For decades, there was no specific law dealing with the protection of personal data in Tanzania. This led to various breaches in the collection and handling of data, and sometimes personal information was divulged without the consent of its owner.
After such breaches and disclosures, the injured people were left without any clue as to how they could seek legal redress, which had the effect of encouraging offenders. It should be noted that although there was no specific law dealing with personal data protection, there were sectoral laws which restricted the divulging of such information unless it was mandatorily required by law.
Examples of such laws are the Bank of Tanzania (Financial Consumer Protection) Regulations of 2019, the Bank of Tanzania (Credit Reference Bureau) Regulations of 2012, the Tourism (Accommodation Facility) Regulations of 2015 and the Police General Orders of 2006.
After the Personal Data Protection Act No. 11 of 2022 became operational in May 2023, one of the major questions lingering in the minds of many people, citizens and lawyers alike, concerns the enforceability of this Act in ensuring that the collection and handling of personal data is protected as guaranteed by Article 16 of the Constitution of the United Republic of Tanzania of 1977, and the forums established under this law to enforce it.
This law sets the parameters to be observed by data collectors and processors and the mode of operation they must follow while undertaking such tasks. This article focuses on how to safeguard the collection, use, disclosure and retention of personal data and on the remedies available to aggrieved people in cases of misuse of their personal data.
We deem it fit to shed some light on what amounts to personal data as defined by the Personal Data Protection Act. In its interpretation section, the Act divides such data into two categories, namely personal data and sensitive personal data.
Personal data means data identifying a person and recorded in any form, including the race, name, nationality or ethnic origin, religion, age, marital status, education, medical, criminal or employment history, any identifying number, symbol or other particulars assigned to an individual such as the address, fingerprints or blood type.
Sensitive personal data includes genetic data, data related to children, data related to offences, financial transactions, security matters or biometric data, if they are processed for what they reveal, personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs and affiliations, trade union membership, gender and data concerning health or sex life, and any personal data otherwise considered as presenting a major risk to the rights and interests of the data subject.
The list of what amounts to personal data and sensitive personal data is very exhaustive, and this serves as a clear warning to all organizations, institutions or individuals who engage in the collection of personal data that compliance while collecting and processing data is crucial.
Collection, use, disclosure and retention of personal data
The guidance for collection, use, disclosure and retention of personal data is provided under Part IV of the Act, which comprises Sections 22 to 30. This serves as a benchmark for both personal data collectors and data subjects, in the sense that both are forewarned of how the collection, use, disclosure and retention of personal data should be handled, as noncompliance or misuse of personal data has bad repercussions.
Applicability
The law applies to any collection and processing of personal data performed wholly or partly by manual or automated means by a controller domiciled in the United Republic of Tanzania, or outside Tanzania but where the laws of Tanzania are applicable.
This law also applies to personal data collectors who are not domiciled in Tanzania when such data collection and processing is not for the purposes of mere transit of personal data through Tanzania to another territory. One can safely say that any collection of personal data from the United Republic of Tanzania is subject to this law, except when such collection is for transit of such data to another territory.
Conditions for collection
Section 22 of the Act places a duty on data collectors to ensure that data is collected for a lawful purpose related to a function of the data controller, or where such data collection is necessary for, incidental to or directly related to the lawful purpose.
The data controller is prohibited from collecting personal data by unlawful means. Section 23 further requires the data controller to collect personal data directly from the data subject concerned and to ensure that the data subject is aware of the purpose for which such data is collected, that the collection is for authorized purposes, and of any intended recipients of such personal data.
The Act requires personal data collected to be accurate and in line with the purpose for which it was collected. The data controller is supposed to ensure the accuracy of such data and is prohibited from using the collected data without taking reasonable steps to ensure that the data is complete, accurate, relevant and not misleading.
One major restriction, and one over which we foresee a lot of suits, is provided under Section 25 of the Act, which requires personal data to be used for its intended purposes. Although the same section provides some exceptions allowing personal data to be used for other purposes, such use has to be authorized by the data subject directly and be related to the purpose for which the data was collected.
There is an exception when such data is used in a form in which the data subject is not identified, or for statistical or research purposes, as long as its publication cannot reasonably be expected to identify the data subject. Apart from the exceptions stipulated in Section 25, the data controller is not allowed to disclose personal data in any other way.
This law also places on the data controller the duty of ensuring that personal data is protected against negligent loss or unauthorized destruction, alteration, access or processing.
Security measures taken shall ensure an appropriate level of technology, considering the state of technological advancement, the nature of the personal data to be protected and the potential risks to the data subject. The data controller and data processor are required to appoint a data protection officer who shall ensure the control and security measures to protect personal data.
Further, this law provides measures for the retention and disposal of personal data. One should also take note of the prohibition on processing sensitive personal data without obtaining the prior written consent of the data subject.
This law puts in place a lot of measures which need to be complied with when data controllers collect personal data. In case of breach, the law has established the Personal Data Protection Commission, a body corporate vested with the general duty of monitoring compliance by data controllers and data processors, registering them, investigating complaints and ensuring better implementation of the provisions of this law. Since this law is new, we are not sure whether the said commission is in place or not.