National Security Sensitive Information

Section 11(4) of the Act allows the minister responsible[36] for the Act to issue directions on how sensitive information relating to national security or state interests is processed through the Cyber Security and Monitoring Centre.[37] This Section shows that surveillance and monitoring occur, and that sensitive information will be collected.

Consent is not the only condition for processing

Section 11(5) does not require the application of Section 11(1) on consent for controller processing of sensitive information if:

(a) the information is for employment purposes, such as complying with tax requirements
(b) the information is for protecting the vital interests of the data subject, e.g., medical emergencies or life-threatening situations should be deemed vital; or the data subject is not capable
(c) the processing is for purposes associated with legitimate activities of the processing institution, such as trade unions or political parties, provided the information is not shared with third parties
(d) the processing is for compliance with national security law, for instance national security locations, fingerprint collection or biometric access
(e) the processing is for legal claims or defence of claims, for instance financial records in a dispute about loans
(f) the data subject has already disclosed the sensitive data, for instance if medical records were public for health campaigns
(g) data is processed for scientific research; this relates to medical or other sensitive data, but conditions must be put in place, such as how to make information not identifiable to a natural person
(h) the processing is authorised by law or other regulation for substantial public interest[38]

GENETIC DATA, BIOMETRIC SENSITIVE DATA AND HEALTH DATA

Section 12(1) of the Act prohibits the processing of genetic, biometric and health data without written consent, as they constitute sensitive data.
The Act defines genetic data as any personal information stemming from a deoxyribonucleic acid (DNA) analysis.[39] Biometric data is not defined in the Act. Under GDPR, biometric data means ‘personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data’. Health data under the GDPR is defined as personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status.[40]

The data controller or data processor must receive express written permission to collect the genetic, biometric sensitive personal data. As part of the data subject’s rights, consent can be withdrawn at any time, at no cost (Section 12(2)). It is important to note that consent is not the only ground for processing personal and sensitive information. Section 12(3) lists several exceptions to the Section 12(1) requirement of written consent.

36. The minister responsible for the Act means the minister responsible for information and communication technologies.
37. The Cyber Security and Monitoring Centre is established through the Interception of Communications Act.
38. The Act has no definition of substantial public interest. However, substantial public interest should be considered as such if processing is lawful, necessary, and proportionate and there are sufficient safeguards for data protection and privacy. This definition is not entirely complete, and the GDPR definition might be helpful.
39. Under GDPR Article 4(13) and recital 34, ‘genetic data should be defined as personal data relating to the inherited or acquired genetic characteristics of a natural person which result from the analysis of a biological sample from the natural person in question, in particular chromosomal, deoxyribonucleic acid (DNA) or ribonucleic acid (RNA) analysis, or from the analysis of another element enabling equivalent information to be obtained’.
40. GDPR Article 4(15)

MISA ZIMBABWE • GUIDE TO THE ZIMBABWEAN CYBER AND DATA PROTECTION ACT - 2022