Learner’s Submission: Data Safety in Zimbabwe

21/02/2014

“In Zimbabwe, data is very safe. The government has taken measures to ensure that data is very safe. While many government bodies have established endpoint security policies, they do not have the right security management software and laws to enforce them. Users continue to run software that is either unauthorized or is without the latest patches, opening the doors to cyber criminals and cyber terrorists. Users can also remove data from government networks via removable devices or media and, if the data is not encrypted, sensitive information can be exposed. Apart from the investment in equipment and software that protects data, the Zimbabwean government has gone a step further to use legislation that protects data. The following are existing data protection laws: the New Constitution, Courts and Adjudicating Authorities (Publicity Restrictions) Act Chapter 7:04, Census and Statistics Act Chapter 10:05, Banking Act Chapter 24:20, National Registration Act Chapter 10:17, Interception of Communications Act Chapter 11:20, and Access to Information and Protection of Privacy Act Chapter 10:27.

The constitution of Zimbabwe provides for the right to privacy, which applies to everyone. Access to information is provided for and applies to everyone, both for information held by the State and by any person, and for the latter to the extent that the information is required for the exercise or protection of a right. The Courts and Adjudicating Authorities (Publicity Restrictions) Act Chapter 7:04 regulates and restricts attendance at and publication of proceedings of courts and adjudicating authorities. Section 3 restricts disclosure of proceedings where the court or adjudicating authority considers it necessary or expedient to do so, either at its own instance or that of the party involved. Publication of the name, address or other information likely to reveal the identity of any person concerned or mentioned can be withheld if it would cause or is likely to cause prejudice to the party, or if it is in the interest of justice. The Census and Statistics Act provides for a census to be held on such other particulars whatsoever as shall be prescribed, which involves the collection of data. Section 10 restricts disclosure of information collected which enables the identification of the person taking part in the census, unless they are employed in carrying out the provisions of the Act. Section 13 also creates offences and penalties for unlawful use and disclosure of any information collected. The Banking Act Chapter 24:20, Sections 76 and 77, restricts the disclosure and use of collected information by the Registrar of the Reserve Bank, his representatives or employees, a curator or an auditor of the Banking Institution, but does not, however, deal with the Banking Institutions specifically. Under the National Registration Act Chapter 10:17, the Registrar-General must keep in safe custody any information acquired in the performance of his duties. All persons who are employed in carrying out the provisions of the Act are required to keep secret and aid in keeping secret all information coming to their knowledge in the exercise of their duties.

Under the Interception of Communications Act Chapter 11:20, no person is allowed to intercept any communication in the course of its transmission unless he or she is a party to the communication, or he or she has the consent of the person to whom, or the person by whom, the communication is sent, or he or she is authorized by a warrant. Unlawful interception attracts a penalty of a fine of up to US$5000 or imprisonment of up to 5 years. The Access to Information and Protection of Privacy Act Chapter 10:27 provides members of the public with a right of access to records and information held by public bodies; makes public bodies accountable by giving the public a right to request correction of misrepresented personal information; prevents the unauthorized collection, use or disclosure of personal information by public bodies; and protects personal privacy.” – Soul Nyangoni – Harare, Zimbabwe


Learner’s Submission: My Data and My Country

26/08/2013

Preamble

“Identity theft has for a long period been a global menace to personal identification and data protection. Individuals, wealthy and poor, and corporate organizations have become victims of identity theft. Nigeria, with many challenges on its shoulders, is teetering on the brink of identity theft; hence the scourge thereof has become a kick in the teeth to Nigeria, given that Nigeria does not have a law on data protection, despite its leading role in Africa. To my knowledge there is no law on data protection that exists in Nigeria. A proposed bill, the Personal Information and Data Protection Bill, is still in the pipeline and its passage into law seems like an illusion given the torrents of reservations that have been put forth by various stakeholders. The proposed bill is at variance with contemporary best practices in international law and some sections of Chapter 4 of the 1999 Constitution of Nigeria, the chapter that deals with the Fundamental Rights of citizens. Strikingly, the Bill is devoid of the necessary ingredients to tackle data protection issues. Countries like Ghana, South Africa and Egypt have gone ahead of Nigeria in data protection policies. In the global world today, many countries are embracing the challenges of identity theft by fine-tuning ways to protect the personal information of their citizens and preserve the image of their corporate organizations through potentially effective legislation. Nigeria seems to be comfortable living in the medieval era, where people’s identities had less importance. Nigeria really needs to wake up and smell the coffee!

