DATA PROTECTION
BILL
PRESENTED BY GERTRUDE M. IMBWAE
National Legal Expert On Data Protection
The Objective of The Bill
• To govern the processing of personal information by
private and public bodies.
• To prevent unlawful use, collection, processing,
transmission and storage of personal information of
identifiable persons.
• To provide for the regulation of Data Protection Authority
and provide for matters connected therewith.
The presentation assumes that participants have read the
definitions proposed in the Bill and is confined to some
salient features in the Bill as contained in Parts I to VI.
Part II
Scope of Application
Section 4
The law will be applicable to any processing of personal
data-performed wholly or partly by automated and
unautomated means.
• Carried out in the context of effective and actual activities
of any controller permanently established in Zambia or in
a place where Zambian law applies by virtue of
international public law.
• By a controller who is not permanently established in
Zambia , if the means used, automated or not is located in
Zambia, and is not merely for the purposes of processing
personal data in transit through Zambia. In this case the
controller would designate a representative established in
Zambia(Agency relationship).
Exclusions
The law will not apply to:
• Processing of personal data by a natural person in the
course of purely personal or household activities.
• Restrict the ways of production of information which are
available according to a national law or as permitted in the
rules that govern legal proceedings for a party in any
judicial procedure.
• Restrict the power of judicial courts to constrain a witness
to testify and produce evidence.
Part III
Data Protection Authority
Section 5
An independent and Administrative Authority is to be
established and will have oversight and control of this law.
Its composition includes
• Judges appointed by their peers and one to be
president(chairman).
• Persons are appointed by national organisations for
fundamental human rights or non governmental
organisations.
• Persons appointed by national organisations for
information and communication technologies.
N.B The men once appointed will be permanent members
of the Authority.
The Authority will have substitute members who will reflect
the composition as stated above. These will replace a
permanent member when not in attendance or when their
position becomes vacant.
All members, permanent/ substitute shall have
competencies in personal data protection, privacy or
information and communication technologies.
Qualifications for Membership
• Zambian
• In full possession of civil and political rights
• Not members of an organ of SADC or parliament
• Members not to attend any deliberations of the authority
in which they have a personal interest
• Members, all personnel, consultants and contractors of
the Authority have an obligation of secrecy for purposes of
maintaining confidentiality of all facts, acts and
information that may become known to them in the
exercise of their function.
• Members appointed for a term of 3 years renewable for a
maximum of 2 consecutive terms.
• Members only removable by the organ or organisation
that appointed them in the event of breach of their duties
or an offence to the integrity of their function.
• Members have immunity for opinions expressed in the
execution of their function and cannot therefore be
removed for that.
• In exercise of their function, members shall remain
independent from the influence of instructions of any other
public/ private body.
• Quorum at meetings shall be a majority of its membership
and decisions shall be taken by absolute majority. When
there is an equal number of votes, the president/
substitute shall have a casting vote.
Section 6
Powers of the Authority include:
• procuring that data controller’s processing of personal
data is compliant with the Act.
• Issuing opinion(s) on any matter relating to the application
of fundamental principles of the protection of privacy in
relation to the processing of personal data.
• Submission to court any legislative or administrative act
not compliant with fundamental principles of the protection
of privacy in relation to the processing of personal data.
• Issuing of regulations in form of statutory instrument(s).
• Conducting inquiries either of its own accord or at the
request of a data subject or any intended person and may
carry out on-site investigations with the help of experts,
demand disclosure of any documents useful for their
investigation(s) and shall have access to all places
reasonably suspected to be the location for activities
relating to the application of this Act.
• Receiving complaints lodged against a personal data
processing and provide due response to the
complainants.
• Conducting consultations with major stakeholders on
matters appearing necessary for securing effective data
protection for any services, facilities, apparatus or
directories under this Act.
Section 8
Access to address the Authority is free of charge by any
person judicial or natural or through their lawyer or duly
appointed representative.
Section 9 Sanctions
The Authority may impose the following sanctions;
• A warning to a data controller failing to comply with the
obligations of the Act.
• A formal notice to comply issued to a relevant data
controller to cease the non-compliance with the Act.
• If controller fails to comply with the notice served, after
due hearing of the parties, the Authority may limit or
cease the processing or suspension of authorisation for a
maximum period of 3 months and or with a financial
penalty.
• In case of a serious and immediate violation of individual
rights and liberties, the Authority may rule in summary
proceedings:
 The limitation or ceasing of personal data processing.
 The temporary or definitive processing not compliant with the
provisions of this Act.
Sanctions of the Authority can be appealed against through
the courts.
Section 10 Financing of the Authority
• By grant from the parliament.
• Collection of financial sanctions pronounced against data
controllers.
Part IV
Quality of the Data
Section 11
Data controller, any person working under their authority and any
subcontractor shall ensure that personal data processed is:
• Adequate, relevant and not excessive in relation to the purposes for
which it is collected.
• Accurate and where necessary kept up to date. Reasonable steps should
be taken to ensure that inaccurate or incomplete data with respect to the
purposes for which its collected or further processed, is erased or
rectified.
• Retained in a form that allows for the identification of data subjects, for
no longer than necessary with a view to the purposes for which the data
is collected or further processed.
Exception
The Authority shall establish appropriate safeguards for personal data
retained longer for historical, statistical or scientific research purposes.
