Data is arguably the most valuable and vulnerable asset of a business, and organisations need to ensure that their data mining and data protection stay within the bounds of the law. The Zimbabwean Cyber Security and Data Protection Bill, 2019 (the Bill) is a move towards creating a more robust framework for the utilisation and protection of data.
How does the Bill seek to protect businesses operating in Zimbabwe?
The Bill applies to corporates and other business entities
In its preamble, the Bill states that it seeks to create a technology-driven business environment and encourage technological development and the lawful use of technology. Suffice it to mention that most businesses have resorted to more usage and collection of data due to the COVID-19 pandemic and the resultant national lockdowns. Technology is now the medium of trade and it identifies the distinctiveness of the business. The increase in business data usage through technology cannot be separated from the associated risks, such as hacking and corruption of data. The Bill is a realisation that the operation of a modern business is inseparable from the use of technology devices and infrastructure.
The object of the Bill as enunciated in section 2 is to increase cyber security in order to build confidence and trust in the secure use of information and communication technologies by data controllers, their representatives and data subjects. The confidence and trust of a target market are key for every business.
Designation of Postal and Telecommunications Regulatory Authority as the Data Protection Authority
Section 7 of the Bill designates the Postal and Telecommunications Regulatory Authority established in terms of the Postal and Telecommunications Act [Chapter 12:05] as the Data Protection Authority (DPA). In terms of section 8 of the Bill, the DPA is granted regulatory powers to establish conditions for the lawful processing of data by publishing guidelines on data processing and data protection. By giving the DPA regulatory powers, the Bill offers a platform for flexibility as technology changes.
Further, corporates may lodge any complaints that they have with regard to data processing or related issues with the DPA, which has powers to receive such complaints and investigate.
Designation of Postal and Telecommunications Regulatory Authority as the Cyber Security Centre
In terms of section 5, the Postal and Telecommunications Regulatory Authority is designated as the Cyber Security Centre (SCC). In order to safeguard the security, integrity and confidentiality of the data, the SCC is enjoined to take the appropriate technical and organisational measures that are necessary to protect data from negligent or unauthorised destruction, negligent loss, unauthorised alteration or access and any other unauthorised processing of the data.
Amendment of Criminal Law (Codification and Reform) Act [Chapter 9:23]
Part XII of the Bill seeks to amend the Criminal Law (Codification and Reform) Act [Chapter 9:23] (the Code). The Bill defines various computer-related crimes by giving them a scope that is consonant with modern technology. The following are computer-related crimes defined by the Bill: Hacking (section 163), Unlawful acquisition of data (section 163A), Unlawful interference with data or data storage medium (section 163B), Unlawful interference with computer system (section 163C), Unlawful disclosure of data code (section 163D) and Unlawful use of data or devices (section 163DE). Most of these crimes attract a maximum fine of level 14 (ZWD 120,000.00) and imprisonment not exceeding 10 years. The Bill therefore does not categorise these as petty crimes. The criminalisation of such acts provides a deterrent against breaches of data. This supplements the data protection that is offered by the Bill.
The Bill establishes an office of the Data Protection Officer (DPO), who is any individual appointed by the data controller and is charged with ensuring, in an independent manner, compliance with the obligations provided for in the Bill. It is incumbent upon the DPA to craft guidelines on the qualifications of the DPO.
The Cyber Crime and Data Protection Bill is a welcome development to businesses operating in Zimbabwe. Its aim is to create a technology-driven business environment which is in sync with modern-day business operations and in alignment with the now globally recognised General Data Protection Regulations.
Authors: Farai Nyabereka and Allen Kadye.