Existing Legislation and Flaws

Basically, the 1999 Constitution of the Federal Republic of Nigeria is the premise on which other existing laws are based. The existing laws that refer to the protection of personal information in Nigeria are in furtherance of fundamental rights as enshrined in section 37, the section that deals with the Right to Private and Family Life, and other relevant sections of the 1999 Constitution of Nigeria, for example section 39, the section that deals with the Right to Freedom of Expression and the Press. But these provisions are handicapped by section 45, the section that deals with Restriction on and Derogation from Fundamental Human Rights.

Besides the Constitution, data protection is somehow referred to in the Freedom of Information (FOI) Act, 2011, which inter alia aims to enhance public access to information and protect public records and information as well as personal privacy. Section 14 of the FOI Act deals with the exemption of personal information, the circumstances upon which applications that seek the personal information of others can be denied or granted. Though the provisions contained thereon may seem glamorous for the purpose of data protection, they leave a hole in the fabric of data protection as they only make reference to personal information in the saddle of public institutions, with no recourse to personal information in the pocket of private firms.

The Registration of Telephone Subscribers Regulation (RTS) 2011, previously known as the SIM Card Registration Regulation 2010, enshrines data protection, so to speak, as stipulated in section 11, the section that deals with Data Protection. The RTS 2011 makes reference to the General Consumer Code of Practice for Telecommunications Services, which in section 35 contains a mechanism for data protection, but only for consumers of telecommunications services in Nigeria. Though these regulations seem, to an extent, to embody some sort of outlook and effort to entrench data protection principles in the telecommunication industry, I do not have the firm conviction that the information about myself and my family that I have exposed in the course of SIM card registration and/or other forms of registration is well protected, given the illicit and erroneous treatment of personal information in Nigeria, which is an incidental consequence of the absence of a well-detailed legal framework that guides data protection. These regulations seem more like a watery sun hung in the autumn sky. It is really ridiculous that upon violation of the data protection provisions contained in those regulations by some violator(s), the regulators do not treat such a breach of data protection as a gross violation of the victims’ right to privacy, but rather as a mere breach of regulations with paltry financial and/or trifling corporate sanctions that are a mere scratch on the surface. This does not show the muscle of a regulation that is hell-bent on tearing down the thick walls of the data protection menace.

It is very unfortunate that despite all the hullabaloo about financial sector restructuring and reinvention by the Central Bank of Nigeria (CBN), particularly in the banking sector, Nigeria still cannot boast of a single data protection law in the sector. To my knowledge, no law exists for data protection in the financial sector. Even the Banking and Other Financial Institutions Act (BOFIA) does not guarantee that. Customers disclose a high volume of sensitive information to their banks, which unfortunately, if misused, cannot be enforced against by customers, yet regulators with the statutory rights perform noticeably poorly in protecting the privacy of the personal information of these gullible customers. The situation in the financial sector as compared to the telecommunication sector seems to be worrisome.

Conclusion

In conclusion, given the astronomical increase in technology-driven activities, with the resulting necessity for public and private institutions to seek people’s personal data and information, where that information and data have become valuable to the seeker, the need to protect that information and data about people has become paramount. The time is now ripe for the Nigerian government to wake up and embrace the global trend in establishing data protection laws.” – Okonkwo Julius Chukwuma – Abuja, Nigeria


Learner’s Submission: Data Protection in Albania

03/01/2013

“According to my personal opinion, I think that Albania has made some progress during these last years in the field of data protection. It is absolutely necessary to emphasize the fact that this is a multiple sphere, which involves the cooperation of many key actors such as public, private, international, etc. We are all aware that technology today has changed the way we see the world and how we behave. Considering the fact that all these new technologies are used by anyone, it is absolutely necessary to regulate this sector by putting in place rules and obligations. In Albania I want to mention the establishment of the Commissioner for Personal Data Protection (CPDP), which plays an important role in protecting personal data in the Republic of Albania.

