DATA PROTECTION BILLPRESENTED BY GERTRUDE M. IMBWAENational Legal Expert On Data Protection

The Objective of The Bill• To govern the processing of personal information by

private and public bodies.• To prevent unlawful use, collection, processing,

transmission and storage of personal information of identifiable persons.

• To provide for the regulation of Data Protection Authority and provide for matters connected therewith.

The presentation assumes that participants have read the definitions proposed in the Bill and is confined to some salient features in the Bill as contained in Parts I to VI.

Part IIScope of ApplicationSection 4The law will be applicable to any processing of personal data-performed wholly or partly by automated and unautomated means.• Carried out in the context of effective and actual activities

of any controller permanently established in Zambia or in a place where Zambian law applies by virtue of international public law.

• By a controller who is not permanently established in Zambia , if the means used, automated or not is located in Zambia, and is not merely for the purposes of processing personal data in transit through Zambia. In this case the controller would designate a representative established in Zambia(Agency relationship).

ExclusionsThe law will not apply to:• Processing of personal data by a natural person in the

course of purely personal or household activities.• Restrict the ways of production of information which are

available according to a national law or as permitted in the rules that govern legal proceedings for a party in any judicial procedure.

• Restrict the power of judicial courts to constrain a witness to testify and produce evidence.

Part IIIData Protection AuthoritySection 5An independent and Administrative Authority is to be established and will have oversight and control of this law.Its composition includes• Judges appointed by their peers and one to be

president(chairman).• Persons are appointed by national organisations for

fundamental human rights or non governmental organisations.• Persons appointed by national organisations for information

and communication technologies.N.B The men once appointed will be permanent members of the Authority.

The Authority will have substitute members who will reflect the composition as stated above. These will replace a permanent member when not in attendance or when their position becomes vacant.All members, permanent/ substitute shall have competencies in personal data protection, privacy or information and communication technologies.

Qualifications for Membership• Zambian• In full possession of civil and political rights• Not members of an organ of SADC or parliament• Members not to attend any deliberations of the authority

in which they have a personal interest• Members, all personnel, consultants and contractors of

the Authority have an obligation of secrecy for purposes of maintaining confidentiality of all facts, acts and information that may become known to them in the exercise of their function.

• Members appointed for a term of 3 years renewable for a maximum of 2 consecutive terms.

• Members only removable by the organ or organisation that appointed them in the event of breach of their duties or an offence to the integrity of their function.

• Members have immunity for opinions expressed in the execution of their function and cannot therefore be removed for that.

• In exercise of their function, members shall remain independent from the influence of instructions of any other public/ private body.

• Quorum at meetings shall be a majority of its membership and decisions shall be taken by absolute majority. When there is an equal number of votes, the president/ substitute shall have a casting vote.

Section 6Powers of the Authority include:• procuring that data controller’s processing of personal

data is compliant with the Act.• Issuing opinion(s) on any matter relating to the application

of fundamental principles of the protection of privacy in relation to the processing of personal data.

• Submission to court any legislative or administrative act not compliant with fundamental principles of the protection of privacy in relation to the processing of personal data.

• Issuing of regulations in form of statutory instrument(s).

• Conducting inquiries either of its own accord or at the request of a data subject or any intended person and may carry out on-site investigations with the help of experts, demand disclosure of any documents useful for their investigation(s) and shall have access to all places reasonably suspected to be the location for activities relating to the application of this Act.

• Receiving complaints lodged against a personal data processing and provide due response to the complainants.

• Conducting consultations with major stakeholders on matters appearing necessary for securing effective data protection for any services, facilities, apparatus or directories under this Act.

Section 8Access to address the Authority is free of charge by any person judicial or natural or through their lawyer or duly appointed representative.Section 9 SanctionsThe Authority may impose the following sanctions;• A warning to a data controller failing to comply with the

obligations of the Act.• A formal notice to comply issued to a relevant data

controller to cease the non-compliance with the Act.

• If controller fails to comply with the notice served, after due hearing of the parties, the Authority may limit or cease the processing or suspension of authorisation for a maximum period of 3 months and or with a financial penalty.

• In case of a serious and immediate violation of individual rights and liberties, the Authority may rule in summary proceedings:The limitation or ceasing of personal data processing.The temporary or definitive processing not compliant with the

provisions of this Act.

Sanctions of the Authority can be appealed against through the courts.Section 10 Financing of the Authority• By grant from the parliament.• Collection of financial sanctions pronounced against data

controllers.

Part IVQuality of the DataSection 11Data controller, any person working under their authority and any subcontractor shall ensure that personal data processed is:• Adequate, relevant and not excessive in relation to the purposes for which it is

collected.• Accurate and where necessary kept up to date. Reasonable steps should be

taken to ensure that inaccurate or incomplete data with respect to the purposes for which its collected or further processed, is erased or rectified.

• Retained in a form that allows for the identification of data subjects, for no longer than necessary with a view to the purposes for which the data is collected or further processed.

Exception The Authority shall establish appropriate safeguards for personal data retained longer for historical, statistical or scientific research purposes.• Accessible regardless of the technology used and that the evolution of

technology will not be an obstacle to the future access or processing of such personal data.

