Module 1: Introduction to Data Privacy in Zimbabwe
Objectives:
- Learn what personal data and privacy mean in the digital age.
- Understand Zimbabwe’s Cyber and Data Protection Act (2021) and its purpose (to protect privacy and build trust in ICT use).
- Know that the Postal and Telecommunications Regulatory Authority (POTRAZ) is designated as the national Data Protection Authority.
Lessons:
- What is the Data Protection Act? Zimbabwe’s 2021 Act is the country’s first comprehensive data privacy law. It’s modelled on global standards (like the EU GDPR) and aims to safeguard personal information. The law applies to any electronic processing of data in Zimbabwe.
- Data Protection Authority: POTRAZ now oversees data privacy. All data controllers must comply with POTRAZ regulations. For example, by March 2025, entities handling personal data on 50+ people must register as data controllers with POTRAZ.
- Key Terms: Personal data includes any information that can identify you (name, phone, location, etc.). Data controllers (like app developers or companies) collect and process your data; data subjects (you) have legal rights over it.
Real-World Example:
- According to February 2025 news reports, a cybersecurity firm revealed a data breach affecting 850,000+ customers at Econet Wireless Zimbabwe, which leaked names, emails, addresses and phone numbers. This highlights why strong data laws and enforcement (by POTRAZ) are needed.
Practical Activity:
- Data Inventory: List three types of personal data your favorite apps collect (e.g. contacts, location). Discuss why the app might need each type. Consider: Is this “explicit, specified and legitimate” use of your data?
Module 2: Your Rights and Responsibilities
Objectives:
- Know your rights as a “data subject” under the Act.
- Understand your responsibilities as a mobile user (ethical sharing and respect for others’ data).
- Learn how to exercise your rights (information, access, correction, deletion).
Lessons:
- Rights of Data Subjects: By law, you have the right to: be informed how your personal information will be used; access any personal data held about you; object to processing of your data; and correct or delete any false/misleading information about you. For example, an app must tell you why it collects your email or location, and you can request to see or remove that data.
- Responsibility and Respect: You also have responsibilities. You should only share your own personal data or someone else’s data when it is ethical and legal to do so. POTRAZ guidelines stress: “You have rights and … other people should respect them. You should never accept harassment or bullying… online as well as in real life.” In practice, this means not sharing someone else’s private photos or personal details without permission, and reporting abuse when you see it.
- Fair Use and Honesty: Act with integrity online. Always verify information before reposting. As POTRAZ advises, “Always double check the information from other reliable sources” before sharing something that looks too good (or bad) to be true. This helps curb misinformation.
Real-World Example:
- On social media, many Zimbabweans learn to spot “fake news” ahead of elections. Training sessions (e.g. by fact-check groups) stress critical thinking: “People must be trained to tell the difference between fake news, misinformation, disinformation, and real news.” Citizens who verify sources avoid spreading harmful rumors.
Practical Activity:
- Check an App Permission: Open a social or utility app on your phone. Identify one permission it asks for (e.g. camera, contacts). Discuss: Why might the app need this? Is it necessary for its function? Consider unchecking or disabling any unnecessary permission.
Module 3: Consent & Data Sharing
Objectives:
- Understand how apps must obtain your consent to use your data.
- Learn about controlling data sharing (through privacy settings and personal choices).
- Recognize the difference between personal and sensitive data in law.
Lessons:
- Consent Rules: Under the Act, personal data may only be processed if you consent to it. (Consent can be implied for ordinary data, but you must explicitly agree to give information.) For sensitive data (like health, biometric, or political opinions), you must give written consent before it is processed. This means app developers should not secretly use your health or political views without your clear permission.
- Limiting Data Collection: Apps should only collect data that is “adequate, relevant and not excessive” for their purpose. You have a right to know why data is collected and to refuse non-essential data. Always check the app’s privacy policy or settings.
- Use Privacy Settings: Protect your data by using in-app privacy tools. POTRAZ advises: “If you join a social networking site use the privacy settings to protect your online profile so that only your friends can see it.” For example, set your social media accounts to private, and only accept friend requests from people you know.
- Think Before You Share: Never post personal information (like ID numbers or passwords) publicly. As a rule, “Think twice before you publish or share anything online”. Once something is on the Internet, you can’t fully take it back. Before sharing a photo or message, ask yourself: “Could this harm me or someone else?” or “Am I violating someone’s privacy?”
Real-World Example:
- Many Zimbabwean children have been taught online safety with the SMART rules (Safe, Meeting rules, Accepting, Reliable, Tell). These include using nicknames and adjusting settings so strangers can’t see private profiles. The same caution applies to all users: for instance, using WhatsApp’s privacy controls to hide your last-seen and profile picture from strangers.
Practical Activity:
- Privacy Settings Drill: Pick one social app (e.g. Facebook or WhatsApp). Go to its privacy settings and restrict who can see your posts or profile. Also review one app’s permissions: disable an unnecessary permission (e.g. location for a game that doesn’t need it).
