Towards better privacy protection policies

IT is necessary to continue the discussion on potential breach of privacy against fears of identity theft and unauthorised data sharing.

MIRIAM T MAJOME

These concerns were triggered by the recent publication of the voters’ roll regarding the personal information contained in it for public consumption.

After last week’s discussion nagging doubts and questions remain and the feeling is that not enough justice was done to the topic. People remain skeptical that their personal information will be used for nefarious purposes despite the fact that the personal information on the voter’s roll has always been and is accessible on other public platforms.

This calls for an examination of the national privacy policy if at all there is one and an exploration of global best practices for privacy protection of personal information.

Privacy policies in Sadc

Zimbabwe has no specific privacy policy other than the right of privacy provided for in Section 57 of the Constitution. The much loathed Access to Information and Protection of Privacy Act (Aippa) of 2002 linked to the exiled former Information minister Professor Jonathan Moyo missed a good opportunity to promote the privacy rights of citizens.

Its purpose was to protect the State by clamping down media houses considered hostile to the political establishment rather than protecting citizens’ rights. Aippa has for a long time needed serious urgent reform to bring it up to speed with a free and transparent society, which puts the protection of the rights of citizens first ahead the State’s interests.

Sadc does not have a unitary privacy protection protocol or guidelines like in the EU which bind member states. Some individual bodies within Sadc such as the Sadc Banking Association have crafted their own independent privacy policies.

In the region, South Africa has the most progressive legislation and awareness. Its Protection of Personal Information Bill which is waiting assent and Zimbabwe could do well to follow suit.

Abusing personal information

Section 21(9) (b) of the Electoral Act criminalises the misuse of personal information contained on the voter’s roll.

It states that anyone who makes use of the voters’ roll for commercial or other purposes unconnected with an election shall be guilty of an offence and liable to a fine or jail term not exceeding five years or to both fine and imprisonment.

The provision is broad and allows for criminal penalties for offences related to abusing personal information on the voters’ roll by for example misusing or selling it, stalking people, housebreaking and other illegal acts.

The single most major concern for the majority of people who are unhappy with the voters’ roll is the possibility of unauthorised sharing of their personal data by the Zimbabwe Electoral Commission (Zec) or other parties, who may have access to the roll. They fear the information will be used for unspecified harmful and undesirable purposes.

EU privacy protection regulations

A private policy is a statement or legal document that discloses how personal data collected from other people like clients and other third parties is gathered, used, disclosed and managed.

The European Union’s general data policy regulations were assented to by most EU states between 2014-2016 and became binding on all member states in 2018.

One reader kindly shared an abridged reader friendly version of the guidelines, which in their ordinary format are hundreds of pages long.

The GDPR provides for the protection of personal data and dictates how handlers of personal data should collect, store and share the information they hold and procedures to follow when there has been a breach and the data is compromised.

The guidelines give EU citizens the right to know and decide how their personal data is used, stored, protected, transferred and deleted. It gives more power to individuals generally, as they have the right to restrict further processing of their personal data and to request that any data held of them by private organisations be erased.

There are heavy penalties levelled against organisations for non-compliance with up to €20 million or 4% of their annual global revenue, whichever is greater.

Why are EU privacy guidelines important to us here?

Despite not being EU residents or citizens, most of us and the world are consumers of global products and brands such as Google, Yahoo, Twitter, Facebook and numerous other international organisations that are bound and subject to these EU laws.

We are also affected and protected because the organisations cannot misuse anyone’s personal data. This is the reason there has been a flurry of communications in the past months from various sites which collect personal data like Facebook, Twitter, Instagram, Yahoo, Google, online stores and other online platforms.

These organisations and sites routinely collect peoples’ personal information like names, birthdays, addresses, telephone numbers, email addresses etc. Almost all the major international organisations sent requests to all users globally requesting them to review the new privacy guidelines and update their privacy settings before they could proceed using their accounts.

Public personal information

Many of the fears and objections about the publication of personal data are understandable, but not substantive. It is true that the personal data contained in the voters’ roll can be shared with third parties, who can indeed use it for devious purposes if they are that way inclined, but there is no uniquely attributable link to an upsurge of identity theft crimes with the publication of personal information on the voter’s roll.

It must be noted and understood well that not all personal information is private information for example names, addresses, email addresses, phone numbers and birthdays. This information is ordinarily held and accessible in many public offices by anyone at all.

The public can inspect records at the deeds registry, births registry, marriage registry, courts, companies’ office etc. There would have to be a complete overhaul of the legal and administrative system before that can change. The reason the information is made public is to promote transparency and the rule of law.

For instance it is possible to ascertain someone’s marital status by verifying with the Marriage Registry. The importance of this cannot be overemphasised. It also enables judgment creditors to execute judgments because they are able to ascertain if a judgement debtor has assets that can be attached like immovable property or shares through inspecting records at the Deeds Registry and Companies Office.

A potential employer can avoid serious problems by knowing if a prospective employee has a criminal record or not by perusing records at court. The list of positives connected to maintaining an open and transparent system for public inspections of personal information is long.

Sensitive personal information

A distinction must be drawn between potentially harmless and harmful personal information that can be shared. There is information that is harmful to share such as banking details, purchase histories and preferences, medical records, HIV status, sexual orientation, undisclosed phone numbers, passwords etc.

There would be serious breach of privacy if for example doctors were to make patients’ records publicly available on public platforms. Some personal information is so sensitive that it cannot be shared publicly, hence the reason banks and hospitals are ultra-guarded with customer accounts and patients records respectively.

Credit stores should not share their customers’ information and lists with 3rd parties, as this constitutes serious breach of privacy because the sharing will not have been authorised. The potential threats of leaking and unauthorised sharing of sensitive personal information are what people should be more worried about than worrying about names and addresses that are already in the public domain and easily obtainable from many other platforms.

The recent much publicised Facebook/Cambridge Analytica scandal is interesting further reading for those interested in this topic.

Policy review

There are definite disadvantages to having an open and transparent system where personal data is publicly available, because identity theft is a real risk. However, there are also advantages to maintaining an open and transparent system where public personal records are inspectable and verifiable.

A delicate balance has to be struck between maintaining transparency of publicly held personal information and respecting and promoting personal privacy and confidentiality.

The more the world converges and becomes more digital and more information hungry personal information should be handled with greater care. There is need for the country and the region to review its policies and keep up with global best practices on data protection and privacy, but while maintaining transparency.
 Miriam Tose Majome is a lawyer and a teacher. She writes in her personal capacity and can be contacted on enquiries@legalpractitioners.org

Do you have a coronavirus story? You can email us on: news@alphamedia.co.zw