DLA Piper Intelligence

Data Protection
Laws of the World

Law

Zimbabwe
Zimbabwe

The protection of privacy is a principal enshrined in Zimbabwe's Constitution. While there is no designated national legislation dealing with data protection for private persons in Zimbabwe yet, there are existing laws that have a bearing on the right to privacy and protection of personal information for specified types of data, or in relation to specific activities.

The Access to Information and Protection of Privacy Act (Chapter 10:247) contains the most provisions on data protection. However, this generally only regulates the use of personal data by public bodies.

Other laws refer to the protection of information as a function of other activities or the protection of specific types of data, such as the Courts and Adjudicating Authorities (Publicity Restrictions) Act (Chapter 07:04), the Census and Statistics Act (Chapter 10:29), Banking Act (Chapter 24:20), National Registration Act (Chapter 10:17) and the Interception of Communications Act (Chapter 11:20).

In August 2016, Cabinet, which is the highest government approval body, approved the Revised National Policy for Information Communication Technology (“ICT Policy”). According to the approved ICT Policy, the establishment of an institutional framework for enacting legislation dealing specifically with digital data protection matters and cybersecurity is anticipated.

Last modified 28 Jan 2019
Law
Zimbabwe

The protection of privacy is a principal enshrined in Zimbabwe's Constitution. While there is no designated national legislation dealing with data protection for private persons in Zimbabwe yet, there are existing laws that have a bearing on the right to privacy and protection of personal information for specified types of data, or in relation to specific activities.

The Access to Information and Protection of Privacy Act (Chapter 10:247) contains the most provisions on data protection. However, this generally only regulates the use of personal data by public bodies.

Other laws refer to the protection of information as a function of other activities or the protection of specific types of data, such as the Courts and Adjudicating Authorities (Publicity Restrictions) Act (Chapter 07:04), the Census and Statistics Act (Chapter 10:29), Banking Act (Chapter 24:20), National Registration Act (Chapter 10:17) and the Interception of Communications Act (Chapter 11:20).

In August 2016, Cabinet, which is the highest government approval body, approved the Revised National Policy for Information Communication Technology (“ICT Policy”). According to the approved ICT Policy, the establishment of an institutional framework for enacting legislation dealing specifically with digital data protection matters and cybersecurity is anticipated.

Last modified 28 Jan 2019
Definitions

Definition of personal data

The Access to Information and Protection of Privacy Act defines personal information as recorded information about an identifiable person which includes:

  • The person's name, address or telephone number
  • The person's race, national or ethnic origin, religious or political beliefs or associations
  • The person's age, sex, sexual orientation, marital status or family status
  • An identifying number, symbol or other particulars assigned to that person
  • Fingerprints, blood type or inheritable characteristics
  • Information about a person's healthcare history, including a physical or mental disability
  • Information about educational, financial, criminal or employment history
  • A third party's opinions about the individual
  • The individual's personal views or opinions (except if they are about someone else)
  • Personal correspondence with home or family

Definition of sensitive personal data

There is no law that defines sensitive personal data.

Last modified 28 Jan 2019
Authority

There is currently no data protection authority, however, a provision in the Draft Data Protection Bill ("Draft Bill") that has been placed on the Government's Legislative Agenda for 2018-2019, creates a Data Protection Authority. According to the Draft Bill, this Authority will promote and enforce the fair processing of personal data and advise the Minister of Information Communication Technology on matters relating to privacy rights. The Authority will also conduct inquiries and investigations either on its own accord or on the request of any interested person in relation to data protection rights.

Under the Draft Bill, a data protection officer must be appointed to ensure the compliance with all obligations provided for in the Draft Bill. The Draft Bill further provides for the definition of sensitive data, which includes political opinions, religious beliefs and affiliations, and any information which may present a major risk to the risks of the data subject.

The Zimbabwe Media Commission's mandate does the following:

  • Ensures that the people of Zimbabwe have equitable and wide access to information
  • Comments on the implications of proposed legislation or programs of public bodies on access to information and protection of privacy
  • Comments on the implications of automated systems for collection, storage, analysis or transfer of information or for the access to information or protection of privacy

The Revised ICT Policy proposes the establishment of a quasi-government entity to monitor Internet traffic. It states that all Internet gateways and infrastructure will be controlled by a single company, while a National Data Centre to support both public and high security services and information will be established.

Last modified 28 Jan 2019
Registration

There is no law that requires the registration of databases.

Last modified 28 Jan 2019
Data Protection Officers

There is no provision to appoint data protection officers.

Last modified 28 Jan 2019
Collection & Processing

There are no specific provisions for the collectors of personal data to obtain the prior approval of data subjects for the processing of their personal data.

The Census and Statistics Act contains provisions which restrict the use and disclosure of information obtained during the conducting of a census exercise. Under this Act, authorities are able to collect, compile, analyze and abstract statistical information relating to any of the following:

  • Commercial
  • Industrial
  • Agricultural
  • Mining
  • Social
  • Economic 
  • General activities and conditions of the inhabitants of Zimbabwe and to publish such statistical information
Last modified 28 Jan 2019
Transfer

The transfer of personal data to any other jurisdiction is not specifically restricted.

Last modified 28 Jan 2019
Security

The Revised ICT Policy states that there will be development, implementation and promotion of appropriate security and legal systems for e-commerce, including issues related to cybersecurity, data protection and e-transactions. The Policy states that the following laws will be enacted to cater for intellectual property rights, data protection and security, freedom of access to information, computer related and cybercrime laws: (i) data protection and privacy, (ii) intellectual property protection and copyright, (iii) consumer protection and (iv) child online protection.

Last modified 28 Jan 2019
Breach Notification

Breach notification

There is no law which requires data protection officers to report a breach.

Mandatory breach notification

There are no mandatory breach notification provisions.

Last modified 28 Jan 2019
Enforcement

The Constitution mandates the Human Rights Commission (HRC) to enforce a citizen's human rights where they have been violated. The right to privacy, including the right not to have the privacy of one's communication infringed, is a basic human right and, thus, falls within the purview of the HRC. However, the Monitoring of Interception of Communications Centre (MICC), established by the Interception of Communications Act, is mandated to, among other things, monitor communications made over telecommunications, radio communications and postal systems and to give technical advice to service providers. The mandate of the MICC does not preclude it from monitoring computer-based data for the purposes of enforcing an individual's right to privacy where it is found that such right has been infringed.

Last modified 28 Jan 2019
Electronic Marketing

The government is currently working on a Consumer Protection Act, intended to introduce requirements to protect consumers from unfair trade practices. The draft Consumer Protection Act does not make reference to electronic marketing, nor does it provide for consumer privacy rights with respect to personal data.

Last modified 28 Jan 2019
Online Privacy

There is currently no specific online privacy legislation.

Last modified 28 Jan 2019
Contacts
Farai Nyabereka
Farai Nyabereka
Partner
T T +263 4 746 787
Lloyd Manokore
Lloyd Manokore
Partner
T +263 4 746 787
Last modified 28 Jan 2019