Zambia - Data Protection Overview
1. Governing Texts
Zambia has enacted various pieces of legislation that provide for a safe, secure, and effective environment for the conduct and use of electronic communications. Data privacy and protection issues in Zambia are mainly regulated by the Electronic Communications and Transactions Act No. 4 of 2021 ('the ECT Act'), the Data Protection Act No. 3 of 2021 ('the Data Protection Act'), the Cyber Security and Cyber Crimes Act No. 2 of 2021 ('the CSCC Act'), and the Information and Communications Technologies Act No. 15 of 2009 ('the ICT Act'). The stated legislation is comprehensive and provides for legal requirements for the communication of data messages, processing of personal information, recognition of authentication service providers, protection of critical databases, and domain name regulation. The legislation further has provisions that prohibit the interception of communications, the disclosure of stored communications, the unauthorised decryption of communications or release of a decryption key, and the disclosure of records or other information by the key holder. Furthermore, the legislation provides for rules relating to cyber inspections, cybercrimes, and the security of electronic communications.
Notably, on 1 April 2021 the Commencement Order for the Data Protection Act, the Commencement Order for the CSCC Act, and the Commencement Order for the ECT Act were published in the Government Gazette as appointed by the Minister of Transport, Works, Supply and Communications ('the Minister'). This caused the three Acts to enter into effect on the date the Commencement Orders were published, in line with Section 1 of the respective Acts.
The main pieces of legislation addressed in this overview are as follows:
- the Constitution of Zambia ('the Constitution');
- the Data Protection Act;
- the CSCC Act;
- the ECT Act; and
- the Banking and Financial Services Act No. 7 of 2017 ('the Financial Services Act').
The Constitution does not specifically provide for data protection. However, such protection is recognised under the Constitution by the wider meaning of the right to privacy as enshrined under Article 17 of the Constitution. Said Article provides that except with their own consent, no person shall be subjected to the search of their person or their property or the entry by others on their premises. Article 17 however provides limitations with respect to its application and provides that nothing contained in or done under the authority of any law shall be held to be inconsistent with or in contravention if it is shown that the law in question:
- is reasonably required in the interests of defence, public safety, public order, public morality, public health, town and country planning, the development and utilisation of mineral resources, or in order to secure the development or utilisation of any property for a purpose beneficial to the community;
- is reasonably required for the purpose of protecting the rights or freedoms of other persons; or
- is for the purpose of enforcing the judgment or order of a court in any civil proceedings, the search of any person or property by order of a court, or entry upon any premises by such order.
An exception to the above is where the provision or, as the case may be, anything done under the authority thereof is shown not to be reasonably justified in a democratic society.
The foregoing are permitted derogations which if exercised do not amount to the violation of Constitutional protection of the right to privacy.
The ECT Act
The ECT Act is one of the main pieces of legislation that regulates data privacy and protection issues in Zambia.
Notably, the ECT Act was recently enacted to provide a safe and effective environment for electronic transactions; promote secure electronic signatures; facilitate electronic filing of documents by public authorities; provide for the use, security, facilitation, and regulation of electronic communications and transactions; promote legal certainty and confidence, and encourage investment and innovation in relation to electronic transactions; and regulate the National Public Key Infrastructure.
The ECT Act mostly builds on the repealed Electronic Communications and Transactions Act, 2009, with some notable changes being the following: the provision for time stamping services, creation of a Certification Authority, and creation of a National Public Key Infrastructure whose functions are to be performed by ZICTA on behalf of the National Root Certification Authority.
The ECT Act imposes an obligation on the Zambia Information and Communications Technology Authority ('ZICTA') to monitor the conduct, systems, and operations of an authentication service provider to ensure compliance and other obligations of authentication service providers stipulated under the Act.
Section 88(1) of the ECT Act provides that a key holder shall not disclose a record or any other personal information relating to an owner of a key held or managed by the key holder except with the consent of the owner or to a law enforcement officer pursuant to a court order.
The Financial Services Act
Section 111 of the Financial Services Act provides that, subject to the Financial Intelligence Centre Act No. 46 of 2020, a financial service provider must maintain the confidentiality of information obtained in the provision of a service to a customer and must not divulge any information except:
- in accordance with the express consent of a customer;
- in compliance with a court order;
- where the interest of the financial service provider requires disclosure;
- where the information requested is customer identification data required by another financial service provider for the purpose of conducting a due diligence; or
- where the bank, in the performance of its functions as provided in the Financial Services Act, so requests or directs.
