What if codes of conduct already exist?

The Act is not the only law regulating data processing in Zimbabwe, and associations might already exist with codes of conduct, for instance data controllers in banking institutions or health institutions. If these are in existence, they can be amended or extended under Section 30 (2). The Authority must approve codes of conduct based on the provisions of the Act and other considerations as per Section 30 (3). In terms of Section 30 (4), the Authority may consult data subjects or representatives likely to be affected by the code of conduct.

What is the importance of a code of conduct?

Data subjects will benefit from associations adopting codes of conduct, as they will receive and can expect fair and balanced processing of personal information. The Authority will also benefit from codes of conduct, as they will reduce the number of disputes and complaints to adjudicate. For data controllers, signing up to a code of conduct shows compliance with data protection laws and is good practice for transparency, accountability and openness in data processing.

What must be contained in a code of conduct?

The Act is not exhaustive in this respect, and this will certainly be covered by statutory instruments. However, POPIA sections 60 (1)-(4) provide guidance on the provisions and application of codes of conduct. For instance, the code must:

• incorporate all the conditions for the lawful processing of personal information or set out obligations that provide a functional equivalent of all the obligations set out in those conditions; and
• prescribe how the conditions for the lawful processing of personal information are to be applied, or are to be complied with, given the particular features of the sector or sectors of society in which the relevant responsible parties are operating.

Further, the code must also specify appropriate measures for:

• information matching programmes, if such programmes are used within a specific sector; or
• protecting the legitimate interests of data subjects insofar as automated decision making, as referred to in Section 71, is concerned.

And lastly, the code of conduct must provide for the review of the code by the Information Regulator [Authority], and provide for the expiry of the code.

WHISTLE-BLOWER

Part IX of the Act provides for rules authorising and governing the whistleblowing system. Section 31(1) of the Act gives power to the Authority to establish rules giving the authorisation and governing of the whistleblowing system. This Section is important and will require further clarification from the Authority.

MISA ZIMBABWE • GUIDE TO THE ZIMBABWEAN CYBER AND DATA PROTECTION ACT - 2022