Comparative appointment processes of data protection authorities In Kenya, the Data Protection Act provides for the position of the Data Commissioner who is appointed after a public open and transparent process with interviews led by the Public Service Commission 24 . A list of the final three candidates is sent to the President in order of merit. Section 6 (4) of the Kenyan Act requires that the President nominates from the list and, with approval of the National Assembly, appoints the Data Commissioner. The data commissioner has a six-year non-renewable term. The Data Protection Commissioner qualifications are provided in terms of the law. The Data Commissioner is an independent office, and reports to the National Assembly annually through the relevant ministry 25. Procedure for removal from office is clearly stipulated including the grounds such as failure to abide by requirements of leadership integrity. South Africa has an Information Regulator established under Section 39 of POPIA. The information regulator is an independent office, subject to the constitution and reports to the National Assembly. The POPIA’s Section 41 outlines details on the appointment, qualifications and removal of the information regulator. The information regulator consists of a chairperson and four other members. At least one member must be a practising advocate or attorney or a professor of law at a university; or possess any other “qualifications, expertise and experience relating to the objects of the Regulator”. The term of office is five years with reappointment eligibility26. The Information Regulator is also responsible for processing of access to information requests under the Promotion of Access to Information Act (PAIA) 27 . 24 Kenya Data Protection Act s 6 (1)-(3). 25 Kenya Data Protection Act s70 (1)-(3). 26 These were part of submissions made to the Parliament of Zimbabwe during the discussions on the Data Protection Bill, by MISA Zimbabwe, and the author made similar submissions to the Portfolio Committee on Media. 27 Zimbabwe has a separate body attending to access to information requests under the FOIA. This is not unusual but can create implementation challenges of both laws. 14 M I S A Z I M B A B W E • G U I D E T O T H E Q QUESTION From the above comparative appointment of data protection authorities, is POTRAZ as the data protection Authority in Zimbabwe independent? If so, what are the elements of independence, and if not, how can that be a risk to data protection? CAN DECISIONS OF THE DATA PROTECTION AUTHORITY BE CHALLENGED? If anyone is aggrieved by the decision of the Authority in its mandate as a Data Protection Authority, they can approach the courts. The POTRAZ as the Authority is obliged under Section 68 of the Constitution and provisions of the Administration of Justice Act to adhere to procedural fairness, and lawful administrative action. Section 68 (1) and (2) of the Constitution provides that: Every person has a right to administrative conduct that is lawful, prompt, efficient, reasonable, proportionate, impartial and both substantively and procedurally fair…Any person whose right, freedom, interest or legitimate expectation has been adversely affected by administrative conduct has the right to be given promptly and in writing the reasons for the conduct. Z I M B A B W E A N C Y B E R A N D D A T A P R O T E C T I O N A C T - 2 0 2 2