Parliament this week is conducting public consultations on the Cyber security and Data Protection Bill to gather views of the public on the Bill. Three joint Committees- thematic Committee on Peace and Security, Portfolio Committee on ICT, Postal and Courier Services and Committee on Information, Media and Broadcasting Services are currently moving around the country as a way of fostering citizen engagement and participation on issues before Parliament.
This is line with Section 141 of the Constitution which provides for public access to and involvement in parliament and states that… “Parliament must –facilitate public involvement in its legislative and other processes and in the processes of its committees; ensure that interested parties are consulted about Bills being considered by Parliament, unless such consultation is inappropriate or impracticable.”
Gazzetted on 15 May, 2020, the Bill seeks to consolidate cyber related offences and provide for data protection with due regard to the Declaration of Rights under the Constitution and the public and national interest. It also proposes to establish a Cyber Security Centre and a Data Protection Authority, sets out the guidelines for data processing by a data controller, regulates protection of data subjects and sets out acts that constitute offences among other things. Overally, the Bill is meant to curb cyber-crime and promote cyber security in order to build confidence and trust in communication networks.
In this Article, emphasis will be on the establishment of a Cyber Security Centre and a Data Protection Authority. Clause 5 and 7 of the Bill will seek to establish the Postal and Telecommunications Regulatory Authority (POTRAZ) as the Cyber Security Centre and the Data Protection Authority. This translates to POTRAZ taking three roles of being the cyber security centre, data protection authority and telecommunications industry regulator. It is important to note that the Bill proposes that POTRAZ should not be subject to the direction or control of any person or authority.
Some of the functions of the Cyber Security Centre include to:
(a) advise Government and implement Government policy on cyber-crime and cyber security;
(b) identify areas for intervention to prevent cyber-crime;
(c) coordinate cyber security and establish a national contact point available daily around-the-clock; (d) establish and operate a protection-assured whistle-blower system that will enable members of the public to confidentially report to the Committee cases of alleged cyber-crime;
(e) promote and coordinate activities focused on improving cyber security and preventing cyber-crime by all interested parties in the public and private sectors;
(f) provide guidelines to public and private sector interested parties on matters relating to awareness, training, enhancement, investigation, prosecution and combating cyber-crime and managing cyber security threats;
(g) oversee the enforcement of the Act to ensure that it is enforced reasonably and with due regard to fundamental human rights and freedoms;
(h) provide technical and policy advice to the Minister;
(i) advise the Minister on the establishment and development of a comprehensive legal framework governing cyber security matters.
To sum it up, the Cyber Security Centre’s main thrust is to advise Government and implement Government Policy on cyber-crime and cyber security. It shall also promote and coordinate activities focused on improving cyber security and prevention of cyber-crime.
The functions of the Data Protection Authority are laid out as follows:
(a) to regulate the manner in which personal information may be processed through the establishment of conditions for the lawful processing of data;
(b) to promote and enforce fair processing of data in accordance with this Act;
(c) to issue its opinion either of its own accord, or at the request of any person with a legitimate interest, on any matter relating to the application of the fundamental principles of the protection of privacy, in the context of this Act;
(d) to submit to any Court any administrative act which is not compliant with the fundamental principles of the protection of the privacy in the framework of this Act as well as any law containing provisions regarding the protection of privacy in relation to the processing of data in consultation with Minister responsible for Information, Publicity and Broadcasting Services;
(e) to advise the Minister on matters relating to right to privacy and access to information;
(f) to conduct inquiries or investigations either of its own accord or at the request of the data subject or any interested person, and in relation thereto may call upon the assistance of experts to carry out its functions and may request the disclosure of any documents that may be of use for their inquiry or investigation;
(g) to receive, by post or electronic means or any other equivalent means, the complaints lodged against data processing and give feed-back to the claimants or complainants;
(h) to investigate any complaint received in terms of this Act howsoever received;
(i) to conduct research on policy and legal matters relating to the development of international best practices on the protection of personal information in Zimbabwe and advise the Minister accordingly;
(j) in consultation with the Minister, to facilitate cross border cooperation in the enforcement of privacy laws and participating at national, regional and international forums mandated to deal with the protection of personal information initiatives.
In essence, the Data Protection Authority will regulate the processing of data. It will also work closely with the Minister of Information, Media and Broadcasting Services in a consultative and advisory capacity regarding policy and legal matters, both locally and internationally.
In this era of technological advancement, with Zimbabwe having recorded over 8.7 million internet subscribers in 2018, the Cyber Security and Data protection Bill is an important piece of legislation that will govern our day to day interaction. The roles and responsibilities of POTRAZ and the proposed Cyber Security Centre and Data Protection Centre should be clearly defined to avoid duplication and to ensure the body carries out its mandate. Independence of the Authority will also ensure transparency and accountability to the public.