DATA PROTECTION ACT

Arrangement of Sections

   Section

PART I
PRELIMINARY

   1.   Short title

   2.   Interpretation

   3.   Application

PART II
OFFICE OF THE DATA PROTECTION COMMISSIONER

   4.   Establishment of Office of Data Protection Commissioner

   5.   Data Protection Commissioner

   6.   Appointment of Deputy Data Protection Commissioners and other staff

PART III
INSPECTORATE

   7.   Inspector

   8.   Power of inspectors

   9.   Arrest without warrant

   10.   Seizure of property

   11.   Restoration of property

PART IV
PRINCIPLES AND RULES RELATING TO PROCESSING OF PERSONAL DATA

   12.   Principles relating to processing of personal data

   13.   Processing of personal data

   14.   Processing of sensitive personal data

   15.   Consent, justification and objection

   16.   Collection of personal data

   17.   Processing of child and vulnerable person's personal data

   18.   Offence and penalty for contravention of personal data obligation

PART V
REGULATION OF DATA CONTROLLERS, DATA PROCESSORS AND DATA AUDITORS

   19.   Prohibition from controlling or processing personal data without registration

   20.   Application for registration as data processor or data controller

   21.   Registration of data controller and data processor

   22.   Renewal of certificate of registration

   23.   Change in details of data controller or data processor

   24.   Suspension or cancellation of registration

   25.   Re-registration

   26.   Surrender of certificate of registration

   27.   Exemption from registration

   28.   Power to forbear

PART VI
DATA AUDITORS

   29.   Data auditors

   30.   Application for licence

   31.   Issue of licences

   32.   Conditions of licence

   33.   Variation of licence

   34.   Surrender of licence

   35.   Transfer of licence

   36.   Suspension and cancellation

   37.   Renewal of licence

   38.   Functions of data auditor

PART VII
EXEMPTION FROM PRINCIPLES AND RULES OF PROCESSING OF DATA

   39.   National security, defence and public order

   40.   Prevention, detection, investigation and prosecution of contraventions of law

   41.   Processing for purposes of legal proceedings

   42.   Research, archiving or statistical purposes

   43.   Journalistic purpose

   44.   Processing to be lawful and legitimate

PART VIII
DUTIES OF DATA CONTROLLER AND DATA PROCESSOR

   45.   Record of processing activities

   46.   Data protection impact assessment

   47.   Security of processing

   48.   Appointment of data protection officer

   49.   Notification of security breach

   50.   Accountability

   51.   Data retention

   52.   Duties of data processor

   53.   Non-disclosure of personal data

   54.   Joint controllers

   55.   Offence by data controller

   56.   Personal data in legal proceedings

   57.   Notification

PART IX
RIGHTS OF THE DATA SUBJECT

   58.   Right of access and notification

   59.   Right to rectification

   60.   Right to erasure

   61.   Right of objection

   62.   Decision taken on basis of automatic data processing

   63.   Right to restriction of processing

   64.   Information when personal data collected directly from data subject

   65.   Right to data portability

   66.   Notification obligation

   67.   Derogation from rights

   68.   Complaints

   69.   Appeals

PART X
TRANSFER OF PERSONAL DATA OUTSIDE THE REPUBLIC

   70.   Cross-border transfer of personal data

   71.   Conditions for cross-border transfer of personal data

PART XI
GENERAL PROVISIONS

   72.   Right to compensation

   73.   Offences

   74.   Power of Data Protection Commissioner to compound certain offences

   75.   Forfeiture

   76.   Offence by principal officer, shareholder or partner of body corporate or unincorporate body

   77.   General penalty

   78.   Code of conduct

   79.   Guidelines

   80.   Register

   81.   Auditing of data controller

   82.   Regulations

AN ACT

to provide an effective system for the use and protection of personal data; regulate the collection, use, transmission, storage and otherwise processing of personal data; establish the Office of the Data Protection Commissioner and provide for its functions; the registration of data controllers and licencing of data auditors; provide for the duties of data controllers and data processors; provide for the rights of data subjects; and provide for matters connected with, or incidental to, the foregoing.

