Addressing The Gaps In The Data Protection, Privacy And Surveillance Legislation The International Principles on the Application of Human Rights to Communications Surveillance provides that: States should establish independent oversight mechanisms to ensure transparency and accountability of communications surveillance. Oversight mechanisms should have the authority to access all potentially relevant information about State actions, including, where appropriate, access to secret or classified information; to assess whether the State is making legitimate use of its lawful capabilities, to evaluate whether the State has been transparently and accurately publishing information and scope of communications surveillance techniques and powers, and to publish periodic reports and other information relevant to communications surveillance”. The Cyber Security and Monitoring of Interceptions of Communications Centre is established as a unit in the Office of the President, so it is clear that it does not have the independence and capacity to discharge the mandate contemplated by the International Principles on the Application of Huma Rights to Communications Surveillance. Accordingly, a truly independent and able authority must oversee the conduct of communications surveillance in Zimbabwe. Alternatively, such an oversight mandate may be given to Parliament 42. 4.2. The Postal & Telecommunications Act In terms of Section 98 of the Postal and Telecommunications Act, a postal or telecommunication licensee or employee of such licensee in charge of a telegraph office is allowed to intercept or detain any telegram which he suspects of having contents that provide evidence of the commission of a criminal offence or of being sent to assist the commission of a crime; or upon request by a commissioned police officer who suspects it of having contents that provide evidence of the commission of a criminal offence or of being sent to assist the commission of a crime. Firstly, Section 98 of the Act does not qualify the suspicion based on which a licensee or employee thereof may act to intercept a telegram. In that regard, the licensee or its employee must be required to act based on reasonable suspicion. This is necessary to introduce a safeguard in the form of an objective test against which the lawfulness of interception of a telegram in terms of the Act may be measured. Secondly, the regime for the interception of telegrams set out in Section 98 of the Act is defective in that it lacks the safeguards mentioned above in relation to the Interception of Communications Act, such as judicial oversight and notification requirements. Accordingly, Section 98 of the Postal and Telecommunications Act needs to be amended in those respects. 5. Recommendations Considering the preceding, there are various yawning gaps in Zimbabwe’s data protection, privacy and surveillance legislation. Accordingly, the following measures are proposed to improve the current state of the relevant legislation. 5.1. Data protection and privacy legislation 5.1.1. Broadening of the scope of sensitive data The Cyber and Data Protection Act should expressly include biometric data as part and parcel of sensitive data. By the same token, the Act should provide a definition of the term biometric data to avoid doubt. 14 www.misa.org