DLA Piper Intelligence

Data Protection
Laws of the World

Law

Zimbabwe
Zimbabwe

The protection of privacy is a principal enshrined in Zimbabwe's Constitution. Whilst there is no designated national legislation dealing with data protection for private persons in Zimbabwe yet, there are existing laws that have a bearing on the right to privacy and protection of personal information for specified types of data, or in relation to specific activities.

The Access to Information and Protection of Privacy Act (Chapter 10:247) is the law which contains the most provisions on data protection. However, this generally only regulates the use of personal data by public bodies.

Other laws refer to the protection of information as a function of other activities or the protection of specific types of data such as the Courts and Adjudicating Authorities (Publicity Restrictions) Act (Chapter 07:04), the Census and Statistics Act (Chapter 10:29), Banking Act (Chapter 24:20), National Registration Act (Chapter 10:17) and the Interception of Communications Act (Chapter 11:20).

In August 2016 Cabinet, which is the highest government approval body, approved the Revised ICT Policy. According to the approved ICT policy, the establishment of an institutional framework for enacting legislation dealing specifically with digital data protection matters and cyber security is anticipated.

Last modified 26 Jan 2017
Law
Zimbabwe

The protection of privacy is a principal enshrined in Zimbabwe's Constitution. Whilst there is no designated national legislation dealing with data protection for private persons in Zimbabwe yet, there are existing laws that have a bearing on the right to privacy and protection of personal information for specified types of data, or in relation to specific activities.

The Access to Information and Protection of Privacy Act (Chapter 10:247) is the law which contains the most provisions on data protection. However, this generally only regulates the use of personal data by public bodies.

Other laws refer to the protection of information as a function of other activities or the protection of specific types of data such as the Courts and Adjudicating Authorities (Publicity Restrictions) Act (Chapter 07:04), the Census and Statistics Act (Chapter 10:29), Banking Act (Chapter 24:20), National Registration Act (Chapter 10:17) and the Interception of Communications Act (Chapter 11:20).

In August 2016 Cabinet, which is the highest government approval body, approved the Revised ICT Policy. According to the approved ICT policy, the establishment of an institutional framework for enacting legislation dealing specifically with digital data protection matters and cyber security is anticipated.

Last modified 26 Jan 2017
Definitions

Definition of personal data

The Access to Information and Protection of Privacy Act defines personal information as recorded information about an identifiable person which includes:

  • the person's name, address or telephone number
  • the person's race, national or ethnic origin, religious or political beliefs or associations
  • the person's age, sex, sexual orientation, marital status or family status
  • an identifying number, symbol or other particulars assigned to that person
  • fingerprints, blood type or inheritable characteristics
  • information about a person's health care history, including a physical or mental disability
  • information about educational, financial, criminal or employment history
  • a third party's opinions about the individual
  • the individual's personal views or opinions, (except if they are about someone else), and
  • personal correspondence with home or family.

Definition of sensitive personal data

There is no law which defines sensitive personal data.

Last modified 26 Jan 2017
Authority

There is no data protection authority. However, the Zimbabwe Media Commission's mandate does include the following:

  • ensuring that the people of Zimbabwe have equitable and wide access to information
  • commenting on the implications of proposed legislation or programmes of public bodies on access to information and protection of privacy
  • commenting on the implications of automated systems for collection, storage, analysis or transfer of information or for the access to information or protection of privacy
  • amongst other functions.

The approved ICT Policy proposes the establishment of a quasi-government entity to monitor internet traffic. It states that all internet gateways and infrastructure will be controlled by a single company, while a National Data Centre to support both public and high security services and information will be set up.

Last modified 26 Jan 2017
Registration

There is no law that requires the registration of databases.

Last modified 26 Jan 2017
Data Protection Officers

There is no provision to appoint data protection officers.

Last modified 26 Jan 2017
Collection & Processing

There are no specific provisions for the collectors of personal data to obtain the prior approval of data subjects for the processing of their personal data.

The Census and Statistics Act contains provisions which restrict the use and disclosure of information obtained during the conducting of a census exercise. Under this act authorities are authorised to collect, compile, analyse and abstract statistical information relating to the:

  • commercial
  • industrial
  • agricultural
  • mining
  • social
  • economic
  • and general activities and conditions of the inhabitants of Zimbabwe and to publish such statistical information.
Last modified 26 Jan 2017
Transfer

The transfer of personal data to any other jurisdiction is not specifically restricted. 

Last modified 26 Jan 2017
Security

The approved ICT policy states that there will be development, implemention and promotion of appropriate security and legal systems for e-commerce including issues related to cyber security, data protection and e-transactions. The Policy states that the following laws will be enacted to cater for intellectual property rights, data protection and security, freedom of access to information, computer related and cybercrime laws: (i) data protection and privacy (ii) Intellectual property protection and copyright (iii) consumer protection and (iv) child online protection.

Last modified 26 Jan 2017
Breach Notification

Breach notification

There is no law which requires data protection officers to report a breach.

Mandatory breach notification

There are no mandatory breach notification provisions.

Last modified 26 Jan 2017
Enforcement

The Constitution mandates the Human Rights Commission (HRC) to enforce a citizen's human rights where they have been violated. The right to privacy, including the right not to have the privacy of one's communication infringed is enshrined as a basic human right, which therefore falls within the purview of the HRC.  However, the Monitoring of Interception of Communications Centre (MICC), established by the Interception of Communications Act, is mandated to, among other things, monitor communications made over telecommunications, radio communications and postal systems and to give technical advice to service providers. The mandate of the MICC does not preclude it from monitoring computer based data for the purposes of enforcing an individual's right to privacy where it is found that such right has been infringed.

Last modified 26 Jan 2017
Electronic Marketing

The Government is currently working on a Consumer Protection Act, which seeks to protect consumers from unfair trade practices.  The draft Consumer Protection Bill does not make reference to electronic marketing, nor does it provide for consumer privacy rights in respect of personal data. 

Last modified 26 Jan 2017
Online Privacy

There is currently no specific online privacy legislation. 

Last modified 26 Jan 2017
Contacts
Bridget Mafusire
Bridget Mafusire
Associate
T +263 4 746 787
Lloyd Manokore
Lloyd Manokore
Partner
T +263 4 746 787
Last modified 26 Jan 2017