There is no single standalone law on data protection in Tanzania. Article 16 of the Constitution of the United Republic of Tanzania, 1977 (“Constitution”) affords a fundamental right to privacy. This right encompasses private and family life, the home and private communication, including mail, telephone communications and emails in the workplace, and has wide-ranging applications, including data protection.
As a result, there is sector-specific legislation which imposes data protection principles and rules that must be followed by those engaged in the processing of personal data, e.g., in the electronic and postal communications, financial and health sectors. Below are examples of some of the applicable laws:
- The Electronic and Postal Communications Act, 2010 (“EPOCA”)
- The Electronic and Postal Communications (Consumer Protection) Regulations, GN. No. 61 of 2018 (“Consumer Protection Regulations”)
- The Electronic and Postal Communications (Licensing) Regulations, 2018 (“Licensing Regulations”)
- The Electronic and Postal Communications (Computer Emergency Response Team) Regulations, 2018 (“CERT Regulations”)
- The National Payment System Act, 2015 (“NPS Act”)
- The Bank of Tanzania (Financial Consumer Protection) Regulations, 2019 (“Financial Consumer Protection”)
Definition of Personal Data
None. There is no law which defines personal data.
Definition of Sensitive Personal Data
None. There is no law which defines sensitive personal data.
There is no specific national data protection authority. The relevant authority depends on the affected sector. For instance, the Tanzania Communications Regulatory Authority (TCRA) is the national data protection authority in relation to electronic and postal communications, and the Bank of Tanzania (BOT) is the national data protection authority for financial services.
None. There are no legal obligations for data controllers or processors to register with a supervisory authority.
None. There are no legal requirements on data controllers or processors to designate a data protection officer.
The collection, storage and disclosure of information relating to private life interferes with the fundamental right to privacy. Article 16(2) of the Constitution provides that any interference requires justification and must be in accordance with the law (i.e., legal procedures laid down by state authority).
For instance, EPOCA requires electronic communications services and postal services licensees to collect, process and store personal data of customers in a manner which is:
- lawful and fair;
- for identified purposes;
- accurate;
- protects against improper or accidental disclosure;
- in accordance with the consumer’s other rights.[1]
Financial services providers are required to collect personal data of consumers within the limits established by the regulations and with the consumer’s consent, where applicable. Such data must be used exclusively for the purpose for which it is collected.[2] A financial service provider must make rules for the collection and usage of data, including the means, purpose and types of data that may be collected and retained.
Any collection and processing of personal data in any other sector must be carried out in accordance with the laws applicable to that sector.
Footnotes
[1] Regulation 6, Consumer Protection Regulations
[2] Regulation 37 of Financial Consumer Protection Regulations
Any transfer of personal data requires justification and must be in accordance with the law (i.e., legal procedures laid down by state authority).
For instance, EPOCA restricts transfers of personal data (including outside Tanzania) by electronic communications services and postal services licensees. Such data may only be transferred if the following conditions are met:
- the transfer is in accordance with the terms and conditions agreed with the data subject; and either
- the TCRA has approved or permitted the transfer; or
- the transfer is permitted or required by any applicable law.
Financial service providers can only transfer personal data of consumers with the consent of the data subject unless otherwise authorized by the law or court order.
Article 16 of the Constitution implies that personal data must be collected, processed, and stored in a manner that ensures appropriate security. This includes protection against unauthorised or unlawful disclosure or processing and against accidental loss, destruction, or damage.
Generally, data controllers are expected to notify any personal data breach to the relevant national supervisory authority and, in certain cases, to the affected data subject.
Mandatory breach notification
Electronic communication services providers are required to notify the Computer Emergency Response Team of any data security breaches and of the measures undertaken to prevent recurrence of the threat.
Enforcement powers are found in the specific sector legislation. National supervisory authorities have a number of investigative and corrective powers.
Electronic marketing is prohibited unless the consumer consents to the communication and the person sending the same discloses its identity and purpose at the beginning of the communication and gives an opt-out option to reject further communication.[1]
Financial services providers are prohibited from sharing consumers’ information with a third party for any purpose, including electronic marketing, unless such information is used for a purpose consistent with the purpose for which it was originally collected, and the provider obtains the consumer’s prior written consent before using such information for future promotional offers.[2]
Footnotes
[1] Section 32(1), Electronic Transactions Act, 2015 and Regulation 9(3), VAS Regulations
[2] Regulation 39(b) and (c), Financial Consumer Protection Regulations
Every data collector and processor has a general obligation to ensure any confidential information it collects, maintains or processes is protected against improper or accidental disclosure.
Licensed online content service providers are required to ensure that online contents are safe, secure and do not contravene the provisions of any law. They are also required to use passwords to protect any user equipment, access equipment or hardware and prevent unauthorized access or use by unintended persons.[1]
Payment system providers are required to protect privacy of any participant and customer information and not disclose such information unless the disclosure is in compliance with the law, an order of a court or with the express consent of the system participant or consumer concerned.[2]