Albania

An important role has been performed by this institution in raising awareness among persons of the importance of data protection. I want to emphasize the fact that, while working on this paper, I have referred considerably to the 2012-2013 Strategy of the Albanian Commissioner’s Office for Personal Data Protection, which addresses the main issues of data management and protection in Albania.

The vision of the 2012-2013 CPDP Strategy is to make Albania a safe place, where the law is applied and personal data protection is under control:

  1. The controllers who collect and process personal data are responsible for performing this task in a safe and righteous way, so that all data protection is under control.
  2. The controllers provide to the subjects the right to access their personal data.
  3. The subjects understand how their personal data are processed and are aware that they can take measures to protect their data from misprocessing.

Priorities: The strategic goals can be summarized as follows:

  1. Improving personal data protection;
  2. Reducing the threats to personal data processing;
  3. Monitoring and inspecting the application of the law by public and non-public controllers;
  4. Identifying the needs for intervention.

Policy and effects:

  • Excessive and irrelevant.
  • Stored for a longer time than the purpose for which they were collected.
  • Disclosed to persons not entitled to have them.
  • Used wrongfully and in violation of the law for other purposes.
  • Not stored securely.

Capacity building

1. Direct communication:

a) Direct communication with the public (Personal data subjects);
b) Ongoing communication with the media;
c) Organizing a quarterly press conference at the premises of the Commissioner for Personal Data Protection;
d) Participating in different television programs;
e) Giving interviews for different media interested in specific issues on personal data protection;
f) Participating in meetings, workshops and other activities organized by different Albanian media forums and making public specific attitudes and opinions of the Commissioner’s Office for Personal Data Protection;
g) Training students of the Department of Journalism and other media employees in the field of personal data protection;
h) Ongoing monitoring of the press regarding potential violations of the Law “On personal data protection”.

2. Enhancing the notification and registration process:

a) Ongoing identification of the private and public controlling subjects;
b) Legal review and evaluation of data processing according to the statements in the Notification Form;
c) Registering the controllers’ notification in the Central Register;
d) Organization and further conduction of awareness raising activities for the controllers.

The Albanian Commissioner’s Office for Personal Data Protection aims to achieve in its Strategy 2012-2013 the following goals:

  • The approval of legal amendments to the Law “On personal data protection”;
  • Ongoing development of the domestic legal framework, aiming at the best international practices;
  • Other collaboration agreements with the universities, Prosecution Office, counterpart institutions, etc;
  • Close collaboration with IPA-2009 project;
  • Training controllers on the new amendments to the law, after their approval;
  • Trainings mainly for legal departments of state institutions;
  • Launching draft acts in round tables before their approval by the Commissioner;
  • Promoting any approved new act through leaflets or awareness raising guidelines;
  • Close collaboration between the departments of the institution;
  • Collaboration with foreign authorities to exchange mutual experiences.

Addressing complaints and monitoring:

a) Addressing complaints;
b) Administrative control and inspection;
c) Plan-based control;
d) Notification-based control:
I. Whether the status of the processing for a specific controller is as reflected on the Register;
II. Whether the controller has updated the information and does not process data in violation of the processing status that has been registered;
III. Whether the Commissioner’s Office, upon notification, should verify with the controller the sensitive data processing, processing through CCTVs, biometric data processing and international transfers.
– Complaints-based inspection;
– Inspection on the applicability of the Recommendations, Orders and Decisions of the Commissioner

Basic legislation on data protection: Albania’s first law for the protection of personal data is that of 1999, Law No. 8517, dated 22.07.1999 “On protection of personal data”, which had no effect.

The basic legislation of this Institution is:

  1. Law “On Personal Data Protection” No. 9887, dated 10 March 2008.
  2. Decision No. 934, dated 2.9.2009 on Determination of States with adequate level of protection of personal data.
  3. Decision No. 1232, dated 11.12.2009 on Determination of cases for exemption from the obligation of notification of processed personal data.” – Mirsada Hallunaj – Tirana, Albania


Learner’s Submission – Knowledge Management in India

20/12/2012

“The Indian Government is a relatively new entrant to Information Technology and Knowledge Management. Notwithstanding the envious position of the Indian private sector as ‘leading IT services providers in the world’, Indian governmental organizations have been extremely slow and lethargic in adopting the latest in IT infrastructure and skills. Consequently, the Indian bureaucracy displays incapacity and inefficiency in gathering, collating, protecting, scaling and staying accessible to technology upgradation and the cutting edge in IT technologies.

