• It must be a separate legal entity or individual or organisation with respect to the controller.
• The processing of the personal data must be on behalf of the controller. The data processor must not exceed their mandate as this might make them a data controller or introduce joint data controllership.

The above is not an exhaustive list of factors distinguishing a data controller from a data processor, but it gives a sense of whether one is a controller or a processor. The duties of a data controller listed in Section 13 of the Act assist in determining whether one is a controller or a processor. The overall control of the purpose for collection and means of processing of the personal data distinguishes a controller from a processor.

CHECKLIST CONTROLLER AND PROCESSOR

| Controller (ZEC) | Processor (Gore Technologies) |
|---|---|
| Decides to collect | Receives instructions to collect |
| Decides the data purpose | Receives the data from someone else |
| Decides the type of personal data | Directed to collect from who |
| Decides who data subject is | Directed type of data to collect |
| You gain, benefit from collecting | Not aware of collection purpose |
| Does a legal duty exist, contract | You have no data disclosure authority |
| You make decisions based on data | Cannot decide on data storage |
| You have control on data processing | Cannot decide on data end product |
| You decide when data is destroyed | You are separate from instructor |

Data Subject

The Act defines a data subject as ‘an identifiable person and the subject of data’. The person from whom data is collected is the data subject. The individual must be an identifiable individual, who is identifiable based on the personal information collected. If one accesses the collected personal data and is not able to identify an individual or a person, then the information is not personal data. This is non-personal information or data. However, collected non-personal data may identify an individual when the information is combined with other details. The information becomes personal information. Identification of a data subject can also be direct or indirect using any personal information such as numbers, mental, economic or other physical attributes[15].

WHAT IS PERSONAL INFORMATION?

The Act provides for what constitutes personal information relating to an identifiable data subject, and this includes[16]:

• the person’s name, address or telephone number
• the person’s race, national or ethnic origin, colour, religious or political beliefs or associations: stating that the person was African, without sharing their name, does not identify a data subject, though of course it might raise other issues of concern such as racial profiling or discrimination
• the person’s age, sex, sexual orientation[17], marital status or family status
• an identifying number, symbol or other particulars assigned to that person: if assigned a particular number, such as a national identity number or a patient number in hospital, this is personal information. A number can include your internet protocol address
• fingerprints, blood type or inheritable characteristics: these are unique characteristics that identify an individual or a group of individuals such as a family

15. Under POPIA, data subject means the person to whom personal information relates.
16. POPIA defines personal data as information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person. The major difference is the existing juristic person. The Data Protection Act does not cover legal persons as data subjects. This might be problematic as sometimes natural persons might be legal persons, for instance sole proprietors or company owners.
17. Sexual orientation is different from same sex marriages. The law does not criminalise being attracted to someone of the different sex or being gender non-conforming.

MISA ZIMBABWE • GUIDE TO THE ZIMBABWEAN CYBER AND DATA PROTECTION ACT - 2022