3. Excessive Data collection and retention provisions without adequate data
protection laws
3.1. Section 42 requires telecommunication network owners to register users. Section
43 requires telecommunication network owners to keep subscriber records, copies
of which POTRAZ will maintain. Subscriber information must be kept in these
registers for up to 5 years after deactivation of a user’s SIM card.

3.2. This is problematic because Zimbabwe currently has inadequate data protection
laws. There is therefore, no guarantee on how confidentially such user data will be
kept and whether it will be protected from abuse by the telecommunication
network owners or any other third parties affiliated to them.

3.3. Zimbabwean users hardly ever deactivate SIM cards, this will make it hard to
determine when to start calculating the 5 year period before disposing of a user’s
records. This means that users’ records will potentially be kept indefinitely.

3.4. There is no restriction in the Bill on how the user records will be used either by
telecommunication network owners or by POTRAZ. These provisions in their
current state contradict users’ right to privacy which is protected in section 57 of
the Constitution.

3.5. Recommendations: Zimbabwe needs to put in place a Data Protection Act which
matches globally accepted data protection principles.

3.6. There should be periodic transparency reports issued both by telecommunication
network owners and POTRAZ. These reports would outline the number of requests
to access user information received from State organs and other third parties within
a specified period. This would help users know who has access to their data and
what it is possibly used for.

3.7. The length of time for which user data is retained should be limited to about 24 to
30 months at most. This period should not be calculated from the time a user

Select target paragraph3