THE Postal and Telecommunications Regulatory Authority of Zimbabwe (Potraz) has said anyone keeping personal information for more than 30 people must notify it and employ a data protection officer.
Potraz gave yesterday as the deadline for notifying it and submitting details of the data protection officer. The notice dated 13 February on data protection follows the enactment of the Data Protection Act in December last year, legislation which is meant to build confidence and trust in the secure use of information and communication technologies by data controllers, their representatives and data subjects.
Potraz director general Dr Gift Kallisto Machengete said all data protection officers should have at least an Advanced Level qualification.
“The Postal and Telecommunications Regulatory Authority in its capacity as the Data Protection Authority hereby notifies all Data Controllers and or Processors who hold or process personal information for individuals and have in their possession personal information belonging to more than thirty (30) people that they are required to notify the Authority that they hold or process data for more than 30 individuals, indicate the purpose for which the data is collected and processed,” said Dr Machengete.
The new law also requires data controllers to comply with the authority’s requirements regardless of whether their operations are physical or online. Dr Machengete said controllers can be companies or individuals.
“Any entity or body established in its own right including, a sole trader business, company, charity, club, association or public institution that processes personal data for any living individual including customers, potential clients or members of the public and club or association members (in the case of voluntary organisations), is a Data Controller.
“Any legal obligations imposed by the Data Protection Act and other laws including employment law, in processing personal data, on any person or entity automatically makes that person, entity or organisation, a data controller, responsible for that process, even where it is outsourced,” he said.
The regulatory authority must also be provided with full details of the Data Controller’s legal persona status if they are not an individual, their physical address and proof of residence in the form of a telephone, rates or electricity bill.
The Potraz director general said all Data Controllers and Processors must comply when called upon to do so in compliance with the requirements of the Data Protection Act and any existing Data protection legislation, including that relating to employment, anti-money laundering, record keeping of data subjects rights and record keeping of processing activities.
Potraz must also be notified of any data breaches and if information is released without the owner’s consent, a complaint must be lodged with the regulatory authority.
“Data Protection officers are required to notify the Authority of any data breaches in terms of the Act, using the email address dataprotection@potraz.gov.zw.
The Authority hereby advises members of the public, that any persons whose personal information is processed or disclosed to third parties without their consent should register a complaint on the Authority’s website link www.potraz.gov.zw or the toll free number 0800 4303 or the email address dataprotection@potraz.gov.zw”, reads the statement.
Source: https://www.chronicle.co.zw/potraz-calls-for-employment-of-data-protection-officers/