The role of data protection officers under Tanzania’s personal data protection framework

  • Legal Development 12 March 2025
  • Africa

  • Data Protection and Privacy

In today’s data-driven world, organisations are increasingly required to ensure the protection of personal data and comply with evolving privacy regulations. Under Tanzania’s personal data protection laws, the appointment of a Data Protection Officer (DPO) is a key requirement for ensuring that organisations meet their personal data protection obligations. The DPO plays an important role in overseeing data privacy compliance, advising on best practices, and ensuring the secure handling of personal data.

In this month’s legal update, we analyse the roles and responsibilities of DPOs under Tanzania’s data protection framework.

Key terms

The following are terms defined in the Personal Data Protection Act of 2022 (the Act) which we find relevant to this update:

“data controller” means a natural person, legal person, or public body which alone or jointly with others determines the purpose and means of processing of personal data; and where the purpose and means of processing are determined by law, “data controller” is the natural person, legal person or public body designated as such by that law and it includes his representative. 

“data processor” means a natural person, legal person, or public body which processes personal data for and on behalf of the controller and under the data controller’s instruction, except for the persons who, under the direct authority of the controller, are authorised to process the data and it includes his representative. 

“data subject” means the subject of personal data which are processed under the Act.

“personal data” means data about an identifiable person that is recorded in any form, including:

(a) personal data relating to the race, national or ethnic origin, religion, age, or marital status of the individual;
(b) personal data relating to the education, medical, criminal, or employment history;
(c) any identifying number, symbol, or other particular assigned to the individual;
(d) the address, fingerprints, or blood type of the individual;
(e) the name of the individual appearing on the personal data of another person relating to the individual or where the disclosure of the name itself would reveal personal data about the individual; and
(f) correspondence sent to a data controller by the data subject that is explicitly or implicitly of a private or confidential nature and replies to such correspondence that would reveal the contents of the original correspondence and the views or opinions of any other person about the data subject.

“processing” means analysis of personal data, whether or not by automated means, such as obtaining, recording, or holding the data or carrying out any analysis on personal data, including:

(a) organisation, adaptation, or alteration of the personal data;
(b) retrieval or use of the data; or
(c) alignment, combination, blocking, erasure, or destruction of the data.

“sensitive data” includes:

(a) genetic data, data related to children, data related to offences, financial transactions of the individual, security measure or biometric data;
(b) if they are processed for what they reveal, personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, affiliation, trade-union membership, gender and data concerning health or sex life; and 
(c) any personal data otherwise considered under the laws of the country as presenting a major risk to the rights and interests of the data subject.

General overview on DPOs

According to section 3 of the Act, a DPO is “an individual appointed by the data controller or data processor charged with ensuring compliance with the obligations provided for in the Act”. This means that organisations handling personal data must appoint a DPO to monitor personal data protection within the organisation.

Please be advised that in some jurisdictions DPOs are also referred to as Chief Privacy Officers (CPOs). While DPO is the formal term used in regulatory frameworks such as the General Data Protection Regulation (GDPR) and the Act, the term CPO is more commonly used in jurisdictions where privacy management is a business function rather than a legal mandate.

Appointment and qualifications of DPOs

DPOs are appointed for purposes of overseeing compliance with personal data protection obligations and ensuring that appropriate control measures and security safeguards are in place to protect personal data during collection and processing.

While the Act does not explicitly outline the professional qualifications, expertise, or specific competencies required for a DPO, best practice suggests that a DPO should possess a strong understanding of data protection laws, regulatory compliance, and industry-specific privacy risks. Additionally, it is advisable for a DPO to have in-depth knowledge of the organisation’s business processes and personal data flows, enabling them to effectively assess risks and implement necessary safeguards.

A DPO may be an existing employee within the organisation or an externally appointed professional, provided they have a clear understanding of the organisation’s data handling processes and the independence to perform their duties effectively.

