OPENNESS OF PROCESSING

The Authority is required under Section 23 to have openness in the processing of personal data. This is considered the openness principle. First, Section 23(1) requires that a register, meaning a record of all activities of automatic data processing carried out by data controllers, be kept. The data controllers must inform the Authority of these cases. According to Section 23(2), the register must contain all the information listed in Section 16(1). The register will be available for inspection by the public as determined by the Authority, as provided under Section 23(3). This provision is important for enforcing data subjects' rights to be informed. Further, Section 23(4) allows the Authority to compel data controllers to disclose any processing of information that might have taken place, even if the data constitutes exempted data. Under the openness principle, the POPIA requires that all documentation associated with data processing be kept, as it can be subject to information requests under promotion of access to information laws [53].

ACCOUNTABILITY

At the root of data protection is the protection of the interests of the data subject and the preservation of personal privacy. This is considered the accountability principle of data processing. Section 24 promotes accountability of the data controller in all material respects of the Act. The data controller has the duties mentioned under Section 13, and in addition Section 24(1)(a) emphasises that the data controller shall ‘take all the necessary measures to comply with the principles and obligations set out in this Act’. Similarly worded provisions are found in the GDPR and POPIA [54]. The GDPR Articles 5(1) and 5(2):

‘Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’).’

‘The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’).’
While under POPIA Section 8:

‘The responsible party [data controller] must ensure that the conditions set out in this Chapter [POPIA], and all the measures that give effect to such conditions, are complied with at the time of the determination of the purpose and means of the processing and during the processing itself.’

Further, Section 24(1)(b) of the Act compels data controllers to ‘have the necessary internal mechanisms in place for demonstrating such compliance [24(1)(a)] to both the data subjects and the Authority in the exercise of its powers.’ The responsibility for compliance and the burden of proof rest with the data controller, who must satisfy the data subject and the Authority.

In summary, the accountability principle provides for the data controller to be responsible for compliance with the provisions of the Act. Therefore, every data controller needs to be compliant. Lastly, the data controller must be able to demonstrate or prove that such mechanisms for compliance are in place.

[53] POPIA s17.
[54] The main difference with the GDPR is that these provisions are directly enforceable with a fine under art 83.

MISA ZIMBABWE • GUIDE TO THE ZIMBABWEAN CYBER AND DATA PROTECTION ACT - 2022