Magalla Jr.

©2013

The C.I.A. Conceptual and Data Protection in Tanzania

What Do You Understand About It?

Prepared by Asherry Magalla1

Digitally signed by
RACHEL

RAC DN: cn=RACHEL

Reason: I am the
Master of this
document

HEL Location:
Iringa-Tanzania
Date: 09/21/13
08:14:18

1
LL.B Degree Holder at the University of Iringa (Formerly known as Tumaini University Iringa University College)
2009-2012, currently a Masters Candidate in Information, Communication and Technology Law at Iringa
University2012-2013, Author and a trainee in lecturing at Iringa University.

i
 The C.I.A. Conceptual and Data Protection in Tanzania

1.1 Introduction

When you pronounce the name CIA most of the people will definitely referred it to e Central

Intelligence Agency that will be their first priority because of its prominent use. But the name

CIA can mean anything because it is just an abbreviation like any other abbreviation. For

example I can say BBC stands for Black Breweries Corporation, and nobody can refute that

because that is what I understand instead of British Broadcasting Corporation.

In our daily life, economic activities, and national security highly depend on stability, safely, and

resilient cyberspace. A network brings communications and transports, power to our homes, run

our economy, and provide government with various services.2

However it is through the same cyber networks which intrude and attack our privacy, economy,

social life in a way which is harmful. Some scholars have interestingly argued that, “in the

Internet nobody knows you are a dog”.3 This raises some legal issues and concerns.4

This paper presents important issues of Confidentiality, Integrity and Availability of Data

Protection in Tanzania. The paper try to familiarize the reader with a careful understanding of the

three concepts and data, data protection, briefly origin of cyber security, data protection

2
United Nations 199, see also social learning theory and moral disengagement analysis of criminal computer
behaviour: an exploratory study by Marcus, K. R. 2001.
3
Christopher Reed (2000). Internet Law; Text and Materials, at Pp.119.
4
Adam J. Mambi (2010). ICT LAW BOOK, a Source Book for Information and Communication Technologies and
Cyber Law in Tanzania and East Africa Community.Pp. 96.
2
principles and the situation of the concepts in Tanzanian laws, and lastly the paper show how

other legislations have been dealing with the problem.

1.2 Confidentiality, Integrity and Availability

A good example of an international instrument which tried to categorize the above concepts as

types of cyber crime is the Council of Europe Convention on Cyber Crime,5 European Treaty

Series. 6The Convention on Cyber Crime distinguishes between four different types of

offences7one among being an offences against the confidentiality, integrity and availability of

computer data and systems, such as illegal access, illegal interception, data interference, system

interference, and misuse of devoice8. However, this does not give the clear picture of what the

three concepts means.

Joseph Kizza defines computer security in terms of three elements;9

1.2.1 Confidentiality.
5
No. 185, Budapest, and 23.XI. 2001.
6
Sofaer, Toward an International Convention on Cyber in Seymour/Goodman, The Transnational Dimension of
Cyber Crime and Terror, page 225, available at: http://media.hoover.org/document/0817999825_221.pdf-Extracted
on 31st February 2013.
7
The same typology is used by the ITU Global Cyber Security Agenda/High-Level Experts Group, Global Strategic
Report, 2008, at http://www.itu.int/osg/csd/cybersecurity/gca/global_strategic_report/index.html-Retrieved on 4th
march 2013.
8
See Article 2,3,4,5 and 6 of the Council of Europe Convention on Cyber Crime, European Treaty Series - No. 185,
Budapest, and 23.XI. 2001.
9
Herman T. Tavani (2007). Ethics and Technology, Ethical Issues in an Age of Information and Communication
Technology, 2nd Edition, John Wiley & Sons, Inc, , United States of America. Pp.169.
3
Confidentiality10 means a communication made within a certain protected relationship such as

Husband and Wife, Attorney and Client, Priest and Penitent and legally protected from being

forced to disclose.11

I believe when something is confidential means that thing is kept within a certain boundaries that

limits any other persons other than those with such a thing are keen to know. In privacy there are

three levels of maintaining information away from others.

The first is confidential which the right to be left alone is but in some circumstances such

confidentiality is disclosed for example for the purpose of criminal records or aiding the court of

law to find the right verdict. Most of confidential matters relate to personal information like

medical reports.

