Cyber Security and Data Protection Bill

For optimal readability, we highly recommend downloading the document PDF, which you can do below.

Document Information:


Aii
H.B. 18, 2019.] CYBER SECURITY AND DATA PROTE CTION
DISTRIBUTED BY VERITAS
e-mail: veritas@mango.zw; website: www.veritaszim.net
Veritas makes every effort to ensure the provision of reliable information, but cannot take legal responsibility for information supplied.

B
CYBER SECURITY AND DA PROTE CTION

i
CYBER SECURITY AND DATA PROTECTION BILL, 2019M
emorandum
The purpose of this Bill is to consolidate cyber related offences and provide for
data protection with due regard to the Declaration of Rights under the Constitution
and the public and national interest, to establish a Cyber Security Centre and a Data
Protection Authority, to provide for their functions, provide for investigation and
collection of evidence of cyber crime and unauthorised data collection and breaches,
and to provide for admissibility of electronic evidence for such offences. It will create
a technology driven business environment and encourage technological development
and the lawful use of technology.
The main

provisions of the Bill are explained below:
Part 1
Clause 1

sets out the short title and date of commencement.
Clause 2

provides for the objects of the Bill which are to curb cyber crime and
promote cyber security in order to build confidence and trust in communication networks.
Clause 3

provides for the definitions of the terms used in this Bill.
Clause 4

sets out the scope of application of the Bill to include the processing of
data wholly or partly by automated means.
Part II
Clause 5

provides for the designation of the Cyber Security Centre within the
Postal and Telecommunications Regulatory Authority of Zimbabwe (POTRAZ).
Clause 6

provides for the functions of the Cyber Security Centre which shall
be among other functions to advise Government and implement Government Policy
on cyber crime and cyber security. The Cyber Security Centre shall also promote and
coordinate activities focused on improving cyber security and prevention of cyber
crime.
Part III
Clauses

7 and 8 provides for the designation of the Postal and Telecommunications
Regulatory Authority of Zimbabwe (POTRAZ) as Data Protection Authority and the
functions thereof.
Part IV and V
Clauses 9 to 14

provides the minimum standards and general rules for a data
controller for the processing of data.
Part VI
Clauses 15 to 18

provides for the levels of security, integrity and confidentiality
of data controllers or their representatives in the protection of data from destruction,
unauthorised alteration or access and other unauthorised processing, and the notification
of the Authority of any security breaches.
Clauses 19 and 20

provides for the notification of the Authority of the processing
of data by any automated means and the scope of such notification.
Clauses 21 and 22

requires the Authority to establish the form and manner
of notification provided in clauses 19 and 20 and the keeping of a register of such
notifications.
(i)
CYBER SECURITY AND DATA PROTE CTION

ii
Clause 24 places the burden of accountability for the protection of data on the
data controller.
Part VII
Clause 25

provides for the protection of data subjects from decisions taken on the
basis of automatic data processing and the measure of recourse that is available from
such automatic data processing to the data subject.
Clauses 26 and 27

deals with the protection of the rights of data subjects who
are children or data subjects who may otherwise be incapable of exercising their rights
due to some other legal incapacitation in terms of this Act. Such persons rights may be
exercised by any such persons as are described in this part.
Part VIII
Clauses 28 and 29

outlines the rules on permissability and non-permissability
of the transfer of data outside the Republic of Zimbabwe and the require
ments for the
authorisation or non-authorisation of the same.
Part IX
Clause 30

requires the Authority to provide and approve codes of conduct and
ethics to be observed by data controller and categories of data controll
ers.
Part X
Clause 31

provides for the establishment and management of a whistle blowing
system by the Authority.
Part XI
Clause 32

provides for the Minister to make regulations in consultation with the
Authority to give effect to the Bill.
Clause 33

sets out the offences and the penalties thereof under this Bill.
Part XII
Clause 35

deals with consequential amendments to the Criminal Code by the
introduction of this Bill. This part amends the Criminal Law (Codification and reform)
Act [Chapter 9:23] by the repeal of sections 163 to 166, which are therefore expanded
in scope and application.
Part I
Clauses 163 to

163E deals with hacking and to prevent interfering, impairing the
functions on a computer system which house data vital to the country that the incapacity
of such would have debilitating impact on security. It further deals with security and
protection of data on computers so that data is not obtained, installed downloaded
or modified illegally by means of technology. It also curbs acquisition, possession,
production, selling, procuring and distribution for use imports designed or adapted for
the purpose of committing an offence.
Clause 163F
In this Part an of

fence is committed in aggravating circumstances if committed
with or in furtherance of the commission or attempted commission of a crime against
the State specified in Part 111 of the Criminal code.
Part II
Clause

164 deals with transmission of data messages inciting violence or damage
to property.
Clause 164A

deals with protection of citizens from receiving threatening messages.
(ii)
CYBER SECURITY AND DATA PROTE CTION

iii
Clause 164B Cyber bullying and harassment deals with any data message which
is send to coerce, harass or intimidate.

Clause 164C
The

section seeks to punish any person who distributes, make available or broadcasts
data concerning an identified or identifiable person knowing it to be false intending to
cause psychological or economic harm.
Clause

164D deals with messages classified as spam and liability is excluded if
the multiple electronic transmission is done within a customer or business relationship.
Clause

164E deals with the transmission of data with intimate images without
consent.
Clause 164F

deals with Production and dissemination of racist and xenophobic
material such as the use of language that tends to lower the reputation or feelings of
persons for the reason that they belong to a group of persons distinguished on the
grounds set out in section 56(3) of the Constitution.
Clause 164G

The section seeks to protect any person whose identity is acquired
transferred, possessed or used by using a computer or computer information systems
with intent to commit or assist in commission of a crime.
Part III
Clauses 165 and 165A

deals with pornography involving a child or exposing
pornography to children.
Clause 165B

deals with process in the search and seizure in electronic evidence.
Clause

165C provides the manner and form in which data is preserved for use of
investigation.
Part IV
Clause 166

provides for the obligations and immunity of the service provider
who has not initiated or modified the transmission or selected the receiver of a data
transmission.
Clause 166A

deals with jurisdiction issues of courts in Zimbabwe when dealing
with offences in this Bill.
Clause 166B

provides for the admissibility of electronic evidence.
Clause

166C provides that upon conviction under this Act the Court may order
forfeiture to the state of proceeds of such offence.
Clause 166D

provides that the Cyber Security Committee may, with the approval
of the Minister issue such guidelines as may be necessary for the carrying out of the
provisions of this Act as relates to its functions under this Bill.
(iii)
CYBER SECURITY AND DATA PROTE CTION

1
CYBER SECURITY AND DATA PROTECTION BILL, 2019
ARRANGEMENT OF SECTIONS
PA RT I
Preliminary
Section
1. Short title .

2.
Object.

3.
Interpretat
ion.

4.
Applicatio
n. PART II
establishment of Cyber SeCurity Centre
5. Designation of Postal and Telecommunications Regulatory Authority as Cyber
Security Centre.
6.

Functions of Cyber security centre. P

ART III
data ProteCtion authority
7. Designation of Postal and Telecommunications Regulatory Authority as Data
Protection Authority.
8.

Functions of Data Protection
Authority.

P

ART IV
Quality of d ata
9. Quality of data.
PA RT V
General rules on the ProCessinG of d ata
10. Generality.
1 1.
Purpose.
12.

Non-sensitive data.
13.

Sensitive i
nformation.
14.

Genetic da
ta, biometric sensitive data and health data. PART VI
duties of the d ata Controller and d ata ProCessor
15.
Disclosures when collecting data directly from data sub
ject.
16.

Disclosures when not collecting data directly from data
subject.
17.

Authority to process.
18.

Security.
19.

Security b
reach notification.
20.

Obligation
of notification to Authority.
21.

Content of
notification.
22.
Authorisation.
23.

Openness of processing.
24.

Accountability.
CYBER SECURITY AND DATA PROTE CTION

2
PART VII
data subjeCt
Section
25.

Decision t
aken on basis of Automatic Data Processing.
26.

Represent
ation of data subjection who is a child.
27.

