Understanding Data Protection Principles Under Tanzania’s PDPA - A Data Protection Officer Guide

Understanding Data Protection Principles Under Tanzania’s PDPA?

Every data protection law relies on a set of guiding principles, and the Tanzania Personal Data Protection Act (PDPA) is no different. These principles represent the core rules for how personal data should be collected, processed, and safeguarded. Their goal is simple yet vital: to ensure personal data is handled ethically, securely, and with respect for the rights of the data subjects—the individuals whose data is being processed.?

In the context of the PDPA, these principles are not abstract ideas. They serve as a practical framework for controllers and processors to follow, ensuring compliance and ethical handling of personal data. To begin, let’s define some key terms which you will come across a lot in this article: A?controller?is the individual or entity that determines the purpose and means of collecting and processing personal data, a processor is the individual or entity that?acts on behalf of the controller/on instructions issued by the controller, and the data subject is the individual whose personal data is being processed. Understanding these roles is essential before delving into the principles themselves.?

?The Importance of Data Protection Principles?

Why do these principles matter? Principles provide the foundation for all data processing activities, ensuring that personal data is handled responsibly. For controllers and processors, these principles are more than compliance checkboxes—they help build trust with individuals by demonstrating respect for their privacy.?

By adhering to these principles, organizations ensure they have a clear legal basis for processing, which reduces the risk of misuse and ambiguity. Furthermore, the PDPA’s alignment with international standards like the GDPR means that Tanzanian data protection practices are consistent with global best practices. These principles lay the groundwork for a robust framework that protects data subjects while fostering ethical and responsible data management.?

Principles of Personal Data Protection?

The PDPA defines eight key principles of personal data protection, outlined in Section 5 of the Act and Part V of the Personal Data Protection (Personal Data Collection and Processing) Regulations. These principles guide how controllers and processors collect, process, and store personal data ethically. Let’s explore each principle, their requirements, and how Data Protection Officers (DPOs) can ensure compliance.?

?Lawfulness, Fairness, and Transparency?

The first principle mandates that personal data must be collected and processed lawfully, fairly, and transparently. Lawfulness means that every act of data processing must have a valid legal basis, such as consent, a contractual obligation, or a legal requirement. Notably, in the context of the PDPA, “unlawful” extends beyond criminal acts to include any unauthorized or hidden processing that is being done without the knowledge and consent of the data subject.?Fairness ensures that no harm or disadvantage befalls the data subject, such as discriminatory profiling. Meanwhile, transparency obligates controllers to inform data subjects clearly about how their data will be used, who it will be shared with, and for what purpose.?

Recommendations for DPOs:?

• Publish a privacy notice at every point of data collection, both digitally (e.g., on a website) and manually (e.g., at a reception desk).?
• Implement a consent management framework, if possible using automated tools to collect and manage consents efficiently.?
• Conduct legitimate interest assessments when processing data under this legal basis, documenting findings using standardized templates to establish audit trail (See s. 22, 25, 30 & 32 pdpa?to learn more on legal basis).??

Purpose Limitation?

This principle ensures that personal data is only collected for specified, legitimate purposes and is not processed for unrelated activities without additional consent. For example, a bank collecting customer data for account management cannot repurpose this data for marketing without informing and obtaining explicit consent from the customer.?The principle emphasizes accountability: controllers must articulate the purpose of data collection upfront and ensure employees adhere to these defined purposes.?

Recommendations for DPOs:?

• Clearly define all purposes of data collection in the privacy notice.?
• Develop policies restricting employee access and use of personal data to the purposes for which it was collected.?
• Establish robust retention practices to delete data once the lawful purpose is fulfilled or the retention period expires.??

Adequate/Data Minimization?

The principle of data minimization requires controllers and processors to collect only the personal data that is necessary for the intended purpose. Bulk data collection without justification is prohibited. Instead, organizations must focus on limiting data collection to only what is relevant and pseudonymizing or anonymizing data where possible.?For instance, a job application form should not request personal details unrelated to the hiring process, such as an applicant’s medical history, unless legally required.?

Recommendations for DPOs:?

• Design/purchase systems with Privacy by Design and Default, ensuring unnecessary data cannot be collected.?
• Implement strict access controls to limit data access to employees who need it for their roles.?
• Use technical measures like pseudonymization to reduce risks when data is no longer needed for direct identification.?

?Data Accuracy?

Accuracy is critical to ensuring fair and ethical decision-making. Data must be complete, consistent, and up-to-date. For instance, outdated or incorrect records in a database could lead to unfair outcomes, such as a customer being denied services.?Controllers are responsible for verifying data accuracy at various stages and providing mechanisms for data subjects to correct inaccuracies.?

