Tanzania: The Personal Data Protection Act of 2022

The Personal Data Protection Act No. 11 of 2022 (the Act) was passed on 1 November 2022 as a recognition to the right to privacy and personal security enshrined under Article 16 of the Constitution of the United Republic of Tanzania, 1977. The Act sets minimum requirements for the collection and processing of personal data in Tanzania. It is crucial to note that the commencement of the Act is subject to publication of a notice by the Minister of Information, Communication and Information Technology setting out a date from which the Act will take effect. As of the date of this legal update, the notice of commencement of the Act is yet to be published. In this update, we provide an overview of the Act and analyse the mechanisms put in place to ensure the protection of personal data as collected and processed for various purposes.

Application of the Act

The Act applies to both public and private institutions with the responsibility to collect and process personal data in Tanzania. Undeniably, the protection of personal data existed before the enactment of the Act, however, the Act comes in to strengthen such protection and provide specific remedies for breach in relation to personal data.

Parties which accumulate significant data will no doubt query whether they are covered by the Act or not. Would a law firm or an accountancy firm be covered by the Act for example? Both institutions accumulate data and sensitive information. Would they qualify as Data Collectors or Data Processors for example? As the Act has just been published and is not yet in force, there are currently no accompanying Regulations which provide specific clarity on the matter. What is clear is that if one is an institution which collects data for statistics for example or market surveys then one is likely covered. We will prepare an additional legal update once further information becomes available from the relevant Ministry.

Key Interpretations

The following key terms have been defined in the Act:

“Child” means a person below the age of eighteen years;

“Code of ethics” means the code that sets out the ethics and restrictions on collectors and processors of personal data prepared in accordance with the Act;

“Data collector” means a person, body corporate or a public institution which either alone or in conjunction with another institution determine the purpose and methodology of personal data processing and where such methods have been prescribed by law;

“Data processor” means a person, body corporate or public institution which processes personal data for and on behalf of the data collector under the guidance of the data collector, except persons under the direct control of the data collector, and includes their agents;

“Data subject” means a person whose personal data is being processed in accordance with the Act;

“Minister” means the minister responsible for communications;

“Personal data” means information of an identifiable person stored in any form, which includes:

• personal information concerning the colour, nationality or tribe, religion, age, or marital status of an individual;
• personal information about education, medical history, crime, or employment;
• any identification number or mark which identifies a person;
• address, fingerprint or blood group of an individual;
• a name of a person which appears on another person's personal data to whom they are related or where disclosure of such name would reveal personal information; and
• information which is sent to a personal data collector which is clearly personal or confidential, and a response to such information may reveal the content of a prior information, and the views of any other person about the data subject.

“Personal data protection officer” means a person appointed by a data collector or processor and given the responsibility to ensure the implementation of obligations specified in the Act;

“Recipient” means a person, entity or public institution who receives personal information from the collector;

“Sensitive personal data” means:

• information concerning Deoxyribonucleic Acid (DNA), children, crime, financial transactions of an individual, security and biometric information;
• in the case of processed information, personal information which indicates race or tribe, political ideology, religious or philosophical beliefs, trade union membership, gender, health data or sexual relationships; and
• any personal information which is considered to have a significant impact on the rights of the data subject according to the laws of Tanzania; and

“Transfer of personal data abroad” means the transfer of personal data across countries through electronic means or any other means.

Objectives of the Act

The Act was prepared in order to ensure that the collection and processing of personal data is strictly controlled. This is achieved through establishing legal and institutional arrangements for the protection of such information. According to the Act, data collectors and processors shall ensure that personal information:

• is processed lawfully, fairly and transparently;
• is collected for a specified legitimate purpose and not processed for any other purpose;
• is sufficient for the purpose of processing in accordance with the intended purpose;
• is correct and where necessary improved by taking all necessary measures to ensure that the incorrect information is deleted and replaced without delay;
• is stored in a manner which allows identification of the data subject for a period not exceeding that which is necessary;
• is collected in accordance with the rights of the data subject;
• is processed in a manner that will safeguard its security; and
• is not transferred outside the United Republic of Tanzania contrary to the provisions of the Act.

Data Protection Authorities

The Act establishes a Personal Data Protection Commission (the Commission) which is a body corporate with perpetual succession and common seal. The Commission shall be capable of doing the following in its own name:

• acquiring and holding movable property, to dispose of property and to enter into a contract or other transactions;
• suing and being sued; and
• doing all other acts and things which bodies corporate may lawfully do or suffer to do, for the proper performance of its functions under the Act.