Represent
ation of physically, mentally or legally incapacitated data subjects. PART VIII
transborder flow
28. T ransfer of personal information outside Zimbabwe.
29.
T
ransfer to a country outside the Republic of Zimbabwe which does not assure an adequate level of protection.
PART IX
Code of ConduCt
30. Code of conduct. PA RT X
whistleblowinG
31. Whistleblower.
P ART XI
General Provisions
32. Regulations.
33.
Of
fences and penalties.
34.
Appeals. PART XII
ConseQuential amendments
35. Amendme nt of Cap. 9:23.
CYBER SECURITY AND DATA PROTE CTION

3
Printed by the Government Printer, Harare
H.B. 18, 2019.] 5
10
15
BILL
An Act to provide for data protection with due regard to the Declaration of Rights under the Constitution and the public and national interest; to
establish a Cyber Security Centre and a Data Protection Authority and
to provide for their functions; to create a technology driven business
environment and encourage technological development and the lawful
use of technology; to amend sections 162 to 166 of the Criminal
Code (Codification and Reform) Act [Chapter 9:23] to provide for
investigation and collection of evidence of cyber crime and unauthorised

data collection and breaches, and to provide for admissibility of
electronic evidence for such offences; and to provide for matters
connected with or incidental to the foregoing.

ENACTED by the Parliament and the President of Zimb
abwe.
PA RT I
Preliminary
1 Short title
This

Act may be cited as the Cyber Security and Data Protection Act [Chapter
11:22].
CYBER SECURITY AND DATA PROTE CTION

4
5
10
15
20
25
30
35
40
45
2 Object
The
object of this Act is to increase cyber security in order to build confidence
and trust in the secure use of information and communication technologies by data
controllers, their representatives and data subjects.

3
Interpretation
In

this Act—
“child” means any person under the age of eighteen years;
“code of conduct” refers to the Data Use Charters drafted by the d
ata controller

in order to institute the rightful use of IT resources, the Internet, and
electronic communications of the structure concerned, and which have
been approved by the Data Protection Authority;
“consent”

refers to any manifestation of specific unequivocal, freely given,
informed expression of will by which the data subject or his or her legal,
judicial or legally appointed representative accepts that his or her data
be processed;
“critical

database” means a computer data storage medium or any part thereof
which contains critical data;

data” means any representation of facts, concepts, information, whether in text, audio, video, images, machine-readable code or instructions, in a form
suitable for communications, interpretation or processing in a computer
device, computer system, database, electronic communications network
or related devices and includes a computer programme and traffic data;
“data

controller or controller” refers to any natural person or legal person who
is licensible by the Authority;
“data controller

’s representative or controller’s representative” refers to any
natural person or legal person who performs the functions of the data
controller in compliance with obligations set forth in this Act;
“data

processor” refers to a natural person or legal person, who processes data
for and on behalf of the controller and under the controller’s instruction,
except for the persons who, under the direct employment or similar
authority of the controller, are authorised to process the data;
“data

protection authority or authority” refers to Postal and Telecommunications Regulatory Authority of Zimbabwe established in terms of section 5 of
the Postal and Telecommunications Act [Chapter 12:05];
“data

protection officer or DPO” refers to any individual appointed by the
data controller and is charged with ensuring, in an independent manner,
compliance with the obligations provided for in this Act;
“data

subject” refers to an individual who is an identifiable person and the
subject of data;
“disproportionate ef

fort” means effort that is so labour intensive as to consume
a lot of time, money and manpower resources;
“electronic

communications network” means any electronic communications
infrastructures and facilities used for the conveyance of data;
“genetic data: refers to any personal information stemming from a

Deoxyribonucleic acid (DNA) analysis;
“health professional” refers to any individual determined as such
by

Zimbabwean law;

identifiable person” means a person who can be identified directly or indirectly, in particular by reference to an identification number or to one or more
CYBER SECURITY AND DATA PROTE CTION

5
5
10
15
20
25
30
35
40
45
50
factors specific to his or her physical, physiological, mental, economic,
cultural or social identity;
“Minister” means the Minister responsible for information and comm
unications

technologies;
“personal information” means information relating to a data subjec
t, and

includes—
(a)

the person’
s name, address or telephone number;
(

b)
the person’
s race, national or ethnic origin, colour, religious or
political beliefs or associations;
(c)

the person’
s age, sex, sexual orientation, marital status or family
status;
(d)

an identifyin
g number, symbol or other particulars assigned to that
person;
(e)

fingerprints, blood type or inheritable characteristics;
(

f)
inform
ation about a person’s health care history, including a physical
or mental disability;
(g)

information
about educational, financial, criminal or employment
history;
(h)

opinions expressed about an identifiable person;
(i)

the
individual’s personal views or opinions, except if they are about
someone else; and
(j)

personal correspondence pertaining to home and family life;
“processing”

refers to any operation or set of operations which are performed
upon data, whether or not by automatic means, such as obtaining recordin
g
or holding the data or carrying out any operation or set of operations on
data, including—
(a)

or
ganisation, adaptation or alteration of the data;
(b)

retrieval, co
nsultation or use of the data; or
(

c)
alignment,
combination, blocking, erasure or destruction of the data;
“recipient” a natural

or legal person, agency or any other body to whom personal
information is disclosed by a data controller, whether a third party or not;
however, persons who receive personal information in the framework of
a particular legal inquiry shall not be regarded as recipients;
“sensitive data” refers to—
(a)

information
or any opinion about an individual which reveals or
contains the following—
(i)

racial or ethnic origin;
(ii)

political opinions;
(iii)

membership of a political association;
(iv)

religious beliefs or affiliations;
(v)

philosophical beliefs;
(vi)

membership of a professional or trade association;
(vii)

membership of a trade union;
(viii)

sex life;
(ix)

criminal educational, financial or employment history;
(x)

gender
, age, marital status or family status;
(b)

health infor
mation about an individual;
(c)

genetic info
rmation about an individual; or
(d)

any informa
tion which may be considered as presenting a major
risk to the rights of the data subject;
CYBER SECURITY AND DATA PROTE CTION

6
5
10
15
20
25
30
35
40
45
“third party” refers to any natural or legal person or or ganisation other than
the data subject, the controller, the processor and anyone who, under the
direct authority of the controller or the processor, is authorised to process
the data;
“transborder

flow” refers to international flows of data by the means of
transmission including data transmission electronically or by satellite;
“whistleblowing”

refers to legal provisions permitting individuals to report
the behaviour of a member of their organisation which, they consider
contrary to a law or regulation or fundamental rules established by their
organisation.
4

Application
(1)

This Act shall apply to matters relating to access to information, protection
of privacy of information and processing of data wholly or partly by automated means:
and shall be interpreted as being in addition to and not in conflict or inconsistent with
the Protection of Personal Information Act [Chapter……..].
(2) Subject to subsection (1) this

Act shall be applicable—
(a)

to the processing of data carried
out in the context of the effective and
actual activities of any data controller;
(

b)
to the processing of data by a controller who is not permanently establi
shed

in Zimbabwe, if the means used, whether electronic or otherwise is locat
ed
in Zimbabwe, and such processing is not for the purposes of the mere
transit of data through Zimbabwe.
(3) In the circumstances

referred to in subsection (2)(b), the controller shall
designate a representative established in Zimbabwe, without prejudice to legal
proceedings that may be brought against the controller.
PART II
establishment of Cyber seCurity Centre
5 Desi

gnation of Postal and Telecommunications Regulatory Authority
as Cyber Security Centre
The Postal and

Telecommunications Regulatory Authority established in terms
of the Postal and Telecommunications Act [Chapter 12:05] is hereby designated as the
Cyber Security Centre.
6

Function

s of Cyber security Centre
The functi

ons of the Cyber Security Centre shall be to—
(a)

advise Government and implement
Government policy on cyber crime
and cyber security;
(b)

identify areas for

intervention to prevent cyber crime;
(c)

coordinate cyber security and establish a national contact point availab
le
daily around-the-clock;
(

d)
establish and operate a protection-assured whistle-blower system that wi
ll

enable members of the public to confidentially report to the Committee
cases of alleged cyber crime;
(e)

promote and coordinate activities
focused on improving cyber security
and preventing cyber crime by all interested parties in the public and
private sectors;
CYBER SECURITY AND DATA PROTE CTION

7
5
10
15
20
25
30
35
40
45
( f) p rovide guidelines to public and private sector interested parties on matters
relating to awareness, training, enhancement, investigation, prosecution
and combating cyber crime and managing cyber security threats;
(

g)
oversee the enforcement of the
Act to ensure that it is enforced reasonably
and with due regard to fundamental human rights and freedoms;
(h)

provide technical
and policy advice to the Minister;
(

i)
advise the Minister on the establishment and development of a

comprehensive legal framework governing cyber security matters.
PA RT III
data ProteCtion authority
7 Desi gnation of Postal and Telecommunications Regulatory Authority
as Data Protection Authority
The Postal and

Telecommunications Regulatory Authority established in terms
of the Postal and Telecommunications Act [Chapter 12:05] is hereby designated as the
Data Protection Authority.
8

Function
s of Data Protection Authority

(1)

