Learner’s Submission: Data Safety in Zimbabwe

“In Zimbabwe, data is very safe. The government has taken measures to ensure that data is very safe.  While many government bodies have established endpoint security policies, they do not have the right security management software and laws to enforce them. Users continue to run software that is either unauthorized or is without the latest patches, opening the doors to cyber criminals and cyber terrorists. Users can also remove data from government networks via removable devices or media and if the data is not encrypted, sensitive information can be exposed. Apart from the investment in equipment and software that protects data; the Zimbabwean government has gone a step further to use legislation that protects data. The following are existing data protection laws. The New Constitution, Courts and Adjudicating Authorities (Publicity Restrictions) Act Chapter 7:04, Census and Statistics Act Chapter 10:05, Banking Act Chapter 24:20, National Registration Act Chapter 10:17, Interception of Communications Act Chapter 11:20, Access to Information and Protection of Privacy Act Chapter 10:27.

The constitution of Zimbabwe provides for the right to privacy which applies to everyone.  Access to information is provided for and applies to everyone, and for information held by the State or by any person and for the latter to the extent that the information is required for the exercise or protection of a right. Courts and Adjudicating Authorities (Publicity Restrictions) Act Chapter 7:04, regulates and restricts attendance at and publication of proceedings of courts and adjudicating authorities. Section 3, restriction of disclosure of proceedings where the court or adjudicating authority considers it necessary or expedient to do so either at its instance or that of the party involved.  Publication of the name, address or other information likely to reveal the identity of any person concerned or mentioned can be withheld if it would cause prejudice or is likely to cause prejudice to the party or if it’s in the interest of justice. Census and Statistics Act provides  for  a  census  to  be  held  on  such  other  particulars whatsoever; as shall be prescribed, which involves the collection of data, Section  10:  restricts  disclosure  of  information  collected  which enables  the  identification of  the person  taking part  in  the census unless  they  are  employed  in  carrying  out  the  provisions  of  the Act Section  13  also  creates  offences  and  penalties  for  unlawful  use and disclosure of any information collected. Banking Act Chapter 24:20 Sections 76 & 77 restrict the disclosure and use of collected information by the Registrar of the Reserve Bank, his representatives or employees, a curator or an auditor of the Banking Institution, but does not however deal with the Banking Institutions specifically. National Registration Act Chapter 10:17 the Registrar-General must keep in safe custody any information acquired in the performance of his duties. All persons who are employed  in carrying out  the provisions of  the Act are  required  to keep secret and aid  in keeping secret  all  information  coming  to  their  knowledge  in  the exercise of their duties.

Interception of Communications Act Chapter 11:20 no  person  is  allowed  to  intercept  any  communication  in the course of its transmission unless, he or she is a party to the communication; or he or she has the consent of the person  to  whom,  or  the  person  by  whom,  the communication  is  sent;  or  he  or  she  is  authorized  by  a warrant. Unlawful Interception attracts a penalty of a fine of up to US$5000 or imprisonment of up to 5years. Access to Information and Protection of Privacy Act Chapter 10:27 provides members of  the public with a  right of access  to records and information held by public bodies;  and makes public  bodies  accountable  by  giving  the  public  a  right  to request  correction  of  misrepresented  personal information; to prevent the unauthorized collection, use or disclosure  of  personal  information  by  public  bodies;  to protect personal privacy.” – Soul Nyangoni – Harare, Zimbabwe

Learner’s Submission: Open Data Portal – Edo State Government, Nigeria

“The online public service that I have made use of in my home country is the Edo State Open Data Portal which is the only online state public service in Nigeria and first sub-national portal in the continent of Africa.

It is a new initiative by the Edo State Government to make information more readily available to those who need it, enhance transparency in government and encourage investors. It is an online platform which makes it easy for the citizenry to access and reuse data from the Edo State Government Ministries, Departments and Agencies free of charge.

