Vide Government Notice no 326 of the 28th of April, 2023 the Minister for Information, Communication and Information Technology Mr.Nape Nnauye has pronounced the 1st of May 2023 as the operational date for the most awaited Act on personal data Protection.
The Personal Data Protection Act No. 11 of 2022 sets conditions for the protection of personal information with the aim of setting a minimum level of requirements for the collection and processing of personal information, establishing a Commission for the Protection of Personal Information, strengthening the protection of personal information processed by Government agencies and institutions personal, and other related issues. The law will be used in Tanzania Mainland and Tanzania Zanzibar except for Tanzania Zanzibar it will not be used for non-union
matters.
The Personal Data Protection law as anticipated by most sets out what should be done to make sure everyone’s data is safe, used properly, and fairly. Key pieces of information that are commonly stored by businesses, be that employee records, transaction data, customer details, or data collection, need to be protected. The protection allows for the data from being misused by third parties for fraud, such as phishing scams, identity theft, and other forms of misuse.
Personal Data Protection Commission (PDPC) of Tanzania
The Personal Data Protection Commission (PDPC) of Tanzania is an independent authority established under the Personal Data Protection Act No. 11 of 2022. It has the power to own movable and immovable properties, enter into contracts, sue or be sued, and perform any other duty that any legal entity may perform for the purpose of better performance of its duties under the Act.
The Commission will have the following key duties:
(a) monitor the implementation of this Law for collectors and processors;
(b) to register collectors and processors in accordance with this Act;
(c) receive, investigate, and process complaints about alleged violations of the protection of personal information and people’s privacy;
(d) investigate and take action against anything that the Commission deems to affect the protection of personal information and privacy of people;
(e) provide education to the public as appropriate for the purpose of implementing this Act;
(f) conducting research and monitoring the development of technology related to information processing;
(g) establish a cooperation mechanism with the authorities of other countries that manage the protection of personal information and advise the Government on various issues related to the implementation of this Law; and
(h) to carry out other duties of the Commission for the better implementation of the provisions of this Law.
The Act gives authority to the Commission when investigating a complaint, to summon and require a person to appear before the Commission, receiving and accept evidence and other information, on oath or by affidavit or otherwise, to enter any building owned by any collector or processor in order to satisfy himself if the building meets the security requirements, (questioning any person or leaving any device with personal information in any building entered in accordance with paragraph and examine or obtain copies of, or extracts from books, documents or other records found in the building with any issue related to the investigation. However, During the investigation of a complaint the complainant and the collector or processor complained of may be given an opportunity to make representations to the Commission.
Notwithstanding any other law, the Commission may examine personal information recorded in any form held by the collector or processor, and in doing so, the Commission shall not be prevented from obtaining any information according to Section 42(3)of The Personal Data Protection Act No. 11 of 2022. Any document or document produced by the collector or processor or any other person shall be returned by the Commission within ten working days after the application is submitted to the Commission by the collector or processor or such person, but nothing will prevent the Commission from requiring that document or text to be submitted again in accordance with the Act.
Offenses of unlawful disclosure of personal information
According to Section 60 of the Act, a collector who, without good reason, discloses personal information in any way that is inconsistent with the purpose for which the information was collected commits an offense. A processor who, without reasonable cause, discloses personal information processed by the processor without the prior consent of the collector commits an offense. A person who obtains personal information, or obtains any information consisting of personal information, without the consent of the collector or processor that stores the information or will disclose personal information to another person, he commits a mistake. A person who sells personal information obtained in violation of this act commits an offense. An advertisement showing that personal information is being sold or can be sold will be considered an offer to sell personal information which is also an offense.
Offenses of illegal destruction, deletion, concealment, or alteration of personal information
A person who destroys, searches, misrepresents, hides, or changes personal information against the law commits an offense and when convicted will be liable to pay a fine of not less than one hundred thousand shillings (TZS 100,000 approximately USD 44) and not more than ten million shillings (TZS 10,000,000 approximately USD 4,400) or imprisonment not exceeding five years or both.
Offenses committed by a company or organization
Where an offense under the Act has been committed by a company or organization, the company or organization and every officer of the organization who knowingly and intentionally authorizes or permits the violation shall be responsible for the offense.
Fines
The maximum penalty that can be issued by the Commission in a penalty notice in relation to the violation of the provisions of this Act, is one hundred million shillings which is equivalent to fifty thousand United States Dollars.
A person found to have committed an offense under this section shall be liable-(a) if it is an individual, to pay a fine of not less than one hundred thousand shillings ( TZS 100,000 approximately USD 44) and not more than twenty million shillings (TZS 20,000,000 (approximately USD 8,700) or imprisonment for a period not exceeding ten years or both; and
(b) if it is a company or organization, to pay a fine of not less than one million shillings (TZS 1,000,000 (approximately USD 440)and not more than five billion shillings(TZS 5,000,000,000 approximately USD 2,127,700).