• Accessible regardless of the technology used and that the evolution of
technology will not be an obstacle to the future access or processing of
such personal data.
Part V
General Rules On The Processing of
Personal Data
The data controller shall ensure that:
• Processing of personal data is necessary and that the
data is processed fairly and lawfully.
• Personal data is collected for specified, explicit and
legitimate purposes meeting reasonable expectations of
the data subject and the applicable legal and regulatory
provisions and should not be processed in a way
incompatible with such purpose(s).
N.B Under conditions established by the Authority, further
processing of data for historical statistical or scientific
research purposes is not considered incompatible.
Section 14 The Processing of non-sensitive personal data is
permitted, without consent of the data subject
• That may be material as evidence in proving an offence.
• For compliance with an obligation to which the controller is
subject by or by virtue of a law.
• In order to protect the vital interest of the data subject.
• For the performance of a task carried out in the public interest,
or in exercise of the official authority vested in the controller or
in a third party to which the data is disclosed.
• For the promotion of legitimate interests of the controller or
third party to whom the data is disclosed except where such
interests are overridden by the interests or fundamental rights
and freedoms of the data subject claiming protection under the
Act.
Section 15
The processing of sensitive personal data is prohibited
unless the data subject has consented in writing.
Sensitive personal data includes data that reveals racial or
ethnic origin, political opinions, religions or philosophical
beliefs, affiliations, trade union memberships, gender or
health. It also includes data considered in Zambia as
presenting a major risk to the rights and interests of the
data subject i.e. unlawful or arbitrary discrimination.
• The consent can be withdrawn by the data subject at any
time and without any explanation and free of charge.
Exceptions to processing of sensitive data without data
subjects consent, include:
• Where the processing is necessary to carry out the
obligations and specific rights of the controller in the field
of employment law.
• The processing is necessary to protect the vital interests
of the data subject or another person(where the data
subject is physically or legally incapable of giving their
legal, judicial or agreed representative.
• The processing is carried out by a foundation, association or
any other non-profit organisation with a political, philosophical,
religious, health insurance or trade union purpose and on
condition that the processing relates solely to the members of
the organisation or to persons who have regular contact with it
in connection with such purposes and that the data is not
disclosed to a third party without the data subject’s consent.
• The processing is necessary to comply with national security
laws.
• The processing is necessary, with appropriate quantities, for
the establishment, exercise or defense of legal claims.
• The processing relates to data which has been made public by
the data subject.
• The processing is necessary for the purposes of scientific
research(The Authority to specify conditions for carrying
out the processing)
• The processing is carried out according to the law on
public statistics.
• The processing is necessary for purposes of preventive
medicine or medical diagnosis, the provision of care or
treatment to the data subject or one of their relatives, or
the management of health care services provided in the
interest of the data subject, and when the data is
processed under the supervision of a health professional
and their agents[they will be subject to the duty of
confidentiality].
• The processing of personal data is authorised by a law or
any regulation for any other reason constituting
substantial public interest.
• The processing is carried out by associations with a legal
personality or organisations of public interest whose main
objective is the protection and promotion of human rights
and fundamental freedoms, with a view to achieving that
objective provided that the processing has been
authorised by the Authority.
Section 16 Genetic data, biometric data and health data
• The processing of genetic, biometric and health data if
processed for what it reveals or contains, is prohibited
unless the data subject has given their consent in writing.
• The consent can be withdrawn at any time without any
explanation and free of charge.
Exceptions- data subject’s consent is not necessary as
discussed under Section 15.
Section 17 Unique Patient Identifier
• Processing of genetic/health data can be processed only
if a unique patient identifier is given to the patient which is
distinct from any other identification number.
Section 18 Personal Data in Legal Proceedings
The processing of personal data relating to litigation i.e.
suspicions, prosecutions or convictions in matters of crime,
administrative sanctions or security measures is prohibited,
except if it is done:
• Under supervision of a public body or ministerial civil
servant and the processing is necessary for the fulfillment
of their duties.
Part VI Duties of the Data controller and
Data Processor
Section 21 Information when personal data collected directly
from data subject
Where personal data relating to the data subject is obtained
directly from the data subject the controller or their
representative shall provide the data subject with the following
information• name and address of the controller and their representative, if
any
• the purpose of the processing
• the existence of the right to object, free of charge, to the
intended processing of personal data relating, if is obtained for
purposes of direct marketing
• whether compliance with the request for information is
compulsory or not, as well as what the consequences of the
failure to comply are
• Taking in account the specific circumstances in which the
data is collected, any supporting information, as, as
necessary to ensure fair processing for the data subject,
such as:
• The recipients of data
• Whether it is compulsory to reply and what the possible
consequences of the failure to reply are
• The existence of the right to access and rectify personal data
Other information dependent on the specific nature of the
processing, as specified by the authority
Section 22 Information when personal data not collected to
directly from data subject
The controller or their representative must provide the data
subject with information as set out in section 21 when recording
the personal data or considering communication to a third party
when the data is first disclosed.
Exceptions
- where informing the data subject proves impossible or would
involve a disproportionate effort, in particular for data collected
for statistical purposes, historical, scientific research, for
purposes of medical examination of the population with a view
to protecting and promoting public health
- Where personal data is recorded or provided with a view to the
application of a provision laid down by or by virtue of a law
Thank You
Questions?
Gertrude M. Imbwae
National Legal Expert on Data Protection