The Edo State Open Data Portal which is powered by the Edo State Information and Communications Technology Agency (ICTA) is aimed at improving Government and nipping the embarrassing phenomenon of ghost workers, wastages and misuse of public information and other forms of resource misuse in the bud, empower citizens and ultimately reduce government expenditure, and also effectively break away from the bureaucratic bottle-necks usually experienced while soliciting for information that should normally be made available to the public on request as well as the slow pace of Government officials when speed is of utmost importance.

All that anybody who is in need of information has to do is to have access to the internet and log on to data.edostate.gov.ng where the visitor can randomly search for any information of her/his choice, provided it is in relation to the state and within the purview of its concerns. One could also click on individual hyper links which the reader can directly follow, depending on what is desired by the visitor or available for view.
Being the first online public service in the state, it will take a thorough and extended effort to make Edo State Government data truly useful. Stakeholders expect to have improved data quality. Agencies will have to begin improving the quality of their data simply to avoid public embarrassment.

Up to now, the government’s release of open data has largely been a one-way affair: Agencies publish datasets that they hope will be useful without consulting the organizations and companies that want to use it. The government is therefore expected to build feedback loops from data users to government data providers.

Open data is also of value for government itself as it can increase government efficiency. For example, if the Edo State Ministry of Education can publish all of their education-related data online for re-use, the number of questions they receive will obviously drop, reducing work-load and costs, and the remaining questions will also be easier for civil servants to answer, because it is clear where the relevant data can be found.

Open government data can also help citizens make better decisions in life and make them more active in society. People can easily re-use cadastral information from government data as well as local registers to publish information which helps them find public utilities such as public toilets, public libraries, public parks, hotels, etc.
New combinations of data can create new knowledge and insights, which can lead to whole new fields of application. This potential can be unleashed if government data is really open, i.e. if there needed information are actually available and there are no restrictions (legal, financial or technological) to its re-use by others. Every restriction will exclude people from re-using the public data, and make it harder to find valuable ways of doing so.” – Uhunwa Benard Otamere – Edo State, Nigeria

Learner’s Submission: Social Media Channels in Zimbabwe

“Social media refers to internet services and mobile phone applications used for the generation, dissemination information. When a government has obtained knowledge it must be managed so that it can easily be obtained by those who need it. This overload of data is making knowledge management increasingly more important. Three key reasons why actively managing knowledge is important to Zimbabwe’s government’s success are to facilitate decision-making capabilities, build a learning country and to stimulate cultural change and innovation.  Zimbabwe uses television, radios and the internet as its social media channels.  The Zimbabwean government has realized that social media technologies allow for television and radio to be accessed and shared in a variety of ways. Viewers can actively participate while watching a program and have their interactions viewed and responded to in real time by other viewers. Technologies such as smart phones and laptops allow for these actions to occur anytime, anywhere. The Zimbabwean government has used the television and to some extent the radio to disseminate information across the country. The radio and television are used to disseminate educational and developmental information on critical areas such as agriculture and mining. This growth of internet access via mobile phones has led to much more use of social media by public sector organizations. This is part of a wider shift in greater openness around communications channels in Zimbabwe. Social media is becoming an increasingly popular set of channels for Zimbabwean government to use in their communication and engagement mix because, they provide a cost effective means of engaging with an audience, more and more people across different demographics are using social media; and they are simple to set up and use. The government has realized that each and very Zimbabwean must receive or must have access to important information irrespective of race, social status, industry and geographical locations. Information is power and has enhanced the development of the Zimbabwean community.” – Soul Nyangoni – Harare, Zimbabwe

Learner’s Submission: Access to Data in Austria

“Austria became an independent republic in 1955 after the Second World War and since 1995 has been a Member of the European Union (EU). As a Member State of the EU, Austria is obliged to implement laws issued by the EU within its legal framework to ensure compliance at the national level with EU law.

The enactment of the right of access to data is covered in the regulations on data protection. The data protection law in Austria aims to regulate the free flow of data and, most importantly, to protect data privacy of citizens.