Module 4: Security and Avoiding Misinformation
Objectives:
- Learn basic security practices (strong passwords, updates, two-factor authentication) for mobile safety.
- Understand how to identify and avoid misinformation on apps.
- Appreciate the societal impact of fake news and rumors.
Figure: Community training workshop on identifying misinformation (Bulawayo, 2022). Media literacy training helps Zimbabweans spot fake news before it spreads.
Lessons:
- Device Security: Keep your phone and apps up to date. Use strong passwords or biometrics, and enable two-factor authentication when possible. Only download apps from official stores. These practices prevent unauthorized access to your data.
- Data Breach Awareness: If you suspect your personal data was exposed (e.g. in a corporate breach like the Econet case), contact your mobile provider and watch for scams. POTRAZ requires organizations to notify breaches, but you should also monitor your accounts (bank, social media) for unusual activity.
- Spotting Misinformation: Be cautious with sensational news or messages. Verify facts through reliable sources (local news, official health or government pages, or Zimbabwe-based fact-checkers). The Zimbabwe media training emphasizes: “always double check the information from other reliable sources”. Don’t forward unverified posts to family or groups.
- Respectful Online Behavior: If you see hate speech or threatening content in an app, report or block the user. The same rules of respect apply online: POTRAZ notes that laws against harassment and bullying apply in cyberspace too. Don’t engage with trolls and don’t share hateful or violent content.
Real-World Example:
- Zimbabwe’s 2023 elections saw a flood of rumors on WhatsApp and Facebook. Community groups and fact-checkers (like ZimFact) worked to debunk viral falsehoods. For instance, viral claims of polling station fraud were checked against official data. Learning to wait for official updates helps voters avoid panic from fake alerts.
Practical Activity:
- Fact-Checking Drill: Find a trending social media post or forwarded message (on WhatsApp or Facebook) about a current event. Take 5 minutes to check if it’s verified by any reputable source (news site, official statement). Decide: true or false, and explain how you checked it.
- Security Checkup: Enable 2FA on one app (e.g. your email or WhatsApp). Write down why this adds security (it means someone needs your phone plus your password to log in).
Figure: Zimbabwean youth participating in a media and information literacy workshop. Programs like these teach users to critically evaluate online content and protect personal data when using apps.
Module 5: Developer Obligations & Reporting Misuse
Objectives:
- Understand the obligations of app developers and service providers under the law.
- Learn how to report data breaches or abuse to authorities.
- Know where to seek help if privacy is violated.
Lessons:
- Data Controller Duties: App developers and companies must follow strict rules. They must process your data lawfully, only for the purposes stated, and keep it secure. For example, they must employ “appropriate technical and organizational measures” (like encryption and firewalls) to protect data. They also cannot hold data longer than needed.
- Licensing and Compliance: Large data handlers must register with POTRAZ. Under the Regulations, any organization (local or foreign) that processes personal data in Zimbabwe needs a Data Controller’s licence by March 12, 2025. They must also appoint a qualified Data Protection Officer (DPO) to oversee compliance. This means developers building apps in Zimbabwe have new legal responsibilities.
- Breach Notification: If a company suffers a data breach, it must notify POTRAZ within 24 hours. The company should also inform affected users “without undue delay” if there is a high risk to their rights.
- Reporting Violations: As an individual, you can report misuse of your data. POTRAZ is empowered to receive complaints about data processing. You can file a complaint on POTRAZ’s website or write to them about any suspected violation of the Act. The Authority will investigate and can impose fines or sanctions on offenders. In emergencies (like fraud or threats), you can also contact the Cybercrime unit or police.
Real-World Example:
- Suppose a fake app is stealing passwords from users. Victims in Zimbabwe can report this to POTRAZ or Cybercrime authorities. Under the Act, POTRAZ “shall investigate any complaint received” about improper data use. (In practice, victims might also be advised to report financial fraud to banks or the police if money is involved.)
Practical Activity:
- Complaint Simulation: Write a brief email (2–3 sentences) as if you were reporting a data breach. Include: your name, what happened (e.g. “I received a suspicious SMS from my bank after clicking a link in an app”), and request help. Note that you could send this to POTRAZ or Cybercrime authorities.
- Developer’s Checklist: If you were building a simple app, list three things you must do to be legal: (1) clearly explain why you collect data (e.g. “for login”), (2) secure the data (password protect it), and (3) get user consent (show a checkbox) for any personal data.
Course Wrap-Up: By the end of this course, learners will understand their legal rights under Zimbabwe’s Data Protection Act, how to use mobile apps ethically, and where to turn if something goes wrong. Adhering to these guidelines helps create a safer, more trusted digital environment for everyone in Zimbabwe.
Sources: Content is based on Zimbabwe’s Cyber and Data Protection Act (2021) and official guidelines, including POTRAZ materials, Zimbabwean news cases, and expert analyses. These sources ensure the course reflects current national law and best practices.