General punishment
Any person who violates the provisions of the Act commits an offense and where there is no specific punishment specified when convicted, he will be liable to pay a fine of not less than one hundred thousand shillings ( TZS 100,000 approximately USD 44) and not more than five million shillings (TZS 5,000,000 approximately USD 2,300)or imprisonment not exceeding five years or both.
After a person has been convicted of any offense under the Act, the court may order the seizure of his equipment containing personal information involved in the commission of the offense.
Appeal
A person who is not satisfied with any administrative action taken by the Commission, including the directions given in the enforcement notice or the penalty given in the penalty notice, may appeal to the High Court of the United Republic of Tanzania.
Payment of compensation
In accordance with the provisions of section 37 of the Act, the Commission may, in addition to other penalties provided under this Law, order the collector or processor who caused harm to the subject of the information due to the violation of the provisions of this Law to pay compensation to the subject of the information.
Circumstances excluded from the scope of this Law
The collector or processor is to comply with the legal principles in the collection and processing of personal information and to take the necessary steps to ensure the protection and security of the personal information they have except in the following circumstances;
If the processing-
(a) is carried out by the subject of the information in his personal activities;
(b) is made in accordance with the provisions of any law or court order;
(c) it is done for the purpose of protection and security of the Nation and public interest;
(d) is conducted for the purpose of preventing or detecting crime;
(e) is carried out with the aim of identifying or preventing tax evasion;
(f) takes place in the audit of the embezzlement of public funds; or
(g) is for the purpose of searching for an appointment in the position of public service.
(3) The Minister may include other circumstances that may be removed from the scope of the provisions of this Act and other provisions regarding the implementation of section 58 of the Act.
Conservation Order
According to Section 59(1),(2) and( 3)The Commission may request a court order for the immediate storage of any personal information, including personal information passing through the system if there are fundamental reasons that the information is at risk of being lost or changed. If the court is satisfied it will issue a preservation order specifying a period not exceeding ninety days during which the order will be implemented. The court may, on the application of the Commission, extend the period for such period as the court deems appropriate.
Key Elements of the Act
Key elements of this Act are confidentiality, integrity, and availability. Confidentiality means the data is retrieved only by authorized operators of collectors with appropriate credentials. Integrity means all the data stored within an organization is reliable, precise, and not subject to any unjustified changes and availability means the data stored is safely and readily available whenever needed. Those providing data should be made aware that their data is being collected, the purpose and they should be able to access their data should they need to.
Impact of the Personal Data Protection Act on Businesses
As the number of organizations that process personally identifiable information increases, so does the need for such organizations to ensure the safety and privacy of data. It is essential for organizations to implement a data protection framework that provides guidance on the protection of personal information. The framework will help an organization to ensure that all data stored in their servers are protected and reasonably used. It will also give the organization guidance and structure on any changes needed and the specific use of such changes.
Data protection standards may help you and your organization to better manage your customer’s data.
It is key to have a data controller within your organization and make sure that all the processes and requirements of the Act are met.
For purposes of clarity, a Data collector is a person, body corporate or a public institution that either alone or in conjunction with another institution determines the purpose and methodology of personal data processing and where such methods have been prescribed by law and a Data processor is a person, body corporate or public institution which processes personal data for and on behalf of the data collector under the guidance of the data collector, except persons under the direct control of the data collector, and includes their agents.
We at ABC Attorneys commend that Companies should develop data protection and privacy notices with an emphasis on ensuring that information provided to data subjects is: concise, transparent, intelligible, easily accessible; and written in clear and plain language. The key is to have the aim of ensuring that the data subject really understands in detail how their data will be used.
Your privacy notice should detail the different categories of personal data that your business is collecting and the reasons why it is doing so. A key consideration for most businesses will be the lawful basis on which they are relying in order to process particular categories of data. Such bases can include processing based on:
(a)the data subject’s consent;
(b)the business’ legitimate interests; or
(c) the performance of a contract.
Do Personal data protection apply to data about a company?
The Act only applies to personal data about individuals, they don’t govern data about companies or any other legal entities. However, information in relation to one-person companies may constitute personal data where it allows the identification of a natural person. The Act also applies to all personal data relating to natural persons in the course of professional activity, such as the employees of a company/organization, business email addresses like ‘forename.surname@company.co.tz’, or employees’ business telephone numbers.
The Personal Data Protection Act 2022, Act No. 11 of 2022 was passed on 1 November 2022 is only available in Swahili language. The regulations however are not available.
--
Read the original publication at ABC Attorneys .