The first data protection laws in Europe were enacted in the late 1960s as a response to the emergence of the electronic data processing. The German State of Hessen passed the world’s first regional data protection law in 1970 (Room, 2007, pp. 7–8).

An important role of the EU is to provide directives, which serve as guidance for all EU Member States to follow. At the European level, Directive 95/46/EC, commonly known as the Data Protection Directive, is the main reference within the EU pertaining to the protection of personal data of citizens in EU Member States. The Directive was adopted in 1995 and states that EU Member States shall provide the data subject with “the existence of the right of access to and the right to rectify the data concerning him”. Article 12 of the Directive provides the data subject’s right of access to their personal data (Publications Office of the European Union, 1995, pp. 31–42).

The implementation of the EU directive on Data Protection differs in EU Member States as EU directives are not legally binding, however, only set out the basic standards and recommendations for EU Members to incorporate them into their national legislation.

The right to the protection of data is also recognized by the EU Charter of Fundamental Rights, which was proclaimed in 2000 and became a statutory law through the Treaty of Lisbon in 2009. Article 8 of the EU Charter states that “

• Everyone has the right to the protection of personal data concerning him or her” and in addition:
•  “Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law.
• Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified” (Publications Office of the European Union, 2000, p. 10).

Prior to Austria joining the EU in 1995, a privacy protection law was already in place since 1978. The regulatory authority for data protection in Austria is the Austrian Data Protection Commission, which was founded in 1980 as one of Europe’s oldest data protection authority. The Austrian Data Protection Commission is a governmental authority responsible for ensuring compliance of data regulations, as required by the Data Protection Act (Österreichische Datenschutzkommission, 2013).

After becoming a Member of the EU, Austria was requested to harmonize its existing laws in accordance with EU directives and regulations. Consequently, in 1999 the old Austrian privacy protection law from 1978 was amended to comply with the EU Directive 95/46/EC. The result of this amendment was the Federal Act concerning the Protection of Personal Data (DSG 2000), still the current legislation governing data protection in Austria (Österreichische Datenschutzkommission, 2013).

Personally I have never exercised my right to access my own personal data. However, I am aware that access to personal information in Austria requires a person to submit a written request under § 26 DSG 2000 to the organization or entity concerned. The organisation must respond to the request within eight weeks. This request is free of charge, unless there was a similar request sent for information in that same year (Österreichische Datenschutzkommission, 2013).

The currently existing EU Data Protection Directive is under discussion to be amended and streamlined to address the differences in data protection legislations implemented by individual EU Member States to guarantee same level of protection for personal data. As a result, the European Commission envisages a uniform common European law on data protection to be regulated by the relevant national supervisory authority. However, there is still a long way to go before completion of the discussions on a consistent application of data protection legislation across the EU (European Parliament, 2013, p. 2).

References:

European Parliament. (2013). Data protection day: is your private life safe?, p. 2. Brussels.

Österreichische Datenschutzkommission. (2013). Welcome to the Website of the Austrian Data Protection Commission. Österreichische Datenschutzkommission. Retrieved February 9, 2013, from http://www.dsk.gv.at

Publications Office of the European Union. (1995). Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (OJ L 281).

Publications Office of the European Union. (2000). Charter of Fundamental Rights of the European Union (2000/C 364/01).

Publications Office of the European Union. (2007). Treaty of Lisbon amending the Treaty on European Union and the Treaty establishing the European Community, signed at Lisbon, 13 December 2007 (OJ C 306).

