DATA PROCESSING PRINCIPLES Part IV of the Act covers areas of the general rules on processing of data, which include generality; purpose, nonsensitive data; sensitive information; Data Processing Principles. The Act contains several data processing principles as reflected in most national and regional data protection laws28. While other laws list the eight principles in clear order, the Act has placed them in different sections, and might not be clearly outlined as data processing principles. GENERALITY Section 8 of the Act requires that the Data controller ensures that processing of data is necessary, and that data is processed fairly and lawfully. What is the meaning of necessary; fairly; and lawfully? Necessary: is the data required and if so, what purposes is the data required for. Before processing commences, the data controller must identify the necessity of the data to be processed. In addition, the data collected must not be more than is required. For instance, if the purpose of the data is for opening a bank account, there is no necessity for asking personal information on data subject’s trade union affiliations. Lawfully: This means that processing must comply with the provisions of the Act. However, lawfulness goes beyond a single law or the Act, but to include the Constitution, other laws for instance FOIA, or if it is sector specific, the Banking Act or the National Registration Act. In addition, lawfulness covers other international obligations and instruments that Zimbabwe has ratified and domesticated. Do you satisfy only one condition therefore proceed with processing information? Compliance with one condition is not sufficient. If the processing of data is necessary, it should be lawfully and fairly processed. If it is not necessary, then it cannot be lawful as the information is outside the legal scope of what is required. PURPOSE Section 9 of the Act requires that the data controller ensures that data collection is specified, explicit and for legitimate purposes. Again, to satisfy this provision the data controller must ensure that: • Specified: • Explicit: • Legitimate: The type of data to be collected is known, or clear The data controller must be clear why they are collecting personal data The data controller must indicate what they will use the data for. In addition to the above, the data controller must: Fairly: in processing data, the data controller must abide by principles of natural justice which allows for a data subject to know of the decisions made; identity of the data controller; reasons for the data processing. Fairness requires one to consider all different issues in relation on how data processing is handled. Being informed of the data collection and providing consent if required constitutes fair processing 29 . 28 • document compliance with all the requirements for processing • meet and comply with the expectations of the data subject as laid out in legal provisions for lawfulness, and fairness The GDPR and POPIA lists them as clear conditions of processing. Article 5 of GDPR lays out the principles as follows; lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality; accountability. 29 See GDPR Preamble, GDPR Article 20. 16 M I S A Z I M B A B W E • G U I D E T O T H E Z I M B A B W E A N C Y B E R A N D D A T A P R O T E C T I O N A C T - 2 0 2 2