ZAMBIA
DATA PROTECTION FACTSHEET
-
Population: 18,383,956
Capital: Lusaka
President: Hakainde Hichilema
2021 Freedom House Score: 52/100
Data protection law? Yes, with data protection authority appointed
-
Privacy enshrined in Constitution: Yes, the right to privacy is protected in Article 17 of the Constitution.
DPA legislation: In 2021, Zambia passed the Data Protection Act No. 3 of 2021 (‘the Act’), which entered into effect on 1 April 2021 when the Commencement Orders were published in the Government Gazette. The Act is now the primary legislation regulating data protection and privacy matters in Zambia, although a number of other pieces of legislation cover relevant topics, such as the Electronic Communications and Transactions Act No. 4 of 2021 (‘ECTA’), the Cyber Security and Cyber Crimes Act No. 2 of 2021 (‘the CSCC Act’), and the Information and Communications Technologies Act No. 15 of 2009 (‘the ICT Act’), which together provide a comprehensive regulatory environment in Zambia. The Act establishes the office of the Data Protection Commissioner within the Ministry of Communications, although the office has not yet become operational.
The Act gives data subjects the right to confirm whether their data is being processed, to access information about the processing of their data, such as the purpose, the envisaged period, and the source of the data, to obtain a copy of the data, to receive information about the logic involved in any automatic processing of their data, and to be notified if their data is disclosed to third parties. The data subject also has the right to rectification of inaccurate data, to complete data that is incomplete, and to the erasure of data where it is no longer necessary for the purpose for which it was collected, or the data subject withdraws consent or objects to the processing on legitimate grounds.
-
ICCPR: Acceded
Council of Europe Convention 108: No
Council of Europe Convention 185: No
Malabo Convention: Signed
ECOWAS Supplementary Act on Personal Data Protection: No
Council of Europe Additional Protocol to Convention 108 (Treaty No. 181): No
-
Applies to natural persons: Yes
Applies to juristic persons: Yes
Applies to public entities: Yes
Domestic/personal purposes exclusion: Yes
National security exclusion: Partial
Law enforcement exclusion: Partial
Cabinet or Executive Council exclusion: No
Judicial functions exclusion: Partial
Journalistic, literary or artistic purposes exclusion: Partial
Temporary copies exclusion: No
Other exclusion(s): No
Broad or vague exclusions: No
Applies to foreign entities: No
Excludes foreign entities that only transit personal data through the country: No
-
Under the Act, personal data is defined as information relating to an individual who can be directly linked to, or indirectly identified from, that data, such as:
- A name;
- An identification number;
- Location data;
- An online identifier; or
- One or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
-
The Act requires that all data controllers and processors register as such with the Data Protection Commissioner.
It also requires that when collecting and processing personal information, data controllers must:
- Process data lawfully, fairly, and transparently;
- Collect data only for specific purposes and ensure the data is relevant and limited to what is necessary for that purpose;
- Ensure the data is accurate and kept up to date;
- Keep personal information only for as long as it is used for, and relevant to, the specific purpose for which it was collected, and for one year after that period;
- Ensure appropriate security of the personal data;
- Keep a record of the purpose and processing for which personal data was collected and any third parties to which it was disclosed; and
- Not disclose personal data they have collected without the consent and notification of the data subject, or in other narrow circumstances.
The Act places additional restrictions on the processing of sensitive personal data, defined as personal data which by its nature may be used to suppress the data subject’s fundamental rights and freedoms, including but not limited to:
- The race, marital status, ethnic origin or sex of a data subject;
- Genetic data and biometric data;
- Child abuse data;
- A data subject’s political opinions;
- A data subject’s religious beliefs or other beliefs of a similar nature;
- Whether a data subject is a member of a trade union; or
- A data subject’s physical or mental health, or physical or mental condition.
-
Notification that data is being processed: Yes
Notification to DPA in event of data breach: Yes
Notification to data subject in event of data breach: Yes
Timeframe for notification is specified: Partial
Exceptions exist to breach notifications: No
Requires a data processing register: Yes
Register is publicly available: Yes
Provides for terms of service icons: No
DPA must submit at least annual report: No
DPA report is made public: NA
-
Explicit provision for civil liability: Yes
Established/designates a Data Protection Authority: Yes
DPA is empowered to investigate: No
DPA is empowered to subpoena or request evidence: No
Law provides for criminal penalties: Yes
Law provides for administrative penalties: Yes
DPA is independently structured (does not exist within or receive instructions from another public body): No
DPA receives funding directly from the state budget/legislative body: Unclear
DPA may receive some forms of external funding/own revenue: Unclear
Adequate protections against undue removal: Unclear
Number of members in DPA: Unclear
Maximum term length for members of the DPA (years): Unclear
-
Right of data subject to access a copy of their personal data: Yes
Right of data subject to request a correction of data: Yes
Right of data subject to request deletion of data: Yes
Justification required for a request for deletion: Yes
Defines the requirements for consent: Yes
DPA is mandated to participate in policy formulation: Yes
-
Personal data may be transferred to another country if the data subject has consented and the transfer is made subject to standard contracts or intragroup schemes that have been approved by the Data Protection Commissioner, if the Minister has prescribed that transfer is permissible, or if the particular transfer has been authorised by the Data Protection Commissioner. Where the Minister determines that the personal data is subject to an adequate and effective level of protection, criteria for transfers may be prescribed. The Act provides other specific circumstances in which cross-border transfers may be allowed as well. Sensitive personal data may not be transferred outside Zambia without the consent of the data subject.
-
Provides a right not to be subject to automated decision-making: Yes
Page last updated: 23 May 2022