As the technological revolution continues advancing at an exponential rate, each novel advance buttresses the correlation between technology and data. The protection of the said data has been brought into focus following various intrusions or other instances laissez-faire approaches to the protection thereof by enterprises whose business models revolve around the collection of data. It is in this context that Zimbabwe has promulgated the Data Protection Act, in the hope of regulating the collection, storage and use of personal data. Whilst there is an appropriate conversation on the merits and demerits of the substantive issues arising from the newly enacted legislation , the thrust this article will advocate that all business enterprises ought to have data protection policies over and above that which has been prescribed under national law. Data protection or lack thereof will increasingly become a risk factor to all business models hence it is suggested internal data protection policies are as critical as the provisions captured under legislation as a self regulatory tool that limits or prevents the strictures of mandatory laws under legislation. Moreover it is suggested effective data protection policies or frameworks should adopt a heterogeneous bevy of mandatory and self regulatory provisions to adequately regulate data protection at any juncture notwithstanding future technological advancement that may make such policies redundant e.g. the potential impact of block chain technology on. Below are some considerations that may be relied upon in crafting a data protection policy. The considerations have been extracted from sources such as the SADC Model Law on Data Protection 2010, the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data.
The scope of any effective data protection policy should include the collection, retention and protection of the said data. In some instances, and particularly where there is a convergence with national law, business enterprises should also regulate the sharing of information with third parties when the law permits.
Data protection is premised on a set of fundamental principles that ought to be complied with when processing data within the scope identified above, until such a time as the aforementioned data is archived, deleted or destroyed. The data collection principles include:-
- Collection Limitation Principle which prescribes that there should be limits to the collection of personal data which should be obtained through lawful and fair means
- Data Quality- Principle which states that Personal data should be relevant to the purposes for which they are to be used and, to the extent necessary for those purposes, should be accurate, complete and kept up-to-date
- Purpose Specification- The purposes for which personal data are collected should be specified not later than at the time of data collection and the subsequent use limited to the fulfilment of those purposes
- Use Limitation-Personal data should not be disclosed made
available or otherwise used except under the following
- With the consent of the data subject; or
- By the authority of law.
- Security Safeguards- Personal data should be protected by reasonable security safeguards against such risks as loss or unauthorised access, destruction, use, modification or disclosure of data.
- Openness- There should be a general policy of openness about developments, practices and policies with respect to personal data.
- Accountability - A data controller should be accountable for complying with measures which give effect to the principles stated above.
Indeed the recently promulgated Data Protection Act was developed in line the principles outlined above. The authors hereto opine that where the legislation may present gaps, due reference to the model laws referenced above and other global standards in data protection will be essential to an effective and robust data protection provisions prescribed by legislation. However legislation is notoriously slow to amend and enact hence the authors further opine that business enterprises are better protected from the attached risks by having their own internal data protection policies that subsume the national law and go further in protecting the collected data by adopting best practices.
Further to the collection principles outlined above any competent data protection policy should remain cognisant of the rights attributed to data subjects. It follows that the collection and processing of personal data must be consistent with the fundamental freedoms provided in the Constitution of Zimbabwe. Data processors should therefore observe and implement the following rights:
- Right to withdraw consent: where the lawful basis relied upon is the data subject's consent, the right to withdraw such consent at any time without having to explain why
- Right to be informed - The right to be provided with certain information about how the data subject's personal data is collected and processed.
- Right of subject access -The right to receive a copy of the personal data that is held by the data processor.
- Right to rectification- The right to have inaccurate personal data corrected or incomplete dated completed
- Right to erasure -The right to ask the firm to delete or destroy the data subject's personal data if: the personal data are no longer necessary in relation to the purposes for which they were collected; the data.
- Right to data portability The right to request your set of personal data to be transferred to another controller or processor, provided in a commonly used and machine-readable format
- Right to object- The right to object to our processing of your data where:
- Processing is based on legitimate interest;
- Processing involves automated decision-making and profiling.
The new Data protection Act does not expressly provide for the right to data portability noted above, however such right is consistent with the right to access of information enshrined under the Constitution of Zimbabwe. Any business enterprise looking to creating or updating their data protection policy are encouraged to view such right as one offering a competitive advantage as data will become increasingly interchangeable as the technological revolution continues unravelling. More pertinently business enterprises should view ascribing to more stringent standards/or undertaking to protect data subjects rights as an assured tool to inhibit risk as opposed to an unnecessary burden.
As advancements in technology continue to manifest the protection of data continues to gain traction and business enterprises in Zimbabwe should take data protection as a key risk factor to consider alongside the sustainability of their business model. The discourse above provides a guideline in this critical exercise as the interface between businesses, customers and stakeholders becomes intensely data driven, which emphasizes the need for a competent, robust data protection policy.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.