The Authority shall perform the following functions—
(a)

to
regulate the manner in which personal information may be processed
through the establishment of conditions for the lawful processing of dat
a;
(b) to promote and enforce fair processing of data in accordance

with this
Act;
(

c)
t
o issue its opinion either of its own accord, or at the request of any person
with a legitimate interest, on any matter relating to the application of the
fundamental principles of the protection of privacy, in the context of this
Act;
(d) to submit to any Court any administrative

act which is not compliant
with the fundamental principles of the protection of the privacy in
the framework of this Act as well as any law containing provisions
regarding the protection of privacy in relation to the processing of data
in consultation with Minister responsible for Information, Publicity and
Broadcasting Services;
(e) to advise the Minister on matters relating

to right to privacy and access
to information;
(f) to conduct

inquiries or investigations either of its own accord or at the
request of the data subject or any interested person, and in relation thereto
may call upon the assistance of experts to carry out its functions and
may request the disclosure of any documents that may be of use for their

inquiry or investigation;
(g) to receive,

by post or electronic means or any other equivalent means,
the complaints lodged against data processing and give feed-back to the
claimants or complainants;
(h) to

investigate any complaint received in terms of this Act howsoever
received;
(

i)
t
o conduct research on policy and legal matters relating to the development
of international best practices on the protection of personal information
in Zimbabwe and advise the Minister accordingly;
(j)

in consultation
with the Minister, to facilitate cross border cooperation
in the enforcement of privacy laws and participating at national, regional
CYBER SECURITY AND DATA PROTE CTION

8
5
10
15
20
25
30
35
40
and international forums mandated to deal with the protection of personal
information initiatives.
(2) Subject
to this Act, the Authority shall not, in the lawful exercise of its
functions under this Act, be subject to the direction or control of any person or authority.
PART IV
Quality of d ata
9 Quality of Data
(1)

The data controller shall ensure that data processed is—
(a)

adequate, relevant and not excessive in relation to the purposes for whi
ch
it is collected or further processed;
(b)

accurate and, whe
re necessary, kept up-to-date;
(c)

retained
in a form that allows for the identification of data subjects, for
no longer than necessary with a view to the purposes for which the data
is collected or further processed.

(2)

The data controller shall take all appropriate measures to ensure that data
processed shall be accessible regardless of the technology used and ensure that the
evolution of technology shall not be an obstacle to the access or processing of such
data.
(3)

The controller shall ensure compliance with the obligations set out in
subsections (1) and (2) by any person working under his or her authority and any
subcontractor.
PA RT V
General rules on the ProCessinG of d ata
10 Generality
The
data controller shall ensure that the processing of data is necessary and that
the data is processed fairly and lawfully.
1

1
Purpose
(1)

The data controller shall ensure that data is collected for specified, explicit
and legitimate purposes and, taking into account all relevant factors, especially the
reasonable expectations of the data subject and the applicable legal and regulatory
provisions, that the data is not further processed in a way incompatible
with such
purposes.
(2

) Under the conditions established by the Authority, further processing of data
for historical, statistical or scientific research purposes is not considered incompatible.
12

Non-sensitive data
(1) Pe

rsonal information may only be processed if the data subject or a
competent person, where the data subject is a child, consents to the processing of
such
data.
(2)

The consent referred to in subsection (1) may be implied where the data
subject is an adult natural person or has a legal persona and has full legal capacity to
consent.
CYBER SECURITY AND DATA PROTE CTION

9
5
10
15
20
25
30
35
40
45
(3) The processing of non-sensitive data is permitted, without the consent of
the data subject, where necessary for purposes of—
(a)

being material as
evidence in proving an offence; or
(b) compliance

with an obligation to which the controller is subject by or by
virtue of a law; or
(c)

protecting the vit
al interests of the data subject; or
(d)

performing
a task carried out in the public interest, or in the exercise of
the official authority vested in the controller, or in a third party to whom
the data is disclosed; or
(e)

promoting the legitimate
interests of the controller or a third party to
whom the data is disclosed, except where such interests are overridden
by the interests or fundamental rights and freedoms of the data subject
claiming protection under this Act.
(4)

The Authority may specify the circumstances in which the condition
stipulated under subsection (3)(e) are considered as having been met
.
13

Sensitive information
(1) In relation to the processing of sensitive personal information—

(a)

the processing of sensitive data is prohibited unless the data subject h
as
given consent in writing for such processing;
(

b)
the consent may be withdrawn by the data subject at any time and without

any explanation and free of charge;
(c)

the
Authority shall determine the circumstances in which the prohibition
to process the data referred to in this section cannot be lifted even with
the data subject’s consent “taking into account the factors surrounding
the prohibition and the reasons for collecting the data”.
(2)

The provisions of subsection (1) shall not apply where—
(

a)
the
processing is necessary to carry out the obligations and specific rights
of the controller in the field of employment law; or
(

b)
t
he processing is necessary to protect the vital interests of the data subject
or of another person, where the data subject is physically or legally
incapable of giving his or her consent or is not represented by his or her
legal, judicial or agreed representative; or
(c)

the processing is carried
out in the course of its legitimate activities by
a foundation, association or any other non-profit organisation with a
political, philosophical, religious, health-insurance or trade-union purpose
and on condition that the processing relates solely to the members of the
organisation or to persons who have regular contact with it in connection
with such purposes and that the data is not disclosed to a third party
without the data subjects’ consent; or
(d)

the processing is
necessary to comply with national security laws; or
(

e)
t
he processing is necessary, with appropriate guarantees, for the
establishment, exercise or defence of legal claims; or
(f)

the processing relates to data which has been made public by the data
subject; or
(g)

the processing is
necessary for the purposes of scientific research:

Provided the
Authority shall be entitled to specify the conditions
under which such processing may be carried out; or
CYBER SECURITY AND DATA PROTE CTION

10

5
10
15
20
25
30
35
40
45
(h) the processing of data is authorised by a law or any regulation for any
other reason constituting substantial public interest.
(3)

Without prejudice to the application of sections 5 to 8, the processing of
data relating to sex life is authorised if—
(

a)
it is carried out by an association with a legal personality or by an

organisation of public interest whose main objective, according to its
Memorandum and Articles of Association, is the evaluation, guidance
or treatment of persons of such sexual conduct, and who is recognised
by a competent public body as being responsible for the welfare of such
persons;
(

b)
t
he objective of the processing of the data consist of the evaluation,
guidance and treatment of the persons referred to in this section, and the
processing of data relates only to the aforementioned persons:
Provided that

the competent public body referred to in paragraph (a) grants a
specific, individualised authorisation, having received the opinion of the Authority.
(4)

The authorisation referred to in this section shall specify the duration of the
authorisation, the conditions for supervision of the authorised associat
ion or organisation
by the competent public body, and the way in which the processing must be reported
to the Authority.
14

Genetic data, biometric sensitive data and heal
th data
(1)

The processing of genetic data, biometric data and health data is prohibited
unless, the data subject has given consent in writing to the processing.
(2)

The consent referred to in subsection (1) can be withdrawn by the data

subject at any time without any reasons and free of charge.
(3)

The provisions of subsection (1) shall not apply where—
(

a)
the
processing is necessary to carry out the specific obligations and rights
of the controller in the field of employment law; or
(b)

the processing is
necessary to comply with national security laws; or
(c)

the
processing is necessary for the promotion and protection of public
health, including medical examination of the population; or
(d)

the processing is required by or by virtue of a law or any equivalent
legislative act for reasons of substantial public interest; or
(

e)
t
he processing is necessary to protect the vital interests of the data subject
or another person, where the data subject is physically or legally incap
able
of giving his or her consent or is not represented by his or her legal,
judicial
or agreed representative; or
(f)

the processing is necessary for the prevention
of imminent danger or the
mitigation of a specific criminal offence; or
(g)

the processing relates to data which has apparen
tly been made public by
the data subject; or
(h)

the processing is necessary for the establishmen
t, exercise or defense of
legal rights; or
(i)

the processing is
required for the purposes of scientific research; or
(j)

the
processing is necessary for the purposes of preventive medicine or
medical diagnosis, the provision of care or treatment for the data subject
or to one of his or her relatives, or the management of health-care services
CYBER SECURITY AND DATA PROTE CTION

11
5
10
15
20
25
30
35
40
in the interest of the data subject, and the data is processed under the

supervision of a health professional.
(4)

Health-related data may only be processed under the responsibility of a
health-care professional, except if the data subject has given his or her written consent
or if the processing is necessary for the prevention of imminent danger
or for the
mitigation of a specific criminal offence.
(5)

