Data Handling in Zambia
Data handling refers to the management of data throughout its lifecycle, from collection to disposal. When handling data it is important to take note of the laws that govern data protection and privacy. In Zambia, the principal statute governing data privacy and protection is the Data Protection Act No. 3 of 2021 (the “Data Act”). This Act establishes a comprehensive framework for the use and safeguarding of personal data, regulating activities such as the collection, use, transmission, storage, and processing of personal data. Additionally, the Data Act outlines the rights of individuals concerning their personal data.
Further, the Data Act also establishes the office of the Data Protection Commissioner, detailing its mandate and specifying the responsibilities of data controllers and processors. This article highlights the key features of the Data Act, particularly as they pertain to data controllers and processors.
Who is a Data Collector or Processor?
Section 2 of the Data Act defines a “data controller” as a person who, either alone or jointly with others, controls or is responsible for keeping and using personal data on a computer or in structured manual files. This includes requesting, collecting, collating, processing, or storing personal data from or in respect of a data subject. In contrast, a “data processor” refers to a person or a private or public body that processes personal data on behalf of and under the instruction of a data controller. The Data Act further defines processing as follows:
an operation or a set of operations which is or are performed on personal data, whether or not by automatic means, including the collection, recording or holding of the data or the carrying out of any operation or set of operations on data, including—
(a) organisation, adaptation or alteration of the data;
(b) retrieval, consultation or use of the data;
(c) alignment, combination, blocking, erasure or destruction of the data; or
(d) disclosure of the information or data by transmission, dissemination or otherwise making available;
As can be seen, the definitions of data controller and data processing are wide. It should be noted that the Data Act applies to personal data, which is defined as data relating to an individual who can be directly or indirectly identified from that data, including a name, an identification number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. According to the Data Protection Commission, all persons who collect, store, process or request personal data fall within the ambit of the definitions of data processor and data controller and are required to register. Examples of persons who process data include employers, businesses that require sign-ups, and businesses that input client information.
Responsibilities of Data Collectors and Processors
Being a data handler comes with significant responsibilities. Section 12 of the Data Act outlines the key responsibilities of data controllers and processors, requiring that personal data be:
- Processed lawfully, fairly, and transparently: Ensuring that the data handling process complies with legal standards and is clear to the data subject. A data subject is an individual from, or in respect of whom, personal information is processed.
- Collected for explicit, specified, and legitimate purposes: Personal data should not be processed in ways that are incompatible with these purposes.
- Adequate, relevant, and limited to what is necessary: Only the data needed for the purposes should be processed.
- Accurate and up-to-date: Reasonable steps must be taken to ensure any inaccurate personal data is corrected or deleted promptly.
- Stored for no longer than necessary: Data should only be kept as long as it is needed for its intended purposes.
- Processed in accordance with the rights of data subjects: Ensuring that the rights of individuals over their data are respected.
- Processed with appropriate security: Protecting personal data against unauthorized or unlawful processing and against accidental loss, destruction, or damage using appropriate technical or organizational measures.
It should be noted that failure to adhere to the foregoing is an offence and, upon conviction, a body corporate may be liable to a fine not exceeding one hundred million penalty units (equivalent to ZMW 400,000) or two percent of the annual turnover of the preceding financial year, whichever is higher.
Registration of Data Collectors and Processors
In Zambia, no individual or entity shall control or process personal data without registering as a data controller or data processor under the Data Act. In terms of section 19 of the Data Act, any individual or entity that contravenes this requirement commits an offence and, upon conviction, is subject to a fine not exceeding five hundred thousand penalty units (equivalent to ZMW 200,000), imprisonment for a term not exceeding five years, or both.
Section 20 of the Data Act stipulates that any individual or entity intending to process personal data must apply to the Data Protection Commissioner for registration as a data controller or data processor in the manner and form set out in prescribed Form I upon payment of the prescribed fee. The prescribed form is found in the Data Protection (Registration and Licensing) Regulations (the “Regulations”). In terms of the Regulations the Data Protection Commissioner is responsible for registering data controllers and data processors under the following categories:
- Micro Organisation;
- Medium Organisation;
- Large Organisation; and
- Individual.
Further, the Commissioner may request an applicant to submit additional details in relation to their application. This request, made using Form II, must be fulfilled within a specified period.
Processing of Application
The Commissioner may, within fourteen days of receiving the application, either grant or reject it. When an applicant meets the requirements of the Act, the Data Protection Commissioner will issue a certificate of registration in Form III provided in the Regulations. If the application is rejected, the Data Protection Commissioner is required to inform the applicant in writing, in Form IV set out in the Regulations, providing the reasons for the decision.
A registered data controller or data processor must prominently display the certificate of registration issued under the Data Act at their principal place of business. Additionally, a certified copy of the certificate of registration must be displayed at each subsidiary premises where the registered data controller or data processor conducts business.
All individuals and companies who process and control personal data are therefore urged to register to ensure compliance. If you are unsure of whether you need to register, feel free to contact us for further information.
By Rivaldo Dos-Santos