INTRODUCTION
Tanzania has introduced the Personal Data Protection Act (Act No. 11 of 2022), which is the principal Act for the protection of the right to privacy and personal security enshrined in the Constitution of the United Republic of Tanzania, 1977. On 27th November 2022 the Personal Data Protection Act was passed into law, and the Act came into force on 1st May 2023 through Government Notice No. 326 of 28th April 2023, which was published by the Minister for Information, Communication, and Information Technology.
This publication, therefore, reviews and highlights the salient features of the Act, including the new compliance and regulatory requirements it introduces.
SCOPE AND APPLICATION OF THE ACT
According to Section 2, the new Personal Data Protection Act shall apply to Mainland Tanzania as well as Tanzania Zanzibar save that in Tanzania Zanzibar this Act shall not apply to non-union matters.
KEY TERMS
The following are the key terms which have been defined in the Act:
a) Personal Data means data about an identifiable person that is recorded in any form, including:
- Personal data relating to the race, national or ethnic origin, religion, age, or marital status of the individual.
- Personal data relating to the education, the medical, criminal or employment history.
- Any identifying number, symbol or other particular assigned to the individual.
- The address, fingerprints, or blood type of the individual.
- The name of the individual appearing on the personal data of another person relating to the individual or where the disclosure of the name itself would reveal personal data about the individual.
- Correspondence sent to a data controller by the data subject that is explicitly or implicitly of a private or confidential nature and replies to such correspondence that would reveal the contents of the original correspondence and the views or opinions of any other person about the data subject.
b) Data Processor means a natural person, legal person or public body which processes personal data for and on behalf of the controller and under the data controller’s instruction, except for the persons who, under the direct authority of the controller, are authorised to process the data and it includes his representative.
c) Data Subject means the subject of personal data which are processed under this Act.
d) Data Controller means a natural person, legal person, or public body which alone or jointly with others determines the purpose and means of processing of personal data; and where the purpose and means of processing are determined by law, “data controller” is the natural person, legal person or public body designated as such by that law and it includes his representative.
e) Recipient means a natural person, legal person, public body, or any other person who receives personal data from a data controller.
f) Data Protection Officer means an individual appointed by the data controller or data processor charged with ensuring compliance with the obligations provided for in this Act.
g) Commission means the Personal Data Protection Commission established under section 6 of the Act.
h) Transborder flow means any international cross-border flow of personal data by means of electronic transmission or other means.
OBJECTIVES OF THE ACT
For the purpose of protecting Personal Data, the new Act is here to regulate the collection and processing of personal data, to ensure that the collection and processing of personal data of a data subject is guided by the principles set out in this Act, to protect the privacy of individuals, to establish a legal and institutional mechanism to protect personal data and to provide data subjects with rights and remedies to protect their personal data from collection and processing that is not in accordance with this Act.
PRINCIPLES OF PERSONAL DATA PROTECTION
Among other things, the new Act requires Data Controllers and Data Processors to ensure that:
a) Personal data is processed lawfully, fairly, and transparently.
b) Personal data is collected for explicit, specified, and legitimate purposes and not further processed in a manner incompatible with those purposes.
c) Personal data is adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed.
d) Personal data is processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against any loss, destruction, or damage, using appropriate technical or organizational measures.
PERSONAL DATA PROTECTION COMMISSION
To ensure personal data protection, the new Act establishes the Commission, which has various functions such as monitoring compliance by data controllers and data processors; registering data controllers and data processors in accordance with the new Act; receiving, investigating and dealing with complaints about alleged violations of the protection of personal data and privacy of persons; and inquiring into and taking measures against any matter that appears to the Commission to affect the protection of personal data and infringe the privacy of individuals.
REGISTRATION OF DATA CONTROLLERS AND DATA PROCESSORS
The new Act provides that a person shall not collect or process personal data without being registered as a data controller, or a data processor and the period of registration is five years from the date of issuance of the certificate of registration information during registration or renewal, commits an offence and upon conviction shall be fined Tanzania Shillings Five Million or imprisonment for a term not exceeding five years. However, both a fine and imprisonment may be imposed at once.
SOURCE AND NOTIFICATION OF PERSONAL DATA
Under the new Act, the data controller is required to collect personal data directly from the data subject concerned. However, before collecting such data, a data controller shall ensure that the data subject is aware of the purposes for which the personal data is collected, the fact that collection of the personal data is for authorized purposes and any intended recipients of the personal data.
LIMITATION ON DISCLOSURE OF PERSONAL DATA
The new Act provides that, where the data controller holds personal data, he shall not disclose the personal data to a person other than the data subject. However, the data controller may use that personal data for other purposes if: the data subject authorizes the use of the personal data for that other purpose; use of the personal data for that other purpose is authorized or required by law; the purpose for which the personal data is used is directly related to the purpose for which the personal data was collected.
SECURITY OF PERSONAL DATA
The Act provides for the security of personal data: it requires that a data controller and his representatives ensure that personal data is protected by such security safeguards as are reasonable in the circumstances and necessary to protect the personal data against negligent loss or unauthorized destruction, alteration, access, or processing.
PROHIBITION ON PROCESSING OF SENSITIVE PERSONAL DATA
Under the new Act, a person shall not process sensitive personal data without obtaining the prior written consent of the data subject.
TRANSBORDER DATA FLOW
The new Act provides that, subject to the provisions of the Act, the Commission may prohibit the transfer of personal data to a place outside the country. However, personal data can be transferred to a country that has a legal framework that provides for adequate data protection, if the recipient establishes that the personal data is necessary for the performance of a task carried out in the public interest or pursuant to the lawful functions of a data controller, or the recipient establishes the necessity of having the data transferred and there is no reason to assume that the data subject’s legitimate interests might be prejudiced by the transfer or the processing in the recipient country.
RIGHTS OF DATA SUBJECTS
The new Act provides for the rights of data subjects such as the right to access personal data, the right to prevent processing likely to affect the data subject, the right to prevent processing of personal data for direct marketing purposes, the right in relation to automated decision making and the right to compensation.
OFFENCES AND GENERAL PENALTY
The new Act provides for various offences, such as unlawful disclosure of personal data; unlawful destruction, deletion, concealment or alteration of personal data; and offences by a company or corporation. A person who commits such an offence shall, upon conviction, be liable to a fine of Tanzania Shillings Five million or imprisonment for a term not exceeding five years or both.