The Commission is tasked with various functions which include:

• monitoring the compliance of data collectors and processors with the Act;
• registration of data collectors and processors;
• receiving, investigating and handling complaints on the breach of data protection and the right to privacy; and
• researching and monitoring technological development in relation to data processing.

Furthermore, the Act establishes a Board of the Commission with the duty to provide guidelines for the management of the Commission, to approve the Commission’s investment plans and performance reports, among others.

Registration of Data Collectors and Processors

The Act provides a strict requirement for any person who intends to collect or process data in Tanzania to be registered by the Commission. Registration is initiated through an application made to the Commission which will either accept or reject the application. Upon acceptance, the Commission will issue a certificate of registration and where rejected, the Commission will provide its reasons for the decision in writing.

An issued certificate of registration shall be valid for a period of five years from the date of issuance. The Act directs that all applications for renewal be made three months before the expiry of the registration period. The Act further provides a leeway for the Commission to cancel an issued certificate of registration.

Data Collection, Use, Disclosure and Retention

The Act directs that personal information be collected where necessary and for a legitimate purpose. To ensure accuracy of information, the Act places a duty on data collectors to take necessary steps to confirm that data collected is complete, correct and consistent with the content for which it was collected. Such steps are necessitated prior to using the collected data.

According to the Act, data collected may only be disclosed under the following circumstances:

• where the data subject has consented to such disclosure;
• where authorised or required by law;
• where disclosure is directly related to the purpose for which such data was collected;
• where such disclosure would preserve health or reduce harm to another person or the society; and
• where disclosure is necessary in compliance with the law.

Disclosure of information may also be permitted where:

• the data subject is not identified; or
• for statistical or research purposes, where it is guaranteed that such data will not be published in a manner that will identify the data subject.

Additionally, data collectors are required to maintain a proper security system dedicated to ensuring that the data collected is not destructed, converted, accessed or processed in any way without authorisation.

Data Transfer

The Act does not prohibit the transfer of personal data to other jurisdictions, provided that such jurisdictions have a reliable legal system for the protection of personal data, and the said transfer is necessary for a legitimate or public interest. Please note that the Commission may restrict transfer of personal data to other countries in accordance with the Act. In some instances, personal data may be transferred to a receiving country with no specific legal protection on personal data but has guaranteed protection of such data.

Rights of Data Subject

As a guarantee to the protection of personal data, the Act vests the following rights upon a data subject:

• right to be informed of data collection and processing as well as the purpose involved;
• right to access the data collected and processed;
• right to object the processing of personal data collected where such processing will lead to adverse impacts;
• right to rectify personal data to ensure its accuracy;
• right not to be subject to automated decision making. A data subject has the right to instruct that decisions made by data collectors and processors on their behalf should not be arrived at, solely based on automated processing; and
• right to compensation.

Complaints and Penalties

According to the Act, a person may file a complaint against a data collector or processor who has violated the principles of personal data protection. Please note that such complaints are submitted to the Commission. The Commission will initiate a confidential investigation where satisfied that there are fundamental reasons to investigate. Such investigation will be conducted and concluded within 90 days, however under certain circumstances, the Commission may extend such period.

Where it is determined that there has been a violation in the provisions of the Act, the Commission may issue an enforcement notice directing the respective person to remedy such violation within a certain period. Furthermore, the Commission may issue a notice of penalty where the respective party has failed to remedy the violation within the given period.

According to the Act, unconsented disclosure of personal data by an individual shall constitute an offence punishable by a fine of not less than TZS 100,000 (approximately USD 43) and not more than TZS 20,000,000 (approximately USD 8,600) or to imprisonment for a term not exceeding ten years. In some instances, both a fine and imprisonment may be imposed.

With regards to a body corporate, the Act imposes a fine of not less than TZS 1,000,000 (approximately USD 430) and not more than TZS 5,000,000,000 (approximately USD 2,127,700) for unconsented disclosure of personal data.

The Act further establishes an offence of unlawful destruction, deletion, concealment or conversion of personal data. This offence is punishable by a fine of not less than TZS 100,000 (approximately USD 43) and not more than TZS 10,000,000 (approximately USD 4,300) or to imprisonment for a term not exceeding five years. Both a fine and imprisonment may be imposed in some instances.

Where an offence is committed by a body corporate, the Act poses a direct liability on all officers who intentionally authorised or allowed the commission of such an offence.

Additionally, the Act stipulates a general fine of not less than TZS 100,000 (approximately USD 43) and not more than TZS 5,000,000 (approximately USD 2,200) or to imprisonment for a term not exceeding five years, or to both, a fine and imprisonment. This provision will apply where the Act does not specifically provide a punishment for an offence.