Population: 16,591,390

Capital: Lusaka

President: Edgar Lungu

2020 Freedom House Score: 54/100

Data protection law? Partial, enforced

Data protection and privacy matters in Zambia currently fall under the scope of the Electronic Communications and Transactions Act, No. 21 of 2009 (ECTA). However, recognising the shortcomings of the ECTA, the Cabinet has approved the introduction of the Data Protection (Repeal) Bill, 2018 to Parliament, with the goal of repealing and replacing the ECTA. This bill has yet to become law. 

Under the ECTA, personal information is information about an identifiable individual, including, but not limited to:  

• information relating to the race, gender, pregnancy, marital status, nationality, ethnic or social origin, colour, age, physical or mental health, well-being, disability, religion, belief, culture, language and birth; 
• information relating to education, medical, financial transaction, criminal or employment history; 
• any identifying number, symbol, or other identifier assigned to the individual; 
• address, fingerprints or blood type; 
• personal opinions, views or preferences of the individual, except where they are about another individual or about a proposal for a grant, an award of a prize to be made to another individual; 
• correspondence sent by the individual that is implicitly or explicitly of a private or confidential nature, or further correspondence that would reveal the contents of the original correspondence; 
• views or opinions of others about the individual; 
• views or opinions on grant proposals, awards, or prizes granted to another individual, provided such views or opinions are not associated with the other individual’s name; and 
• an individual’s name, in combination with other personal data, or alone, if could reasonably be linked to personal data (unless a person has been deceased for more than 20 years). 

When collecting and processing personal information, data controllers must: 

• obtain express written consent from the data subject to collect, collate, process or disclose any of the data subject’s personal information, unless otherwise permitted or required by law; 
• only electronically request, collect, collate, process or store personal information on a data subject necessary for the lawful, required purpose; 
• disclose, in writing, to the data subject the specific purpose for which any personal information is being requested, collected, collated, processed or stored; 
• not use any personal information for any purpose other than the disclosed purpose, without express written permission from the data subject, unless permitted or required by law; 
• keep a record of the personal information and the specific purpose for collection for as long as the personal information is used, but no less than one year; 
• not disclose any personal information held by the data controller to a third party unless required or permitted by law or specifically authorised in writing by the data subject; 
• keep a record of any third party to whom the personal information was disclosed and of the date on which, and the purpose for which, it was disclosed for as long as the personal information is used, but no less than one year; 
• delete or destroy all personal information, except as otherwise provided under the ECTA or any other law; and 
• only use personal information to compile profiles for statistical purposes and trade with such profiles and statistical data if a third party cannot link the profiles or statistical data to any specific data subject. 

The Zambia Information and Communication Technology Authority is responsible for enforcing the ECTA, but there is no requirement under the ECTA for data protection officers to be appointed or for data controllers to register with the Authority. There are, however, penalties for violations of the ECTA. An individual could face a fine of up to five hundred thousand penalty units (approx. US$12,712), a term of imprisonment no longer than five years, or both. A corporation or an unincorporated body could face a fine of up to one million penalty units (approx. US$25,424). 

Barring certain exceptions, Zambian law mandates the consent of the person whose data is to be transferred. 

There are no breach notification requirements in Zambia. 

Remember to include as much information as possible in your complaint, including:

• the name of the party that processed the data;
• their contact details, if known;
• a brief description of the violation; and
• the specific remedy that you are requesting.

E-mail your complaint to ZICTA: [email protected]