Learner’s Submission: Data Safety in Zimbabwe

21/02/2014

“In Zimbabwe, data is very safe. The government has taken measures to ensure that data is very safe. While many government bodies have established endpoint security policies, they do not have the right security management software and laws to enforce them. Users continue to run software that is either unauthorized or is without the latest patches, opening the doors to cyber criminals and cyber terrorists. Users can also remove data from government networks via removable devices or media and if the data is not encrypted, sensitive information can be exposed. Apart from the investment in equipment and software that protects data, the Zimbabwean government has gone a step further to use legislation that protects data. The following are existing data protection laws. The New Constitution, Courts and Adjudicating Authorities (Publicity Restrictions) Act Chapter 7:04, Census and Statistics Act Chapter 10:05, Banking Act Chapter 24:20, National Registration Act Chapter 10:17, Interception of Communications Act Chapter 11:20, Access to Information and Protection of Privacy Act Chapter 10:27.

The constitution of Zimbabwe provides for the right to privacy which applies to everyone. Access to information is provided for and applies to everyone, and for information held by the State or by any person and for the latter to the extent that the information is required for the exercise or protection of a right. Courts and Adjudicating Authorities (Publicity Restrictions) Act Chapter 7:04, regulates and restricts attendance at and publication of proceedings of courts and adjudicating authorities. Section 3, restriction of disclosure of proceedings where the court or adjudicating authority considers it necessary or expedient to do so either at its instance or that of the party involved. Publication of the name, address or other information likely to reveal the identity of any person concerned or mentioned can be withheld if it would cause prejudice or is likely to cause prejudice to the party or if it’s in the interest of justice. Census and Statistics Act provides for a census to be held on such other particulars whatsoever; as shall be prescribed, which involves the collection of data, Section 10: restricts disclosure of information collected which enables the identification of the person taking part in the census unless they are employed in carrying out the provisions of the Act. Section 13 also creates offences and penalties for unlawful use and disclosure of any information collected. Banking Act Chapter 24:20 Sections 76 & 77 restrict the disclosure and use of collected information by the Registrar of the Reserve Bank, his representatives or employees, a curator or an auditor of the Banking Institution, but does not however deal with the Banking Institutions specifically. National Registration Act Chapter 10:17 the Registrar-General must keep in safe custody any information acquired in the performance of his duties. All persons who are employed in carrying out the provisions of the Act are required to keep secret and aid in keeping secret all information coming to their knowledge in the exercise of their duties.

Interception of Communications Act Chapter 11:20 no person is allowed to intercept any communication in the course of its transmission unless he or she is a party to the communication; or he or she has the consent of the person to whom, or the person by whom, the communication is sent; or he or she is authorized by a warrant. Unlawful Interception attracts a penalty of a fine of up to US$5000 or imprisonment of up to 5 years. Access to Information and Protection of Privacy Act Chapter 10:27 provides members of the public with a right of access to records and information held by public bodies; and makes public bodies accountable by giving the public a right to request correction of misrepresented personal information; to prevent the unauthorized collection, use or disclosure of personal information by public bodies; to protect personal privacy.” – Soul Nyangoni – Harare, Zimbabwe


Learner’s Submission: Data Protection – Provision and Practice

24/12/2012

“Data can be defined as both the qualitative and quantitative facts or the points of observations and, if contextualized, they are the primary source of information. Data or collection of data without their connection to time or space do not make information. But such data with some context or connection to time or space make information. Both the management of data and information are two of the significant components of knowledge management in government and other organizations. Government organizations usually manipulate data derived from two major processes: creating data themselves from observations, monitoring and from daily decision making with reference to different policies and second is the reception of data from other organizations or individuals. Self-generated or received from others, the government organizations use data in different forms such as electronic copies, hard copies and verbal signals. As data in context have meaning and signified implications, they help for making generalizations, fact based rational decisions, projection of trends and consequently innovations to tackle with potential problems. Because of these points of significance, government organizations, being based on laws or other standard conventional practice, usually protect the created, collected or received data in the organizations. But despite the intention of the protection of the data as envisaged by varieties of prevailing laws, their misplace or loss cannot be ignored due to different causes such as blurred responsibility, organizational culture of not sharing data or policy of ultra-secrecy, or lack of physical drawers and folders or as a whole available infrastructure. For the protection of data, the government of Nepal has formed different acts, rules and policies.

The Act on Right to Information, 2064 BS (2007) writes on its preamble that the act has been brought to promote the public accountability, transparency and access of people towards the information of public significance as well as to protect the sensitive information negatively affecting the state and the welfare of the people. Ensuring the right of people to information, it has also identified and mentioned some areas and nature of information that are protected or not disseminated by the public organizations at all. Such information includes as creating disturbances to sovereignty, national integrity, peace, international relations, fraternity among the castes and ethnic groups, and other information that tends to endanger personal privacy, and body, life, health and security of a person. Stating that the public institution has to ensure that the data and information related to some particular person is not leaked or published or disseminated without written approval of the person, the act writes that the personal information available in the office can be used only if it is demanded by law or in case of controlling corruption.

