Q QUESTION Can individuals from government departments seconded to assist with vaccinations, or testing for COVID19 be defined as health care professionals? Can these individuals be bound by the provisions of the Health Professions Act, or guidelines issued for Health Professionals? DUTIES OF DATA CONTROLLER Part V of the Act is titled duties of data controller and data processor. To safeguard data privacy and protection of data subject rights, data controllers and data processors must be accountable in the performance of their duties. Under Section 13 of the Act, processing of personal information shall ensure that: (a) processing is in accordance with the right to privacy of the data subject, meaning the first priority is privacy preservation before pursuit of data controller interests (b) processing is lawful, fair, and transparent for the data subject: these are fundamental provisions of data processing (c) processing of data is for explicit, specified, and legitimate purposes and not further processed for original incompatible processes (d) processing is adequate, relevant, limited to what is necessary in relation to the purposes for which it is processed (e) collection is only where valid explanation is given for family and private affairs (f) personal or sensitive data must be accurate, and 42 43 44 inaccurate personal data is erased or rectified without delay; (g) data or information must be kept in eligible format but not beyond the purposes of the collection, meaning that any further storage should be anonymised DATA SUBJECT RIGHTS As indicated, data protection laws are about protection of individual data subject rights as provided in the Constitution or other international instruments that protect the right to privacy, and equally, right to freedom of expression, or access to information. Under the GDPR, there are over eight data subject rights; being the right to information; right of access; right to rectification; right to erasure; right to restriction of processing; right to data portability42, right to object; right to not be subjected to automated processing. Some of the rights are covered in the Act, but not in sequence. Section14 of the Act provides for some of the rights as follows: (a) right to be informed: requiring that the use of the personal information is known to the data subject (b) rights to access personal information in custody of data controller or processor: this is part of enforcing privacy right but also access to information43 (c) right to object to processing, allowing for data subject to object or refuse to have their personal data processed (d) right to correction of false or misleading information, requires that if information is incorrect, inaccurate then it must be corrected (e) right to deletion of false or misleading data44 This is not reflected in any parts of the Act. One might argue that this right includes right to information and access. Right of access to information is controlled by another act, the Freedom of Information Act. This means that the Data Protection Authority and the Freedom of Information Authority (or Commission) must develop clear and shared processes on how the information will be accessed. The use of false and misleading information is an unusual addition in the Act. The information might be true but when collected for a different purpose and used for incompatible purposes then it becomes unlawful but not necessarily false. 22 M I S A Z I M B A B W E • G U I D E T O T H E Z I M B A B W E A N C Y B E R A N D D A T A P R O T E C T I O N A C T - 2 0 2 2