- File Size 317.33 KB
- File Count
- Create Date July 2, 2020
- Last Updated July 2, 2020
Cyber Security and Data Protection Bill [H.B. 18, 2019.]
CYBER SECURITY AND DATA PROTECTION BILL, 2019
The purpose of this Bill is to consolidate cyber related offences and provide for data protection with due regard to the Declaration of Rights under the Constitution and the public and national interest, to establish a Cyber Security Centre and a Data Protection Authority, to provide for their functions, provide for investigation and collection of evidence of cyber crime and unauthorised data collection and breaches, and to provide for admissibility of electronic evidence for such offences. It will create a technology driven business environment and encourage technological development and the lawful use of technology.
The main provisions of the Bill are explained below:
Clause 1 sets out the short title and date of commencement.
Clause 2 provides for the objects of the Bill which are to curb cyber crime and promote cyber security in order to build confidence and trust in communication networks.
Clause 3 provides for the definitions of the terms used in this Bill.
Clause 4 sets out the scope of application of the Bill to include the processing of data wholly or partly by automated means.
Clause 5 provides for the designation of the Cyber Security Centre within the Postal and Telecommunications Regulatory Authority of Zimbabwe (POTRAZ).
Clause 6 provides for the functions of the Cyber Security Centre which shall be among other functions to advise Government and implement Government Policy on cyber crime and cyber security. The Cyber Security Centre shall also promote and coordinate activities focused on improving cyber security and prevention of cyber crime.
Clauses 7 and 8 provides for the designation of the Postal and Telecommunications Regulatory Authority of Zimbabwe (POTRAZ) as Data Protection Authority and the functions thereof.
Part IV and V
Clauses 9 to 14 provides the minimum standards and general rules for a data controller for the processing of data. Part VI
Clauses 15 to 18 provides for the levels of security, integrity and confidentiality of data controllers or their representatives in the protection of data from destruction, unauthorised alteration or access and other unauthorised processing, and the notification of the Authority of any security breaches.
Clauses 19 and 20 provides for the notification of the Authority of the processing of data by any automated means and the scope of such notification.
Clauses 21 and 22 requires the Authority to establish the form and manner
of notification provided in clauses 19 and 20 and the keeping of a register of such notifications.
Cyber SeCurity and data ProteCtion
Clause 24 places the burden of accountability for the protection of data on the
data controller.Part VII
Clause 25 provides for the protection of data subjects from decisions taken on the basis of automatic data processing and the measure of recourse that is available from such automatic data processing to the data subject.
Clauses 26 and 27 deals with the protection of the rights of data subjects who are children or data subjects who may otherwise be incapable of exercising their rights due to some other legal incapacitation in terms of this Act. Such persons rights may be exercised by any such persons as are described in this part.
Clauses 28 and 29 outlines the rules on permissability and non-permissability of the transfer of data outside the Republic of Zimbabwe and the requirements for the authorisation or non-authorisation of the same.
Clause 30 requires the Authority to provide and approve codes of conduct and ethics to be observed by data controller and categories of data controllers.
Clause 31 provides for the establishment and management of a whistle blowing system by the Authority. Part XI
Clause 32 provides for the Minister to make regulations in consultation with the Authority to give effect to the Bill.
Clause 33 sets out the offences and the penalties thereof under this Bill.
Clause 35 deals with consequential amendments to the Criminal Code by the introduction of this Bill. This part amends the Criminal Law (Codification and reform) Act [Chapter 9:23] by the repeal of sections 163 to 166, which are therefore expanded in scope and application. Part I
Clauses 163 to 163E deals with hacking and to prevent interfering, impairing the functions on a computer system which house data vital to the country that the incapacity of such would have debilitating impact on security. It further deals with security and protection of data on computers so that data is not obtained, installed downloaded or modified illegally by means of technology. It also curbs acquisition, possession, production, selling, procuring and distribution for use imports designed or adapted for the purpose of committing an offence. Clause 163F
In this Part an offence is committed in aggravating circumstances if committed with or in furtherance of the commission or attempted commission of a crime against the State specified in Part 111 of the Criminal code.
Clause 164 deals with transmission of data messages inciting violence or damage to property.
Clause 164A deals with protection of citizens from receiving threatening messages.
Clause 164B Cyber bullying and harassment deals with any data message which is send to coerce, harass or intimidate. Clause 164C
The section seeks to punish any person who distributes, make available or broadcasts data concerning an identified or identifiable person knowing it to be false intending to cause psychological or economic harm.
Clause 164D deals with messages classified as spam and liability is excluded if the multiple electronic transmission is done within a customer or business relationship. Clause 164E deals with the transmission of data with intimate images without consent.