The Union Government and State Governments have in recent years spent crores of rupees on projects of e-Government. The infrastructure has been established and functionaries have been put in place; however, the amusing part is that the functionaries are often found fumbling and struggling with the applications and hardware. The Indian bureaucracy is similar to cavemen handling LPG (liquefied petroleum gas) stoves: awed by the advanced technology, the poor souls are lost in the paraphernalia of the latest in IT. This demonstrable incompetence is stark and explicit in police stations and Cyber Crime Cells in India. We as ordinary citizens find it difficult, if not impossible, to repose faith in the police to tackle petty cyber crimes. Hence most of us choose not to approach the police for small cyber-crimes, which have become too common and extremely irritating in recent days. In our organization we have started to participate in a programme which will encourage folks to adopt the latest upgraded, licensed programs and technology to curb the growing cyber misdemeanors by enhancing individual-level security of PCs/devices. The Indian Government has also been constantly pressurized to involve itself in technology adaptation and training of its staff and closer collaboration with the private sector on matters of online security and governance. The authorities have realized their incompetence on the issue of Internet Governance and have resorted to excessive regulation, which has been severely criticized by citizens and civil society in recent days. Given the above circumstances, we believe data with our government is NOT safe. The government has no means or skills to secure our data and will definitely endanger the safety and well-being of our country.

Under section 87 of the Information Technology Act 2000, the Indian Government is empowered, by notification, to prescribe rules and regulations for data security. Data security is secured through digital certification and signatures. The Controller of Certifying Authority (CCA) is identified as the regulating agency for licensing ‘Certifying Authorities (CAs)’, who are to issue DSCs to applicants and also maintain repositories of signatures and revocation lists; regulations on the infrastructure necessary for receiving recognition for being designated as a CA have also been elaborated. Technology security is advised, a few standards have been prescribed, and verification and signing of certificates are facilitated through well-designed, aesthetically pleasant websites. The requirements that need to be fulfilled for issuance of the ‘Keys’ or ‘Digital Signature Certificates (DSCs)’ have been notified through the Gazette. Algorithms, website features and physical and data security measures which need to be adhered to have been clarified through the official website of the CCA – cca.gov.in. Section 70B of the Information Technology Act 2000, as amended by the IT Act 2008, empowers the central government to establish CERT-In (Indian Computer Emergency Response Team) through gazette notification, which is authorized to step in to deal with cyber-crime and security response mechanisms for national and international cyber-crimes and, depending on ‘discretion’, regional/state cybercrimes may also be investigated. Here cyber-crimes include the entire gamut of computer-related criminal activity. The functioning of CERT-In has been impressive, as they have helped in solving some cases of online defamation, phishing, spam and online intimidation. We got the opportunity to go through a case study (by Additional District & Sessions Judge Talwant Singh – Cyber Law and Information Technology) provided through the CERT-In official website; however, there have been very few convictions under the IT Act 2000. The problem has been a lack of proper awareness and desensitization (presently, over-sensitization of the middle bureaucracy has led to avoidable punitive harassment of Internet/social media users in India) of the bureaucracy about the nature of cyber misdemeanors. It would need long-term planning and proper training schedules for senior and middle-level staff, while the cutting-edge bureaucracy will need the necessary motivation and incentives to enhance skills and overcome the inertia that is characteristic of Weberian bureaucracies.” – Anil Dev Gopalakrishna – Karnataka, India


Learner’s Submission: Data Protection Legislation in India

14/11/2012

“The data protection legislation in India is covered under the IT Act 2000.

Our constitution has provided the law relating to privacy under the scope of Article 21. Its interpretation is found insufficient to provide adequate protection to data. In the year 2000, an effort was made by our legislature to embrace privacy issues relating to computer systems under the purview of the IT Act, 2000. This Act contains certain provisions which provide protection of stored data. In the year 2006, our legislature also introduced a bill known as ‘The Personal Data Protection Bill’ so as to provide protection to the personal information of the person.

