Addressing The Gaps In The Data Protection, Privacy And Surveillance Legislation

3.3. Designation of POTRAZ as the National Data Authority

Section 5 of the Act designates the Posts and Telecommunications Regulatory Authority of Zimbabwe (POTRAZ) as the National Data Authority. It is submitted that such a designation is problematic in various material respects12.

Firstly, since POTRAZ is also designated as the Cyber Security Centre and the regulator of the postal and telecommunications sector, its responsibilities are unwieldy and stretched thin, with the necessary corollary that its effectiveness and efficiency as a National Data Authority are likely to be compromised.

Secondly, since POTRAZ is subject to the Minister of Transport and Communications' policy direction, and the said Minister may direct the POTRAZ Board to reverse, suspend or rescind any decision or action,13 POTRAZ is, arguably, not truly independent. In that regard, Article 52 (2) of the EU GDPR states that members of a national data authority must always be free from external influence, whether direct or indirect, and they must not receive instructions from anybody. In South Africa, there is the Information Regulator, which is subject only to the Constitution and to the law, and it is only accountable to Parliament14. It follows that POTRAZ does not pass the test of independence compatible with international best standards. Accordingly, there is a need to amend the Cyber Security and Data Protection Authority by establishing a separate and stand-alone National Data Authority, which is truly independent and not subject to the control of the Executive.

3.4. Principles relating to the processing of personal data

Section 13 of the Cyber and Data Protection Act sets out data controllers and processors’ duties. However, these duties are essentially principles relating to the processing of personal data.
They correspond to principles relating to processing personal data in Article 13 of the Malabo Convention and Article 5 of the EU GDPR. Conceptually, duties are different from principles. A duty is either a positive or negative obligation, but a principle is the value and spirit that must guide a person in performing the obligation. Accordingly, the so-called duties of data controllers and data processors under Section 13 of the Act must be correctly and expressly stated as principles relating to the processing of personal data.

Further, the scope of principles relating to the processing of personal data, as provided for in Section 13 of the Act, is not comprehensive. For instance, it omits the integrity and confidentiality principle in Article 5 (1) (f) of the EU GDPR.15 Accordingly, there is a need to broaden the scope of principles relating to the processing of personal data set out in the Cyber and Data Protection Act by incorporating the integrity and confidentiality principle therein.

12. Useful recommendations on Data Protection Authorities include the Privacy and Personal Data Protection in Africa-Advocacy Toolkit https://africaninternetrights.org/en/resource/privacy-and-personal-data-protection-africa-advocacy-toolkit which, we think, should be examined in the Zimbabwean context.
13. See section 26 of the Postal and Telecommunications Act.
14. See section 39 of the Protection of Personal Information Act No. 4 of 2013.
15. It defines the integrity and confidentiality principle as processing personal data “in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’)”.

www.misa.org