Protect personal data breaches


SOMETHING that has become very worrying for me is the misuse of personal information since the election period and in this edition, we consider the importance of this and steps to be taken to minimise the abuse of personal information.

Just saying: Paul Kaseke

To start with, personal information is information that identifies an individual. Some of this includes one’s name, address, health status etc. It is important to flag from the outset that when identity fraud is committed, it is done by using this information to clone the identity. With the ever-digitalised world we live in, we need to be very careful how this information is used as it could have severe repercussions in the future. Most of my clients in the fraud arena are victims of the theft or misuse of personal information which is used by fraudsters to open accounts in their name

The just-ended elections proved more than ever, that Zimbabwe needs to seriously consider legislation that protects citizens from the abuse and misuse of personal information. We previously discussed the debacle with the Zimbabwe Electoral Commission (Zec) and the compromise of personal information it held. Zec is a data mine in the sense that it holds the most comprehensive details of a large section of the country’s population.

The Registrar-General’s Office holds a fraction of the information Zec has, although it arguably possesses basic information about anyone who is lawfully present in the country regardless of nationality and residency status. The information Zec holds is not just restricted to names, surnames and identity numbers, but extends to biometric information (fingerprints and pictures). I maintain that Zec does not need the extensive information it holds, as it poses a ticking security bomb that can go off anytime with drastic effects.

When the ruling party used personal information of voters to campaign for the elections, this breach should have been a cause for concern and a thorough investigation should have been conducted. I personally believe this information was from Zec as no other body possessed the specificity required to have successfully sent messages to the right people in the right places. It was no ordinary or random texting exercise. It was done with precision and the kind of precision that only Zec could have provided.

Whether this information was supplied by Zec or it was obtained illegally from it is another question for another day. The point is, personal information was used to achieve means that are not constitutionally or otherwise legally acceptable. Someone still must account for the act. The Postal and Telecommunications Authority of Zimbabwe, which regulates the communication sector and mobile telecommunications giant, Econet Wireless, denied being the source of the information and I believe their version to be correct based again, on the specificity of the information used which included constituency-based details. Regardless of who the source was, personal information was misused, and nobody has been held accountable.

Zec’s own admission to a data breach is the most worrying. Since Zec is a data mine, this admission warrants further scrutiny. Questions of importance are who breached their systems, how this was done but most importantly, what they did with that personal information.

Unfortunately, the voters’ roll was made available in the public domain in both secured and non-secured formats. A detailed copy of this roll can still be accessed online, thus exposing millions of Zimbabweans to potential identity fraud.

Several organisations decided to analyse the information on the voters’ roll which in itself may not be a problem. What I had issues with is the wanton disregard of the right to privacy of the data “analysed” by some of these entities.

By displaying duplicates of a voter for example, the personal information is (and was) exposed to the public on social media where most of this information was displayed. If someone had the time and energy, they could look up any individual on the roll, harvest their information and sell it to fraudsters who can generate that into fake accounts and facilitate identity theft. In the same vein, one can physically track and trace individuals on the roll because of the specificity of information available.

It must be noted that globally, a voters’ roll or register is highly protected because of the nature of the information contained. In most countries, no version of the roll is made public, let alone placed online. Members of the public may go and inspect the relevant part of the roll to check if the information is correct, but the roll is not a public document released into the public domain.

In Zimbabwe, the position is seemingly different as any Tom, Dick and Harry can access the roll online and use it for whatever purpose they want to use it for. I can understand access being granted to parties to check the integrity of the roll but even that should be closely regulated to prevent abuse of personal information. Millions of details are in the public domain now and once scamsters get wind of this, we should expect identity fraud on a massive scale.

Currently, there is no specific act that deals with the kind of protection that is required to protect information mentioned above. The closest we have is the infamous Access to Information and Protection of Privacy Act. The Act partially deals with the preventions of unauthorised collection, use or disclosure of personal information by public bodies and seeks to protect personal privacy.

The Act only covers conduct of public bodies in relation to the protection of information but even then, it fails to detail steps to be taken to do so. It can hardly be considered an act dealing with the protection of personal information. It largely deals with the regulation of the press and when information can be disclosed.

The Act does not cover situations where two private citizens disclose personal information for instance or when a private body does the same. The 2002 Act fails to set out steps that should be taken by bodies like Zec in protecting personal information.

The Act does define personal information however, as including marital status, ID, blood type, disabilities, names, addresses, contact details, employment history and personal correspondence. Although this is set out, there is little recourse one would have against Zec in terms of the Act.

Zimbabwe urgently requires a personal information protection act that among other things, creates the office of an information regulator and sets out penalties for the misuse of personal information by both individuals and entities.

Security protocols must be standardised to ensure that those holders of personal information exercise the highest possible level of discretion and protection of the valuable information they have. Steps that should be taken to protect information should also be set out in explicit detail.

Recently, the European Union and South Africa took bold steps in protecting personal information. South Africa has already passed the Protection of Personal Information Act (POPI) and it is set to be fully functional in the next few months. I was privileged enough to engage in the discussions where the rolling out and practical implementation of the Act were thrashed out and although it is cumbersome on entities holding personal information, it is a win for those it protects.

Interestingly, any entity that keeps personal information is required to disclose why the information is needed, what it will be used for, how long it will be kept, measures to be taken to protect it, who may have access to it and how it will be processed. This will prevent selling of personal information and stop companies from recklessly discarding of personal information like employee details and CVs.

If the same framework is adopted in Zimbabwe, an entity that loses information deemed to be personal, will have to account for it and so will entities that share personal information without consent. This will also help end the revealing of personal information by third parties on social media which has been on the rise recently.

Sharing someone’s number or ID on social media should come with penalties as is the case in the EU and in some parts of Africa. Liberty Life suffered a major data breach and the information regulator in South Africa has already taken them to task for this.

This is what ideally should happen to Zec and any other body or individuals that expose personal information unlawfully. I would be remiss if I didn’t point out that there are other pieces of legislation in Zimbabwe that deal with personal information for various sectors, but my concern is the lack of uniformity and comprehensive legislation that is both constitutional and in line with international best practices in this regard. We should move with the times and ensure that everyone’s personal information is protected and treated as sacred.

Let me close with the Constitution’s phrasing of the right to privacy in section 57: Every person has the right to privacy, which includes the right not to have:

a. their home, premises or property entered without their permission;

b. their person, home, premises or property searched;
c. their possessions seized;
d. the privacy of their communications infringed;
e. their health condition disclosed.

It is up to the current Parliament to draft legislation that will protect personal information from being abused by both individuals and entities, thus furthering the right to privacy in terms of s57. All of us should be concerned about protecting personal information , the identity saved could be yours … just saying!

Paul Kaseke is a legal advisor, commentator, policy analyst and former law lecturer with the Wits Law School & Pearson Institute of Higher Education (formerly Midrand Graduate Institute). He serves as senior managing partner and current group chair of AfriConsult Firm. He writes in his personal capacity.