a) the processing is necessary to carry out the specific obligations and rights of the controller in the field of employment law
b) the processing is necessary to comply with national security laws
c) the processing is necessary for the promotion and protection of public health, including medical examination of the population
d) the processing is required by or by virtue of a law or any equivalent legislative act for reasons of substantial public interest
e) the processing is necessary to protect the vital interests of the data subject or another person, where the data subject is physically or legally incapable of giving his or her consent or is not represented by his or her legal, judicial or agreed representative
f) the processing is necessary for the prevention of imminent danger or the mitigation of a specific criminal offence
g) the processing relates to data which has apparently been made public by the data subject
h) the processing is necessary for the establishment, exercise or defence of legal rights
i) the processing is required for the purposes of scientific research
j) the processing is necessary for the purposes of preventive medicine or medical diagnosis, the provision of care or treatment for the data subject or one of his or her relatives, or the management of health-care services in the interest of the data subject, and the data is processed under the supervision of a health professional

As health data is sensitive personal information, it must be processed under the responsibility of a health care professional under Section 12(4), again unless one has consented to processing by a non-health care professional or the purpose is the prevention of imminent danger or the mitigation of a specific criminal offence. A health care professional is defined in the Act as any individual determined as a health care professional in the Health Professions Act [41]. In addition, conditions for such processing must be specified by the Authority.
This means that guidelines will be produced to be used by health care professionals, as provided under Section 12(5) of the Act.

EXERCISE
For each of the exceptions to written consent for processing sensitive data, list examples that would meet these lawful exceptions.

Source of Health Data
Health data must be collected from the data subject, unless the data subject is incapable of providing the data. This might mean that health data is collected from other sources, such as medical insurance, attending health care professionals and past medical records. Section 12(6) of the Act does not specify what other sources of health data might be used.

QUESTION
Can a media report of a data subject's medical data be considered as any other source for purposes of Section 12(6) of the Act? Must this collection comply with purpose specification?

Professional Secrecy, Confidentiality
Health care professionals are bound by oath and secrecy. Section 12(7) of the Act reinforces this requirement of ethics and confidentiality. This means they will not disclose or handle health data contrary to the Health Professions Act and the laws which they are sworn to uphold. Section 12(8) of the Act requires that health data be associated with unique identifiers that do not disclose the data subject. For instance, the medical institution cannot use your national identity number for purposes of identifying your medical records. While the use of other identifiers with health data records or information is permissible, this is subject to authorisation of the Authority under Section 12(9) of the Act.

[41] Chapter 27:19.

MISA Zimbabwe • Guide to the Zimbabwean Cyber and Data Protection Act - 2022