QUESTION
Can individuals from government
departments seconded to assist with
vaccinations, or testing for COVID-19 be defined as health care
professionals? Can these individuals
be bound by the provisions of the
Health Professions Act, or guidelines
issued for Health Professionals?

DUTIES OF DATA CONTROLLER
Part V of the Act is titled "Duties of data controller and data
processor. To safeguard data privacy and protection of data
subject rights, data controllers and data processors must be
accountable in the performance of their duties. Under Section
13 of the Act, processing of personal information shall ensure
that:
(a) processing is in accordance with the right to privacy of
the data subject, meaning the first priority is privacy
preservation before pursuit of data controller interests
(b) processing is lawful, fair, and transparent for the data
subject: these are fundamental provisions of
data processing
(c) processing of data is for explicit, specified, and legitimate
purposes and the data is not further processed in a manner
incompatible with those original purposes
(d) processing is adequate, relevant, limited to what is
necessary in relation to the purposes for which it
is processed
(e) collection is only where valid explanation is given for
family and private affairs
(f) personal or sensitive data must be accurate, and
inaccurate personal data is erased or rectified
without delay;
(g) data or information must be kept in eligible format but
not beyond the purposes of the collection, meaning that
any further storage should be anonymised

DATA SUBJECT RIGHTS
As indicated, data protection laws are about protection of
individual data subject rights as provided in the Constitution
or other international instruments that protect the right to
privacy, and equally, right to freedom of expression, or access
to information. Under the GDPR, there are over eight data
subject rights, being the right to information; right of access;
right to rectification; right to erasure; right to restriction of
processing; right to data portability42; right to object; right
to not be subjected to automated processing.
Some of the rights are covered in the Act, but not in sequence.
Section 14 of the Act provides for some of the rights as
follows:
(a) right to be informed: requiring that the use of the personal
information is known to the data subject
(b) right to access personal information in custody of data
controller or processor: this is part of enforcing the privacy
right but also access to information43
(c) right to object to processing, allowing for data subject
to object or refuse to have their personal data processed
(d) right to correction of false or misleading information,
requiring that if information is incorrect or inaccurate, then
it must be corrected
(e) right to deletion of false or misleading data44

42 This is not reflected in any parts of the Act.
43 One might argue that this right includes right to information and access. Right of access to information is controlled by another act, the Freedom of Information Act. This means that the Data Protection Authority and the Freedom of Information Authority (or Commission) must develop clear and shared processes on how the information will be accessed.
44 The use of false and misleading information is an unusual addition in the Act. The information might be true but when collected for a different purpose and used for incompatible purposes then it becomes unlawful but not necessarily false.

MISA ZIMBABWE • GUIDE TO THE ZIMBABWEAN CYBER AND DATA PROTECTION ACT - 2022