Strict data protection measures for Zim telcos
Strict data protection measures for Zim telcos
Telecom companies in Zimbabwe can work with foreign data and cloud hosting companies but have to ensure the protection of subscribers' personal data.
Among the country's telecommunications firms are mobile operators Econet, NetOne and Telecel Zimbabwe, as well as sole fixed phone operator, TelOne. ISPs such as ZOL, Africom, Dandemutande and Powertel also compete for market share.
Zimbabwe's new ICT Minister Jenfan Muswere recently gazetted new regulations which stipulate measures that operators must take to ensure the protection of subscriber private data, including when engaging with foreign data hosting service providers.
"The prohibition to the transfer of information relating to subscribers in terms of subsection (11) shall not be regarded as preventing service providers from making use of data storage services, including cloud services provided or hosted by foreign data storage hosts," reads a new provision in the country's telecom regulations of 2014.
The regulations impose stringent conditions for the protection of data where it becomes "necessary, or unavoidable as part of the operational access to the data storage services, to transfer information relating to subscribers" with any foreign data hosting firm.
Zimbabwean telecom companies using a foreign data hosting company must ensure that subscriber data "so transferred is encrypted in such a way that it cannot be read by the foreign" host.
Local telecom companies are also required to "retain the keys used to encrypt and de-encrypt data before it is transferred or uploaded on the cloud server in order to prevent third parties, including the cloud-service provider, from accessing" the protected and personal information.
Additionally, companies must submit a report on the steps taken to protect the data and the data hosting agreements to the Posts and Telecommunications Regulatory Authority of Zimbabwe (Potraz).
Affected subscribers also have to be given the opportunity to consent to the transfer of data to a foreign hosting company.
"The service provider is prohibited from selling, trading and sharing, the transferred data," according to new provisions gazetted under Statutory Instrument 250 of 2019.