Clause 164F deals with Production and dissemination of racist and xenophobic material such as the use of language that tends to lower the reputation or feelings of persons for the reason that they belong to a group of persons distinguished on the grounds set out in section 56(3) of the Constitution.
Clause 164G The section seeks to protect any person whose identity is acquired transferred, possessed or used by using a computer or computer information systems with intent to commit or assist in commission of a crime.
Clauses 165 and 165A deals with pornography involving a child or exposing pornography to children.
Clause 165B deals with process in the search and seizure in electronic evidence. Clause 165C provides the manner and form in which data is preserved for use of investigation.
Clause 166 provides for the obligations and immunity of the service provider who has not initiated or modified the transmission or selected the receiver of a data transmission.
Clause 166A deals with jurisdiction issues of courts in Zimbabwe when dealing with offences in this Bill.
Clause 166B provides for the admissibility of electronic evidence.
Clause 166C provides that upon conviction under this Act the Court may order forfeiture to the state of proceeds of such offence.
Clause 166D provides that the Cyber Security Committee may, with the approval of the Minister issue such guidelines as may be necessary for the carrying out of the provisions of this Act as relates to its functions under this Bill.
CYBER SECURITY AND DATA PROTECTION BILL, 2019
ARRANGEMENT OF SECTIONS
Preliminary Section 1. Short title.
establishment of Cyber SeCurity Centre
- Designation of Postal and Telecommunications Regulatory Authority as Cyber Security Centre.
- Functions of Cyber security centre. PART III
data ProteCtion authority
- Designation of Postal and Telecommunications Regulatory Authority as Data Protection Authority.
- Functions of Data Protection Authority.
Quality of data 9. Quality of data.
General rules on the ProCessinG of data
- Non-sensitive data.
- Sensitive information.
- Genetic data, biometric sensitive data and health data. PART VI
duties of the data Controller and data ProCessor
- Disclosures when collecting data directly from data subject.
- Disclosures when not collecting data directly from data subject.
- Authority to process.
- Security breach notification.
- Obligation of notification to Authority. 21. Content of notification.
- Openness of processing.
PART VII data subjeCt Section 25. Decision taken on basis of Automatic Data Processing.
- Representation of data subjection who is a child.
- Representation of physically, mentally or legally incapacitated data subjects. PART VIII transborder flow
- Transfer of personal information outside Zimbabwe.
- Transfer to a country outside the Republic of Zimbabwe which does not assure an adequate level of protection.
Code of ConduCt 30. Code of conduct.
PART X whistleblowinG 31. Whistleblower.
- Offences and penalties.
- Amendment of Cap. 9:23.
An Act to provide for data protection with due regard to the Declaration of Rights under the Constitution and the public and national interest; to establish a Cyber Security Centre and a Data Protection Authority and
5 to provide for their functions; to create a technology driven business environment and encourage technological development and the lawful use of technology; to amend sections 162 to 166 of the Criminal Code (Codification and Reform) Act [Chapter 9:23] to provide for investigation and collection of evidence of cyber crime and unauthorised
10 data collection and breaches, and to provide for admissibility of electronic evidence for such offences; and to provide for matters connected with or incidental to the foregoing.
ENACTED by the Parliament and the President of Zimbabwe.
1 Short title
This Act may be cited as the Cyber Security and Data Protection Act [Chapter 11:22].
H.B. 18, 2019.]
Printed by the Government Printer, Harare
In this Act—
“child” means any person under the age of eighteen years;
“code of conduct” refers to the Data Use Charters drafted by the data controller in order to institute the rightful use of IT resources, the Internet, and electronic communications of the structure concerned, and which have been approved by the Data Protection Authority;
“consent” refers to any manifestation of specific unequivocal, freely given, informed expression of will by which the data subject or his or her legal, judicial or legally appointed representative accepts that his or her data be processed;
“critical database” means a computer data storage medium or any part thereof which contains critical data;
“data” means any representation of facts, concepts, information, whether in text, audio, video, images, machine-readable code or instructions, in a form suitable for communications, interpretation or processing in a computer
device, computer system, database, electronic communications network or related devices and includes a computer programme and traffic data;
“data controller or controller” refers to any natural person or legal person who is licensible by the Authority;
“data controller’s representative or controller’s representative” refers to any natural person or legal person who performs the functions of the data controller in compliance with obligations set forth in this Act;
“data processor” refers to a natural person or legal person, who processes data for and on behalf of the controller and under the controller’s instruction, except for the persons who, under the direct employment or similar authority of the controller, are authorised to process the data;
“data protection authority or authority” refers to Postal and Telecommunications Regulatory Authority of Zimbabwe established in terms of section 5 of the Postal and Telecommunications Act [Chapter 12:05];
“data protection officer or DPO” refers to any individual appointed by the data controller and is charged with ensuring, in an independent manner, compliance with the obligations provided for in this Act;
“data subject” refers to an individual who is an identifiable person and the subject of data;
“disproportionate effort” means effort that is so labour intensive as to consume a lot of time, money and manpower resources;
“electronic communications network” means any electronic communications infrastructures and facilities used for the conveyance of data;
“genetic data: refers to any personal information stemming from a Deoxyribonucleic acid (DNA) analysis;
|“health professional” refers to any individual determined as such by|
The object of this Act is to increase cyber security in order to build confidence and trust in the secure use of information and communication technologies by data controllers, their representatives and data subjects.