The Authority shall be entitled to specify the conditions under which such
processing may be carried out.
(6) Health

related data may only be collected from other sources where the
data subject is incapable of providing the data.
(7) For

the purposes of processing personal information under this section, the
health professional and his or her agents are subject to the duty of pro
fessional secrecy.
(8)

The processing of genetic data, shall be authorised if it is processed f
or what
it reveals or contains and data concerning health shall be processed only if a unique
patient identifier is given to the patient which is distinct from any other identification
number, issued by the public authority established for this purpose.
(9)

The association of the unique patient identifier with any other identifier
which permits the identification of the data subject as provided for in section 8 is
permissible only with the express authorisation of the Authority.
(10)

The data of a child shall be processed subject to section 26. PART VI
duties of the d ata Controller and d ata ProCessor
15 Disclosures when collecting data directly from data subject
(1)

When obtaining data directly from the data subject, the controller or the
controller’s representative shall provide the data subject with at least the following
information, unless the data subject has already received such informati
on—
(a)

the
name and address of the controller and of his or her representative, if
any;
(b)

the purposes of the processing;
(c)

the existence
of the right to object, by request and free of charge, to the
intended processing of data relating to him or her, if it is obtained for the
purposes of direct marketing;
(d)

whether complian
ce with the request for information is compulsory or
not, as well as what the consequences of the failure to comply are;
(

e)
taking
into account the specific circumstances in which the data is
collected, any supporting information, as necessary to ensure fair
processing for the data subject, such as—
(i)

the recipien
ts or categories of recipients of the data;
(

ii)
w
hether it is compulsory to reply, and what the possible consequences
of the failure to reply are;
(iii)

the existence of the right to access and rectify the data relating to
him

or her except where such additional information, taking into
account the specific circumstances in which the data is collected is
not necessary to guarantee accurate processing.
CYBER SECURITY AND DATA PROTE CTION

12
5
10
15
20
25
30
35
40
45
(f) other information dependent on the specific nature of the processing, as
specified by the Authority.
16

Disclosures when not collecting data directly fr
om data subject
(1)

Where the data is not collected from the data subject, the controller or his
or her representative shall provide the data subject with at least the information set out
below when recording the data or considering communication to a third party, unless
it is established that the data subject is in receipt of such informatio
n—
(a)

the
name and address of the controller and of his or her representative, if
any;
(b)

the purposes of the processing;
(c)

whether complian
ce with the request for information is compulsory or
not, as well as what the consequences of the failure to comply are;
(d)

the existence
of the right to object, by request and free of charge, to the
intended processing of data relating to him or her, if it is obtained for
the purposes of direct marketing; in which case, the data subject shall be
informed prior to the first disclosure of the data to a third party or prior
to the first use of the data for the purposes of direct marketing on behalf
of third parties;
(

e)
taking
into account the specific circumstances in which the data is
collected, any supporting information, as necessary to ensure fair
processing such as—
(i)

the categori
es of data concerned;
(ii)

the recipien
ts or categories of recipients of the data;
(iii)

the existence of the right to access and rectify the data relating to
him/her

, unless such additional information, taking into account the
specific circumstances in which the data is provided, is not necessary
to guarantee fair processing with respect to the data subject;
(f)

other
information dependent on the specific nature of the processing,
which is specified by the Authority.
(2)

The provisions of subsection (1) shall not apply where—
(

a)
informing the data subject proves impossible or would involve a

disproportionate effort, in particular for data collected for statistical
purposes or for the purpose of historical or scientific research, or for the
purpose of medical examination of the population with a view to protecting
and promoting public health; or
(b)

data is recorded o
r provided in terms of the law.
(3)

The Authority shall establish the conditions for the application of this
section.
17

Authority to process
Any pe

rson having access to the data and acting under the authority of the controller
or of the processor, as well as the processor himself or herself, may process data only
as instructed by the controller, without prejudice to any duty imposed by law.
18
Security
(1)

In order to safeguard the security, integrity and confidentiality of the data, the
controller or his or her representative, if any, or the processor, shall take the appropriate
technical and organisational measures that are necessary to protect data from negligent
CYBER SECURITY AND DATA PROTE CTION

13
5
10
15
20
25
30
35
40
or unauthorised destruction, negligent loss, unauthorised alteration or access and any
other unauthorised processing of the data.
(2)
These measures referred to in subsection (1) must ensure an appropriat
e
level of security taking into account the state of technological development and the
cost of implementing the measures on the one hand, and the nature of the data to be
protected and the potential risks to the data subject on the other hand.
(3)

The Authority may issue appropriate standards relating to information
security for all or certain categories of processing.
(4)

The data controller shall appoint data processor who provide sufficient
guarantees regarding the technical and organisational security measures employed to
protect the data associated with the processing undertaken and ensure strict adherence
to such measures.
(5)

The data controller shall enter into a written contract or any other legal
instrument with the data processor which ensures that the data processor maintains
security measures on data.

19

Security breach notification
The

data controller shall notify the Authority, without any undue delay of any
security breach affecting data he or she processes.
20 Obligation
of notification to
Authority
(1) Prior to any wholly or partly automated operation or set of operat
ions

intended to serve a single purpose or several related purposes, the controller or his or
her representative, if any, must notify the Authority.
(2)

Any modification to the information provided according to section 16 must
be notified to the Authority.
(3)

The provisions of subsection (1) shall not apply to operations having the
sole purpose of keeping a register that is intended to provide information to the public
by virtue of operation of law and that is open to access by the general public or by any
person demonstrating a legitimate interest.
(4)

The Authority may exempt certain categories from notification under this
section if—
(a)

taking
into account the data being processed, there is no apparent risk of
infringement of the data subjects’ rights and freedoms, and if the purposes
of the processing, the categories of data being processed, the categories
of data subjects, the categories of recipients and the data retention period
are specified;
(b)

the data controlle
r has appointed a data protection officer.
(5)

The appointment of the data protection officer shall be duly notified to the
Authority.
(6)

The Authority shall provide guidelines that provide for the qualifications
and functions of data protection officer.
(7)

If exemption from the duty of notification has been granted for automatic
processing in accordance with the subsection 3, the data controller may disclose the
items of information mentioned in section 16 to any person entitled to receive such
information.
CYBER SECURITY AND DATA PROTE CTION

14
5
10
15
20
25
30
35
40
45
21 Content of notification
(1)
The notification referred to in section 20 shall state, at least—
(a)

the
date of notification and the law or regulatory instrument permitting
the automatic processing of data;
(

b)
the
surname, first names and complete address or the name and registered
offices of the controller and of his or her representative, if any;
(c)

the denomination
of the automatic processing;
(d)

the purpose or the
set of related purposes of the automatic processing;
(e)

the categories
of data being processed and a detailed description of the
sensitive data being processed;
(f)

a description of th
e category or categories of the data subjects;
(g)

the
safeguards that must be linked to the disclosure of the data to third
parties;
(

h)
the
manner in which the data subjects are informed, the service providing
for the exercise of the right to access and the measures taken to facilitate
the exercise of that right;
(i)

the
inter-related processing planned or any other form of linking with
other processing;
(j)

the
period of time after the expiration of which the data may no longer
be stored, used or disclosed;
(k)

a
general description containing a preliminary assessment of whether the
security measures provided for pursuant to section 13 above are adequate
;
(l)

the recourse to a
data processor, if any;
(m)

the transfers of da
ta to a third country as planned by the data controller.
(2)

The Authority may prescribe other information which shall be mentioned
in the notification.
(3)

Where the Authority is of the opinion that the processing or transfer of
data by a data controller entails specific risks to the privacy rights of data subjects, he
or she may inspect and assess the security and organisational measures prior to the
commencement of the processing or transfer.
(4)

The Authority may, during working hours, carry out further inspection and
assessment of the security and organisational measures employed by a data controller
subject to reasonable notification to the data controller of the Authority’s intended
inspection and assessment.
22
Authorisation
(

1) The Authority shall establish the categories of data processing which
represent specific risks to the fundamental rights of the data subject and which require
specific authorisation from the Authority.
(2)

Such authorisation shall only be provided following receipt of notification
from the data controller or from the data protection officer pursuant to sections 15 and
16.
23

Openness of Processing
(1)

The Authority shall keep a register of all automatic processing operations
of data.
(2)

Any entry in the register referred to in subsection (1) must include the
information mentioned in section 16(1).
CYBER SECURITY AND DATA PROTE CTION

15
5
10
15
20
25
30
35
40
(3) The register shall be available for inspection by members of the public, in
the manner determined by the Authority.
(4)
In case of the processing of data exempted from notification by this Act, the
Authority may, either by virtue of its office or at the data subject’s request, impose upon
the controller the obligation to disclose to the data subject all or part of the information
mentioned in section 16(1).
24
Accountability
(1)

The data controller shall—
(

a)
take
all the necessary measures to comply with the principles and
obligations set out in this Act; and
(b)

have
the necessary internal mechanisms in place for demonstrating such
compliance to both the data subjects and the Authority in the exercise of
its powers.
PART VII
data subjeCt
25 Decision taken on basis of Automatic Data Processing
(1)

The data subject shall have the right not to be subject to a decision based
solely on automated processing, including profiling, which produces legal effects
concerning him or her or similarly significantly affects him or her.
(2)

The right referred to in subsection (1) shall not be applicable if the decision
based solely on automated processing is taken on the basis of the data subject having
consented to such decision or is based on a provision established by law
.
26

Represe
ntation of data subject who is a child
Where

the data subject is a child, his or her rights pursuant to this law may be
exercised by his or her parents or legal guardian.
27

Represe
ntation of physically, mentally or legally incapacitated data
subjects
(1)

A data subject who is physically, mentally or legally incapable of exercising
the rights given under this Act and who is not subject to the provisions of section 27,
may exercise such rights through a parent or guardian or as provided for by law or as
designated by a Court of competent jurisdiction.

