On 24 February 2021 President Emmerson Mnangagwa launched the National Data Centre in Harare.
The launch is a critical step towards the fulfilment of some of the objectives under the National Development Strategy.
This entails the development of e-government enterprise, architecture and an interoperability framework among others, for improved efficiency and effectiveness in government internal operations and administration.
The launch of the National Data Centre is thus a step in the right direction as it pertains to access and usage of ICTs at the government level, which of course also needs to be facilitated for ordinary citizens including those in rural and marginalised communities.
Purpose of the National Data Centre
The centre seeks to consolidate services, applications and infrastructure in order to provide efficient electronic services among government departments, between government and citizens, as well as between the government and businesses.
Such developments, however, do not operate in a vacuum, with the critical factor being that of reshaping and refining the country’s approach to human rights. This also includes the role that such facilities can play in either facilitating or restricting the right to privacy and freedom of expression, among other fundamental rights.
One critical gap in that regard is the absence of an effective data protection and data privacy framework.
The need for a robust cybersecurity framework
Data protection will regulate the lawful access and use of data collected and stored. Data privacy will clarify how data is collected and shared, which government agencies will have access to the data and the process of doing so as well as under what circumstances such data can be used by or shared with other parties.
A cybersecurity framework and complementary technology will also be imperative for digital safety and security. This will serve to address concerns relating to the right to privacy and personal data protection, surveillance, cross border transfers of personal information and data retention issues among others.
In that regard, there is an urgent need for complementary legislation, policies and guidelines that will guide the acquisition, transfer and storage of data in Zimbabwe. This is particularly crucial in promoting public trust and confidence, and that the Centre will not be used for unlawful surveillance.
Cybersecurity and Data Protection Bill may not be sufficient
In Zimbabwe, that framework is not yet in place as the Cybersecurity and Data Protection Bill gazetted in May 2020, is still to be enacted into law. Be that as it may, the existing provisions in the proposed Bill do not provide sufficient mechanisms for the protection of data and the right to privacy.
For instance, the Bill does not explicitly provide for the rights of data subjects which rights include the right to rectification, the right to erasure or right to be forgotten, right to data portability among others. The Bill also does not have provisions on data retention periods and neither does it explicitly provide for data protection principles applicable to data controllers.
It should also be noted that the enjoyment of the right to privacy in Zimbabwe is being hampered by other issues that include the lack of control over one’s personal data, obscurity on who has access to personal data and lack of clarity on how one’s personal data is processed.
Need for transparency and accountability with regards to data
MISA Zimbabwe, therefore, urges the government to promote transparency and accountability on the nature of data and information that will be in its custody through the National Data Centre.
It is imperative for the data subjects concerned to have an understanding of key issues relating to the acquisition, processing, use, distribution and storage of the data as well as the safety mechanisms that will be put in place for the protection of the right to privacy.
If such data is to be shared with third parties, it is crucial that the data subjects be duly informed considering the privacy and surveillance concerns in Zimbabwe. In 2018, concerns were raised following a newspaper article that disclosed that Zimbabwe would send vast amounts of biometric and personal data to CloudWalk Technology, a Chinese-based entity that was providing Zimbabwe with facial recognition technology.
This was a violation of people’s right to privacy because such transfer was not lawful, in terms of having been authorised by an Act of Parliament and also no one had knowledge of or consented to the cross border transfer of their data.
Any sharing of the data with third parties should therefore be done in accordance with the law and for a legitimate purpose. Instances that will allow for cross border transfer of data should be within the ambit of international laws and standards.
Need for application of best practices from the region
Going forward, MISA Zimbabwe urges the government to also implement the remaining objectives in the National Development Strategy more so at it pertains to human rights and freedoms.
In the strategy document, the government expressed its intention to domesticate and comply with international and regional human rights obligations.
In so doing, the Cybersecurity and Data Protection Bill should be guided by the African Union Convention on Cybercrime and Data Protection. The domestication of the Malabo Convention will also go a long way in strengthening Zimbabwe’s approach to ICTs and human rights.
The Convention which was adopted in June 2014 has strong provisions on data protection which include the establishment of an independent Data Protection Authority accountable to Parliament, explicit provisions on the rights of data subjects and clear data protection principles that data controllers should adhere to.