Zimbabwe enters data protection minefield with new proposals
By Nqaba Matshazi
There is a rise in the use of technology in Zimbabwe. This increase in the use of technology often affects how citizens enjoy and exercise their fundamental rights. Digital rights is a broad term that refers to “the human rights that allow individuals to access, use, create, and publish digital media or to access and use computers, other electronic devices, or communications networks.”
Unfortunately, digital rights issues barely get coverage in local media, which is indicative of a lack of a cohesive debate or at least knowledge about digital rights, despite new technologies increasingly becoming pervasive and ubiquitous.
One example was when announcing the 2019 national budget, Finance minister Mthuli Ncube made a proposal to use DNA and other biometric methods to obtain data from civil servants, an issue that barely had any mention in the national media, but could be illustrative of the government stepping up surveillance of locals.
While the drive to eliminate ghost workers is noble, using DNA to keep a register of workers presents a minefield of its own, and there is need to take a step back before implementing what could be a populist move, but quite detrimental to rights such as the right to privacy.
Ncube’s announcement reminded of me of the episode before elections, where the Zimbabwe Electoral Commission (Zec) was accused of forwarding people’s phone numbers to one of the parties, Zanu PF, so they could use direct campaign methods.
To this day, no one has provided a satisfactory response on how one of the parties was able to get so much information about people on the voters’ roll without their consent.
Just as the idea to use DNA to identify people might seem like a foolproof way of ensuring an end to ghost voters, there is so far no guarantee that one day, civil servants may not wake up to emails or telemarketers offering medical help based on the DNA profiles that would have been given to the government.
Data protections laws should ensure that the state and by extension, other quasi-government bodies that collect people’s personal data do not abuse it, for example by selling it to third parties, who only want to send unsolicited marketing messages.
Section 57 of the constitution guarantees the right to privacy and the government ought to be prioritising that before coming up with laws that may infringe on this law.
The government should be coming up with and implementing regulations that strengthen the right to privacy so that Zimbabweans are guaranteed that whatever information they share with authorities, it is not passed onto third parties.
At the moment, anyone with an appreciation of digital rights could be wary of the government’s intentions, as there is a trust deficit and the Zec episode left a sour taste in the mouth.
Compounding this lack of trust is that the government is also planning on increasing the use of surveillance technology in the name of national security, but again there are valid concerns that authorities may go beyond this and use it as a tool to spy on citizens.
The Media Institute of Southern Africa Zimbabwe chapter (Misa Zimbabwe) has pointed out that while surveillance technology is used in countries such as South Africa, the United Kingdom and the United States, Zimbabwe does not have an adequate data protection regime to ensure that the massive trove of the data they collect is not abused or misused.
In its analysis of data protection laws, Misa Zimbabwe points out that the current laws governing data protection are outdated and need to be modernised to make them more relevant to an ever changing digital world.
For example, the Access to Information and Protection of Privacy Act (AIPPA), which was promulgated in 2002, is meant to promote data protection. However, it was crafted at a very different time, when technological adoption was quite nascent, rendering that part of the law irrelevant.
Zimbabwe has also flirted with the idea of adopting a data protection law, with President Emmerson Mnangagwa hinting that such a regulation could be on the horizon.
However, the last attempt – the Data Protection Bill – fell woefully short of meeting the demands of a modern law of adequately guaranteeing the protection of Zimbabweans’ data.
In the proposed bill that first came up in 2015, there was a proposal to come up with a Data Protection Board, which would be appointed by the President in consultation with the minister, but this was a red flag. Remember the trust deficit issue raised earlier.
There were also issues to do with the classification of “sensitive” and “non-sensitive” data and in the end, three years later, the bill has not seen the light of day.
There have been suggestions that Zimbabwe could look at best practice in the formulation of a data protection law, with the European Union’s General Data Protection Regulations, providing a good example.
In a nutshell, what these regulations do is to give individuals primary control over their data and to simplify the regulatory environment. Under these regulations, anyone who receives an individual’s personal data should ensure they use the highest-possible privacy settings by default, so that the data is not available publicly without explicit, informed consent, and cannot be used to identify a subject without additional information stored separately.
Additionally, no personal data may be processed unless it is done under a lawful with express, “unambiguous and individualised affirmation of consent from the data subject. The data subject has the right to revoke this consent at any time”.
Therefore, it is incumbent for the government to put in place strong laws that ensure high levels of data protection before thinking of using interventions like DNA, as anything else would be tantamount to putting the cart before the horse.
18 Feb 2019
13 Feb 2019
13 Feb 2019