Zambia: Employers’ obligations under the Data Protection Act

Bowmans

12th February 2025

Data protection in Zambia is regulated under the Data Protection Act 3 of 2021 (DPA), which came into effect on 1 April 2021. The DPA regulates all matters relating to the processing of personal data performed wholly or partly by automated means and to any processing otherwise than by electronic means.

The enactment of the DPA revolutionised privacy protection in Zambia and there has been a noticeable enhancement in data security practices among businesses. However, the DPA also presents potential implications for employers, an aspect that has not been thoroughly explored.

Employers as data controllers

The DPA defines a data controller as a person who, either alone or jointly with other persons, controls and is responsible for keeping and using personal data in respect of a data subject. By this definition, an employer can be classified as a data controller and an employee, a data subject.

Generally, employers come into contact with personal and sensitive personal data before and during the course of an employee’s employment. For instance, data is provided by a prospective employee to enable the employer to decide whether they are the best candidate for the role or position. This includes documents such as identification documents, police clearance reports, educational and professional qualifications and, in some cases, medical reports.

Further, during the course of employment, an employer may come into contact with more personal data such as sick notes, marriage certificates, or loan application documents for employer approval.

Consent of the employee

An employer may process the personal data of an employee where consent has been obtained, where the processing is necessary in terms of the contract of employment, or where it is necessary to take steps at the request of the employee prior to entering into a contract. The employer may also process personal data to comply with a legal obligation (Section 13 of the DPA).

Thus, although consent of the data subject is said to be an essential aspect of data processing, the DPA provides for situations when data can be processed without the consent of the employee.

Regarding sensitive personal data, the DPA provides for processing only in the following circumstances:

  • when it is necessary for the establishment, exercise or defence of a legal claim whenever a court is exercising a judicial function;
  • where it is necessary for preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services; and
  • where the processing is necessary for public interest.

Principles relating to processing personal data

The following are the principles that employers should consider and adhere to when processing personal data (Section 12 of the DPA):

  • to ensure that it is processed lawfully, fairly, and transparently;
  • to collect personal data for explicit, specified and legitimate purposes and not further processed in a manner incompatible with those purposes;
  • to ensure that personal data is adequate, relevant and limited to what is necessary for the purposes for which it is processed;
  • to ensure it is accurate and where necessary, kept up to date, with every reasonable step taken to ensure that any inaccurate personal data is erased or rectified without delay;
  • to store it in a form that permits the identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed;
  • to process it without impacting the rights of a data subject; and
  • to process it in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against any loss, destruction, or damage, using appropriate technical or organisational measures.

Potential obligations on the employer

Before the enactment of the DPA, employers processed data in line with ethical standards and established best practices. The enactment of the DPA has created legal obligations and sanctions in the event of non-compliance. 

Registration as a data controller: A data controller is required to register with the Data Protection Commissioner (Commissioner) (Section 20(1) of the DPA). Failure to register prohibits a data controller from controlling or processing personal data (Section 19(1) of the DPA) and creates a liability, upon conviction, of a fine not exceeding five hundred thousand penalty units (approximately USD 7 300) or imprisonment for a term not exceeding five years or both (Section 19(2) of the DPA).

It should be noted that the Data Protection (Registration and Licensing) Regulations categorise data controllers as follows:

  • Micro Organisation: Maximum 10 employees;
  • Medium Organisation: More than 10 employees but less than 50 employees; and
  • Large Organisation: More than 50 employees.

The registration fees payable depend on the category to which an employer belongs. Further, the Commissioner may exempt a person, for a limited or unlimited period of time, from the requirement to hold a certificate of registration. The criteria for exemption are not yet clear; this should be clarified once the office of the Commissioner is operational.

Appointment of a data protection officer: A data controller is under an obligation to appoint a data protection officer under the guidelines issued by the Commissioner (Section 48(1) and (2) of the DPA). Currently, the office of the Commissioner is not yet operational and, as such, the guidelines have not been issued. However, this obligation may create a challenge for employers, as they will need to budget either for a new employee to serve as data protection officer or for extending the functions of an existing employee to include those of a data protection officer.

Data protection impact assessment: A data controller is required to carry out a data protection impact assessment to assess the impact of the envisaged processing on the protection of personal data, especially where the processing utilises new technologies and is likely to result in a high risk to the rights and freedoms of the data subject (Section 46 of the DPA). This is a potential challenge for employers because of the cost of the assessment.

Record of processing activities: A data controller is obligated to keep and maintain in writing a record of processing activities and metadata under its responsibility, as well as all categories of processing activities carried out, in the prescribed manner and form (Section 45 of the DPA).

Security of processing: A data controller is obligated to provide guarantees regarding the technical and organisational security measures employed to protect the personal data associated with the processing undertaken and to ensure strict adherence to such measures (Section 47 of the DPA).

Notification of security breach: Where there is a security breach affecting personal data, a data controller is obligated to notify the Commissioner within 24 hours (Section 49 of the DPA).

Conclusion

The enactment of the DPA is a progressive step for Zambia, as it safeguards individuals’ rights to privacy. Additionally, it ensures that data can be restored in cases of corruption, compromise or loss. This legislation imposes several obligations on employers, identifying them as data controllers and stipulating penalties for any breaches.

Although the Commissioner was appointed in 2023, his office is not yet operational. Nevertheless, it is crucial for all employers to familiarise themselves with the DPA and the obligations set out above, as this area may soon become ripe for litigation.

Written by Mabvuto Sakala, Managing Partner, and Precious Mwansa-Chisha, Associate, Bowmans Zambia