(2) Incapacity

as referred to in subsection (1) shall be proven by a physician
or a person legally competent to do so.
PART VIII
transborder flow
28 Transfer of personal information outside Zimbabwe
(1) Subject

to the provisions of this Act, a data controller may not transfer
personal information about a data subject to a third party who is in a foreign country
unless an adequate level of protection is ensured in the country of the recipient or within
the recipient international organisation and the data is transferred solely to allow tasks
covered by the competence of the controller to be carried out.
CYBER SECURITY AND DATA PROTE CTION

16
(2) The adequacy of the level of protection afforded by the third country
or international organisation in question shall be assessed in the light of all the
circumstances surrounding a data transfer operation or set of data transfer operations
;
with particular consideration being given to the nature of the data, the purpose and
duration of the proposed processing operation or operations, the recipie
nt third country
or recipient international organisation, the laws relating to data protection in force in
the third country or international organisation in question and the professional rules
and security measures which are complied with in that third country or international
organisation.
(3)
The Authority shall lay down the categories of processing operations for
which and the circumstances in which the transfer of data to countries outside the
Republic of Zimbabwe is not authorised.
29

T
ransfer to a country outside the Republic of Zimbabwe which does
not assure an adequate level of protection
(1)

A transfer or a set of transfers of data to a country outside the Zimbabwe
which does not assure an adequate level of protection may take place in one of the
following cases—
(

a)
the data subject has unambiguously given his or her consent to the

proposed transfer;
(b)

the transfer is necessary for the performance of a contract between the
data

subject and the controller or the implementation of pre-contractual
measures taken in response to the data subject’s request;
(c)

the
transfer is necessary for the conclusion or performance of a contract
concluded or to be concluded between the controller and a third party in

the interest of the data subject;
(d)

the
transfer is necessary or legally required on important public interest
grounds, or for the establishment, exercise or defense of legal claims;
(e)

the transfer is necessary in order to protect
the vital interests of the data
subject;
(

f)
the transfer is made from a register which, according to acts or regulat
ions,

is intended to provide information to the public and which is open to
consultation either by the public in general or by any person who can
demonstrate a legitimate interest, to the extent that the conditions laid
down in law for consultation are fulfilled in the case at hand.
PART IX
Code of ConduCt
30 Code of Conduct
(1)

The Authority shall provide guidelines and approve codes of conduct and
ethics governing the rules of conduct to be observed by data controllers and categories
of data controllers.
(2) In ef

fecting (1) above, the Authority shall consider trade associations and
other bodies representing other categories of controllers who have national codes or
have the intention of amending or extending existing national codes and allow them
to submit such codes for the approval of the Authority.
(3)

The Authority in considering codes of conduct for approval, shall ascertain,

among other things, whether the Codes submitted comply with the provisions of this
5
10
15
20
25
30
35
40
45
CYBER SECURITY AND DATA PROTE CTION

17
Act.
(4)
If it deems it fit, the Authority shall seek the views of affected data subjects
or their representatives.
PA RT X
whistleblowinG
31 Whistleblower
(1)

The Authority shall establish rules giving the authorisation for and governing
the whistleblowing system.

(2) Rules established in terms of subsection (1) must preserve—
(a)

the principles of f
airness, lawfulness and purpose of the processing;
(b)

the principles related to the proportionality on the limitation of the s
cope,
accuracy of the data which will be processed;
(

c)
t
he principle of openness and delivering an adequate system for the
collection of personal information shall address—
(i)

the scope an
d purpose of the whistleblowing;
(ii)

the processi
ng of reporting;
(iii)

the consequ
ences of the justified and unjustified reporting;
(iv)

the
way of exercising the rights of access, correction, deletion as
well as the competent authority to which a request can be made; and
(v)

the
third party who may receive data concerning the informer and
the person who is implicated in the scope of the processing of the
report;
(vi)

the technica
l and organisational rules;
(vii)

rules
concerning the rights of the data subject by making clear that
the right of access doesn’t allow to access to data linked to a third
person without his or her express and written consent; and
(viii)

the method
of notifying the Authority.
(3)

The person who is implicated shall be informed as soon as possible of the
existence of the report and about the facts which he or she is accused of in order to
exercise the rights established in this Act.
(4)

The release of information to the person who is implicated may be withhe
ld
in exceptional circumstances.
PART XI
General Provisions
32 Regulations
(1)
The Minister may, in consultation with the Authority, make regulations
providing for all matters which by this Act are required or permitted to be prescribed or
which, in his or her opinion, are necessary or convenient to be prescrib
ed for carrying
out or giving effect to this Act.
(2) Regulations

referred to in subsection (1) may provide for the exercise of
the rights referred to in sections 25 to 27 of the Act.
33

Offences and Penalties
(1

) Any member of staff of the Authority or any expert, contractor, sub-
5
10
15
20
25
30
35
40
CYBER SECURITY AND DATA PROTE CTION

18
contractor who violates the provisions of this Act shall be guilty of an offence and liable
to a fine not exceeding level seven or to imprisonment for a period not exceeding two
years or to both such fine and such imprisonment.
(2)
Any data controller, his or her representative, agent or assignee who
contravenes section 11, 18(4), 24 and 28 shall be guilty of an offence and liable to a
fine not exceeding level eleven or to imprisonment for a period not exceeding seven
years or to both such fine and such imprisonment.
(3) Upon conviction

by a Court of competent jurisdiction the Court may order
the seizure of the media containing the data to which the offence relates, such as manual
filing systems, magnetic discs or magnetic tapes, except for computers or any other
equipment, or the deletion of the data.
(4) Seizure or deletion

may be ordered where the media containing the data
does not belong to the person convicted.
(5)

The objects seized in terms of this section shall be destroyed.
(6)

The controller or his or her representative shall be liable for the payment
of the fines incurred by his or her agent or assignee.
34
Appeals
(1)

Any person aggrieved by the decision of the Authority may appeal to the
Administrative Court.
PART XII
ConseQuential amendments
35 Amendment of Chapter VIII of Cap. 9:23
(1

) The Criminal Law (Codification and Reform) Act [Chapter 9:23] (hereinafter
called the “principal Act”) is amended in section 162 by the repeal of the definitions of
“computer virus”, “data”, “essential service” and “owner” and the substitution of the
following definitions—

““acce
ss provider” means any person providing—
(

a)
a
n electronic data transmission service by transmitting information
provided by, or to, a user of the service in a communication
network; or
(b)

access to a communication network;
“caching provider” means any person providing an electronic data

transmission service by automatic, intermediate or temporary storage
of information performed for the sole purpose of making the onward
transmission of data to other users of the service upon their request
more efficient;
“child” means any p

erson under the age of eighteen years;
“child pornography” means any representation through publication,

exhibition, cinematography, electronic means or any other means
whatsoever, of a child engaged in real or simulated explicit sexual
activity, or any representation of the sexual parts of a child for primarily
sexual purposes;
“computer device” means any portable and non-portable electronic

programmable device used or designed, whether by itself or as part
of a computer network, a database, a critical database, an electronic
5
10
15
20
25
30
35
40
45
CYBER SECURITY AND DATA PROTE CTION

