confidence and trust in the secure use of information and communication technologies by data controllers, their representatives and data subjects.
3. Interpretation
In this Act—
- "child" means any person under the age of eighteen years;
- "code of conduct" refers to the Data Use Charters drafted by the data controller in order to institute the rightful use of IT processes, the Internet, and electronic communications of the structure concerned, and which have been approved by the Data Protection Authority;
- "consent" refers to any manifestation of specific, unequivocal, freely given, informed expression of will by which the data subject or his or her legal, judicial or legally appointed representative accepts that his or her data be processed;
- "critical database" means a computer data storage medium or any part thereof which contains critical data;
- "data" means any representation of facts, concepts, information, whether in text, audio, video, images, machine-readable code or instructions, in a form suitable for communications, interpretation or processing in a computer device, computer system, database, electronic communications network or related devices and includes a computer programme and traffic data;
- "data controller" or "controller"—
  - (a) refers to any natural person or legal person who is licensable by the Authority;
  - (b) includes public bodies and any other person who determines the purpose and means of processing data;
- "data controller’s representative" or "controller’s representative" refers to any natural person or legal person who performs the functions of the data controller in compliance with obligations set forth in this Act;
- "data processor" refers to a natural person or legal person who processes data for and on behalf of the controller and under the controller’s instruction, except for the persons who, under the direct employment or similar authority of the controller, are authorised to process the data;
- "Data Protection Authority" or "Authority" refers to the Postal and Telecommunications Regulatory Authority of Zimbabwe established in terms of section 5 of the Postal and Telecommunications Act [Chapter 12:05];
- "data protection officer" or "DPO" refers to any individual appointed by the data controller and charged with ensuring, in an independent manner, compliance with the obligations provided for in this Act;
- "data subject" refers to an individual who is an identifiable person and the subject of data;
- "disproportionate effort" means effort that is so labour intensive as to consume a lot of time, money and manpower resources;
- "electronic communications network" means any electronic communication infrastructure and facilities used for the conveyance of data;
- "genetic data" refers to any personal information stemming from a deoxyribonucleic acid (DNA) analysis;
- "health professional" refers to any individual determined as such by Zimbabwean law;
- "identifiable person" means a person who can be identified directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his or her physical, physiological, mental, economic, cultural or social identity;
- "Minister" means the Minister responsible for information and communications technologies;
- "personal information" means information relating to a data subject, and includes—
  - (a) the person’s name, address or telephone number;
  - (b) the person’s race, national or ethnic origin, colour, religious or political beliefs or associations;
  - (c) the person’s age, sex, sexual orientation, marital status or family status;
  - (d) an identifying number, symbol or other particulars assigned to that person;
  - (e) fingerprints, blood type or inheritable characteristics;
  - (f) information about a person’s health care history, including a physical or mental disability;
  - (g) information about educational, financial, criminal or employment history;
  - (h) opinions expressed about an identifiable person;
  - (i) the individual’s personal views or opinions, except if they are about someone else; and
  - (j) personal correspondence pertaining to home and family life;
- "processing" refers to any operation or set of operations which are performed upon data, whether or not by automatic means, such as obtaining, recording or holding the data or carrying out any operation or set of operations on data, including—
  - (a) organisation, adaptation or alteration of the data;
  - (b) retrieval, consultation or use of the data; or
  - (c) alignment, combination, blocking, erasure or destruction of the data;
- "recipient" refers to a natural or legal person, agency or any other body to whom personal information is disclosed by a data controller, whether a third party or not; however, persons who receive personal information in the framework of a particular legal inquiry shall not be regarded as recipients;
- "sensitive data" refers to—
  - (a) information or any opinion about an individual which reveals or contains the following—
    - (i) racial or ethnic origin;
    - (ii) political opinions;
    - (iii) membership of a political association;
    - (iv) religious beliefs or affiliations;
    - (v) philosophical beliefs;
    - (vi) membership of a professional or trade association;
    - (vii) membership of a trade union;
    - (viii) sex life;
    - (ix) criminal, educational, financial or employment history;
    - (x) gender, age, marital status or family status;
  - (b) health information about an individual;
  - (c) genetic information about an individual; or
  - (d) any information which may be considered as presenting a major risk to the rights of the data subject;
- "third party" refers to any natural or legal person or organisation other than the data subject, the controller, the processor and anyone who, under the direct authority of the controller or the processor, is authorised to process the data;
- "transborder flow" refers to international flows of data by the means of transmission, including data transmission electronically or by satellite;
- "whistleblowing" refers to legal provisions permitting individuals to report the behaviour of a member of their organisation which they consider contrary to a law or regulation or fundamental rules established by their organisation.
