Notification obligations arising from personal data breaches in Tanzania: Key considerations for entities

  • Insight Article 09 February 2026
  • Africa

  • Regulatory movement

The rising frequency and sophistication of cyber incidents have placed personal data breaches under heightened regulatory scrutiny in Tanzania. With the enactment of the Personal Data Protection Act, Chapter 44, Revised Edition 2023 (the PDP Act) and the Personal Data Protection (Collection and Processing) Regulations, Government Notice Number 449C of 2023 (the Collection and Processing Regulations), entities that collect and/or process personal data are now subject to clearer and more stringent legal obligations in the event of a personal data breach.

One of the most important obligations imposed on data controllers and data processors is the requirement to assess, and where applicable, notify the Personal Data Protection Commission (the Commission) of a personal data breach without undue delay. 

This legal update examines the notification obligations under the PDP Act and the Collection and Processing Regulations, including what constitutes a notifiable personal data breach, who is required to notify and the recipients of such notification, the required contents of breach notifications, and the key practical considerations for entities when responding to and mitigating a data breach.

What constitutes a notifiable personal data breach?

Section 27(5) of the PDP Act requires a data controller to notify the Commission, without undue delay, of any security breach affecting personal data processed by or on behalf of the data controller. Although the PDP Act does not explicitly define “security breach”, it can generally be interpreted to mean any incident resulting in unauthorised access to, disclosure of, loss of, or compromise of personal data, whether accidental or intentional. Such incidents may include unauthorised access, accidental or unlawful disclosure, loss, alteration, or destruction of personal data, as well as failures in the technical or organisational safeguards designed to protect it.

Unlike some international frameworks, such as the European Union (EU) General Data Protection Regulation (GDPR) of 2016, where notification is required only if the breach is likely to pose a risk to the rights and freedoms of data subjects, section 27(5) of the PDP Act does not condition notification on the level of harm or risk. Under the PDP Act, a breach becomes notifiable once a security incident affecting personal data has occurred, irrespective of whether any actual harm has resulted.

With regard to the timeline for notification, the PDP Act requires that notification be made “without undue delay”; however, it does not provide further guidance on what constitutes undue delay. While the term “undue delay” is not defined under the PDP Act, comparable data protection regimes in neighbouring jurisdictions generally interpret this requirement as a period ranging from 48 hours to 72 hours.

Who is required to notify and the recipients of such notification?

Under section 27(5) of the PDP Act, the data controller is primarily responsible for notifying the Commission of a personal data breach. Data processors must promptly inform the controller of any breach to enable timely reporting. Where a single entity acts as both controller and processor, it bears full responsibility for detecting, managing and reporting the breach directly to the Commission without undue delay.

The PDP Act does not provide an obligation to notify data subjects. However, as a matter of good practice, affected data subjects should also be informed, particularly where the breach is likely to result in harm or adversely affect their rights, so as to enable them to take appropriate protective measures.

What should a breach notification include?

The Commission provides a prescribed format for reporting personal data breaches to ensure consistency and compliance. A complete personal data breach notification is required to include the following:

  • details of the data controller and/or data processor;
  • summary of the data breach;
  • assessment of the data breach;
  • notifications and communications;
  • root cause analysis;
  • technical and organisational measures;
  • identified areas for improvement;
  • supporting documentation; and
  • declaration of the data controller or processor.

Key practical considerations for entities when responding to and mitigating a data breach

Data controllers and/or data processors are required to adopt a structured approach to manage personal data breaches and ensure timely assessment and notification. Key actions include:

  • prompt assessment and reporting of the breach to the Commission;
  • coordination through a dedicated breach response team; 
  • comprehensive record-keeping;
  • communication with affected data subjects where necessary;
  • review and reinforcement of technical and organisational security measures;
  • root cause investigation and corrective actions to prevent recurrence; and
  • applying lessons learned to update internal policies and incident response plans.

Conclusion

Non-compliance with personal data breach notification obligations under the PDP Act carries significant penalties under regulation 63 of the Collection and Processing Regulations. These include a fine of Tanzanian Shillings (TZS) 100,000 (approximately United States Dollars (USD) 41) up to TZS 5,000,000 (approximately USD 2,030) or imprisonment for a term not exceeding five (5) years. In some instances, both a fine and imprisonment may be imposed.