DPO Appointment Considerations

• Is the DPO independent, capable and qualified for the position? The DPO must report to senior management and must have the independence needed to ensure that the data controller complies with the Act.
• Is the DPO able to deal with requests made to the data controller? The DPO must be involved in all critical processes relating to the protection of personal data so that they are able to respond to such requests.
• Is the DPO a member of the organisation's staff? If so, they must be adequately resourced to play this role and must not be penalised either for whistleblowing or for the performance of their duties.
• Is the DPO accessible, known and contactable? This matters because the DPO will be the contact person for data subjects, for officials and employees of the data controller or its representative, and for the Authority.

CONTENT OF NOTIFICATION

If the data controller is required under Section 20 to notify the Authority of certain automated data processing, the notification must meet the requirements of Section 21(1)(a)-(m). It must contain the information that allows the Authority to exercise its oversight and enforcement function and the data subject to exercise their rights.

The notification must include:
• the date of the notification and the law authorising the automatic data processing
• the contact details of the data controller or processor, or of their representative
• the denomination of the automatic processing
• the purpose, or the set of related purposes, of the automatic processing
• the categories of data being processed, with a detailed description of any sensitive data being processed
• a description of the category or categories of data subjects
• the safeguards that must be linked to the disclosure of the data to third parties
• the manner in which data subjects are informed, the service providing for the exercise of the right of access, and the measures taken to facilitate the exercise of that right
• the inter-related processing planned, or any other form of linking with other processing
• the period of time after the expiry of which the data may no longer be stored, used or disclosed
• a general description containing a preliminary assessment of whether the security measures are adequate [52]
• the recourse to a data processor, if any
• the transfers of data to a third country as planned by the data controller (see the section on data transfers)

The Authority may prescribe other information to be included in the notification, as per Section 20(2) of the Act. The Act also empowers the Authority to inspect and assess the security and organisational measures taken by the data controller before processing or transfer of the data commences. This provision is important because the process amounts to a data privacy impact assessment (DPIA), designed to establish the level of safeguards and privacy protection afforded to the data subject; in practice, the controller should therefore have its security and organisational measures documented and assessed before it notifies, since they may be examined before processing is allowed to start.

AUTHORISATION

The processing of certain classes of personal data may require specific authorisation before processing commences. Under Section 22 of the Act, the Authority is empowered to establish the categories of data that require authorisation, based on the specific risks to the fundamental rights of the data subject.

[52] Section 13 does not seem to speak to the issues raised here. This might be a drafting error.

MISA Zimbabwe • Guide to the Zimbabwean Cyber and Data Protection Act 2022