Understanding Zambia’s Data Protection Act (DPA)

Contributors

Anas Baig

Product Marketing Manager at Securiti

Rohma Fatima Qayyum

Assoc. Data Privacy Analyst

I. Introduction

The Parliament of Zambia formally passed the Data Protection Act, 2021 (the Act) on March 23, 2021. The Act specifies how personal data must be collected, transmitted, stored, and processed and elaborates on individuals' rights regarding their personal data.

The Act establishes an effective method for data protection and serves as a guideline for organizations to adhere to their data protection obligations. This article will explore the Act's central features, particularly highlighting its scope of application, data subject rights, the role of the regulatory body, penalties for non-compliance, and best practices for ensuring compliance.

II. Applicability of the Act

In terms of material scope, the Act applies to the processing of data:

  1. performed wholly or partly by automated means; and
  2. performed by any means other than electronic means.

However, the Act does not apply to the processing of personal data by an individual for personal purposes.

III. Definitions of Key Terms

1. Personal Data

Any information that enables the direct or indirect identification of an individual, including an individual’s name, personal identification number, location data, an online identifier, and physical, physiological, genetic, intellectual, cultural, economic, or social identity details.

2. Sensitive Personal Data

Any personal data that by its nature may be used to suppress the data subject’s fundamental rights and freedoms. It includes the individual’s race, marital status, ethnic origin or sex, genetic and biometric data, child abuse data, political or philosophical opinions, religious beliefs, affiliation to a trade union, personal criminal record, or any information in relation to the individual’s mental health or physical or mental condition.

3. Biometric Data

Personal data that results from scientific analysis of physical, psychological, or behavioral characteristics of a natural person, thus confirming their unique identification.

4. Genetic Data

Personal information related to inherited or acquired genetic characteristics of an individual that result from the analysis of an individual’s biological sample, particularly chromosomal deoxyribonucleic acid (DNA) or ribonucleic acid (RNA) analysis or from the analysis of another element allowing the same information to be obtained.

5. Processing

A series of actions that are performed on personal data by automatic or other means, such as collecting, recording, or holding of data or performing a set of operations on the data, including organization, adaptation, alteration, retrieval, alignment, blocking, erasing, or disclosing personal data by transmission, dissemination or otherwise making available.

6. Data Subject

An individual whose personal information is being processed.

7. Data Controller

The person solely or jointly responsible with other individuals for the control and maintenance of the use of personal data on computers or in structured manual files. The data controller possesses the authority to request, collect, collate, process, or store a data subject's personal data.

8. Data Processor

The person, private or public entity that processes personal data on behalf of and according to the instruction of the data controller.

9. Code of Conduct

The data protection charter, approved and passed by the Zambia Information Communications and Technology Authority, ensures that the data controller and data processor comply with the Act and any other applicable written law.

10. Profiling

The automated processing of personal data with the objective of evaluating certain personal aspects of a natural person, such as analysis of their professional performance, economic status, health, personal preferences, interests, reliability, behaviour, location, or movements.

11. Pseudonymisation

The processing of personal data in a manner that makes it impossible to associate personal data with a specific data subject without acquiring additional information, where that additional information is kept separately while being subjected to technical and organizational measures to ensure that personal data is not attributed to natural persons.

12. Third-Party

Any person other than the data subject, data controller, or data processor who possesses the authority to process data on behalf of the data controller or data processor.

IV. Obligations for Organizations Under the Act

A. Principles of Processing

Organizations must ensure that personal data is:

  1. processed in a fair, lawful, and transparent manner;
  2. collected for specific, legitimate, and explicit purposes, and not further processed in contradiction with those purposes;
  3. adequate, relevant, and not excessive in nature;
  4. accurate and kept up to date while ensuring that inaccurate data is deleted immediately;
  5. stored in a manner that allows for the identification of the data subjects only for the necessary time period and the purpose for which it was processed;
  6. processed in accordance with the rights of the data subjects; and
  7. processed in a manner that guarantees appropriate security of personal data and uses suitable technical or organizational measures to ensure protection against unauthorized or unlawful processing and any loss, destruction, or damage.

B. Lawful Basis of Processing

The data controller can only process data where:

  1. the data subject has consented to the processing of their personal data;
  2. the processing is necessary for one of the following purposes:
    1. for the performance of a contract;
    2. for compliance with legal obligations to which the data controller is subjected;
    3. to protect the vital interests of data subjects or other natural persons;
    4. for the performance of tasks carried out in the public interest or the exercise of official authority vested in the data controller;
    5. to pursue the legitimate interests of the data controller or a third party except when the interests and rights of the data subject are given priority over them; or
  3. the processing is related to personal data that has been made public by the data subject.

The processing of sensitive personal data is not permitted except where:

  1. processing is necessary to establish, exercise, or defend legal claims, or a court is acting in its judicial capacity;
  2. processing is necessary for the objective of preventive or occupational medicine, to assess the working capacity of an employee, medical diagnosis, or for the provision or management of health and social care systems and services; or
  3. processing is vital for reasons that serve the public interest.

If the data subject is a child or vulnerable person, the data subject’s parents, legal guardian, or a person assuming parental responsibility may exercise the data subject’s rights. The data of such data subjects cannot be processed unless their parents or legal guardians provide consent.

However, it must be noted that the data subjects possess the right to withdraw their consent at any time.

C. Registration

The Act prohibits any person from acting as a data controller or a data processor unless they have registered themselves with the Data Protection Commissioner (DPC). The Data Protection Commissioner will keep and maintain a register containing any information they wish to add. DPC will also determine where to keep the register, and the public will be granted access to it during regular working hours after paying a prescribed fee.

D. Privacy Notice

Under the Act, entities collecting personal data are required to provide data subjects with prior notice regarding the collection, processing, and use of their personal information. This notice should include details such as the purpose of data collection, how it will be used, and any third parties with whom the data will be shared.

E. Methods to Ensure Security of Processing

  1. The data controller or data processor is responsible both for putting in place the technical and organizational security measures needed to protect personal data and for ensuring that those measures are strictly followed.
  2. After considering the nature, scope, and purpose of processing personal data, the risks of processing such data, and the likelihood and extent of harm that can result from such processing, the data controller or data processor must implement the following security measures:
    • use pseudonymization and encryption to maintain the integrity of personal data;
    • undertake steps that ensure confidentiality, integrity, and implementation of measures to protect the integrity of personal data;
    • minimize exploitation, unauthorized access, alteration, disclosure, and destruction of personal data through appropriate measures; and
    • implement suitable and necessary data protection policies.
  3. The data controller or processor must periodically review security measures according to the guidelines provided by the Data Protection Commissioner.
  4. If the processing is to be carried out on behalf of the data controller, the data controller should only use the data processors that protect the rights of the data subject by implementing appropriate safeguards and technical and organizational measures in accordance with the requirements laid down in the Act.
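Section III.11 defines pseudonymisation by its structure: the dataset on its own must not be attributable to a data subject, and the additional information needed to re-identify someone must be held separately under technical and organizational controls. Section E then lists pseudonymisation and encryption among the expected security measures. The following is an added illustration, not code from the article or from Securiti, of what that structure looks like in practice: a keyed HMAC produces a stable token per subject, the key and the token-to-identity table live in a separate vault object (standing in for a separately controlled store), and a check confirms that no direct identifier leaves with the dataset. The record fields, national ID values, and the `ReidentificationVault` name are constructed for the example.

```python
"""Added example: pseudonymisation with re-identification data held separately."""
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional

# Constructed sample records (fictional subjects): direct identifiers alongside
# the attributes an analytics or research team actually needs.
SAMPLE_RECORDS = [
    {"name": "Mwila Banda", "national_id": "ZM-0001", "diagnosis": "asthma", "year": 2023},
    {"name": "Chanda Phiri", "national_id": "ZM-0002", "diagnosis": "diabetes", "year": 2023},
    {"name": "Mwila Banda", "national_id": "ZM-0001", "diagnosis": "asthma", "year": 2024},
]

# Fields that identify a person directly and must not appear in the pseudonymised set.
DIRECT_IDENTIFIERS = ("name", "national_id")


class ReidentificationVault:
    """The 'additional information' of the definition: a secret key plus the
    token-to-subject table. In a real deployment this lives in a separate
    service with its own access controls, never beside the pseudonymised data."""

    def __init__(self, key: Optional[bytes] = None):
        # A random key per vault; passing one in is only for reproducible tests.
        self.key = key if key is not None else secrets.token_bytes(32)
        self._table: Dict[str, str] = {}

    def pseudonym_for(self, national_id: str) -> str:
        # Keyed HMAC rather than a bare hash: without the key, an attacker who
        # knows a national ID cannot hash it and find the subject in the dataset.
        token = hmac.new(self.key, national_id.encode("utf-8"), hashlib.sha256).hexdigest()[:20]
        self._table[token] = national_id
        return token

    def reidentify(self, token: str) -> Optional[str]:
        # Only the vault holder can map a token back to a subject.
        return self._table.get(token)


def pseudonymise(records: List[dict], vault: ReidentificationVault) -> List[dict]:
    """Return a copy of the records with direct identifiers replaced by a token.

    The same subject gets the same token, so longitudinal analysis still works,
    while the dataset alone reveals nothing about who the subject is."""
    out = []
    for rec in records:
        token = vault.pseudonym_for(rec["national_id"])
        safe = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        safe["subject_token"] = token
        out.append(safe)
    return out


def leaks_direct_identifiers(dataset: List[dict]) -> bool:
    """Release gate: True if any record still carries a direct identifier."""
    return any(k in DIRECT_IDENTIFIERS for rec in dataset for k in rec)


if __name__ == "__main__":
    vault = ReidentificationVault()
    dataset = pseudonymise(SAMPLE_RECORDS, vault)
    assert not leaks_direct_identifiers(dataset)
    for row in dataset:
        print(row)
    # Only the vault can reverse a token; a different vault (different key, no table) cannot.
    first = dataset[0]["subject_token"]
    print("vault re-identifies:", vault.reidentify(first))
    print("other vault re-identifies:", ReidentificationVault().reidentify(first))
```

The split between `pseudonymise` and `ReidentificationVault` is the point: whoever receives the output of `pseudonymise` has no route back to a person unless they are also granted access to the vault, which is exactly the "kept separately" condition in the Act's definition.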

F. Data Breach

The data controller must inform the Data Protection Commissioner within twenty-four (24) hours of a data breach. Additionally, the data processor must promptly notify the data controller of any security breach involving personal data they processed on behalf of the data controller. Similarly, the data controller or data processor must inform the data subject of any security breach involving their personal data as soon as possible.

G. Data Protection Officer

Subject to section 48 subsection (2) of the Act, the data controller and data processor are required to appoint a Data Protection Officer while complying with the guidelines set out by the Data Protection Commissioner.

H. Data Protection Impact Assessment

  1. Where a type of processing, in particular one using new technologies, is likely to pose a high risk to the rights and freedoms of data subjects, taking into account the nature, scope, context, and purpose of the processing, the data controller shall carry out an assessment of the impact of the proposed processing operations on the protection of personal data.
  2. A data protection impact assessment is required when:
    • an automated processing system such as profiling is used to process personal data, resulting in significant legal effects or similarly significant impacts for the natural person;
    • large-scale processing of sensitive personal data or data related to criminal convictions and offences is undertaken; or
    • large-scale systematic monitoring of a publicly accessible area is undertaken.
  3. The Data Protection Commissioner shall craft a public list of the processing operations that require implementing a data protection impact assessment.
  4. The impact assessment must be conducted in the manner and form specified in the Act.
  5. Where the risk associated with the processing operations changes, the data controller shall review the assessment to determine whether the processing is being performed in accordance with it.

I. Record of Processing Activities

A written record detailing the following must be kept and maintained by the data controller:

  1. processing activities and metadata in the specified format; and
  2. all categories of processing activities in the specified format.

Upon request, the Data Protection Commissioner shall be granted access to the record by the data controller.

J. Cross Border Data Transfer Requirements

A data controller is required to process and store personal data within a server or data center in the Republic of Zambia. However, the Minister may specify categories of personal data that can be stored outside the Republic of Zambia, provided that the sensitive personal data shall always be processed and stored in a data center located in Zambia.

The Act specifies the following conditions where certain categories of personal data, except sensitive personal data, may be transferred outside Zambia:

  1. the data subject has provided their consent for data transfer and the transfer is contingent upon standard contracts or intra-group schemes approved by the Data Protection Commissioner; or
  2. the data subject has provided their consent for data transfer and the Minister has permitted the transfers outside the Republic of Zambia; or
  3. a specific transfer or set of transfers has been permitted by the Data Protection Commissioner as per necessity.

In addition to the aforementioned conditions related to the cross-border data transfers, the Minister has the authority to define the criteria for cross-border data transfers under section 71 subsection (1)(a)(ii) of the Act through statutory instruments, ensuring that:

  • the relevant personal data involved receives an adequate level of protection, taking into account relevant laws and international agreements; and
  • the enforcement of data protection laws by authorities with suitable jurisdiction is effective.

Moreover, the Data Protection Commissioner may monitor the conditions pertinent to data transferred outside the Republic of Zambia under section 71 subsection (1)(a)(ii) of the Act with the objective of reviewing decisions made in accordance with the Act.

Despite the Minister’s powers concerning the establishment of criteria for cross-border data transfer, there are certain situations in which personal data may be transferred outside the Republic of Zambia:

  • when there is an emergency and a particular person or entity providing health or emergency services requires access to data;
  • when the data subject has clearly agreed to the transfer of sensitive personal data; and
  • when data has to be transferred to a specific international organization or country in accordance with section 71 subsection (1)(a)(ii) of the Act, and the Data Protection Commissioner determines that such transfers are essential for certain classes of data controllers or data subjects and do not impede the effective enforcement of the Act.

Under the Act, the Data Protection Commissioner shall approve standard contracts or intra-group schemes that effectively safeguard the rights of data subjects under section 71 subsection (1)(a), including subsequent transfers of personal data to other persons or entities under this subsection. A data controller that transfers personal data under such a standard contract or intra-group scheme must periodically notify the Data Protection Commissioner that the transfer is made under a contract fulfilling those standard contractual clauses or intra-group schemes, and must accept full responsibility for any harm that results from the transferee's non-compliance with them.

V. Data Subject Rights

The Act grants the following exercisable rights to data subjects in relation to their personal data:

A. Right of Access and Notification

The data subject has the right to obtain confirmation from the data controller of whether or not their personal data is being processed and, where it is, to be provided with:

  • the purpose of data processing, the category of data being processed, and the categories of recipients to whom the data subject’s personal data has been disclosed;
  • the expected period of data storage or, where that is not possible, the criteria used to determine that period;
  • sources and categories of personal data being processed; and
  • information about the logic behind the automatic processing of their personal data.

Where a data controller has processed sensitive personal data of a data subject for scientific research purposes, the data controller may delay providing the information to the data subject until the research is concluded, if:

  • providing information to the data subject would prejudice the research;
  • there is no risk to the data subject’s right to protection of privacy; and
  • the data was collected with the consent of the data subject.

B. Right to Rectification

The data subject has the right to request that inaccurate and incomplete personal data be corrected and completed without delay.

C. Right to Erasure

The data subject has the right to request deletion of their personal data. Such a request must be immediately fulfilled by the data controller when:

  • personal data is no longer needed for the objective for which it was collected;
  • the data subject or an individual possessing parental rights, where the data subject is a child, withdraws consent or objects to the processing of data and there is no other legitimate basis for processing;
  • unlawful practices have been used to process personal data; or
  • personal data must be deleted in order to comply with a legal requirement in the Republic of Zambia that applies to the data controller.

Where the data controller has made the data subject’s personal data public, it shall take all reasonable steps to notify any data processor and any third party processing the personal data as a result of the publication that the data subject has requested the erasure of any links to, or copies or replications of, such personal data.

D. Right of Objection

The data subject has the right to object to the processing of their personal data unless the data controller is obligated and permitted by law to do so. The data subject can also object to the use of their personal data for direct marketing purposes. The Act further obligates the data controller to clearly inform the data subject about their rights during their first communication with the data subject. This information should be presented separately and in a straightforward manner.

E. Right to Restriction of Processing

A data subject has the right to restrict a data controller from processing their personal data if:

  1. the data subject has contested the accuracy of the data, for the period the data controller needs to verify its accuracy;
  2. the purpose for which the data was collected is no longer applicable but is required by the data subject to establish, exercise, or defend legal claims;
  3. the data subject has opted out of the processing of their personal data compatible with section 60(1)(c) of the Act, awaiting confirmation on whether the legitimate interests of the data controller outweigh those of the data subject.

F. Right to Data Portability

The data subject has the right to obtain their data in a structured, commonly used, machine-readable or any other legible format. The data subject can also transfer their data to another data controller.

G. Right to Not Be Subject to Automated Data Processing

A data subject has the right not to be subject to a decision based solely on automated processing, including profiling, that may produce legal consequences for the data subject. However, this right does not apply if the decision is:

  • Necessary for entering or performance of a contract between the data subject and data controller;
  • Authorized by a written law;
  • Based on the data subject’s explicit consent.

A data controller must implement all necessary measures to safeguard the data subject’s rights and freedoms, including their right to obtain human intervention from the data controller to enable the data subject to express their view and challenge a decision.

Automated data processing must not be undertaken when the processing involves sensitive personal data unless:

  • Data subject has expressly consented to that processing;
  • The processing is in the public interest;
  • The processing is permitted by written law and suitable measures are in place to protect the data subject’s rights and freedoms.

VI. Regulatory Authority

The Ministry has established the Office of the Data Protection Commissioner, the body responsible for regulating data protection and privacy in the Republic of Zambia. The Office of the Data Protection Commissioner is required to perform the following duties:

  1. undertake registration of data controllers and processors;
  2. authorize data auditors;
  3. circulate information and encourage stakeholders to engage in data protection in the Republic of Zambia;
  4. offer guidance to the government on matters related to data protection;
  5. maintain a register comprising data controllers, data processors, and data auditors;
  6. internationally represent the government on matters related to data protection;
  7. carry out research and development related to data protection;
  8. facilitate appropriate and effective coordination and collaboration with similar regional and international authorities;
  9. obtain and examine complaints under the DPA; and
  10. alter license terms and conditions issued under the DPA as required.

VII. Penalties for Non-Compliance

The Civil Service Commission has the authority to designate a sufficiently qualified individual as an inspector to oversee adherence to this Act.

The inspector has the right to arrest a person without a warrant if the inspector has reasonable grounds to believe that the person:

  • has committed an offence under this Act;
  • plans to commit an offence under this Act and this is the only way to prevent it; or
  • is intentionally obstructing the inspector in carrying out their responsibilities.

The inspector is authorized to take the arrested person to a police station without delay. Where any property is suspected of having been used in the commission of an offence under this Act, the law enforcement officer can confiscate it until the court makes an order regarding its disposal.

Additionally, the Act specifies varying penalties for different acts of non-compliance with the Act:

  • If an offence does not have a specified penalty under this Act, the person who commits it is liable to a maximum fine of 300,000 penalty units, or to imprisonment for not more than three years, or to both.
  • Any person who discloses sensitive personal data to another person is liable, on conviction, to a maximum fine of 200,000 penalty units, or to imprisonment for not more than two years, or to both.
  • Any person who controls or processes data without registering as a data controller or data processor is liable, on conviction, to a maximum fine of 500,000 penalty units, or to imprisonment for not more than five years, or to both.
  • Any corporate entity that violates any principles or rules relating to the processing of personal data under this Act is liable, on conviction, to a fine of up to 100,000,000 penalty units or two percent of its annual turnover from the preceding financial year, whichever is higher.
  • Any corporate entity that violates its duties as a data controller or data processor is liable, on conviction, to a fine equal to two percent of its annual turnover from the preceding financial year or 2,000,000 penalty units, whichever is higher. A natural person who commits the same offence is liable, on conviction, to a maximum fine of 1,000,000 penalty units, or to imprisonment for not more than ten years, or to both.

VIII. How Can an Organization Operationalize the DPA

Organizations can operationalize the Act by:

  1. establishing thorough measures that guarantee strict compliance with the specified obligations under the Act;
  2. crafting a culture of data protection and fostering awareness within the organization;
  3. running frequent internal audits;
  4. training staff on data privacy practices; and
  5. assigning a dedicated Data Protection Officer to ensure compliance with the Act.

Such measures will encourage all relevant parties to abide by the Act while also strengthening the data subjects’ trust and confidence and protecting the organization against potential legal consequences.

IX. How Securiti Can Help

Securiti’s advanced enterprise data compliance and governance solutions, backed up by state-of-the-art artificial intelligence and machine-learning algorithms, provide the ideal path for organizations aiming to meet the requirements of Zambia’s Data Protection Act 2021.

Taking advantage of features like PI data discovery, DSR automation, documented accountability, and AI-process automation, Securiti’s comprehensive PrivacyOps platform facilitates swift compliance with various sections of Zambia’s DPA. Organizations can automate the handling and secure fulfillment of consumer data access requests, monitor and track consent, assess readiness, map data flows, generate reports, and much more!

Request a demo to learn more.