Under the IT Act, 2000, the various subsections provide the legislative rules for data protection. The various sections discussed below give a clear insight into the same.

Section 43
This section provides protection against unauthorized access to a computer system by imposing a heavy penalty of up to one crore. The unauthorized downloading, extraction and copying of data are also covered under the same penalty. Clause ‘c’ of this section imposes a penalty for unauthorized introduction of computer viruses or contaminants. Clause ‘g’ provides penalties for assisting unauthorized access.

Section 65
This section provides for computer source code. If anyone knowingly or intentionally conceals, destroys or alters it, or causes another to do so, they shall have to suffer a penalty of imprisonment or a fine of up to 2 lakh rupees. Thus protection has been provided against tampering with computer source documents.

Section 66
Protection against hacking has been provided under this section. As per this section, hacking is defined as any act with an intention to cause wrongful loss or damage to any person, or with the knowledge that wrongful loss or damage will be caused to any person, whereby information residing in a computer resource is destroyed, deleted or altered, or its value and utility diminished. This section imposes a penalty of imprisonment of three years or a fine of up to two lakh rupees, or both, on the hacker.

Section 70
This section provides protection to the data stored in a protected system. Protected systems are those computers, computer systems or computer networks which the appropriate government, by issuing a notification in the official gazette, has declared to be a protected system. Any access or attempt to secure access to that system in contravention of the provisions of this section will make the person accessing it liable for punishment of imprisonment which may extend to ten years, and shall also be liable to a fine.

Section 72
This section provides protection against breach of confidentiality and privacy of data. As per this, any person upon whom powers have been conferred under the IT Act and allied rules to secure access to any electronic record, book, register, correspondence, information, document or other material, who discloses it to any other person, shall be punished with imprisonment which may extend to two years, or with a fine which may extend to one lakh rupees, or both.” – Vikas Razdan – Kolkata, India


Learner’s Submission: Data Protection in India

01/11/2012

“With the development of the information technology industry, cyber crimes have become a terrible headache for the government of every country. The existing laws are not enough to cover all the issues and circumstances that make the new digital world a threat to personal privacy. So all the developed countries have framed and established their data protection laws. The law relating to privacy is under the scope of Article 21 of the constitution in India. The IT Act 2000 was introduced in 2000 and it has certain provisions that provide protection to stored data and the issues relating to computer systems.

Under the IT Act, 2000, Section 43 provides protection against unauthorized access to a computer system. Under section 65 of this Act, protection has been provided against tampering with computer source documents. Section 66 provides protection against hacking. Section 70 provides protection to the data stored in a protected system. Under section 72, protection has been provided against breach of confidentiality and privacy of data.

The ‘Personal Data Protection Bill 2006’ was introduced in parliament on 8 December 2006 to provide protection to the personal data and information of a person collected for a particular purpose by one organization, and to prevent its usage by other organizations for commercial and other purposes. Data controllers are to look into issues of violation of the Act. The Bill was drafted wholly on the structure of the UK Data Protection Act. But this proposed Act has lapsed now.

The Indian Government, on behalf of the Ministry of Communications and Information Technology, notified the “Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011” on 11 April 2011 under Section 43A of the Information Technology Act, 2000, to implement certain provisions. In August 2011, the Ministry of Communications and Information Technology also issued a press note to clarify some of the provisions of the Rules.

The provision of the Information Technology Rules, 2011 is to protect sensitive personal data. Sensitive data means personal information of a person in relation to:

  1. Passwords;
  2. Financial information such as bank account or credit card or debit card or other payment instrument details;
  3. Physical, psychological and mental health condition;
  4. Sexual orientation;
  5. Medical records and history;
  6. Biometric information;
  7. Any detail relating to the above clauses as provided to a body corporate for providing service;
  8. Any of the information received under the above clauses by a body corporate for processing, stored or processed under lawful contract.

In the Press Note, it has been clarified that the Rules are applicable to a body corporate or any person. The term ‘body corporate’ is not limited to a ‘body corporate’ located in India. It means any company or other association of individuals engaged in commercial or professional activities. It also includes a foreign body corporate. The Rules will apply to sensitive data of any individual collected, processed or stored in India via computer resources by any entity, whether located in India or not.

