About The Data Protection Act In Zambia


As technological advancements continue to integrate into our daily lives, concerns arise regarding the amount of information and control we should provide to the technologies we use. The question of how much is too much arises. Who should oversee and control the storage and management of data collected from individuals? Does privacy disappear as we relinquish control to “unknown” sources? How does this affect the safety of the internet and our surroundings?

In response to these concerns, governments around the world, including Zambia, have enacted laws and regulations to guide, control, and protect data, particularly sensitive data collected from users.

In Zambia, various pieces of legislation have been enacted to provide a safe, secure, and effective environment for electronic communications. These include the Electronic Communications and Transactions Act No. 4 of 2021 (the ECT Act), the Data Protection Act No. 3 of 2021 (the Data Protection Act), the Cyber Security and Cyber Crimes Act No. 2 of 2021 (the CSCC Act), and the Information and Communications Technologies Act No. 15 of 2009 (the ICT Act). These laws regulate issues related to data privacy and data protection.

This article examines the Data Protection Act, its purpose, and its implications for ordinary citizens like you and me.

What is the Data Protection Act?

The Data Protection Act was initially introduced as a Bill in the Zambian Parliament a few years ago and was approved in 2018. However, the Bill was not enacted immediately, and its passing was delayed until 2020 when it was reintroduced as the Data Protection Bill 2020. After undergoing the 3-stage legislative process, the Data Protection Bill was accepted and approved by the President on 23 March 2021. A few weeks later, on 1 April 2021, the Data Protection Act was published in the Government Gazette, thereby coming into effect. The Act also established the Office of the Data Protection Commissioner.

Key Objectives of the Data Protection Act

The Data Protection Act aims to provide an effective system for the use and protection of personal data by regulating the collection, use, transmission, storage, and processing of such data. It establishes the Office of the Data Protection Commissioner, which is responsible for overseeing data processing, registration of data controllers, and licensing of data auditors. The Act also outlines the rights of data subjects (individuals who provide their personal information to institutions such as banks and hospitals) while specifying the duties of data controllers and data processors.

Furthermore, the Data Protection Act protects personal information obtained through electronic transactions. It requires data controllers to obtain written permission from data subjects before collecting, processing, or disclosing their information. Data controllers are obligated to explain the purpose of collecting personal information and are prohibited from using the collected information for any other purpose without consent.

The Act also restricts the disclosure of personal information to third parties unless required or permitted by law or authorized in writing by the data subject. In such cases, the data controller must maintain a record of the third party to whom the personal information was disclosed, along with the reasons and timing of the disclosure.

In addition to outlining the duties of data controllers, data auditors, and the rights of data subjects, the Data Protection Act establishes the role of data inspectors. These inspectors ensure organizational compliance with the law. The Act also mandates that any person or organization wishing to collect, process, store, or audit personal data must apply for a license from the Data Protection Commissioner, subject to a prescribed fee.

Breaching the regulations stated in the Data Protection Act can result in penalties. Corporate bodies may face fines not exceeding 100 million penalty units or 2% of the preceding financial year’s annual turnover, whichever is higher. Natural persons, upon conviction, may face fines not exceeding 1 million penalty units, imprisonment for a term not exceeding five years, or both.

The Data Protection Act provides exemptions for data controllers and data auditors in certain cases, such as when personal data processing is necessary for national security, defence, public order, legal proceedings, research, archiving, statistical purposes, or journalistic purposes.

What Does This Mean for a Common Citizen?

For ordinary citizens, it is crucial to understand and be aware of their rights regarding personal information. They should know whom they can trust with their personal information and the consequences of rights infringement. This knowledge helps individuals stay safe online and be cautious when providing personal information to unknown or unverified sources.

Understanding the Data Protection Act also helps prevent scams in which individuals unknowingly disclose their PINs or personal information to fraudulent entities making false claims of inquiries, prizes, or job opportunities.

Public campaigns are necessary to raise awareness and educate people about these important regulations, empowering them against fraudsters and scammers.


In today’s technologically advancing world, individual users must prioritize their own safety. Trust should not be given easily to sources requesting personal information unless they are proven legitimate. Because social engineering is the easiest method of obtaining personal information, caution is necessary in all interactions involving personal data. Asking the necessary questions and being vigilant can help protect personal information from falling into the wrong hands.



Find the published Data Protection Act No. 3 of 2021 here: https://www.parliament.gov.zm/sites/default/files/documents/acts/Act%20No.%203%20The%20Data%20Protection%20Act%202021_0.pdf

The Electronic Communications and Transactions Act No. 4 of 2021: https://www.dataguidance.com/sites/default/files/act_no._4_of_2021_the_electronic_communications_and_transactions_0.pdf

The Cyber Security and Cyber Crimes Act No. 2 of 2021: https://www.dataguidance.com/sites/default/files/si_52_of_2021.pdf

The Information and Communication Technologies Act No. 15 of 2009 https://www.parliament.gov.zm/sites/default/files/documents/acts/Information%20and%20Communication%20Technologies%20Act,%202009.pdf

Zambia – Data Protection Overview https://www.dataguidance.com/notes/zambia-data-protection-overview