[1st April, 2021]

Act 3 of 2021,

SI 22 of 2021.


PART I
PRELIMINARY

1.   Short title

This Act may be cited as the Data Protection Act.

2.   Interpretation

In this Act, unless the context otherwise requires-

"anonymisation" means the process of removing direct and indirect personal identifiers that may lead to an individual being identified;

"Authority" means the Zambia Information Communications and Technology Authority established by the Information Communications and Technologies Act;

"automated", in relation to data, means electronically transmitted in whole or in part, by means of a data message in which the conduct of a data message of one or more parties is not reviewed by a natural person in the operation of the electronic system, in the ordinary course of that natural person's business or employment;

"biometric data" means personal data resulting from scientific analysis relating to the physical, physiological or behavioural characteristics of a natural person, which confirm the unique identification of that natural person;

"child" has the meaning assigned to the word in the Constitution;

"child abuse" includes physical and emotional neglect, physical injury, other than accidental injury, ill-treatment and sexual abuse of a child;

"child abuse data" means personal data consisting of information as to whether the child data subject is or has been the subject of, or may be at risk of, child abuse;

"code of conduct" means a data protection charter approved by the Authority which regulates the conduct of a data controller or data processor, in order to ensure that the data controller or data processor of personal data complies with this Act and any other applicable written law;

"Commission" means the Competition and Consumer Protection Commission established by the Competition and Consumer Protection Act;

"consent" means any written, freely given, specific, informed and unambiguous indication of the data subject's wishes by which such data subject, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to that data subject;

"consumer" has the meaning assigned to the word in the Competition and Consumer Protection Act;

"data" means numbers, letters, alphabetic or numeric strings, symbols or codes in any form;

"data auditor" means a person licensed as a data auditor under section 29;

"data controller" means a person who, either alone or jointly with other persons, controls and is responsible for keeping and using personal data on a computer, or in structured manual files, and requests, collects, collates, processes or stores personal data from or in respect of a data subject;

"data processor" means a person, or a private or public body that processes personal data for and on behalf of and under the instruction of a data controller;

"Data Protection Commissioner" means a person appointed as Data Protection Commissioner under section 5;

"data retention" means a process of retention of personal data for a specified purpose for a defined period;

"data subject" means an individual from, or in respect of whom, personal information is processed;

"genetic data" means any personal information relating to the inherited or acquired genetic characteristics of an individual which result from the analysis of a biological sample from the individual in question, in particular chromosomal deoxyribonucleic acid (DNA) or ribonucleic acid (RNA) analysis, or from the analysis of another element enabling equivalent information to be obtained;

"health practitioner" has the meaning assigned to the word under the Health Professions Act;

"Independent Broadcasting Authority" means the Independent Broadcasting Authority established by the Independent Broadcasting Authority Act;

"information system" means a system for the generation, sending, reception, storage, display or other processing of data messages, and includes the internet;

"joint controllers" means two or more data controllers who jointly determine the purposes for which and the means by which personal data is processed;

"law enforcement officer" means-

   (a)   a police officer above the rank of sub-inspector;

   (b)   an officer of the Anti-Corruption Commission;

   (c)   an officer of the Drug Enforcement Commission;

   (d)   an officer of the Zambia Security Intelligence Service; and

   (e)   any other person appointed by the Minister for purposes of this Act;

"legally disqualified" has the meaning assigned to the words in the Mental Health Act;

"legal practitioner" has the meaning assigned to the words in the Legal Practitioners Act;

"meta data" means data that describes other data;

"personal data" means data which relates to an individual who can be directly or indirectly identified from that data which includes a name, an identification number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

"processing" means an operation or a set of operations which is or are performed on personal data, whether or not by automatic means, including the collection, recording or holding of the data or the carrying out of any operation or set of operations on data, including-

   (a)   organisation, adaptation or alteration of the data;