19
5
10
15
20
25
30
35
40
45
communications network or critical information infrastructure or any
other device or equipment or any part thereof, to perform predetermined
arithmetic, logical, routing or storage operations in accordance with
set instructions and includes—
(a)

input devices;
(b)

output devices;
(c)

processing devices;
(d)

computer data storage mediums;
(e)

programmes; and
(f)

other equipment and devices,

that
are related to, connected or used with, such a device or any part
thereof and “device” shall be construed accordingly;
“computer

data storage medium” means any device or location from which
data is capable of being reproduced or on which data is capable of
being stored, by a computer device, irrespective of whether the device
is physically attached to or connected with the computer device;
“computer system” means interconnected or related computer devices
, one or

more of which uses a programme to perform the automatic processing
of data, exchange data with each other or any other computer system
or connect to an electronic communications network;
“critical information infras

tructure” means computer systems, devices,
networks, computer programmes, computer data, so vital to the country
that the incapacity or destruction of or interference with such systems
and assets would have a debilitating impact on security, defence,
economic and international affairs, public health and safety, or to
essential services as defined in section 19 of the Criminal Law Code
including the banking system and “critical data” shall be construed
accordingly;
“cybercrime” means

any offence under this Act;
“data”

means any representation of facts, concepts, information, whether
in text, audio, video, images, machine-readable code or instructions,
in a form suitable for communications, interpretation or processing
in a computer device, computer system, database, electronic
communications network or related devices and includes a computer
programme and traffic data;
“hosti

ng provider” means any person providing an electronic data
transmission service by storing of information provided by a user of
the service;
“hyperlink”

means a characteristic or property of an element such as symbol,
word, phrase, sentence or image that contains information about another
source and points to and causes to display another document when
executed;
“information

and communications technologies” means a device or inter-
connected or related devices that are used or that are responsible for the
creation, transmission, receiving, processing or collation of digital data
by making use of computer, software, networking, telecommunications,
Internet, programming and information system technologies;
“information

system” means a device or inter-connected or related devices,
one or more of which uses a programme to automatically processes
CYBER SECURITY AND DATA PROTE CTION

20
5
10
15
20
25
30
35
40
45
computer data as well as computer data stored, processed, retrieved
or transmitted by that device or inter-connected or related devices for
the purposes of its or their operation, use, protection or maintenance;
“pornography” includes any representation, through publication, ex
hibition,

cinematography, electronic means or any other means whatsoever, of
a person engaged in real or simulated explicit sexual activity, or any
representation of the sexual parts of a person for primarily sexual
purposes;
“programme”

means data or a set of instructions which, when executed in
a computer, causes the computer to perform a function;
“remote

forensic tool” means an investigative tool including, software or
hardware, installed on or in relation to a computer system or part of
a computer system and used to perform tasks that include keystroke
logging or transmission of an IP-address;
“service provider” m

eans—
(

a)
any person that provides to users of its service the ability

to communicate by means of information communication
technology systems, and
(

b)
any person that processes or stores information and

communications data on behalf of such communications service
or users of such service;
and includes—
(c)

access, caching and hosting provider;
“system” means an arrangement

of data or one or more programmes which,
when executed, performs a function;
“traffic

data” means data relating to a communication by means of an
information communications system or generated by an information
communications system that forms a part of the chain of communications
indicating the communication’s origin, destination, route, format, time,
date, size, duration or type of the underlying service;
“utilise” in relation

to a remote forensic tool includes—
(a)

developing a remote forensic tool;
(b)

adopting a remote forensic tool; and
(c)

purchasing a remote forensic tool.”
(2)

The Principal Act is amended by the repeal of sections 163 to 166 and the
substitution of the following—
“PART I
offenCes relatinG to ComPuter systems , C omPuter d ata , d ata storaGe m ediums ,
d
ata Codes and d eviCes
163

Hacking

(1)

A person who—
(a)

knowing

or suspecting that he or she must obtain prior
authority to access the data, computer programme, computer
data storage medium, or the whole or any part of a computer
system in question; and
(

b)
intentionally

, unlawfully and without such authority, secures
access to such data, programme, medium or system;
CYBER SECURITY AND DATA PROTE CTION

21
5
10
15
20
25
30
35
40
45
shall be guilty of hacking and liable—
(c)

in any of the aggravating
circumstances described in section
13 to a fine not exceeding level 14 or to imprisonment for
a period not exceeding ten years or both such fine and such
imprisonment;
(d)

in
any other case, to a fine not exceeding level 10 or to
imprisonment for a period not exceeding five years or to
both such fine and such imprisonment.
(2) For the purposes of this section “sec

ure access” includes—
(a)

to
obtain, to make use of, gain entry into, view, display,
instruct or communicate with, or store data in or retrieve
data from;
(b)

to copy
, move, add, change or remove data, critical data or
a critical database, or otherwise to make use of, configure
or reconfigure any resources of a computer device, a
computer network, a database, a critical database, an
electronic communications network, a critical information
infrastructure, whether in whole or in part, including their
logical, arithmetical, memory, access codes, transmission,
data storage, processor or memory function, whether
physical, virtual, by direct or indirect means or by electronic,
magnetic, audio, optical or any other means;
“suspect”,

in relation to suspecting something to be the case,
means to realise that there is a real risk of possibility
that something is the case.

163A Unlawful acquisition of data
(1)

Any person who unlawfully and intentionally—
(a)

intercepts
by technical or any other means any private
transmission of computer data to, from or within a computer
network, computer device, database or information system or
electromagnetic emissions from a computer or information
system carrying such computer data;
(b)

overcomes
or circumvents any protective security measure
intended to prevent access to data; and
(c)

acquires data within a computer system or data which is
transmitted to or from a computer system;
shall be guilty of unlawful acquisition of

data and shall be
liable to a fine not exceeding level 14 or to imprisonment for
a period not exceeding five years or to both such fine and such
imprisonment.

(2)
Any person who unlawfully and intentionally possesses
data knowing that such data was acquired unlawfully shall be guilty of
unlawful possession of data and liable to a fine not exceeding level 14 or
to imprisonment not exceeding five years or to both such fine and such
imprisonment.
(3)

For the purposes of this section “acquire” includes to use,
examine, capture, copy, move to a different location or divert data to a
destination other than its intended location.
CYBER SECURITY AND DATA PROTE CTION

22

5
10
15
20
25
30
35
40
45

(4)
Any person who contravenes this section in any of the
aggravating circumstances described in section 13 shall be liable to a fine
not exceeding level 14 or to imprisonment for a period not exceeding ten
years or to both such fine and such imprisonment.
163B

Unlawful interference with data or da
ta storage medium
(1)

Any person who unlawfully and intentionally interferes with
computer data or a data storage medium by—
(a)

damaging,
corrupting, impairing or deteriorating computer
data; or
(b)

deleting computer data; or
(c)

altering computer data; or
(

d)
rendering com
puter data meaningless, useless or ineffective;
or
(e)

obstructing,
interrupting or interfering with the lawful use
of computer data; or
(f)

obstructing,
interrupting or interfering with any person in
the lawful use of computer data; or
(g)

denying,
hindering, blocking access to computer data to any
person authorised to access it; or
(h)

maliciously
creating, altering or manipulating any data,
programme or system in whole or in part which is intended
for installation in a computer;
shall

be guilty of an offence and liable to a fine not exceeding
level 10 or to imprisonment for a period not exceeding five years
or to both such fine and such imprisonment.
(2)

Any person who contravenes subsection (1) in any of the
aggravating circumstances described in section 13 is liable to a fine not
exceeding level 14 or to imprisonment for a period not exceeding ten
years or to both such fine and such imprisonment.
163C

Unlawful interference with computer
system

(1)
Any person who unlawfully and intentionally interferes
with the use of a computer or information system, computer device, an
electronic communications system or critical information infrastructure
by blocking, hindering, impeding, interrupting, altering or impairing the
functioning of, access to or the integrity of, a computer device, computer
or information system, an electronic communications network or critical
information infrastructure shall be guilty of unlawful interference with
computer or information system and liable to a fine not exceeding level
14 or to imprisonment not exceeding ten years or to both such fine and
such imprisonment.
(2)

Any person who contravenes subsection (1) in any of the
aggravating circumstances described in section 13 is liable to a fine not
exceeding level 14 or to imprisonment for a period not exceeding twenty
years or to both such fine and such imprisonment.
163D

Unlawful disclosure of data code
(1)

Any person who unlawfully and intentionally—
(a)

communicates,
discloses or transmits any computer data,
CYBER SECURITY AND DATA PROTE CTION

23
5
10
15
20
25
30
35
40
45
programme, access code or command or any other means of
gaining access to any programme or data held in a computer
or information system to any person not authorised to access
the computer data, programme, code or command for any
purpose;
(b)

activates
or installs or downloads a programme that is
designed to create, destroy, mutilate, remove or modify
any data, programme or other form of information existing
within or outside a computer or computer system; or
(

c)
c
reates, alters or destroys a password, personal identification
number, code or any method used to access a computer or
computer network;
shall be guilty of an offence and liable to a fine not exceeding
level 12 or imprisonment for a period not exceeding ten years or
both such fine or such imprisonment.