Room, S. (2007). Data Protection & Compliance in Context. United Kingdom: British Information Society Limited.” – Elfriede Bosch – Vienna, Austria

Learner’s Submission: Access to Information in Brazil

“In Brazil, the right of access to public information is provided constitutionally since 1988, the date of enactment of the Magna Carta. Only on November 18, 2011, Law No. 12,527, called Law and Access to Information Restriction with “vacatio legis” of 180 (one hundred eighty) days, was sanctioned by the President of the Republic. As most already had the text of constitutional law, it was given the power to regulate, already mentioned, citizens’ access to public information. The devices bring the statute in its wake, rules for three branches, in any sphere of Union, United States, Federal District and Municipalities. NGOs (Non-Governmental Organizations) are also subject to the law, the nonprofit private entities that receive public funds to carry out actions in the public interest and have partnership or agreements with the government must disclose information about money received and its destination.

Law 12.527/2011 created the so-called transparency active, ie, dissemination of information on the initiative of the Administration itself, in ways accessible to citizens; passive and transparency in procedures to meet the specific demands of citizens .

The publication of the Law under discussion meant an important evolution for Brazilian democracy. It represents a paradigm shift, because it establishes that access is the rule and secrecy the exception. In addition, made possible greater popular participation, social control of government actions, society’s access to public information fostered improvements in public administration and in prevention of corruption in the country.

The law has determined that public bodies create call centers within each organ called SICs (Citizens Information Services). These centers need to have structure to assist and guide the public to access information in the collective interest, eg, processing of documents, bidding processes and spending. Information may be requested in the Citizen Information Services (SICs), which will be installed at each public agency. The law also mandates that the citizen is granted the option to request data via the Internet. Other means, such as letter and telephone, will depend on the systems adopted by each agency. If the agency has information within immediate reach, the request can be serviced at the time it is made by Citizen, the SICs. If you need to search, the agency has twenty (20) days, renewable for another ten (10) days, to meet demand. The citizen will be notified by phone or internet. After that period, the public official must justify the reason for not providing the information.

On the internet, the Access to Information Act also requires that public entities to disclose, in a clear and easily accessible information about public administration. Must contain at least record the skills and organizational structure, addresses and phone numbers of their units and opening hours to the public. Also to be published records of any transfers or transfers of financial resources and information on bids, including bids and results. The law also requires that become exposed on the Internet for general data tracking programs, activities, projects and works of the government, as well as answers to frequently asked questions of society. The information should be kept up to date. Only municipalities with fewer than 10,000 (ten thousand) inhabitants are absolved the present on a website, data on municipal operations. However, the bodies of these small municipalities are obliged to provide information when requested.

No need to provide any justification for the request for information. There are no limits to the information being requested. Public servants who do not provide the requested information and submit legal justification may not suffer administrative sanctions and even be prosecuted for misconduct. Can be requested any information about data on public agencies. Is it possible, for example, ask how a ministry or department has spent on wages of servants, public works, ongoing bidding processes, details of audits, inspections and other.

The government of each member state created Brazilian transparency portals, network-accessible computers. Depend on how the body has stored the data for reporting. In cases of digital files, the citizen may obtain information on a CD or other digital media. If you need to print a high volume of papers, the citizen will pay the cost.

Free access to information of public service is a fundamental and constitutional right of the citizen. Law 12.527/2011 brought an instrument for citizenship. This is an achievement, a tool that improves the transparency of management and gives the principles of advertising effectiveness and morality of art inserts. 37 of the Constitution of the Federative Republic of Brazil. Free access became the rule and secrecy the exception.” – Gustavo Oliveira Paganini – Minas Gerais, Brazil

Learner’s Submission: Data Protection Legislation in India

“The data protection legislation in India is covered under the IT Act 2000.

Our constitution has provided the law relating to privacy under the scope of Article 21. Its interpretation is found insufficient to provide adequate protection to the data. In the year 2000, effort has been made by our legislature to embrace privacy issues relating to computer system under the purview of IT Act, 2000. This Act contains certain provisions which provide protection of stored data. In the year 2006, our legislature has also introduced a bill known as ‘The Personal Data Protection Bill’ so as to provide protection to the personal information of the person.

Under IT Act, 2000 the various subsections provide the legislative rules for the Data Protection. Various sections discussed below give a clear insight into the same.

