Part 1 » Preliminary Provisions

1. Short title and commencement

This Act may be cited as the Data Protection Act, 2021, and shall come into operation on the date appointed by the Minister by statutory instrument.

2. Interpretation

In this Act, unless the context otherwise requires —

  • “anonymisation” means the process of removing direct and indirect personal identifiers that may lead to an individual being identified;
  • “Authority” means the Zambia Information Communications and Technology Authority established by the Information Communications and Technologies Act, 2009(1);
  • “automated” in relation to data, means electronically transmitted in whole or in part, by means of a data message in which the conduct of a data message of one or more parties are not reviewed by a natural person in the operation of the electronic system, in the ordinary course of that natural person’s business or employment;
  • “biometric data” means personal data resulting from scientific analysis relating to the physical, physiological or behavioural characteristics of a natural person, which confirm the unique identification of that natural person;
  • “child” has the meaning assigned to the word in the Constitution(2);
  • “child abuse” includes physical and emotional neglect, physical injury, other than accidental injury, ill treatment and sexual abuse of a child;
  • “child abuse data” means personal data consisting of information as to whether the child data subject is or has been the subject of, or may be at risk of, child abuse;
  • “code of conduct” means a data protection charter approved by the Authority which regulates the conduct of a data controller or data processor, in order to ensure that the data controller or data processor of personal data complies with this Act and any other applicable written law;
  • “Commission” means the Competition and Consumer Protection Commission established by the Competition and Consumer Protection Act, 2010(3);
  • “consent” means any written, freely given, specific, informed and unambiguous indication of the data subject’s wishes by which such data subject, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to that data subject;
  • “consumer” has the meaning assigned to the word in the Competition and Consumer Protection Act, 2010(3);
  • “data” means numbers, letters, alphabetic or numeric strings, symbols or codes in any form;
  • “data auditor” means a person licensed as a data auditor under section 29;
  • “data controller” means a person who, either alone or jointly with other persons, controls and is responsible for keeping and using personal data on a computer, or in structured manual files, and requests, collects, collates, processes or stores personal data from or in respect of a data subject;
  • “data processor” means a person, or a private or public body that processes personal data for and on behalf of and under the instruction of a data controller;
  • “Data Protection Commissioner” means a person appointed as Data Protection Commissioner under section 5;
  • “data retention” means a process of retention of personal data for a specified purpose for a defined period;
  • “data subject” means an individual from, or in respect of whom, personal information is processed;
  • “genetic data” means any personal information relating to the inherited or acquired genetic characteristics of an individual which result from the analysis of a biological sample from the individual in question, in particular chromosomal deoxyribonucleic acid (DNA) or ribonucleic acid (RNA) analysis, or from the analysis of another element enabling equivalent information to be obtained;
  • “health practitioner” has the meaning assigned to the word under the Health Professions Act, 2009(3);
  • “Independent Broadcasting Authority” means the Independent Broadcasting Authority established by the Independent Broadcasting Authority Act, 2002(4);
  • “information system” means a system for the generation, sending, reception, storage, display or other processing of data messages, and includes the internet;
  • “joint controllers” means two or more data controllers who jointly determine the purposes for which and the means by which personal data is processed;
  • “law enforcement officer” means —

    1. a police officer above the rank of sub-inspector;
    2. an officer of the Anti-Corruption Commission;
    3. an officer of the Drug Enforcement Commission;
    4. an officer of the Zambia Security Intelligence Service; and
    5. any other person appointed by the Minister for purposes of this Act;
  • “legally disqualified” has the meaning assigned to the words in the Mental Health Act, 2019(5);

  • “legal practitioner” has the meaning assigned to the words in the Legal Practitioners Act(6);
  • “meta data” means data that describes other data;
  • “personal data” means data which relates to an individual who can be directly or indirectly identified from that data which includes a name, an identification number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
  • “processing” means an operation or a set of operations which is or are performed on personal data, whether or not by automatic means, including the collection, recording or holding of the data or the carrying out of any operation or set of operations on data, including —

    1. organisation, adaptation or alteration of the data;
    2. retrieval, consultation or use of the data;
    3. alignment, combination, blocking, erasure or destruction of the data; or
    4. disclosure of the information or data by transmission, dissemination or otherwise making available;
  • “profiling” means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, including analysis or prediction of the data subject’s aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;

  • “pseudonymisation” means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, where that additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data is not attributed to an identified or identifiable natural person;
  • “public body” has the meaning assigned to the words in the Public Finance Management Act, 2018(7);
  • “recipient” means a person to whom data is disclosed, including an employee or agent of a data controller, a data processor or an employee or agent of a data processor in the course of processing the data for the data controller, but does not include a person to whom disclosure is or may be made as a result of, or with a view to, a particular inquiry by or on behalf of that person made in the exercise of any power conferred by law;
  • “Register” means the Register kept and maintained under section 80;
  • “sensitive personal data” means personal data which by its nature may be used to suppress the data subject’s fundamental rights and freedoms and includes

    1. the race, marital status, ethnic origin or sex of a data subject;
    2. genetic data and biometric data;
    3. child abuse data;
    4. a data subject’s political opinions;
    5. a data subject’s religious beliefs or other beliefs of a similar nature;
    6. whether a data subject is a member of a trade union; or
    7. a data subject’s physical or mental health, or physical or mental condition;
  • “third party” means a person other than —

    1. a data subject;
    2. a data controller, or
    3. a data processor or other person authorised to process data on behalf of data controller or data processor.
  • “vulnerable person” means a person aged 18 or above and whose ability to make informed decisions about their rights and well being is temporally or permanently impaired through physical or medically certified hindrance or impairment; and

  1. Act No. 15 of 2009
  2. Cap. 1
  3. Act No. 24 of 2010
  4. Act No. 17 of 2002
  5. Act No. 6 of 2019
  6. Cap. 30
  7. Act No. 1 of 2018

3. Application

  1. This Act applies to the processing of personal data performed wholly or partly by automated means and to any processing otherwise than by electronic means.
  2. This Act does not apply to the processing of personal data by an individual for personal use.