The second is secrecy which is also the right to be left alone in which every society have its own

secrecies that no any other society is allowed to know. It has to be understood that it is not secret

society like many of us think, for example most of us we do believe that ‘Freemason’ is a secret

society, but it is a society with secrets in which any of the organizations or institutions have their

own secrecies. Secrecies can be released when it comes to the matter of public interest.

And lastly is Top secrets, these cannot be released at any cost. Most of this information is

government information which is kept secrecy for the public interest in which the released of it

may cause breach of peace in a certain nation. This information is regarded as sensitive and that

10
Confidentiality refers to limiting information access and disclosure to authorized users "the right people" and
preventing access by or disclosure to unauthorized ones "the wrong people."
11
Bryan A.G (1999), Black’s Law Dictionary, 8th Edition, West Group Publishing Company. Pp. 273.
4
may raise a sense of inhuman when disclosed, therefore it is for the best of the public interest not

to release them.

For example, what if an ordinary person discovered that a government conducts a biochemical

military research by using human being bodies who are still alive or using a certain medicine or

vaccine to human being in a certain area which have long term effects to human being. This is

why they call them top secrets even though keeping them as secrecies may later on affect

negatively the society but keeping safe the society currently.

Therefore, the big difference between these three levels of privacy is the accessibility of the

information, that some can be accessible for public use and some cannot be accessible for public

interest.

1.2.2 Integrity.

Integrity means the act of being consistent. This term means to be honest and of a good moral

character.12 Being of good character and honest automatically implies the act of being consistent.

When a computer file is not changed or deleted and is stored the same way since starting.13

As I understand, being consistent means being accurate with what a person is doing. Then the

term integrity means the act of being accurate of whatever a person conducts. When one is

accurate is honest, and when honest means for whatever that person is doing must be in good

12
That data have not been changed inappropriately, whether by accident or deliberately malign activity. It also
includes "origin" or "source integrity" that is, that the data actually came from the person or entity you think it did,
rather than an imposter.
13
Black's Law Dictionary Free Online Legal Dictionary 2nd Ed available at
Law Dictionary: What is FILE INTEGRITY? Definition of FILE INTEGRITY (Black's Law Dictionary)
http://thelawdictionary.org/file-integrity/#ixzz2asjJJgsl- extracted on 12nd August 2013.
5
faith. If there is presence of good faith, then such activity is protected. In data protection accurate

means the information taken must be accurate with the purpose of taking it.

1.2.3 Availability.

Availability means the presence of something. Relating to data protection means the presence of

data protection in other way security. It may also mean an information system that is not

available when you need it is almost as bad as none at all. It may be much worse, depending on

how reliant the organization has become on a functioning computer and communications

infrastructure.14

To my understanding, data protection is the careful observation and examination of the above

three concepts.15 These are sometimes referred as CIA Triad which provides protection for data

in transit16 and data at rest.17

1.3 The origin of Cyber security

In the old days people used to hide their faces, draw their guns and rob the local bank or stage-

coach. Currently the ways which crimes are conducted become more technological creative. For

instance, we have gone from in-person robberies to nameless and faceless crimes involving

14
http://it.med.miami.edu/x904.xml-retrieved on 13rd June 2013.
15
Confidentiality, Integrity and availability.
16
This refers to data that is moving within the network. Sensitive data, for example, that is sent through network
layers or through the Internet. A hacker can gain access to this sensitive data by eavesdropping. When this happens,
the confidentiality of the data is compromised. Encrypting data-in-transit avoids such compromises.
17
It is possible for a hacker to hack the data that is stored in the database. Encrypting data-at-rest prevents such data
leakages. See Lamar Stonecypher, Concepts of Database Security at http://www.brighthub.com/computing/smb-
security/articles/61402.aspx.
6
computers. A crime such as spamming, passing on computer viruses, harassment, cyber stalking,

and others have become common in our modern world.18

While these issues do not carry potential monetary loss, they are just as harmful in the possibility

of losing files, information and access to your computer. This is why Cyber Security is needed.19