Part VGeneral Rules On The Processing of Personal Data

The data controller shall ensure that:• Processing of personal data is necessary and that the

data is processed fairly and lawfully.• Personal data is collected for specified, explicit and

legitimate purposes meeting reasonable expectations of the data subject and the applicable legal and regulatory provisions and should not be processed in a way incompatible with such purpose(s).

N.B Under conditions established by the Authority, further processing of data for historical statistical or scientific research purposes is not considered incompatible.

Section 14 The Processing of non-sensitive personal data is permitted, without consent of the data subject• That may be material as evidence in proving an offence.• For compliance with an obligation to which the controller is

subject by or by virtue of a law.• In order to protect the vital interest of the data subject.• For the performance of a task carried out in the public interest,

or in exercise of the official authority vested in the controller or in a third party to which the data is disclosed.

• For the promotion of legitimate interests of the controller or third party to whom the data is disclosed except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject claiming protection under the Act.

Section 15The processing of sensitive personal data is prohibited unless the data subject has consented in writing.Sensitive personal data includes data that reveals racial or ethnic origin, political opinions, religions or philosophical beliefs, affiliations, trade union memberships, gender or health. It also includes data considered in Zambia as presenting a major risk to the rights and interests of the data subject i.e. unlawful or arbitrary discrimination.• The consent can be withdrawn by the data subject at any

time and without any explanation and free of charge.

Exceptions to processing of sensitive data without data subjects consent, include:• Where the processing is necessary to carry out the

obligations and specific rights of the controller in the field of employment law.

• The processing is necessary to protect the vital interests of the data subject or another person(where the data subject is physically or legally incapable of giving their legal, judicial or agreed representative.

• The processing is carried out by a foundation, association or any other non-profit organisation with a political, philosophical, religious, health insurance or trade union purpose and on condition that the processing relates solely to the members of the organisation or to persons who have regular contact with it in connection with such purposes and that the data is not disclosed to a third party without the data subject’s consent.

• The processing is necessary to comply with national security laws.

• The processing is necessary, with appropriate quantities, for the establishment, exercise or defense of legal claims.

• The processing relates to data which has been made public by the data subject.

• The processing is necessary for the purposes of scientific research(The Authority to specify conditions for carrying out the processing)

• The processing is carried out according to the law on public statistics.

• The processing is necessary for purposes of preventive medicine or medical diagnosis, the provision of care or treatment to the data subject or one of their relatives, or the management of health care services provided in the interest of the data subject, and when the data is processed under the supervision of a health professional and their agents[they will be subject to the duty of confidentiality].

• The processing of personal data is authorised by a law or any regulation for any other reason constituting substantial public interest.

• The processing is carried out by associations with a legal personality or organisations of public interest whose main objective is the protection and promotion of human rights and fundamental freedoms, with a view to achieving that objective provided that the processing has been authorised by the Authority.

Section 16 Genetic data, biometric data and health data• The processing of genetic, biometric and health data if

processed for what it reveals or contains, is prohibited unless the data subject has given their consent in writing.

• The consent can be withdrawn at any time without any explanation and free of charge.

Exceptions- data subject’s consent is not necessary as discussed under Section 15.

Section 17 Unique Patient Identifier• Processing of genetic/health data can be processed only

if a unique patient identifier is given to the patient which is distinct from any other identification number.

Section 18 Personal Data in Legal ProceedingsThe processing of personal data relating to litigation i.e. suspicions, prosecutions or convictions in matters of crime, administrative sanctions or security measures is prohibited, except if it is done:• Under supervision of a public body or ministerial civil

servant and the processing is necessary for the fulfillment of their duties.

Part VI Duties of the Data controller and Data Processor

Section 21 Information when personal data collected directly from data subjectWhere personal data relating to the data subject is obtained directly from the data subject the controller or their representative shall provide the data subject with the following information-• name and address of the controller and their representative, if any• the purpose of the processing• the existence of the right to object, free of charge, to the intended

processing of personal data relating, if is obtained for purposes of direct marketing

• whether compliance with the request for information is compulsory or not, as well as what the consequences of the failure to comply are

• Taking in account the specific circumstances in which the data is collected, any supporting information, as, as necessary to ensure fair processing for the data subject, such as:• The recipients of data• Whether it is compulsory to reply and what the possible

consequences of the failure to reply are• The existence of the right to access and rectify personal data

Other information dependent on the specific nature of the processing, as specified by the authority

Section 22 Information when personal data not collected to directly from data subjectThe controller or their representative must provide the data subject with information as set out in section 21 when recording the personal data or considering communication to a third party when the data is first disclosed.Exceptions- where informing the data subject proves impossible or would

involve a disproportionate effort, in particular for data collected for statistical purposes, historical, scientific research, for purposes of medical examination of the population with a view to protecting and promoting public health

- Where personal data is recorded or provided with a view to the application of a provision laid down by or by virtue of a law

Thank You Questions?

Gertrude M. Imbwae National Legal Expert on Data Protection