With vast quantities of data on almost every person now being collected in the modern world, as bank accounts, medical records, voter information among others, are kept in digital formats on data bases, Zimbabwe has modernised its laws on what can be collected, what permissions are needed, how data must be protected and the rights of people to see data entries pertaining to them.
The Data Protection Act, which deals both with what data can be collected, transmitted or distributed has been passed by Parliament and signed into law by President Mnangagwa.
It came into effect on Friday.
The Act concentrates on giving maximum protection of privacy and both introduces new law over the collection and storage of data and updates the criminal law by amending the Criminal Law (Codification and Reform) Act so it can deal with the offences that take place in the modern digital and online world.
The specific offences already largely exist in more general forms. For example, it is an offence to incite violence regardless of the medium used for the incitement and child pornography is banned in Zimbabwe under child protection laws, but the new Act adds to this general protection under other legislation by criminalising such activity in a specific digital environment.
The first half of the new Act, that which deals with the gathering and protection of data, will largely affect those who gather and store data as part of their duties, and they now fall under the Postal and Telecommunications Authority of Zimbabwe (Portraz), which has been made the Data Protection Authority.
Portraz has the job of setting up and enforcing the rules for data collection, protection, storage and presentation. Generally permission has to be obtained from the person whose personal information is going into a database, although there are differences between less sensitive and more sensitive information.
But there is also a list for most purposes of data that can be collected for specific purposes that does not require permission, for reasons of health, public well-being and the like. But the Act now demands that such data is properly protected and kept private, that is out of the public domain.
In many cases, generalised and non-personalised data can be made public. For example, in the health world anything that could identify in any way a particular person or patient is totally private. But, as we now are seeing, general statistical data can be issued so the owner of a public health database can tell the world how many Covid-19 tests were done in any one day, how many people tested positive, what variants they tested positive for, how many died and the like. But they cannot identify the people who took tests or tested positive.
Breaches of data security have to be reported promptly to Portraz. This means that a bank that has been hacked, for example, would have to tell the authorities immediately what happened and what data might be compromised and then follow directions on how to minimise the damage and let those whose information was accessed know.
This legislation is now becoming increasingly common around the world in the global shift to digital records on the grounds that people are entitled to protection of privacy and security of their more sensitive information.
The other half of the Act will have more effect on ordinary people as it deals with criminalising specific actions using data and digital transmission.
This is where those who use the internet, for example, or the camera on their phone, can run into trouble quite easily if they use these improperly to hurt people. While the offences might already exist under other laws in very general terms, the new Act makes them very specific.
And because they are additions to the codified criminal law there are the usual specific maximum penalties, frequently a maximum term of 10 years in prison, a fine or both.
So people who hack into other people’s systems commit a serious offence, as do those who transmit SPAM, although the sentences are lower for that offence. And a fair amount of the first part of the additions to the criminal law deals with these sort of offences.
The second half of the additions deals with the content of what is transmitted or distributed, that is with what are commonly seen as serious abuses of social media and the internet. These start with security sort of issues, like inciting violence although as people already before the court know that this offence is also covered under other law.
New specified digital crimes include transmission of intimate images without consent, production and dissemination of racist and xenophobic material, recording of private parts beneath clothing without consent, child sexual abuse material, child pornography, sending threatening data message, cyber-bullying and harassment and transmission of false data message intending to cause harm.
Again it is becoming common around the world to bring these specified digital offences into law. But things like child pornography, revenge pornography, major invasions of privacy and publicising defamation are far easier to do in a digital environment and so are included as specific digital offences.
When the Act was still before Parliament, Information and Communication Technologies, Post and Courier Services Minister Jenfan Muswere said the new law was important because current legislation in the country was limited in scope and application due to technological developments and considering that cyber-crime was borderless.
The Act also gives the court’s jurisdiction over crimes committed outside Zimbabwe if they involve Zimbabweans, permanent residents, business persons operating in the country or computer or data systems with links to or located in the country.
Ordinary people that talked to The Herald welcomed the enactment of the new law, and tended to concentrate on the sections that have caused the most individual harm, the misuse of social messaging.
Ms Priscilla Mvuri said the Act was a good development and would reduce cases of forced relationship through blackmail.
“The Government has done good work, people who send threatening messages should be punished because some people are blackmailing others forcing them to do what they want, for example, to continue a relationship in which one does not feel comfortable with,” she said.
Another Harare resident, Ms Diana Mtamzeli said the law will protect people’s dignity and urged people to end their relationships amicably if they decide to do so.
Mr Gabriel Muponda said this Act will protect victims of blackmail.
“People who send information or data intended to cause harm are a threat to one’s life, because by sharing that sensitive information they aim to destroy one’s reputation,” he said.
Mr Peter Dimingo welcomed the regulations against the abuse of the internet and social media saying it was long overdue as many people have fallen victims after their private information was shared publicly.