Section 153(1) of the Financial Services Act provides for the publication of information and prohibits banks from revealing to a third person information regarding the affairs of a customer of a financial service provider that was obtained in the performance of the bank's functions, unless lawfully required to do so.
The Data Protection Act
The introduction of the Data Protection Bill before the Parliament of Zambia ('the Parliament') was first approved in 2018 but, with no date for enactment being set, the passing of the Bill dragged until 2020, when it was reintroduced before Parliament as the Data Protection Bill 2020. Following its presentation before Parliament, the Data Protection Bill underwent the three-stage legislative process and was assented to by the President on 23 March 2021. On 1 April 2021, the Data Protection Act (Commencement) Order Statutory Instrument No. 22 of 2021 ('the Commencement Order') was published in the Government Gazette as appointed by the Minister, which caused the Data Protection Act to enter into effect on the date the Commencement Order was published, in line with Section 1 of the Data Protection Act.
The Data Protection Act is now the primary legislation that regulates data privacy and protection issues in Zambia. The key objectives of this Act are to not only provide for an effective system for the use and protection of personal data but also to regulate the collection, use, transmission, storage, and otherwise processing of personal data. The Act also creates an important office within the Office of the Data Protection Commissioner ('the Office'), whose responsibility it is to oversee all issues concerning data processing and registration of data controllers and licensing of data auditors. More importantly, the Act also provides for the rights of data subjects and in the same vein it stipulates the duties of data controllers and data processors.
The Data Protection Act also provides for the protection of personal information that is obtained through electronic transactions. Section 13 provides that a data controller is required to have the express written permission of a data subject for the collection, processing, or disclosure of any information of the data subject unless the exceptions specified under the section apply. However, according to Section 12(1) of the Data Protection Act, a data controller is prohibited from electronically requesting, collecting, or storing personal information which is not necessary for the lawful purpose for which the information is required.
The Data Protection Act places a further obligation on data collectors to disclose in writing to the data subject the purpose for which any personal information is being requested, collected, processed, or stored. In addition, the Data Protection Act places an obligation on the data controller not to use any of the personal information for anything other than the disclosed purpose without the written permission of the data subject. The Data Protection Act also places a requirement on the data controller in instances where personal data is not used for a period of at least one year after the permission is granted to keep a record of the personal information and the specific purpose for which the personal information was collected. Additionally, the Data Protection Act provides that a data controller shall not disclose any personal information held by the data controller to a third party unless required or permitted by law or specifically authorised to do so in writing by the data subject. A data controller is further required to keep a record of any third party to whom personal information was disclosed, the date of disclosure, and the purpose for which it was disclosed.
The CSCC Act
Following its presentation before Parliament on 9 February 2021, the bill for the CSCC Act underwent the three-stage legislative process and was assented to by the President on 23 March 2021. On 1 April 2021, the Cyber Security and Cyber Crimes Act (Commencement) Order Statutory Instrument No. 21 of 2021 ('the CSCC Commencement Order') was published in the Government Gazette as appointed by the Minister, which caused the CSCC Act to come into effect on the date the CSCC Commencement Order was published, in line with Section 1 of the CSCC Act.
It is important to note that following the repeal and replacement of the Electronic Communications and Transactions Act No. 21 of 2009, provisions dealing with cybersecurity and cybercrime therein have been incorporated in the CSCC Act.
The CSCC Act prohibits the interception of communication. Section 26 provides that any person who intercepts communication commits an offence and is liable upon conviction to imprisonment for a period of 25 years. However, Section 28 of the ECT Act also grants power to a law enforcement officer to make an application for an interception of communication order. The application is made ex parte before a judge of the High Court. Said application is made when the law enforcement officer has reasonable grounds to believe that an offence has been committed or is about to be committed and the order is necessary for obtaining evidence of an offence under the ECT Act. The ECT Act further permits the interception of communication in order to prevent bodily harm, loss of life, or damage to property, or for the purposes of determining location in the cases of emergency. Section 31 of the ECT Act however prohibits the disclosure of intercepted communications. Moreover, Section 32 outlines that a law enforcement officer is permitted to disclose the information to another law enforcement officer where the disclosure is necessary in determining the commission of an offence or the whereabouts of a suspected offender.
The CSCC Act also criminalises the publication of personal information and provides that any person who, with intent to compromise the safety and security of any other person, publishes information or data presented in a picture, image, text, symbol, voice, or any other form in a computer system, commits an offence. The penalty for the commission of this offence is a fine not exceeding 500,000 penalty units (ZMW 150,000 (approx. €8,350)) or imprisonment for a period not exceeding five years or both.