It has also made the provisions of Information Officer in each government office to deliver the information to the public and National Information Commission to overall protect and promote the right to information. It has provisioned to frame a committee in the chair of the chief secretary of the Government of Nepal to classify the information and fix the protection period as well as method as per the nature and sensitivity of the information.

Similarly, though it is not targeted to the management of data and information, there is the Civil Service Act, 2049 BS (1993) that states that a civil employee should not, without being authorized by Government of Nepal, directly or indirectly provide or divulge, to any other unauthorized employee or non-governmental person or press, any confidential matter or any other document or news prohibited by law which was/is known to him/her in the course of performing the governmental duty.

In addition to these acts, the Electronic Transaction Act 2063 BS (2006) has made different provisions regarding the protection of electronic data. It has forbidden the unauthorized access to computer materials. The act ensures legal validity of the electronic data, documents, information or records kept safely and exactly in the same format as originally generated or transmitted. It has also stated that if any person accesses any program, information or data of any computer without the permission of the owner or performs any act contrary to the authorization; such a person is liable to punishment.

The Prevention of Corruption Act, 2059 (2002 A.D) has different provisions on safeguarding the public documents. According to the act, it is punishable if a public servant or any other person, corrects, adds or changes in documents belonging to a government or public institution without authority. Similarly, damaging or destroying or concealing the documents belonging to the government or the public institution is defined to be punishable.

Besides the legal provisions, the role of the corresponding practice is also significant to protect the available data. Generally, in the offices, the practice of keeping data safe and utilizing them in appropriate time is influenced by a variety of factors. They include available furniture, drives, folders, office space, office layout, as well as the trends of filing and indexing, keeping the data or the documents in hard drives or sharing them among the co-workers are significant for the protection of the data in government organizations.

As a whole, the Government of Nepal has different legislation for both protection and transparency of data or information. The organizational practice on the protection of data is guided by the legislation. As being guided by the relevant acts, it is necessary for the officials to protect as well as provide the received data to other organizations or stakeholders. As no non-official can search or use records or files in the government offices, the possibility of leaking data or document is minimal through outsiders. Similarly, the digital data have legal validity like the hard copy data and unauthorized access to others’ computer or program, alteration, or deletion of others’ data is punishable by law. The concept of Government Integrated Data Center (GIDC) has also been introduced. From these all dimensions of prevailing laws, organizational general practice, officials’ moral and legal observance, the trends of managing hard data and soft data, the status of ensuring the protection of data can be said satisfactory.” – Yuba Raj Guragain – Kathmandu, Nepal


Learner’s Submission: Data Protection Legislation in India

14/11/2012

“The data protection legislation in India is covered under the IT Act 2000.

Our constitution has provided the law relating to privacy under the scope of Article 21. Its interpretation is found insufficient to provide adequate protection to the data. In the year 2000, effort has been made by our legislature to embrace privacy issues relating to computer system under the purview of IT Act, 2000. This Act contains certain provisions which provide protection of stored data. In the year 2006, our legislature has also introduced a bill known as ‘The Personal Data Protection Bill’ so as to provide protection to the personal information of the person.

Under IT Act, 2000 the various subsections provide the legislative rules for the Data Protection. Various sections discussed below give a clear insight into the same.

Section 43
This section provides protection against unauthorized access of the computer system by imposing heavy penalty up to one crore. The unauthorized downloading, extraction and copying of data are also covered under the same penalty. Clause ‘c’ of this section imposes penalty for unauthorized introduction of computer viruses or contaminants. Clause ‘g’ provides penalties for assisting the unauthorized access.

Section 65
This section provides for computer source code. If anyone knowingly or intentionally conceals, destroys, alters or causes another to do as such shall have to suffer a penalty of imprisonment or fine up to 2 lakh rupees. Thus protection has been provided against tampering of computer source documents.

Section 66
Protection against hacking has been provided under this section. As per this section hacking is defined as any act with an intention to cause wrongful loss or damage to any person or with the knowledge that wrongful loss or damage will be caused to any person and information residing in a computer resource must be either destroyed, deleted, altered or its value and utility get diminished. This section imposes the penalty of imprisonment of three years or fine up to two lakh rupees or both on the hacker.

Section 70
This section provides protection to the data stored in the protected system. Protected systems are those computers, computer system or computer network to which the appropriate government, by issuing gazette information in the official gazette, declared it as a protected system. Any access or attempt to secure access of that system in contravention of the provision of this section will make the person accessed liable for punishment of imprisonment which may extend to ten years and shall also be liable to fine.

Section 72
This section provides protection against breach of confidentiality and privacy of the data. As per this, any person upon whom powers have been conferred under IT Act and allied rules to secure access to any electronic record, book, register, correspondence, information document or other material discloses it to any other person, shall be punished with imprisonment which may extend to two years or with fine which may extend to one lakh rupees or both.” – Vikas Razdan – Kolkata, India