“identifiable person” means a person who can be identified directly or indirectly, in particular by reference to an identification number or to one or more
factors specific to his or her physical, physiological, mental, economic, cultural or social identity;
“Minister” means the Minister responsible for information and communications technologies;
“personal information” means information relating to a data subject, and includes—
- the person’s name, address or telephone number;
- the person’s race, national or ethnic origin, colour, religious or political beliefs or associations;
10 (c) the person’s age, sex, sexual orientation, marital status or family status;
- an identifying number, symbol or other particulars assigned to that person;
- fingerprints, blood type or inheritable characteristics;
15 (f) information about a person’s health care history, including a physical or mental disability;
- information about educational, financial, criminal or employment history;
- opinions expressed about an identifiable person;
20 (i) the individual’s personal views or opinions, except if they are about someone else; and
(j) personal correspondence pertaining to home and family life;
“processing” refers to any operation or set of operations which are performed upon data, whether or not by automatic means, such as obtaining recording
25 or holding the data or carrying out any operation or set of operations on data, including—
(a) organisation, adaptation or alteration of the data; (b) retrieval, consultation or use of the data; or
(c) alignment, combination, blocking, erasure or destruction of the data;
30 “recipient” a natural or legal person, agency or any other body to whom personal information is disclosed by a data controller, whether a third party or not; however, persons who receive personal information in the framework of a particular legal inquiry shall not be regarded as recipients;
“sensitive data” refers to—
|(i) racial or ethnic origin;
(ii) political opinions;
(iii) membership of a political association;
(iv) religious beliefs or affiliations;
(v) philosophical beliefs;
(vi) membership of a professional or trade association;
(vii) membership of a trade union;
(viii) sex life;
(ix) criminal educational, financial or employment history;
|(x) gender, age, marital status or family status;|
35 (a) information or any opinion about an individual which reveals or contains the following—
- health information about an individual;
- genetic information about an individual; or
- any information which may be considered as presenting a major
50 risk to the rights of the data subject;
“third party” refers to any natural or legal person or organisation other than the data subject, the controller, the processor and anyone who, under the direct authority of the controller or the processor, is authorised to process the data;
“transborder flow” refers to international flows of data by the means of 5 transmission including data transmission electronically or by satellite;
“whistleblowing” refers to legal provisions permitting individuals to report the behaviour of a member of their organisation which, they consider contrary to a law or regulation or fundamental rules established by their
- This Act shall apply to matters relating to access to information, protection of privacy of information and processing of data wholly or partly by automated means: and shall be interpreted as being in addition to and not in conflict or inconsistent with
the Protection of Personal Information Act [Chapter........]. 15
- Subject to subsection (1) this Act shall be applicable—
- to the processing of data carried out in the context of the effective and actual activities of any data controller;
- to the processing of data by a controller who is not permanently established in Zimbabwe, if the means used, whether electronic or otherwise is located 20
in Zimbabwe, and such processing is not for the purposes of the mere transit of data through Zimbabwe.
(3) In the circumstances referred to in subsection (2)(b), the controller shall designate a representative established in Zimbabwe, without prejudice to legal
proceedings that may be brought against the controller. 25
establishment of Cyber seCurity Centre
5 Designation of Postal and Telecommunications Regulatory Authority as Cyber Security Centre
The Postal and Telecommunications Regulatory Authority established in terms 30 of the Postal and Telecommunications Act [Chapter 12:05] is hereby designated as the Cyber Security Centre.