(2)

A person shall not be liable under this section if the action
is—
(a)

pursuant
to measures that can be taken in terms of section
39; or
(b)

authorised under the law
.
(3)

Where an offence under this section is committed in relation
to data that forms part of a database or that involves national security or
the provision of an essential service, the penalty shall be imprisonment
for a period not exceeding ten years.
(4) For the

purposes of this section, it is immaterial whether the
intended effect of the illegal interference is permanent or merely temporary.
163E

Unlawful use of data or devices

(1)

Any person who unlawfully and intentionally acquires,
possesses, produces, sells, procures for use, imports, distributes, supplies,
uses or makes available an access code, password, a computer programme
designed or adapted for the purpose of committing an offence or similar
data or device by which the whole or any part of a computer or information
system is capable of being accessed, for purposes of the commission or
attempted commission of an offence in terms of this Act, shall be guilty of
an offence and liable to a fine not exceeding level 12 or imprisonment for
a period not exceeding ten years or both such fine or such imprisonment.

(2)

Any person who unlawfully and intentionally assembles,
obtains, sells, purchases, possesses, makes available, advertises or uses
malicious software, programmes or devices for purposes of causing
damage to data, computer or information systems and networks, electronic
communications networks, critical information infrastructure or computer
devices shall be guilty of an offence and liable to a fine not exceeding
level 10 or imprisonment for a period not exceeding five years or both
such fine and such imprisonment.

(3)

Any person who contravenes this section in any of the
aggravating circumstances described in section 13 shall be liable to a
fine not exceeding level 12 or imprisonment for a period not exceeding
ten years or to both such fine and such imprisonment.
CYBER SECURITY AND DATA PROTE CTION

24
5
10
15
20
25
30
35
40
45
163F Aggravating circumstances

In this Part, an of
fence is committed in aggravating circumstances
if—
(a)

committed
in connection with or in furtherance of the
commission or attempted commission of a crime against
the State specified in Part III of the Criminal Law Code;
(b)

it
is intended for or results in damaging, destroying or
prejudicing the safe operation of an aircraft;
(c)

it is intended to conceal or disguise the proceeds of unlawful
dealing in dangerous drugs or the enjoyment thereof;
(d)

it results in defeating or obstructing the course of justice;
(e)

it
seriously prejudices the enforcement of the law by any
law enforcement agencies;
(

f)
any
computer, computer network, information
communications network data, programme or system
involved is owned by the State, a law enforcement agency, the
Defence Forces, the Prison Service, a statutory corporation
or a local authority;
(g)

the of
fence results in considerable material prejudice or
economic loss to the owner of the computer, computer
network, data, programme or system;
(h)

the
offence seriously interferes with or disrupts an essential
service; or
(

i)
the of
fence was committed in furtherance of organised crime
or the perpetrator was part of organised criminal gang.
PART II
offenCes relatinG to eleCtroniC CommuniCations and m aterials
164 T ransmission of data message inciting violence or damage to
property

Any person who unl
awfully by means of a computer or information
system makes available, transmits, broadcasts or distributes a data
message to any person, group of persons or to the public with intend
to incite such persons to commit acts of violence against any person or
persons or to cause damage to any property shall be guilty of an offence
and liable to a fine not exceeding level 10 or to imprisonment for a period
not exceeding five years or to both such fine and such imprisonment.
164A Sending threatening data message

An
y person who unlawfully and intentionally by means of a
computer or information system sends any data message to another
person threatening harm to the person or the person’s family or friends
or damage to the property of such persons shall be guilty of an offence
and liable to a fine not exceeding level 10 or to imprisonment for a period
not exceeding five years or to both such fine and such imprisonment.

CYBER SECURITY AND DATA PROTE CTION

25
5
10
15
20
25
30
35
40
45
164B Cyber-bullying and harassment

Any person who unlawfully and intentionally by means of a computer

or information system generates and sends any data message to another
person, or posts on any material whatsoever on any electronic medium
accessible by any person, with the intent to coerce, intimidate, harass,
threaten, bully or cause substantial emotional distress, or to degrade,
humiliate or demean the person of another or to encourage a person to
harm himself or herself, shall be guilty of an offence and liable to a fine
not exceeding level 10 or to imprisonment for a period not exceeding ten
years or to both such fine and such imprisonment.
164C

T
ransmission of false data message intending to cause
harm

Any person who unlawfully and intentionally by means of a computer

or information system makes available, broadcasts or distributes data to
any other person concerning an identified or identifiable person knowing
it to be false with intend to cause psychological or economic harm shall
be guilty of an offence and liable to a fine not exceeding level 10 or to
imprisonment for a period not exceeding five years or to both such fine
and such imprisonment.
164D

Spam

Any person who intentionally and without lawful excuse—
(a)

uses a protected
computer system to relay or retransmit
multiple electronic mail messages, with the intent to deceive
or mislead recipients or any electronic mail or internet service
provider as to the origin of such messages; or
(

b)
materially
falsifies header information in multiple electronic
mail messages and initiates the transmission of such
messages.

shall
be guilty of an offence and liable to a fine not exceeding level 5 or
to imprisonment for a period not exceeding one year or to both such fine
and such imprisonment.

164E

Transmission of intimate images without consent
(1)

Any person who unlawfully and intentionally by means of a
computer or information system makes available, broadcasts or distributes
a data message containing any intimate image of an identifiable person
without the consent of the person concerned causing the humiliation or
embarrassment of such person shall be guilty of an offence and liable to a
fine not exceeding level 10 or to imprisonment for a period not exceeding
five years or to both such fine and such imprisonment.

(2) For the purposes of subsection (1) “intimate

image” means
a visual depiction of a person made by any means in which the person
is nude, the genitalia or naked female breasts are exposed or sexual acts
are displayed.
1

64F
Pro
duction and dissemination of racist and xenophobic
material

Any person who unlawfully
and intentionally through a computer
CYBER SECURITY AND DATA PROTE CTION

26
5
10
15
20
25
30
35
40
45
or information system—
(a)

produces or causes to be produced racist or xenophobic
material for the purpose of its distribution;

(b)

of
fers, makes available or broadcasts or causes to be offered,
made available or broadcast racist or xenophobic material;
(

c)
distributes or transmits or causes to be distributed or

transmitted racist or xenophobic material;
(

d)
uses language that tends to lower the reputation or feelings of

persons for the reason that they belong to a group of persons
distinguished on the grounds set out in section 56(3) of the
Constitution or any other grounds whatsoever, if used as a
pretext for any of these factors;

shall
be guilty of an offence and liable to a fine not exceeding
level 14 or to imprisonment for a period not exceeding ten years
or to both such fine and such imprisonment.
164G

Identity-related of
fence

Any person who unlawfully and intentiona
lly by using a computer
or information system acquires, transfers, possesses or uses any means o
f
identification of another person with the intent to commit, or to assist in
connection with the commission of an offence shall be guilty of an offence
and liable to a fine not exceeding level 10 or imprisonment for a period
not exceeding five years or to both such fine and such imprisonment.

PART III
offenCes aGainst Children and ProCedural law
165 Child pornography

Any person who unlawfully
and intentionally, through a computer
or information system—
(a)

produces child pornography;
(b)

of
fers or makes available child pornography;
(c)

distributes or transmits child pornography;
(d)

procures or obtains child pornography for oneself or for
another person;
(e)

possesses child
pornography on a computer system or a
computer-data storage medium;
(f)

knowingly
obtains, accesses or procures child pornography;
shall

be guilty of an offence and liable to a fine not exceeding level 14 or
to imprisonment for a period not exceeding ten years, or both such fine
and such imprisonment.
165A Exposing children to pornography

Any person who unlawfully
and intentionally through a computer
or information system—
(a)

makes pornographic material available to any child; or
(b)

facilitates
access by any child to pornography or displays
pornographic material to any child;
CYBER SECURITY AND DATA PROTE CTION

27
5
10
15
20
25
30
35
40
45
with or without the intention of lowering the child’s inhibitions
in relation to sexual activity or inducing the child to have sexual
relations with that person;
shall

be guilty of an offence and liable to a fine not exceeding level 14
or to imprisonment for a period not exceeding five years or to both such
fine and such imprisonment.
165B

Search and seizure
(1) In this section “seize” includes—
(a)

taking possession of or securing a computer;
(

b)
securing a computer system or part thereof or a computer
-data
storage medium;
(c)

taking a printout or output of computer data;
(d)

making
and retaining a copy of computer data, including
through the use of use of onsite equipment;
(e)

activating
any onsite computer system or computer data
storage media;
(f)

maintaining
the integrity of any stored relevant computer
data;
(g)

rendering
inaccessible or removing computer data in the
accessed computer system.
(2)