In order to ensure the protection of critical information, the CSCC Act mandates the controller to store all critical information on a server or data centre located in Zambia. The CSCC Act further states that the Minister may, as prescribed by law in a statutory instrument to be issued, authorise the controller to externalise the critical information outside the Republic.
The CSCC Act
Following the enactment of the CSCC Act, the Minister on 14 May 2021 issued regulations in the form of a statutory instrument to supplement the operation of the CSCC Act. The Cyber Security and Cyber Crimes (National Cyber Security, Advisory and Coordinating council) Regulations, 2021 S.I. 52 of 2021 ('the Council Regulations') were issued in order to provide for the composition of the National Cyber Security Advisory and Coordinating Council, which is provided for under section 7 of the CSCC Act. The Council Regulations include provisions on the composition of the council, tenure, and vacancy of council positions, as well as provisions prohibiting the publication or disclosure to unauthorised persons of information obtained through matters relating to the council.
The Data Protection Act
After the Data Protection Act entered into effect on 1 April 2021, regulations were issued pursuant to section 82 of the Data Protection Act to help with better administration of the Act. The Data Protection (Registration and Licensing) Regulations, 2021 ('the Data Protection Regulations') provide for organisations that have a specified number of employees to be registered as data controllers, data auditors, and data processors. The Data Protection Regulations provide that any organisation dealing in the above is required to be registered with the Office, which has the duty to issue certificates to applicants which shall be valid for a period of one year. The Data Protection Regulations further provide for the prescribed forms used for the application process as well as the fees for registration, which range from ZMW 50,000 (approx. €2,810) to ZMW 300,000 (approx. €16,890) for the application and ZMW 500 (approx. €28) to ZMW 3,000 (approx. €168) for the Certificate of Registration.
1.3. Case law
2. Scope of Application
The ECT Act
The ECT Act does not clarify its personal scope.
The Data Protection Act
The Data Protection Act defines a data subject as an individual from, or in respect of whom, personal information is processed. Although it does not define 'individual', the Data Protection Act does define personal information as information that identifies a natural person. Therefore, the personal scope of the Data Protection Act is limited to natural persons.
The ECT Act
Zambia's data privacy laws do apply on an extra-territorial basis as Section 100(1) of the ECT Act provides that 'subject to subsection (2), this Act shall have effect in relation to any person, whatever the person's nationality or citizenship, outside as well as within Zambia, and where an offence under the ECT Act is committed by a person in any place outside Zambia, the person shall be dealt with as if the offence has been committed within Zambia.'
The Data Protection Act
The Data Protection Act does not clarify its territorial scope.
The ECT Act
In terms of material scope, the ECT Act applies in respect of any electronic transaction or data message.
The Data Protection Act
In terms of material scope, the Data Protection Act applies to the processing of personal data performed wholly or partly by automated means and to any processing otherwise than by electronic means. However, the Data Protection Act does not apply to the processing of personal data by an individual for personal use.
3.1. Main regulator for data protection
The Data Protection Act creates the Office, which is responsible for the regulation of data protection and privacy in the Republic.
3.2. Main powers, duties and responsibilities
The main functions of the Office are as set out in Section 4(2) of the Data Protection Act. Said section lists the mandates of the Office as follows:
- register controllers and data processors;
- licence data auditors;
- disseminate information and promote the participation of stakeholders in the process of data protection in the Republic;
- advise the Government of Zambia ('the Government') on matters relating to data protection;
- keep and maintain a register of data controllers, data processors, and data auditors;
- represent the Government internationally on matters relating to data protection;
- conduct research and development relating to data protection;
- ensure proper and effective coordination and collaboration with similar regional and international authorities;
- receive and investigate complaints under the Data Protection Act; and
- vary conditions and terms of a licence issued under the Data Protection Act.
4. Key Definitions
Data controller: Any person who, either alone or jointly with other persons, controls and is responsible for keeping and using personal data on a computer, or in structured manual files, and requests, collects, collates, processes, or stores personal data from or in respect of a data subject (Section 2 of the Data Protection Act).
Personal data: Data which relates to an individual who can be directly or indirectly identified from that data which includes a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
Sensitive data: Under the Data Protection Act sensitive data has been termed as 'sensitive personal data' and means personal data which by its nature may be used to suppress the data subject's fundamental rights and freedoms and includes:
- the race, marital status, ethnic origin, or sex of a data subject;
- genetic data and biometric data;
- child abuse data;
- a data subject's political opinions;
- a data subject's religious beliefs or other beliefs of a similar nature;
- whether a data subject is a member of a trade union; or
- a data subject's physical or mental health, or physical or mental condition.
