Protection of Employee Personal Data in the Workplace: Employer Obligations Under Tanzanian Law
Bulletin, 18 March 2026
The increased use of digital systems in workplaces has resulted in the extensive collection and processing of employee personal data by employers. Such information is processed routinely for purposes such as recruitment, payroll administration, performance management, security, and regulatory compliance. Employers may also utilise surveillance technologies such as Closed-Circuit Television (CCTV), biometric systems, and electronic monitoring tools to safeguard business operations and maintain workplace discipline.
While these technologies enhance workplace management, they also raise important legal considerations regarding the protection of employee personal data. Employee information often contains sensitive details relating to identity, financial status, health, and workplace performance.
In Tanzania, the processing of employee personal data is primarily regulated by the Personal Data Protection Act, Chapter 44 Revised Edition 2023 (the PDP Act) together with the Personal Data Protection (Personal Data Collection and Processing) Regulations, Government Notice No. 449C of 2023 (the Collection and Processing Regulations). Additionally, the data protection regime operates alongside the Employment and Labour Relations Act, Chapter 366 Revised Edition 2023 (the ELRA), which governs employment relationships and imposes obligations on employers to maintain employment records and uphold fair labour practices, including the confidentiality of employee information.
This legal update highlights key legal considerations for employers regarding the collection and processing of employee personal data, particularly in light of growing workplace monitoring practices.
Employers as data controllers under the PDP Act
Section 2 of the Collection and Processing Regulations defines a data controller as:
“a natural person, legal person or public body which alone or jointly with others determines the purpose and means of processing of personal data; and where the purpose and means of processing are determined by law, ‘data controller’ is the natural person, legal person or public body designated as such by that law and it includes his representative.”
In most employment settings, employers act as data controllers because they determine the purposes and means through which employee personal data is collected, stored, and used within the relevant entity. Such personal data may include:
(a) identification details such as names, age, addresses, sex and national identification numbers (NINs);
(b) employment records including contracts, disciplinary records, and performance assessments;
(c) payroll and financial information;
(d) health-related information required for workplace safety; and
(e) biometric data collected through attendance systems.
Key employer obligations to protect employee personal data under the PDP Act
Regulation 23 of the Collection and Processing Regulations sets out the obligations of data controllers and data processors when collecting and processing personal data. In particular, it requires that personal data be:
(a) collected and processed lawfully, fairly and transparently;
(b) collected for a legitimate and specified purpose;
(c) adequate and necessary for purposes for which it is processed;
(d) accurate and where necessary, is kept up to date with every reasonable step taken to ensure that any inaccurate personal data is erased or rectified without delay;
(e) stored in a form which permits identification of the data subject for no longer than is necessary for the purpose for which the personal data is processed;
(f) processed in accordance with the rights of the data subject;
(g) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against any loss, destruction or damage, using appropriate technical or organisational measures;
(h) not transferred abroad contrary to the provisions of the PDP Act; and
(i) not applied in the existing circumstances without taking steps to ensure such data is complete, accurate, consistent with the content and not misleading.
These obligations provide a comprehensive framework to ensure that employee personal data is collected, stored, and used responsibly.
Employer obligations to protect employee personal data under the ELRA
In addition to the obligations under the PDP Act, the ELRA imposes duties relating to the collection, retention, and confidentiality of employee information. While the ELRA does not expressly address data protection, its provisions indirectly safeguard employee personal data through the regulation of employment records.
Collection of employee records
Section 16 of the ELRA requires employers to provide employees with a written statement of particulars upon commencement of employment, including essential information such as the employee’s name, age, address, sex, job description, place of work, working hours and remuneration. Employers are also required to retain these records for a period of five (5) years following termination of employment. This duty aligns with Part IV of the PDP Act, which requires personal data to be collected lawfully for specified purposes, kept accurate and up to date, and retained only for as long as necessary.
Duty to maintain proper employment records
Section 97 of the ELRA requires employers to maintain proper employment records, including wage and attendance records, employment contracts, and other documentation necessary to demonstrate compliance with applicable labour standards. These records are essential for labour inspections, regulatory compliance, and the resolution of employment disputes. From a data governance perspective, this obligation aligns with Part IV of the PDP Act which sets out the duties of data controllers to ensure that personal data is collected lawfully and for a specified purpose, kept accurate and up to date, used only for its intended purpose, stored securely, and retained only as long as necessary, while safeguarding the confidentiality and integrity of employee information.
Duty of confidentiality
Section 102 of the ELRA imposes a duty of confidentiality in respect of information obtained in the course of administering employment matters, particularly where such information relates to the financial or business affairs of another person and was acquired in the performance of functions under the ELRA. This means that employee information, including employment records and labour administration data, must be treated as confidential and should not be disclosed without proper authority. This obligation is consistent with the requirements under Part IV of the PDP Act, which require organisations to process personal data securely and to implement appropriate safeguards to prevent unauthorised access, loss, misuse, or disclosure of personal data.
Consequences for non-compliance under both the ELRA and the PDP Act
Non-compliance in the handling of employees’ personal data under the ELRA and the PDP Act may expose entities to significant legal and financial consequences. In relation to information concerning the financial or business affairs of another person, Section 103(4) of the ELRA prescribes a penalty for unauthorised disclosure. Any person who discloses such information commits an offence, and, upon conviction, may be liable to a fine not exceeding Tanzanian Shillings (TZS) 1,000,000 (approximately USD 391).
However, with respect to other types of employee personal data beyond financial or business information, the PDP Act imposes stricter penalties for non-compliance with data protection obligations. Entities that fail to comply may face significant financial penalties ranging from TZS 1,000,000 (approximately USD 391) to TZS 5,000,000,000 (approximately USD 1.95 million), and responsible officers may also be held personally liable. These provisions highlight the importance of handling employee personal data lawfully and protecting it against unauthorised disclosure.
Conclusion
The protection of employee personal data is a critical obligation for employers in Tanzania. The PDP Act sets out the legal framework for the lawful collection, processing, storage, and security of personal data, while the ELRA reinforces these obligations through requirements on employment records and confidentiality. Together, these laws require employers to manage employee information responsibly, ensuring privacy is safeguarded and mitigating the risk of legal and financial consequences.




