Most data protection laws seem to focus on this aspect, as it relates to digital or computerised processing; however, non-automated processing is still used. Non-automated processing relates to the use of manually collected information in documents, which may be part of a filing system, records or manual archives.

The word ‘processing’ is wide enough to cover anything that a data processor or data controller can do with personal information or personal data.

Examples of Processing
• Collecting current and historical medical information during COVID-19 testing.
• Recording in public spaces through video surveillance cameras.
• Storing the information in data centres, or storage even in simple formats such as a spreadsheet.
• Using data in making decisions based on data collected for informing policy or interests of the data subject.
• Disclosing, whether the public or private disclosure is lawful or unlawful.
• Deleting the information before, during or after use, which can also be lawful or unlawful.
• Uploading personal details to the internet to open a webpage or register.
• Recording of biometrics when issuing digital identity cards or records.
• Registration of SIM cards by mobile telephone operators²⁰.

WHAT IS A DATA PROTECTION AUTHORITY?

Part II of the Act provides for a Data Protection Authority (Authority). The Act stipulates that the Postal and Telecommunications Regulatory Authority (POTRAZ) is designated as the data protection Authority under Section 5. The Authority is usually an independent, public institution that is capable of enforcing, supervising, and monitoring the application of the data protection law in a country. In some countries, the Authority provides guidance on key issues or approves codes of conduct, among other functions.

Section 6 of the Act provides for the functions of the Authority. Reading through the functions of the Authority under Section 6, considerable powers have been conferred on POTRAZ. This means that POTRAZ has become a super-regulatory agency, accountable to the Executive²¹.

The Act provides for the Authority to work with different ministries. For instance, Section 6 (d) of the Act requires the Authority to consult the Ministry of Information when submitting court complaints on administrative acts that are inconsistent with the protection of personal information. Equally, the Authority must advise the minister on the right to privacy and access to information under Section 6 (e)²². Further, Section 11 (4) of the Act, on the processing of sensitive information, provides that the Minister responsible for the cyber security and monitoring centre, the Minister of state security and intelligence in the presidency and the responsible minister may give directions [to the Authority, data controllers] on processing of sensitive information affecting national security or interests of the state.

The independence and functions of the Authority were taken lightly; however, this is an area that leads to certification of a country as not providing adequate protection²³.

²⁰ Collection of traffic calls and call data is contested, as some argue that metadata is not personal data, but data about data.
²¹ Sections 6-7 of the Postal and Telecommunications Act: POTRAZ is presided over by 5-7 members appointed by the President after consultation with the Minister. The Board, in consultation with the Minister, appoints a Director General, who is responsible for the day-to-day operations of the Authority.
²² The minister responsible is the minister for information communication technologies, which is the line ministry for POTRAZ.
²³ This is a longer discussion that cannot be exhausted in this commentary.

MISA ZIMBABWE • GUIDE TO THE ZIMBABWEAN CYBER AND DATA PROTECTION ACT - 2022