Section 43
This section provides protection against unauthorized access of the computer system by imposing heavy penalty up to one crore. The unauthorized downloading, extraction and copying of data are also covered under the same penalty. Clause ‘c’ of this section imposes penalty for unauthorized introduction of computer viruses of contaminants. Clause ‘g’ provides penalties for assisting the unauthorized access.

Section 65
This section provides for computer source code. If anyone knowingly of intentionally conceals, destroys, alters or causes another to do as such shall have to suffer a penalty of imprisonment or fine up to 2 lakh rupees. Thus protection has been provided against tampering of computer source documents.

Section 66
Protection against hacking has been provided under this section. As per this section hacking is defined as any act with an intention to cause wrongful loss or damage to any person or with the knowledge that wrongful loss of damage will be caused to any person and information residing in a computer resource must be either destroyed, deleted, altered or its value and utility get diminished. This section imposes the penalty of imprisonment of three years or fine up to two lakh rupees or both on the hacker.

Section 70
This section provides protection to the data stored in the protected system. Protected systems are those computers, computer system or computer network to which the appropriate government, by issuing gazette information in the official gazette, declared it as a protected system. Any access or attempt to secure access of that system in contravention of the provision of this section will make the person accessed liable for punishment of imprisonment which may extend to ten years and shall also be liable to fine.

Section 72
This section provides protection against breach of confidentiality and privacy of the data. As per this, any person upon whom powers have been conferred under IT Act and allied rules to secure access to any electronic record, book, register, correspondence, information document of other material discloses it to any other person, shall be punished with imprisonment which may extend to two years or with fine which may extend to one lakh rupees or both.” – Vikas Razdan – Kolkata, India

Learner’s Submission: Right to Privacy in India

“In the present “information and cyber age”, the importance of data cannot be underestimated by any government of the world. Having strong spirituality in belief, in my country, India, the majority masses believe in confidentiality of their personal information. At present, Indian Law is at a crossroads with regard to the development of data protection. Thus, in India to some extent, law related to data protection is illusory, never-the-less it can at best be regarded as a promise of future improvements.

Legislative Provision

The Law of the Land has endorsed “right to privacy” as one of the most fundamental right of all persons whether they are citizen or not of India. Privacy was held to be important aspect of fundamental right vide Article 14, Article 19 (1) (a) and Article 19 (1) (d), and Article 21. In fact, the Information Technology Act, 2000, the Indian Copyright Act, 1957, the right to Information Act, 2005, enacted by the Indian Parliament, is the main legislations in this field.

The Information Technology Act, 2000

The main principles on data protection and privacy enumerated under the Information Technology Act, 2000 are:

(i) defining ‘data’, ‘computer database’, ‘information’, ‘electronic form’, ‘originator’, ‘addressee’, etc;

(ii) Creating civil liability if any person accesses or secures access to computer, computer system or computer network;

(iii) Creating criminal liability if any person accesses or secures access to computer, computer system or computer network;

(iv) Declaring any computer, computer system or computer network as a protected system;

(v) Imposing penalty for breach of confidentiality and privacy;

(vi) Setting up of hierarchy of regulatory authorities, namely adjudicating officers, the Cyber Regulations Appellate Tribunal, etc.

Right to Information Act 2005

After right to file “Public Interest litigation”, “Right to Information act’ is another milestone in contemporary legal history.

RTI Act laid down a procedure to guarantee right. Under this law, all Government Bodies or Government funded agencies have to designate a Public Information Officer (PIO). The PIO’s responsibility is to ensure that information requested is disclosed to the petitioner within 30 days or within 48 hours in case of information concerning the life or liberty of a person.

Use of Data Protection Law

I have used Right to Information Act 2005 to access data from several leading government organizations.