   (b)   retrieval, consultation or use of the data;

   (c)   alignment, combination, blocking, erasure or destruction of the data; or

   (d)   disclosure of the information or data by transmission, dissemination or otherwise making available;

"profiling" means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, including analysis or prediction of the data subject's aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;

"pseudonymisation" means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, where that additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data is not attributed to an identified or identifiable natural person;

"public body" has the meaning assigned to the words in the Public Finance Management Act;

"recipient" means a person to whom data is disclosed, including an employee or agent of a data controller, a data processor or an employee or agent of a data processor in the course of processing the data for the data controller, but does not include a person to whom disclosure is or may be made as a result of, or with a view to, a particular inquiry by or on behalf of that person made in the exercise of any power conferred by law;

"Register" means the Register kept and maintained under section 80;

"sensitive personal data" means personal data which by its nature may be used to suppress the data subject's fundamental rights and freedoms and includes-

   (a)   the race, marital status, ethnic origin or sex of a data subject;

   (b)   genetic data and biometric data;

   (c)   child abuse data;

   (d)   a data subject's political opinions;

   (e)   a data subject's religious beliefs or other beliefs of a similar nature;

   (f)   whether a data subject is a member of a trade union; or

   (g)   a data subject's physical or mental health, or physical or mental condition;

"third party" means a person other than-

   (a)   a data subject;

   (b)   a data controller; or

   (c)   a data processor or other person authorised to process data on behalf of data controller or data processor; and

"vulnerable person" means a person aged 18 or above and whose ability to make informed decisions about their rights and well-being is temporarily or permanently impaired through physical or medically certified hindrance or impairment.

3.   Application

   (1) This Act applies to the processing of personal data performed wholly or partly by automated means and to any processing otherwise than by electronic means.

   (2) This Act does not apply to the processing of personal data by an individual for personal use.


PART II
OFFICE OF THE DATA PROTECTION COMMISSIONER

4.   Establishment of Office of Data Protection Commissioner

   (1) There is established in the Ministry responsible for communications the Office of the Data Protection Commissioner which is responsible for the regulation of data protection and privacy in the Republic.

   (2) The functions of the Office of the Data Protection Commissioner are to-

   (a)   register controllers and data processors;

   (b)   licence data auditors;

   (c)   disseminate information and promote the participation of stakeholders in the process of data protection in the Republic;

   (d)   advise Government on matters relating to data protection;

   (e)   keep and maintain a register of data controllers, data processors and data auditors;

   (f)   represent Government internationally on matters relating to data protection;

   (g)   conduct research and development relating to data protection;

   (h)   ensure proper and effective co-ordination and collaboration with similar regional and international authorities;

   (i)   receive and investigate complaints under this Act; and

   (j)   vary conditions and terms of a licence issued under this Act.

5.   Data Protection Commissioner

   (1) The President, through the Civil Service Commission, shall appoint a Data Protection Commissioner who shall be a public officer with the following skills, qualifications and expertise-

   (a)   minimum university degree level in information communication technologies;

   (b)   data protection rules and operations;

   (c)   data protection laws; and

   (d)   at least four years at senior management level in a related field.

   (2) The Data Protection Commissioner is responsible for the day-to-day administration of the Office of the Data Protection Commission.

6.   Appointment of Deputy Data Protection Commissioners and other staff

   (1) The Civil Service Commission shall, on the recommendation of the Office of the Data Protection Commissioner, appoint as public officers two Deputy Data Protection Commissioners and other staff as may be necessary for the performance of the functions of the Office of the Data Protection Commission.

   (2) The two Deputy Data Protection Commissioners are responsible for the formulation of policies and planning and for the data processing system.


PART III
INSPECTORATE

7.   Inspector

   (1) The Civil Service Commission may appoint a suitably qualified person to be an inspector for the purposes of ensuring compliance with this Act.

   (2) The Civil Service Commission shall issue an inspector with an identification card and a certificate of appointment in the prescribed form which are prima facie evidence of the inspector's appointment.
