Protection of Personal Data in Tanzania: Addressing the Unlawful Repurposing of Personal Data

In today’s digital age, personal data is both a valuable and vulnerable asset. Despite its importance, personal data is often misused or repurposed beyond its original intent, threatening transparency and lawful governance.

From a legal perspective, personal data can be defined as data about an identifiable person that is recorded in any form, including:

(a) personal data relating to the race, national or ethnic origin, religion, age, or marital status of the individual;

(b) personal data relating to the education, medical, criminal, or employment history;

(c) any identifying number, symbol, or other particular assigned to the individual;

(e) the name of the individual appearing on the personal data of another person relating to the individual or where the disclosure of the name itself would reveal personal data about the individual; and

(f) correspondence sent to a data controller by the data subject that is explicitly or implicitly of a private or confidential nature and replies to such correspondence that would reveal the contents of the original correspondence and the views or opinions of any other person about the data subject.

In Tanzania, repurposing of personal data is governed by the Personal Data Protection Act, Chapter 44, Revised Edition 2023 (the PDP Act), and the Personal Data Protection (Personal Data Collection and Processing) Regulations, GN No. 449C of 2023 (the Collection and Processing Regulations).

This article outlines the legal framework governing the repurposing of personal data, provides practical examples of how personal data may be repurposed, and examines the legal consequences of doing so without compliance with applicable laws.

What is repurposing of personal data?

Although the PDP Act does not expressly define repurposing of personal data, it may be understood to refer to the use of personal information for a purpose other than that for which it was originally collected.

What constitutes unlawful repurposing of personal data?

Unlawful repurposing of personal data arises when such data is used for purposes other than those for which it was originally collected, without the explicit consent of the data subject or another valid legal basis.

The following examples demonstrate common scenarios where personal data may be used for purposes beyond those originally intended, often without the knowledge or consent of the individuals concerned:

(a) personal identification documents collected by Government agencies for national registration purposes are sometimes repurposed to profile citizens for unrelated surveillance purposes;

(b) telecommunications companies using customers’ registration information to send promotional messages without first obtaining their consent; and

(c) hospitals or research institutions may at times repurpose patient data for research or commercial purposes without obtaining the patients’ consent.

Data repurposing under the Tanzania legal framework

Section 25 of the PDP Act stipulates that personal data must be used for its intended purpose only. The repurposing of personal data is permissible only if:

(a) the data subject authorises the use of the personal data for that other purpose;

(b) the use of the personal data for that other purpose is authorised or required by law (explained below);

(c) the purpose for which the personal data is used is directly related to the purpose for which the personal data was collected;

(d) the personal data is used:

      (i) in a form in which the data subject is not identified; or
      (ii) for statistical or research purposes and is not published in a form that could reasonably be expected to identify the data subject.

Furthermore, regulation 30 of the Collection and Processing Regulations reinforces the principle of storage limitation, requiring that personal data be retained only for as long as is necessary to fulfil its original purpose. Once that purpose has been achieved, the data should neither be repurposed nor retained without justification.

Practical approach

The question on what constitutes a “new purpose authorised by law” presents a significant challenge in distinguishing between a lawful continuation of the original purpose and an unlawful repurposing of personal data that requires fresh consent. Regulation 28(b) of the Collection and Processing Regulations reinforces the principles of proportionality and necessity in data processing, requiring data controllers and processors to collect and use  personal data that is only necessary for the specific and  intended purpose without exceeding the required purpose.

Where a data controller or processor intends to process personal data for a purpose other than that for which it was originally collected, they must demonstrate that the new purpose is compatible, necessary, and reasonable. If this cannot be established, the data controller or processor must rely on a lawful basis for the new processing or obtain fresh, explicit consent from the data subject. Failure to do so may amount to unlawful repurposing of personal data under the PDP Act and the Collection and Processing Regulations.

Conclusion 

Unlawful repurposing of personal data is a serious violation of the PDP Act and the Collection and Processing Regulations. Individuals may face fines of between Tanzanian Shillings (TZS) 100,000 (approximately USD 41) to TZS 20,000,000 (approximately USD 8,197) or imprisonment for up to ten (10) years. Furthermore, organisations risk a fine of between TZS 1,000,000 (approximately USD 410) to TZS 5,000,000,000 (approximately USD 2,049,180), with responsible officers held personally liable. This underscores the importance of processing personal data solely for its intended purpose, supported by proper consent and robust safeguards.