4. Application
Part II – Data Protection Authority
5. Designation of Postal and Telecommunications Regulatory Authority as Data Protection Authority
The Postal and Telecommunications Regulatory Authority established in terms of the Postal and Telecommunications Act [Chapter 12:05] is hereby designated as the Data Protection Authority.
6. Functions of Data Protection Authority
Part III – Quality of data
7. Quality of data
Part IV – General rules on the processing of data
8. Generality
The data controller shall ensure that the processing of data is necessary and that the data is processed fairly and lawfully.
9. Purpose
10. Non-sensitive data
11. Sensitive information
12. Genetic data, biometric sensitive data and health data
Part V – Duties of data controller and data processor
13. Duties of data controller
Every data controller or data processor shall ensure that personal information is—
14. Rights of data subject
A data subject has a right to—
15. Disclosures when collecting data directly from data subject
16. Disclosures when not collecting data directly from data subject
17. Authority to process
Any person having access to the data and acting under the authority of the controller or of the processor, as well as the processor himself or herself, may process data only as instructed by the controller, without prejudice to any duty imposed by law.
18. Security
19. Security breach notification
The data controller shall notify the Authority within twenty-four (24) hours of any security breach affecting data he or she processes.
20. Obligation of notification to Authority
21. Content of notification
22. Authorisation
23. Openness of processing
24. Accountability
The data controller shall—
Part VI – Data subject
25. Decision taken on basis of Automatic Data Processing
26. Representation of data subject who is child
Where the data subject is a child, his or her rights pursuant to this law may be exercised by his or her parents or legal guardian.
27. Representation of physically, mentally or legally incapacitated data subjects
Part VII – Transborder flow
28. Transfer of personal information outside Zimbabwe
29. Transfer to country outside Zimbabwe which does not assure adequate level of protection
A transfer or a set of transfers of data to a country outside Zimbabwe which does not assure an adequate level of protection may take place in one of the following cases—
Part VIII – Code of Conduct
30. Code of Conduct
Part IX – Whistleblowing
31. Whistleblower
Part X – General provisions
32. Regulations
33. Offences and penalties
34. Appeals
Any person aggrieved by the decision of the Authority may appeal to the Administrative Court.
Part XI – Consequential amendments
35. Amendment of Chapter VIII of Cap. 9:23
"PART I - Offences relating to computer systems, computer data, data storage mediums, data codes and devices
Part II - Offences relating to electronic communications and materials
Part III - Offences against children and procedural law
36. Amendment of Cap. 9:07
The Criminal Procedure and Evidence Act [Chapter 9:07] is amended by the insertion after Part XX of the following Part—
"PART XXA - Provisions relating to cyber crime
37. Amendment of Cap. 11:20
"Schedule (Section 4B(5))
Provisions applicable to Cyber Security Committee
Documents citing this one
- Gazette: Zimbabwe Government Gazette dated 2022-03-18, number 27
- Journal article: Final Papers of the 2021 National Symposium on Human Rights Implications of Social, Political, Economic and Legal Responses to the COVID-19 Pandemic
Subsidiary legislation

| Title | Instrument | Date |
|---|---|---|
| Cyber and Data Protection (Licensing of Data Controllers and Appointment of Data Protection Officers) Regulations, 2024 | Statutory Instrument 155 of 2024 | 13 September 2024 |