www.misa.org

5.1.2. Limitation of the scope of application of the Cyber & Data Protection Act

The Cyber and Data Protection Act should expressly indicate that it does not apply to the processing of personal data by a natural person during a purely personal or household activity, in accordance with international best standards.

5.1.3. Establishment of a truly independent National Data Protection Authority

The fact that POTRAZ is subject to the executive’s control in various material respects detracts from its independence as the National Data Protection Authority envisaged by the best international standards. Further, the fact that POTRAZ is also the Cyber Security Center and the postal and telecommunications sector regulator means it is stretched thin, thus adversely affecting its ability to effectively fulfil the extensive and onerous functions reposed in the National Data Authority. Accordingly, there is a need to establish a separate and stand-alone entity as the National Data Protection Authority.

5.1.4. Separate and explicit provisions for principles relating to the processing of personal information

Currently, the Cyber and Data Protection Act frames and casts the principles relating to processing personal information as duties of the data controller, yet principles and duties are different. This gives the impression that the Act conflates the principles relating to data processing and the duties of data controllers. Accordingly, there is a need to amend the Act to make separate and explicit provisions for principles relating to the processing of personal information.

5.1.5. Enhancement of the rights of data subjects

To address the currently narrow scope of the bill of data subject rights in the Cyber and Data Protection Act, the Act needs to be amended by enlarging the ambit of data subject rights such as the rights to rectification, erasure, and objection and enshrining new rights such as the rights to restriction of processing and data portability. Data controllers and processors must also be obliged to comply with obligations arising out of data subject rights without undue delay.

5.1.6. Tightening of the obligations of data controllers regarding data security breach

The Cyber and Data Protection Act should be amended to oblige the data controllers to notify the data subject of security breaches. This is necessary because the breach is likely to pose a high risk to natural persons’ rights and fundamental freedoms.

Misa Zimbabwe Policy Brief