Biometric data: Personal data resulting from scientific analysis relating to the physical, physiological, or behavioural characteristics of a natural person, which confirm the unique identification of that natural person.
Pseudonymisation: Processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, where that additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data is not attributed to an identified or identifiable natural person.
Data Subject: An individual from, or in respect of whom, personal information is processed (Section 2 of the Data Protection Act).
5. Legal Bases
A data controller can process the personal data of a data subject where the data subject has given consent to the processing of their personal data.
The Data Protection Act entitles a data controller to process personal data where it is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
A data controller under Zambian data protection laws can process the personal data of a data subject where it is acting in compliance with a legal obligation to which it is subject.
This legal base applies in this jurisdiction as a data controller can process personal data in an instance where it is necessary to protect the vital interests of a data subject or of another natural person.
Data protection laws in Zambia permit a data controller to process information where the processing relates to the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller.
This legal base applies in Zambia as the data protection laws allow a data controller to process personal data for the purposes of the legitimate interests pursued by the data controller or by a third party, except where such interests are overridden by the interest or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child; or where the processing relates to personal data which is manifestly made public by the data subject.
A data controller can process personal information of a data subject without their consent where the processing relates to personal data which is manifestly made public by the data subject.
A controller is responsible for and must be able to demonstrate compliance with a set of core principles which apply to all processing of personal data. Under these principles, personal data must be (Section 12 of the Data Protection Act):
- processed lawfully, fairly, and in a transparent manner (transparency principle);
- collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes (purpose limitation principle);
- adequate, relevant, and limited to what is necessary in relation to the purpose(s) for which it is processed (data minimisation principle);
- accurate and where necessary kept up to date with every reasonable step taken to ensure that any inaccurate personal data is erased or rectified without delay (accuracy principle);
- stored in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed (storage limitation principle); and
- processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against any loss, destruction or damage, using appropriate technical and organisational measures (confidentiality principle).
7. Controller and Processor Obligations
The Data Protection Act makes it mandatory for any person who intends to process personal data to apply to the Office for registration as a data controller or data processor. This is in line with Section 19(1) of the Data Protection Act which prohibits the controlling or processing of personal data without registration.
The Data Protection Act under Section 70(1) sets a general restriction on cross-border transfers of personal data. It specifically provides that a data controller shall process and store personal data on a server or data centre located in the Republic. However, it does give an exception where the Minister has prescribed that certain categories of personal data may be stored outside the Republic. Further, transfers of personal data by a controller or a processor to countries outside of the Republic are only permitted where the conditions laid down in Section 71 of the Data Protection Act are met. The Section lists the following context specific situations where a transfer can be made, that is:
- where the data subject has consented and the transfer is made subject to standard contracts or intragroup schemes that have been approved by the Office; or the Minister has prescribed that transfers outside the Republic are permissible; or the Office approves a particular transfer or set of transfers as permissible due to a situation of necessity;
- in case of an emergency, to a particular person or entity engaged in the provision of health services or emergency services;
- where the data subject has explicitly consented to that transfer of sensitive personal data; and
- to a particular international organisation or country which complies with subsection (1)(a)(ii), where the Office is satisfied that the transfer or class of transfers is necessary for any class of data controllers or data subjects and does not hamper the effective enforcement of the Data Protection Act.
It is worth noting that the Data Protection Act does have a localisation requirement concerning sensitive data as it provides that sensitive personal data shall be processed and stored in a server or data centre located in the Republic (Section 70(3)).
Data controllers or processors are required to keep data processing records as per Section 45 of the Data Protection Act. The Section specifically requires a data controller to keep and maintain, in writing, a record of processing activities and metadata under its responsibility in the prescribed manner and form, as well as all categories of processing activities carried out in the prescribed manner and form.
A data controller is mandated to carry out a Data Protection Impact Assessment ('DPIA'), where a type of processing uses new technologies and which, taking into account the nature, scope, context, and purposes of the processing, is likely to result in a high risk to the rights and freedoms of an individual. Such DPIA shall be carried out prior to the processing and must assess the impact of the envisaged processing operations on the protection of personal data.
A DPIA is triggered where there is:
- a systematic and extensive evaluation of personal aspects relating to a natural person which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affects that natural person;
- processing on a large scale of sensitive personal data, or of personal data relating to criminal convictions and offences; or
- a systematic monitoring of a publicly accessible area on a large scale.
The Data Protection Act requires a data controller and data processor to appoint a data protection officer. However, the appointment is subject to the guidelines of appointment issued by the Office.