6 Functions of Cyber security Centre
The functions of the Cyber Security Centre shall be to—
- advise Government and implement Government policy on cyber crime 35 and cyber security;
- identify areas for intervention to prevent cyber crime;
- coordinate cyber security and establish a national contact point available
- establish and operate a protection-assured whistle-blower system that will 40
enable members of the public to confidentially report to the Committee cases of alleged cyber crime;
- promote and coordinate activities focused on improving cyber security
and preventing cyber crime by all interested parties in the public and
private sectors; 45
- provide guidelines to public and private sector interested parties on matters relating to awareness, training, enhancement, investigation, prosecution and combating cyber crime and managing cyber security threats;
- oversee the enforcement of the Act to ensure that it is enforced reasonably and with due regard to fundamental human rights and freedoms;
- provide technical and policy advice to the Minister;
- advise the Minister on the establishment and development of a
comprehensive legal framework governing cyber security matters. PART III
10 data ProteCtion authority
7 Designation of Postal and Telecommunications Regulatory Authority as Data Protection Authority
The Postal and Telecommunications Regulatory Authority established in terms of the Postal and Telecommunications Act [Chapter 12:05] is hereby designated as the 15 Data Protection Authority.
8 Functions of Data Protection Authority
(1) The Authority shall perform the following functions—
(a) to regulate the manner in which personal information may be processed through the establishment of conditions for the lawful processing of data;
20 (b) to promote and enforce fair processing of data in accordance with this Act;
(c) to issue its opinion either of its own accord, or at the request of any person with a legitimate interest, on any matter relating to the application of the fundamental principles of the protection of privacy, in the context of this
(d) to submit to any Court any administrative act which is not compliant with the fundamental principles of the protection of the privacy in the framework of this Act as well as any law containing provisions regarding the protection of privacy in relation to the processing of data
30 in consultation with Minister responsible for Information, Publicity and Broadcasting Services;
- to advise the Minister on matters relating to right to privacy and access to information;
- to conduct inquiries or investigations either of its own accord or at the
35 request of the data subject or any interested person, and in relation thereto may call upon the assistance of experts to carry out its functions and may request the disclosure of any documents that may be of use for their inquiry or investigation;
- to receive, by post or electronic means or any other equivalent means, 40 the complaints lodged against data processing and give feed-back to the claimants or complainants;
- to investigate any complaint received in terms of this Act howsoever received;
- to conduct research on policy and legal matters relating to the development
45 of international best practices on the protection of personal information in Zimbabwe and advise the Minister accordingly;
(j) in consultation with the Minister, to facilitate cross border cooperation in the enforcement of privacy laws and participating at national, regional
and international forums mandated to deal with the protection of personal
(2) Subject to this Act, the Authority shall not, in the lawful exercise of its
functions under this Act, be subject to the direction or control of any person or authority.
PART IV 5
Quality of data
- Quality of Data
- The data controller shall ensure that data processed is—
- adequate, relevant and not excessive in relation to the purposes for which
it is collected or further processed; 10
- accurate and, where necessary, kept up-to-date;
- retained in a form that allows for the identification of data subjects, for
no longer than necessary with a view to the purposes for which the data
is collected or further processed.
- The data controller shall take all appropriate measures to ensure that data 15
processed shall be accessible regardless of the technology used and ensure that the
evolution of technology shall not be an obstacle to the access or processing of such
- The controller shall ensure compliance with the obligations set out in
subsections (1) and (2) by any person working under his or her authority and any 20
General rules on the ProCessinG of data
The data controller shall ensure that the processing of data is necessary and that 25
the data is processed fairly and lawfully.
- The data controller shall ensure that data is collected for specified, explicit
and legitimate purposes and, taking into account all relevant factors, especially the
reasonable expectations of the data subject and the applicable legal and regulatory 30
provisions, that the data is not further processed in a way incompatible with such
- Under the conditions established by the Authority, further processing of data
for historical, statistical or scientific research purposes is not considered incompatible.
- Non-sensitive data 35
- Personal information may only be processed if the data subject or a
competent person, where the data subject is a child, consents to the processing of such
- The consent referred to in subsection (1) may be implied where the data
subject is an adult natural person or has a legal persona and has full legal capacity to 40
- The processing of non-sensitive data is permitted, without the consent of the data subject, where necessary for purposes of—
- being material as evidence in proving an offence; or
- compliance with an obligation to which the controller is subject by or by virtue of a law; or
- protecting the vital interests of the data subject; or
- performing a task carried out in the public interest, or in the exercise of
the official authority vested in the controller, or in a third party to whom the data is disclosed; or
10 (e) promoting the legitimate interests of the controller or a third party to whom the data is disclosed, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject claiming protection under this Act.
(4) The Authority may specify the circumstances in which the condition 15 stipulated under subsection (3)(e) are considered as having been met.
13 Sensitive information
(1) In relation to the processing of sensitive personal information—
(a) the processing of sensitive data is prohibited unless the data subject has given consent in writing for such processing;
20 (b) the consent may be withdrawn by the data subject at any time and without any explanation and free of charge;
(c) the Authority shall determine the circumstances in which the prohibition to process the data referred to in this section cannot be lifted even with the data subject’s consent “taking into account the factors surrounding 25 the prohibition and the reasons for collecting the data”. (2)