Data Protection in Zimbabwe with Reference to the Covid-19 Pandemic and International Law

Authors

DOI:

https://doi.org/10.17159/1727-3781/2024/v27i0a17744

Keywords:

COVID-19, pandemic, processing, data subject, privacy, sensitive personal data, health-related data, Zimbabwe

Abstract

The coronavirus that caused the COVID-19 disease defied geographical boundaries, spreading faster than the measures to contain its transmission. The processing of personal health-related data became widespread as a measure to respond to the pandemic. This triggered new concerns about the possibility of there being a data crisis. Individuals suspected to be infected by COVID-19 were forced to undertake mandatory testing that involved the collection of health-related data. To limit the spread of the disease, the collection of personal data extended to secondary contacts. Personal health-related data are very prone to abuse, and this data included secondary data inconsistent with initial collection purposes. Admittedly, such risks are not new. Prior to the pandemic, health-related data were processed through electronic health (e-health) platforms. The health-related data processing methods during the pandemic were insufficient to meet the data protection principles of consent, transparency, purpose and storage, potentially violating the right to privacy. Globally, expectations are that countries should have data protection laws informed by established principles regulating the processing of personal data. While Zimbabwe had not enacted the Cyber and Data Protection Act (CDP Act), which lists some of the data principles, this paper relies on existing laws to determine whether Zimbabwe is still abiding by constitutional and international human rights standards in protecting personal data privacy. The paper examines the development of data principles and their application in Zimbabwe in respect of health-related data protection during the pandemic.
The paper 1) analyses the existing laws and their protection of personal health-related data; 2) explores the incorporation of data principles in COVID-19-related responses including in national laws as informed by international laws; and 3) highlights the gaps in both law and practice as they relate to the handling of personal health-related data in Zimbabwe during the pandemic. The paper concludes that even if the existing laws on data privacy were not comprehensive and even if the CDP Act came too late, the global regulations, the sectoral laws and other guidance accessible to Zimbabwe in responding to the pandemic would have sufficed to avert a data pandemic during the health pandemic and allowed Zimbabwe to be compliant with international data protection standards.

Author Biography

  • Otto Saki, University of the Western Cape

    LLB Hons (Uni Zim) LLM Human Rights Law (Columbia University, USA) LLM Information Communication Technology Law (Open University, Tanzania) LLD Candidate, University of the Western Cape, South Africa.

Published

11-12-2024

Issue

Section

Special Edition: Towards Endogenous Knowledge Production in Africa

How to Cite

Saki, O. (2024). Data Protection in Zimbabwe with Reference to the Covid-19 Pandemic and International Law. Potchefstroom Electronic Law Journal, 27, (Published on 11 December 2024) pp 1-38. https://doi.org/10.17159/1727-3781/2024/v27i0a17744