Key responsibilities of DPOs

As mentioned above, the role of a DPO is an important element in maintaining personal data privacy within an organisation. A DPO ensures the organisation complies with data protection laws and demonstrates a commitment to protecting a data subject’s privacy.

The key responsibilities of a DPO as set out in the Act include:

1. Monitoring compliance

One of the core responsibilities of a DPO is to ensure ongoing compliance with the Act, its regulations, internal personal data protection policies, and any other relevant privacy laws or regulations. This includes not only ensuring that the organisation adheres to the legal requirements of the Act but also staying well-informed of any updates, amendments, or new regulations related to personal data protection that may have an impact on the organisation’s compliance mechanism. A DPO must ensure that the organisation’s data processing activities align with the principles of the Act, including the legality, fairness, and transparency of personal data processing, as well as the protection of a data subject’s rights.

2. Identifying and reporting personal data violations, and advising on rectification measures

A DPO serves as the primary point of contact between the organisation and the Personal Data Protection Commission (the Commission). This responsibility involves facilitating communication and cooperation between the organisation and the Commission on all matters related to personal data protection.

A DPO is also responsible for actively monitoring the organisation's personal data processing activities to identify any potential violations of the Act or its regulations. Should any violation of personal data or non-compliance be identified, the DPO must inform the data controller or data processor about the nature, scope, and potential impact of the violation. This may include breaches such as unauthorised processing of personal data, inadequate security measures, or failure to uphold a data subject’s rights.

Upon receiving such notification, the data controller or data processor must assess the reported violation and without undue delay, notify the Commission of such violation.

In addition to reporting such violations, a DPO is tasked with advising the relevant data controller or data processor on corrective actions necessary to bring the organisation into compliance with the Act. Furthermore, a DPO should also provide guidance on implementing preventive measures, such as conducting regular audits.

3. Training and awareness

A DPO is responsible for ensuring that all employees within the organisation are properly educated on personal data protection laws and are fully aware of their responsibilities in relation to the same and the organisation's personal data privacy policies. A DPO plays a critical role in promoting a personal data protection culture throughout the organisation by developing and implementing comprehensive training programs on a regular basis, either quarterly or bi-annually.

These programs are designed to ensure that employees at all levels understand the legal requirements under the Act, as well as best practices for maintaining data privacy and security, regardless of whether they handle personal data directly or indirectly.

4. Handling data subjects’ applications or complaints

A DPO is responsible for managing and addressing any applications or complaints made by a data subject in relation to the collection or processing of personal data. This includes receiving and acknowledging complaints, assessing them, investigating them, and responding to them.

5. Overseeing Data Protection Impact Assessments (DPIAs)

A DPO is responsible for ensuring that DPIAs are conducted whenever a new data processing activity is introduced that could potentially impact the privacy of individuals. DPIAs are important tools for identifying, assessing, and mitigating privacy risks associated with personal data processing, especially where the processing involves sensitive data or may result in potential breaches of a data subject’s rights.

6. Preparation and submission of quarterly compliance reports

It is the responsibility of a DPO to prepare and submit detailed quarterly reports on the organisation’s compliance with the Act to the Commission. A DPO must also provide an overview of ongoing data protection activities, such as DPIAs, employee training efforts, and any incidents or breaches that occurred during the reporting period.

7. Performing any other duties as directed by a data controller or data processor

In addition to the core responsibilities provided in the Act, a DPO may be required to undertake additional tasks as directed by a data controller or data processor in relation to personal data protection.

Conclusion

The role of a DPO is fundamental in ensuring compliance with the Act and protecting a data subject’s personal data. DPOs are responsible for overseeing personal data protection practices, advising on regulatory compliance, training, and ensuring transparency in personal data processing activities. A DPO is an important asset for organisations committed to strong data privacy governance.

If you have any further questions on the role of data protection officers, please contact Tenda Msinjili, Joseph Louis, or Hadia Mgaya.