A magistrate may, on an application by a police officer
in the prescribed form, that specified computer data or a printout or
other information is reasonably required for the purpose of a criminal
investigation or criminal proceedings, order that—
(

a)
a person in Zimbabwe in control of the relevant computer

system produce from the system specified computer
data or a printout or other intelligible output of that
data; or
(

b)
a
n electronic communications service provider in
Zimbabwe produce information about persons who
subscribe to or otherwise use the service.
(3)

An application referred to in subsection (1) shall be supported
by an affidavit in which the police officer shall set out the offence being
investigated, the computer system in which it is suspected to be stored,
the reasonable grounds upon which the belief is based, the measures that
will be taken in pursuance of the investigation and the period over which
those measures will the taken.
(4)

A police officer granted a warrant in terms of this section
may—
(a)

if there are reasonable grounds
to believe that computer
data concerned is susceptible to loss, alteration, deletion,
impairment or modification, by written notice given to a
person in control of the computer data, require the person
in control of the data to ensure that the data specified in the
notice is preserved for a period not exceeding seven days
as may be specified in the notice which period may be
extended, on an application to a magistrate, for such period
as the magistrate may grant;
CYBER SECURITY AND DATA PROTE CTION

28
5
10
15
20
25
30
35
40
(b) by written notice to a person in control of the computer
system or information system concerned, require the person
in control thereof to disclose relevant traffic data concerning
specified communications in order to identify—
(i)

the service providers; or
(

ii)
the path through which the communication was

transmitted.
(5)

Any person who does not comply with the order given in
terms of this section shall be guilty of an offence and liable to a fine.

165C

Expedited preservation
(1)

A magistrate may, on an application by a police officer in the
prescribed form, that there are reasonable grounds to suspect or believe
that traffic data associated with a specified communication is required
for the purposes of a criminal investigation—
(a)

order any person in control of such data to—
(i)

collect,
record or preserve the traffic data associated
with a specified communication during a specified
period; or
(ii)

permit
and assist a specified police officer to collect
or record that data.
(b)

authorise
the police officer to collect or record traffic data
associated with a specified communication during a specified
period through the use of any appropriate technological
means.
(2) Sectio

n 33(3) shall apply mutatis mutandis to an application
in terms of this section.
PART IV
General Provisions
166 Obligations and immunity of service pr oviders
(1)

An electronic communications network or access service
provider shall not be criminally liable for providing access or transmitting
information through its system if such service provider has not—
(a)

initiated the transmission; or
(b)

selected the receiver of the transmission; or
(

c)
se
lected or modified the information contained in the
transmission.
(2)

The provision of access or the transmission referred to in
subsection (1) shall include the automatic, intermediate and transient
storage of the information transmitted in so far as this takes place for
the sole purpose of carrying out the transmission in the communication
network, and the information is not stored for any period longer than is
reasonably necessary for the transmission.

(3)
A hosting provider shall not be criminally liable for the
information stored at the request of a user of the service if the hosting
CYBER SECURITY AND DATA PROTE CTION

29
5
10
15
20
25
30
35
40
45
provider—
(a)

promptly
removes or disables access to the information
after receiving an order from any court of law to remove
specific stored illegal information; or
(b)

in
any other manner, obtains knowledge or becomes aware
of any illegal information stored, promptly informs the
appropriate authority to enable it to evaluate the nature
of the information and if necessary, issue an order for its
removal.
(4) Subsection

(3) shall not apply where the user of the service
is acting under the authority or the control of the hosting provider.
(5)

Where the hosting provider removes the content after receiving
an order pursuant to sub-section (3), no liability shall arise from the
contractual obligations with the user with regard to the availability of
the service.
(6)

A hosting provider who fails to remove or disable access to
information in terms of subsection (3) shall be guilty of an offence and
liable to a fine not exceeding level 8 or to imprisonment for a period not
exceeding two years or to both such fine and such imprisonment.

(7)
A caching provider shall not be criminally liable for the
automatic, intermediate or temporary storage of information where
the caching was performed for the sole purpose of making the onward
transmission of the information to other users of the service upon their
request more efficient if the caching provider—
(a)

does not modify the information;
(b)

complies with conditions of access to the information;
(

c)
complies wi
th rules regarding the updating of the information,
specified in a manner widely recognised and used by industry;
(d)

does not interfere
with the lawful use of technology, widely
recognised and used by industry, to obtain data on the use
of the information; and
(

e)
acts promptly to remove or to disable access to the information

it has stored upon obtaining knowledge that the information
has been removed from the network at the initial source of
the transmission, or that access to it has been disabled, or
that a court or an appropriate public authority has ordered
such removal or disablement.
(8)

A caching provider who contravenes the conditions set out
in subsection (7) shall be guilty of an offence and liable to a fine not
exceeding level 8 or to imprisonment for a period not exceeding two
years or to both such fine and such imprisonment.
(9)

An internet service provider who enables access to information
provided by a third person by providing an electronic hyperlink shall not
be criminally liable with respect to the information if the internet service
provider—
(a)

promptly removes or disables access to the information
after
receiving an order from an appropriate public authority or
court to remove the link; or
CYBER SECURITY AND DATA PROTE CTION

30
5
10
15
20
25
30
35
40
45
(b) through other means, obtains knowledge or becomes aware
of stored specific illegal information promptly informs the
appropriate authority to enable it to evaluate the nature of the
information and if necessary issue an order for its removal.
(10)

An internet service provider who fails to promptly remove
or disable access to information in terms of subsection (9) shall be
guilty of an offence and liable to a fine not exceeding level 8 or to
imprisonment for a period not exceeding two years or both such fine
and such imprisonment.
(

11) Any service provider who knowingly enables access to, stores,
transmits or provides an electronic hyperlink to, any information with
knowledge of the unlawfulness of the content of any such information
shall be guilty of an offence and liable to a fine not exceeding level 14 or
to imprisonment not exceeding a period of ten years or to both such fine
and such imprisonment.
166A

Jurisdiction
(1)

A court in Zimbabwe shall have jurisdiction to try any offence
under this Act where the offence was committed wholly or in part—
(a)

within Zimbabwe
or by any person in or outside Zimbabwe
using a computer or information system or device, software
or data located in Zimbabwe; or
(b)

on a ship or aircraft registered in Zimbabwe; or
(c)

by a national
or permanent resident of Zimbabwe or a
person carrying on business in Zimbabwe, whether or not
the offence is committed in Zimbabwe; or
(d)

by a national
or permanent resident of Zimbabwe or a
person carrying on business in Zimbabwe and the offence is
committed outside Zimbabwe, if the person’s conduct also
constitutes an offence under the law of the country where
the offence was committed and harmful effects were caused
in Zimbabwe; or
(e)

by any person, regardless
of the location, nationality or
citizenship of the person—

(i)
using a
computer or information system or device,
software, or data located within Zimbabwe; or
(ii)

directed
against a computer or information system or
device, software or data located in Zimbabwe.
166B

Admissibility of electronic evidence
(1) In any criminal

proceedings for an offence in terms of this Act,
evidence generated from a computer system or by means of information
and communications technologies or electronic communications systems
shall be admissible in court.

(2) In assessing the admissibility
or evidential weight of the
evidence, regard shall be given to—
(a)

the reliability
of the manner in which the evidence was
generated, stored or communicated;
CYBER SECURITY AND DATA PROTE CTION

31
5
10
15
20
(b) the integrity of the manner in which the evidence was
maintained;
(

c)
the manner in which the originator or recipient of the evidence

was identified; and
(d)

any other relevant factors.

(4)
The authentication of electronically generated documents
shall be as prescribed in rules of evidence regulating the integrity and
correctness of any other documents presented as evidence in a court of
law.
(5)

This section shall apply in addition to and not in substitution
of any other law in terms of which evidence generated by computer
systems or information and communications technologies or electronic
communications systems or devices may be admissible in evidence.
166C

Forfeiture

A
court convicting any person of an offence under this Act may
order the forfeiture to the State of—
(a)

any money
, asset or property constituting or traceable to the
gross proceeds of such offence; and
(b)

any
computer or information system, software or other
devices used or intended to be used to commit or to facilitate
the commission of such offence.
166D

Guidelines

The Cyber security Committee may
, with the approval of the
Minister, issue such guidelines as may be necessary for the carrying out
of the provisions of this Act as it relates to its functions under this Act.”.
CYBER SECURITY AND DATA PROTE CTION