Sensitive data can be transferred to a third party in India or outside India, but the body corporate should be aware of the fact that: the provider has consented to such transfer, the third party is able to provide an adequate level of protection for such data via legislative or other means, and the transfer is necessary for the lawful contract.

The companies or corporate houses are now making several agreements with other companies, partners, agencies or clients to provide adequate protection for their data. ‘User license agreements’, ‘non-circumvention and non-disclosure agreements’ and referral partner agreements are such agreements that cover privacy and confidentiality clauses and also arbitration clauses for resolving any dispute, if one arises. The body corporate is allowed to adopt any other information security policies and standards approved by the Central Government to run their business smoothly. BPO companies have implemented security control measures like the BS 7799 and ISO 17799 standards of information security management. The body corporate also implements recognized and approved international standards like IS/ISO/IEC 27001 on ‘Information Technology – Security Techniques – Information Security Management System – Requirements’.

As per the Rules, the security standards adopted by the body corporate should be audited at least once every year by an auditor approved by the Central Government.

The big question here arises: is our data safe? This essay certainly has thrown ample light on the Data Protection Legislation in India. The Indian Penal Code imposes punishment for crimes relating to data protection, but it is a matter of surprise how easily we are providing room to the miscreants to commit crimes through the easiest medium while using the internet, credit cards, etc. The criminals are able to collect the secured information only by using computers and electronic gadgets.

Many countries other than India have framed their data protection law as a separate discipline. So it has raised concerns that a qualitative effort must be taken by the Government to frame and establish a most comprehensive data protection law.” – Dr. Mahabur Rahaman Mondal – Kolkata, India


Learner’s Submission: Information on Data Protection

11/09/2012

Do you think that data available in your government is safe? Do you know of any legislation in your country regarding the data protection?

“Definition of data: data refers to facts or information, especially when examined and used to find out things or to make decisions. There can be demographic, historical or “personal data”, that is, all information that could be used to identify or harm data subjects or clients; “harm” can be done after the collection of data has already been done and discovering the possession of harmful objects like weapons. These data can be stored in computers, books, and others.

Davenport and Prusak articulated that data is “simple observation of states of the world.” The data available in my country (Tanzania) is safe because it is protected and managed in an appropriately responsible manner.

Government: this consists of legislators, administrators, and arbitrators in the administrative systems who control a state at a given time, and the system by which they are organized. It is the means by which state policy is enforced, as well as the mechanism for determining the policy of the state. It is the government which ensures the consolidation of the social and economic activities of the people of the country.

Data security refers to physical and technological measures that safeguard the confidentiality and integrity of personal data and prevent unauthorized modification, unlawful destruction, accidental loss, improper disclosure or undue transfer. In the “physical” sense, data can be safeguarded by a person through movements, and in the “technological” sense, data can be safeguarded by movements done by machines like computers and phones.

Legislation is the law which has been promulgated or enacted by a legislature or another governing body, or the process of making it. The other source of law is judge-made law, which is called “case law” and is the product of the cases conducted by judges in the courts. Legislation is mainly proposed by the members of the parliament. Legislation is regarded as the main one among the three main functions of government, which are often distinguished under the teaching or doctrine of the separation of powers. Up to now there is no specific law in Tanzania which protects data or databases in Tanzania, that is, ‘my country’. The main concern here could be the right to privacy, like information privacy, which handles personal data, bodily privacy, privacy of communication and territorial privacy; these are under the Universal Declaration, article no. 5; and also data protection and the danger of information misuse.

Data protection: this includes the following:

1. Data must be obtained fairly and lawfully for its purpose, such that people must not be misled when producing the information needed.

2.  Must be used and be disclosed for the purpose of security.

3.  Must be adequate, relevant and not be excessive for its purpose.

4. Individuals or clients must be allowed access to data about themselves and without undue expenses and must be provided with a copy of it.

5. Must be corrected or erased to avoid distortion of information.

6. Data users must take appropriate security measures to prevent unauthorized access, disclosure, alteration or destruction of personal data.

7. Data must be private; that is, information about a client must be kept confidential from other people, yet must also be available to those people who it is about. To do and to follow all the above is to protect and maintain the whole of data protection, for the safety of the data and the security of the particular country and its people at large.” – Michael Vincent Mhagama – Tanga, Tanzania