Recommendations for DPOs:?

• Regularly verify the accuracy of personal data with data subjects during processing.?
• Provide self-service portals for data subjects to update or correct inaccuracies.?
• Use policies and reliable data sources to ensure accuracy and consistency across all systems.?

Storage Limitation?

The principle of storage limitation prohibits retaining personal data longer than necessary for the specified purpose. Controllers and processors must establish retention schedules, ensuring data is deleted or anonymized after the purpose has been fulfilled. For example, payroll records may need to be retained for a fixed period under labor laws but must be disposed of securely once the retention period ends.?

Recommendations for DPOs:?

• Implement automated system flags to remind users when data is nearing its retention limit.?
• Collaborate with HR, IT, and Legal teams to establish retention policies for different types of data.?
• Conduct routine audits to ensure expired data is deleted or anonymized promptly.?
• Have a comprehensive data destruction policy (a guideline of how data should be disposed off).?

Respect for the Rights of the Data Subject?

Respecting data subject rights means giving individuals control over their personal data. This includes the right to access, correct, or withdraw consent for processing. Controllers must ensure that these rights are upheld and that no discrimination occurs based on the exercise of these rights.?

Recommendations for DPOs:?

• Establish procedures for handling Data Subject Requests (DSRs) efficiently and ensure timely responses.?
• Provide a consent management system that allows data subjects to easily give or withdraw consent.?
• Train employees on the ethical handling of personal data and the importance of respecting data subject rights.?

Appropriate Security?

To protect personal data, controllers and processors must implement robust technical and organizational measures. Security should be tailored to the type of data being handled, with sensitive data requiring stricter safeguards.?

Recommendations for DPOs:?

• Collaborate with security teams to identify vulnerabilities and ensure only authorized personnel have access to personal data.?
• Use encryption, pseudonymization, or anonymization techniques to secure sensitive data.?
• Maintain backups, logs, and audit trails to monitor processing activities and mitigate risks.?

Lawful transfer - Cross-Border Data Transfers:?

This principle mandated that all transfers of personal data outside Tanzania?must align with the principle of adequate protection in the recipient country.?The transfer should ensure the DS’s rights are not adversely affected and the data exporter must ensure that data collection and processing?has a lawful basis, such as,?Consent from the data subject, the transfer is based on legal obligations,?Public interest or national security or?Contractual necessity.?

Recommendations for DPOs:?

1. Conduct transfer impact assessment before commencing with the data transfer?
2. Apply to the commission for permission (using the prescribed form) to transfer data outside Tanzania?
3. Implement technical and organizational measure to protect the data at all stages of the processing.??

Accountability?(Not specifically mentioned in the Act)

The principle of accountability ties all others together. Controllers and processors must demonstrate compliance by implementing systems, policies, and mechanisms that support data protection.?

Recommendations for DPOs:?

• Create and maintain Records of Processing Activities (RoPA), even if not mandated by the PDPA.?
• Establish internal compliance mechanisms, such as audits, privacy policies, and incident response plans.?
• Appoint a Data Protection Officer (DPO) as required under Section 27(3) of the PDPA to oversee compliance efforts.?

?Conclusion?

The PDPA’s data protection principles are more than legal obligations. They represent a commitment to ethical and responsible data handling. By adhering to these principles and implementing practical steps, controllers and processors can protect data subjects’ rights, build trust, and achieve compliance with the law. Through careful planning, robust policies, and collaboration across teams, organizations can create a secure and transparent data protection framework.?

????????????????????

?????? ?????????????????????? ???????????????? ???? ???????? ?????????????? ???? ?????? ?????????????? ?????????????????????????? ???????????????? ???????? ?????? ???????? ?????? ???????????????????? ?????????? ???? ???????????????????????? ????????????. ?????????? ?? ???????????? ???? ???????????? ?????? ???????????????? ?????? ?????????????????? ???? ?????? ??????????????, ???? ???? ?????? ?? ???????????????????? ?????? ???????????????? ???????????? ???????????????? ???? ???????? ????????????????????????’?? ???????????? ?????????????????????????? ???? ???????????????????? ??????????.

?????? ???????????????? ???????????????????????? ???????????????? ???? ???????????????????????? ???????????? ???? ???????? ???????????????????? ???????????????????? ?????????? ?????? ???????????????? ???????????????? ???????? ???????????????????? ?????? (????????) ?????? ?????????????? ?????????????????????? ?????? ?????? ???? ????????, ?? ?????????? ???????????????????????? ?????????????????????? ???? ?? ???????????????? ??????????. ???????????? ???????? ???????? ???? ?????????? ?????? ???? ?????? ?????????????? ?????????????????????? ????????????????????.