The Data Protection Act contains a general requirement for a personal data breach to be notified by the controller to the Office and to the affected data subjects. The Data Protection Act stipulates that the Office must be notified within 24 hours of any security breach affecting personal data processed. It also provides that the data subject should be notified as soon as practicable. The Data Protection Act places an obligation on a data processor to notify the data controller, as soon as practicable, of any security breach affecting personal data processed on behalf of the data controller.
The Data Protection Act sets conditions for the retention of personal data under Section 51, wherein it states that a data controller and data processor shall keep personal information for as long as that personal information is used for the specific purpose for which the personal information was collected and for as long as the personal information is relevant for that purpose and for a period of at least one year thereafter or other period that may be prescribed.
It further requires a data controller and a data processor to keep a record of the process and a record of the purpose for which the personal information was collected and third parties to whom and when the personal information was disclosed.
The law specifically regulates the processing of children's data under Section 17 of the Data Protection Act, which stipulates that where a data subject is a child or a vulnerable person, that data subject's right may be exercised by that data subject's parents, legal guardian, or a person exercising parental responsibility as the case may be. The Data Protection Act further prohibits the processing of children's personal data unless consent is given by the child's or vulnerable person's parent, legal guardian, or a person exercising parental responsibility. Additionally, a data controller is required to incorporate appropriate mechanisms for age verification and parental consent in the processing of personal data of a child. It is worth noting that the Data Protection Act places the responsibility of verifying that consent has been given on the data controller.
Where special categories of data are intended to be processed, the Data Protection Act requires that a DPIA is carried out where the processing is on a large scale and relates to sensitive personal data, or of personal data relating to criminal convictions.
Section 52 of the Data Protection Act requires that processing by a data processor should be governed by a contract that sets out the subject matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects, the obligations and rights of the controller, and any other matter, as prescribed.
8. Data Subject Rights
A data subject has the right to be notified of all third parties to whom that data subject's personal data has been disclosed and the measures put in place to safeguard personal information of that data subject.
A data subject is entitled to request access to and obtain a copy of their personal data, together with prescribed information about why and how the personal data may have been processed by the controller.
Data subjects are entitled to require inaccurate or incomplete personal data to be corrected or completed as soon as practicable.
Data subjects may request erasure of their personal data. The right is not absolute; it only arises in quite a narrow set of circumstances, notably where the controller no longer needs the data for the purposes for which they collected it or otherwise lawfully processed, or as a consequence of the successful exercise of the right to object to the processing of the data subject's personal data, or of the withdrawal of consent.
Data subjects have the right to object to processing of that data subject's personal data. Data controllers will then have to stop processing of the data unless they are permitted to process the data by any written law, as such an instance overrides the rights of the data subject. Additionally, data subjects enjoy an unconditional right to object to the processing of personal data for direct marketing purposes at any time.
Where a data subject requests their personal information from a data controller, they have a right to receive that personal data in a structured, commonly used, machine readable, or otherwise legible format and may transmit that data to another data controller. A further right is that a data subject may request the direct transfer of their personal data from one data controller to another where technically or otherwise feasible.
A data subject is entitled to not be subjected to automated decision-making including profiling which produces legal effects concerning the data subject or similarly affects the data subject. However, automated decision making is only permitted where:
- necessary for entering into or performing a contract between the data subject and data controller;
- authorised by any written law; or
- the data subject has given their explicit consent.
Further, where automated decisions are made on the basis of the grounds above, the data subject has the right to obtain human intervention on the part of the data controller, to contest the decision, and to express the data subject's point of view. Further safeguards for automated decisions are provided for in respect of sensitive personal data. Section 63(4) of the Data Protection Act provides that sensitive personal data shall not be processed by automated means unless:
- the data subject expressly consents to the processing;
- the processing is in the public interest; or
- the processing is permitted by any written law and suitable measures to safeguard the data subject's rights and freedoms and legitimate interests are in place.
Right to restriction of processing
Data subjects enjoy a right to restrict processing of their personal data in well-defined circumstances. These include where the accuracy of the personal data is contested by the data subject, for a period enabling the data controller to verify the accuracy of the personal data, where the data controller no longer needs the personal data for processing save for legal claims of the data subject, or where the legitimate grounds for processing by the controller are contested pending the verification of whether the legitimate grounds override those of the data subject.
General penalties under the Data Protection Act include:
- a fine not exceeding three 100,000 penalty units (ZMW 30,000 (approx. €1,690)) or to imprisonment for a term not exceeding three years, or to both; and
- forfeiture where there has been a conviction for any of the offences under the Data Protection Act and the power is given to the court to pronounce the forfeiture of the medium containing the personal data to which the offence relates.