The practical way to get access of data under Right to Information Act 2005 is to send enquiry to the designated PIOs of the concern organization who is duty bound to provide the details. If the information pertains to other organization, then instead of refusing directly, he has to forward the enquiry to the concern organization with the information to the concern person. The most important aspect is to ensure that respond must be send to the concern person within the stipulated time period.

To get access of data, I generally prepare information sought to be taken in the form of list of questionnaire. The questionnaire is prepared in such a way which involve direct questions, but in tricky manner. The required information is send to the concern designated PIO by registered post/speed post.

As far as my experience is concern, I observed in most of the cases the concern authority generally respond on information sought, never-the-less the information provided by them are either not in complete sense or simply mention that information sought does not pertains to their department.

Never-the-less, despite of some lacunas, it is beyond reasonable doubt that Right to Information Act 2005 is certainly one of the most important legislation which give right to general masses to get access data in India.

Conclusion

India is still at a very early stage of developing personal data protection. At present India does not provide significant protection to personal data in relation to all or most of the common privacy principles, in any sector, to meet any international standards. We should always remember the lines of Robert frost:

“The woods are lovely, dark and deep,
But I have promises to keep,
And miles to go before I sleep,
And miles to go before I sleep.”” – Ashutosh Kumar – Delhi, India

Learner’s Submission: Access to Data in Spain

“The protection of personal data is a fundamental right. We live in the information society and every day try to millions of personal data. We provide our personal data when opening a bank account, when we asked to participate in a contest, when we booked a flight or a hotel and every time we make a payment by credit card. The name and surname date of birth, address or e-mail phone number, the DNI and many other data we use daily are valuable information that could help identify a person, either directly or indirectly. With this information we can develop our daily activity, we enrolled our children in school, receive care health, make phone calls or enjoy our leisure.

In our days, all the people have the right to not be subject to a decision with legal consequences for them, or which significantly affects them, and which is based processing of data intended to assess certain aspects of their personality.

I am living in Spain and I know the legislation on access to data, because is a matter of national interest and is a present subject in our work.

The Control bodies are the Spanish Agency for Data Protection (AEPD in the Spanish acronym) – the body monitoring compliance with the rules of data protection within the Spanish territory; and other data protection agencies, autonomous, in the Autonomous Communities of Madrid, Catalonia and the Basque Country.

The Spanish Agency for Data Protection is the public law authority overseeing compliance with the legal provisions on the protection of personal data, enjoying as such an absolute independence from the Public Administration. The AEPD is of the understanding that its functions must always be conducted with a priority objective, that of guaranteeing the protection of individual rights.

The regulatory Standards are the Law 15/1999 of December 13, Protection of Personal Data and the Royal Decree 1720/2007 approving the Regulation implementing the Law 15/1999 of December 13.

The Organic Law15/1999 of December 13 is intended to guarantee and protect the public liberties and fundamental rights of natural persons and in particular their personal and family privacy, with regard to the processing of personal data.

This Organic Law shall govern any processing of personal data: when the processing is carried out on Spanish territory as part of the activities of an establishment belonging to the person responsible for the processing; when the person responsible for the processing is not established on Spanish territory but is subject to Spanish law pursuant to the norms of public international law and  when the person responsible for the processing is not established on the territory of the European Union and is using for the processing means situated on Spanish territory, unless such means are used solely for transit purposes.

The Royal Decree 1720/2007 approving the Regulation implementing the Law 15/1999 of December 13 intended to have a wide scope indeed, provides in Article 1 that “[This Organic Law] is intended to guarantee and protect, with regard to the processing of personal data, the public liberties and fundamental rights of individuals, and in particular their honor and personal privacy”. It includes, therefore, automated and non-automated processing of personal data.

The Organic Act (LOPD) is the basis of the Spanish system for guaranteeing the right to protect personal data. The adequate compliance by all of the agents involved is an essential instrument for better protecting the rights of citizens.

I have not yet made ​​use of the data protection legislation, but surely I will if it will be necessary.” – Ana Ionela Cristea – Barcelona, Spain