Q&A on the provisions of the Tanzania Personal Data Protection Act
What are the consequences of violating the Act?
First, the Commission may issue an enforcement notice directing the respective person to remedy such violation within a certain period.
Second, the Commission may issue a notice of penalty where the respective party has failed to remedy the violation within the given period. The severity of the breach determines the fine imposed.
Third, unconsented disclosure of personal data by an individual shall be punishable by a fine of not less than TZS 100,000 and not more than TZS 20,000,000 or imprisonment for a term not exceeding ten years or condemned to a fine and imprisonment. For body corporate, the Act imposes a fine of not less than TZS 1,000,000 and not more than TZS 5,000,000,000.
Fourth, unlawful destruction, deletion, concealment or conversion of personal data shall be punishable by a fine of not less than TZS 100,000 and not more than TZS 10,000,000 or imprisonment for a term not exceeding five years or condemned to a fine and imprisonment.
Fifth, the Act imposes direct liability on all officers of a corporate body who intentionally authorised or allowed a crime to be committed. Finally, where the Act does not explicitly stipulate a punishment, a general fine of not less than TZS 100,000 and not more than TZS 5,000,000 or imprisonment for a term not exceeding five years or to both (a fine and imprisonment) may be imposed.
What steps can be taken now if the right to protect personal information is violated?
First, you can make a complaint to the Commission. If it is satisfied that there are good reasons to investigate, the Commission will initiate a confidential investigation. The investigation runs for a maximum of 90 days or beyond in case of an extension.
Second, the victim can report a crime to the police or other authorities for investigation, depending on the applicable sectoral law.
Third, the Public Prosecutor may open a criminal case if there is unlawful transfer of personal data outside the country, especially without the consent of the Commission or data subject. Finally, a data subject can engage a lawyer to institute a civil case and demand civil law remedies.
What rules should be followed to ensure compliance?
Personal data must be collected only for specified, explicit and lawful purposes; processed lawfully, fairly and in a transparent manner; adequate, relevant and limited to what is necessary; accurate and kept up to date; kept only for as long as it is needed and no longer; and protected in a manner that ensures its security and integrity.
What rights of a data subject does the Act consider fundamental?
The Act vests the following rights to the data subject: the right to be informed (written consent), the right to access, the right to rectification, the right to erasure, the right to restrict processing, the right to data portability, the right to object, the right not to be subjected to automated decision-making and profiling, and the right to legal remedies.
What responsibilities do individuals and entities have under the Act?
Whenever they process personal data, individuals and organisations must, among other things, ensure that their use of personal data is lawful, fair and transparent. They should also protect it from misuse, exploitation (commercialisation), and report any data breaches or loss to the relevant authorities; seek and obtain the consent of the Commission or the person concerned to provide information about any Tanzanian abroad; and register as data collectors or processors.
Who ensures compliance in an organisation?
Everyone in an entity must protect personal data and guarantee the privacy of a data subject. Nonetheless, it is compulsory for the data collector or the data processor (organisations) to appoint a data protection officer who will ensure data security.
Is there sectoral legislation that supplements the Act?
The country has several laws that complement the Act. These include the Banking and Financial Institutions Act 2006, the Anti Money Laundering Act 2006, the HIV and AIDS (Prevention and Control) Act 2008, the Hotels Act (RE 2006), the Tourism Act 2008, the National Payment System Act 2015, the Statistics Act (RE 2019), the Tax Administration Act (RE 2009), the Employment and Labour Relations Act 2004, the Tanzania Commission for Science and Technology Act (RE 2002), the Registration and Identification of Persons Act 1986, the Tanzania Passport and Travel Documents Act 2002, the Electronic and Postal Communications Act 2010, the Public Health Act 2009, the Human DNA Regulation Act 2009, the Cybercrimes Act 2015, the Law of the Child Act 2009, the Electronic Transactions Act 2022, and the Access to Information Act 2016.
The key subsidiary legislation includes the Police General Orders 2006, the Bank of Tanzania (Financial Consumer Protection) Regulations 2019, the Bank of Tanzania (Credit Reference Bureau) Regulations 2012, the Tourism (Accommodation Facility) Regulations 2015, the Electronic and Postal Communications (Consumer Protection) Regulations 2018, the Electronic and Postal Communications (Online Content) Regulations 2020, the Electronic and Postal Communications (SIM Card Registration) Regulations 2020, and the Electronic and Postal Communications (Radio Communication and Frequency Spectrum) Regulations 2018.
In a nutshell, the above laws and many others require service providers to collect, process and store customers’ personal and sensitive data and impose the duty of secrecy and confidentiality upon them.
Are there international standards grandfathering the Act?
Tanzania has domesticated several subregional, regional, and global legal instruments that have a bearing on data protection and the right to privacy. These include the Universal Declaration of Human Rights (1948), the International Covenant on Civil and Political Rights (1966), the UN Convention on the Rights of the Child (1989), the African Charter on Human and Peoples’ Rights (1981), African Charter on the Rights and Welfare of the Child (1990), the African Union Convention on Cybersecurity and Personal Data Protection (the Malabo Protocol of 2014), Treaty for the establishment of the East African Community (1999), EAC Legal Framework for Cyber Laws (2008), SADC Model Law on Data Protection (2013).
Is there any subsidiary legislation made under the Act?
Yes. There are two Regulations made under the Act, namely the Data Protection (Collection and Processing of Personal Data) Regulations, GN No. 349 and the Data Protection (Complaints Handling Procedure) Regulations, GN No 350. The two Regulations were published on 12 May 2023.
Is there any Court decision that interprets the Act?
No, there is no such a decision.
The Act is yet to be tested in the Courts of Law. However, some relevant court decisions predate the Act and have a bearing on privacy and data protection. These decisions include Jamii Media Company Ltd v. The Attorney General (2017) TLS LR 447; Deogras John Marando v Managing Director, Tanzania Beijing Huayuan Security Guard Service Co. Ltd, High Court of Tanzania, Civil Appeal No 110 of 2018 (unreported); Raymond Paul Kanegene and Bob Chacha Wangwe v. The Attorney General, High Court of Tanzania, Consolidated Misc. Civil Cause No. 15 of 2019 & No. 5 of 2020; Kisonga Ahmed Issa and Another v. Republic, Court of Appeal of Tanzania, Consolidated Criminal Appeal No. 17 of 2016 and 362 of 2017; and Francis Nyandindi v. Republic, High Court of Tanzania (at Dar es Salaam), Criminal Appeal No. 173 of 2021 (unreported).
What steps can be taken now if the right to protect personal information is violated?
First, you can make a complaint to the Commission. If it is satisfied that there are good reasons to investigate, the Commission will initiate a confidential investigation. The investigation runs for a maximum of 90 days or beyond in case of an extension.
Second, the victim can report a crime to the police or other authorities for investigation, depending on the applicable sectoral law.
Third, the Public Prosecutor may open a criminal case if there is unlawful transfer of personal data outside the country, especially without the consent of the Commission or data subject. Finally, a data subject can engage a lawyer to institute a civil case and demand civil law remedies.
--
Read the original publication at FB Attorneys.