QUESTION

Should personal data only be limited to identifiable living natural persons? What happens to personal information of deceased persons?

TYPES OF DATA CONTROLLERS AND PROCESSORS

| Data Controllers | Data Processors |
| --- | --- |
| Public | Media, government agencies; utility companies |
| Internet | Social media sites; search engines |
| Medical | Hospitals; pharmacies; medical professionals |
| Financial/Insurance | Insurance firms, pension funds, banks |
| Telecommunications | ISP, MNO |
| Retail | Online stores; airlines, credit card companies |
| School | Universities: academic records |
| Labour | Trade Unions or Professional Associations |

KEY DEFINITIONS

The Act has several terms and definitions that are essential for the proper understanding of what is protected, what is lawful and unlawful processing, and what constitutes personal information or personal data. These definitions are consistent with and similar to those in other laws such as the GDPR and POPIA. Section 3 of the Act provides for most definitions.

Consent

For personal information to be collected, the individual concerned must agree, either directly or, in the case of minors or legally incapacitated persons, indirectly through their guardian. If there is no consent, some other legal and lawful ground must authorise the processing of personal information. Consent has many attributes, and it must be:

• unambiguous, meaning no doubt of what the data subject intends
• a clear affirmative action, not only ticking boxes
• freely given by a capable individual or their representative
• freely given, not coerced or due to external pressure
• obtained on true information, not on false or inaccurate information
• specific and informed

Data Controller

This is a natural person or legal person who is approved to process personal data. To explain this, an illustration will assist.
Chad Gore owns a private company, Gore Technologies, providing digital and technology services including biometric data collection, facial recognition technologies and internet services. Chad Gore can be a data controller for purposes of offering his services. If the Zimbabwe Electoral Commission (ZEC) engages Gore Technologies to process voter registration information, Chad Gore, while a controller for other purposes (internet service provider), ceases to be a controller for purposes of implementing the arrangement with ZEC. Then, ZEC becomes the data controller.

The controller determines the purpose for the data collection, but the duties of how the collection is carried out and any technical measures can be delegated to another entity. A data controller determines the type of data and the use of the data, but the company collecting the data is not allowed to do so. The controller determines the lawfulness of the data collection.

Data Processor

Using the scenario above, Gore Technologies, once engaged by ZEC to collect information, becomes a data processor. Gore Technologies is not determining the use of the information collected, but can recommend data collection tools, for instance, which biometric reader works better or what information storage systems are required to secure the information. Chad Gore might be engaged in his individual capacity or with Gore Technologies as the company, since he is a sole proprietor. A data processor can also be an individual under the employment of a company.

For an entity to be considered a data processor it must meet two minimum elements:

MISA ZIMBABWE • GUIDE TO THE ZIMBABWEAN CYBER AND DATA PROTECTION ACT - 2022