Cyber security means protecting information, equipment, devices, computer, computer resources,

communication device and information stored therein from unauthorized access, use, disclosure

disruption, modification or destruction.20

1.4 Data Protection Principles.

Before processing any data there some principles to be observed. Even children who are old

enough to understand what is being asked of them should be given the opportunity to give their

own consent with regard to Data Protection issues.21

Data protection is the use of techniques such as file locking and record locking, database

shadowing, and disk mirroring, to ensure the availability, confidentiality and integrity of the

data.22

18
http://dealnews.com/pages/articles/guide-computer-crime-prevention-retrieved on 23rd June 2013.
19
Ibid.
20
Section 2 (1) nb of the India Information Technology Act of 2000.
21
See Gillick v. West Norfolk and Wisbech Health Authority HOUSE OF LORDS [1986] 1 AC 112, [1985] 3 All
ER 402, [1985] 3 WLR 830, [1986] 1. This established that in general terms, once a child becomes 12 years of age
that he or she is likely to be able to understand the implications of what is being asked. This is commonly referred to
as the "Gillick Principle".
22
Read more: http://www.businessdictionary.com/definition/data-protection.html#ixzz2fPvqw77I-retrieved on 20th
September 2013.
7
Data in computing means information that has been translated into a structure that is more

suitable to shift or progress. Relative to today's computers and communication media, data is

information transformed into double digital form.23

Generally and in science, data is a gathered body of facts. Some authorities and publishers,

cognizant of the word's Latin origin and as the plural form of "datum," use plural verb forms

with "data". Others take the view that since "datum" is rarely used, it is more natural to treat

"data" as a singular form.24

To my opinion one cannot define data unless they are protected. Because it is from its protection

where it emerge. In the light to the human being, this means one cannot called a person as human

being unless is protected as human being and not like any other creature.

That is to say data (in a singular and plural form) is the collections of various protected

information presenting a certain particulars or details of both living organisms or non-living

organisms in a way that is more convenience and well understood by any person through which

particulars or details are presented.

Data protection has general principles. These General Principles ought to define expectations and

responsibilities for data subjects and regulators.25 For instance;

1. Legitimacy which defining when personal data processing is acceptable (accessibility).

2. Purpose provides restriction ensuring that personal data is only processed for the

purposes for which it was collected, barring further consent from the data subject. A

23
http://searchdatamanagement.techtarget.com/definition/data, Margaret Rouse (2005)-retrieved on 21st June 2013.
24
Ibid.
25
Neil Robinson et al (2009), Review of the European Data Protection Directive, RAND Corporation. Pp.50.
8
 person require to be clear in relation to the purposes for which personal data are held in

order to ensure that the data are processed in a way that is companionable with the

original purpose. For example a doctor discloses his patient list to his uncle’s who owned

a tourist company, which offers special holiday deals to patients needing healing.

Disclosing the information for this purpose would be irreconcilable with the purposes for

which it was obtained.

3. Security and confidentiality specifically by requiring the data controller to take

appropriate technical and organizational measures. It means the suitable security to avoid

personal data being unintentionally or consciously compromised. It is of necessity to

propose and categorize the protection to a healthy environment of the personal data held,

and the destruction that may effect from a security contravene. It is worthwhile to be

comprehensible to guarantee information security on the right physical and technical

security of a respectful personnel prepared to act in response to any contravene of

security quickly and successfully.

4. Adequate, relevant and not excessive. Data taken must not exceed the purpose of the

transferring. To take reasonable steps to ensure the accuracy of any personal data obtain;

to ensure that the source of any personal data is clear; carefully consider any challenges

to the accuracy of information; and consider whether it is necessary to update the

information. For example a journalist builds up a profile of a particular public figure.

This includes information derived from rumours circulating on the internet that the

individual was once arrested on suspicion of dangerous driving. If the journalist records

that the individual was arrested, without qualifying this, he or she is asserting this as an

9
 accurate fact. However, if it is clear that the journalist is recording rumours, the record is

accurate – the journalist is not asserting that the individual was arrested for this offence.26

5. Transparency that appropriate levels of transparency are provided to data subjects;

6. Data subject participation ensuring that the data subjects can exercise their rights

effectively (the right to retain information) such as review the length of time personal

data are kept; consider the purpose of holding the information for in deciding whether

(and for how long) to retain it; securely delete information that is no longer needed for

this purpose; and update, archive or securely delete information if it goes out of date.

For examples, images from a CCTV system installed to prevent fraud at an ATM

machine may need to be retained for several weeks, since a suspicious transaction may

not come to light until the victim gets their bank statement. In contrast, images from a

CCTV system in a pub may only need to be retained for a short period because incidents

will come to light very quickly. However, if a crime is reported to the police, the images

will need to be retained until the police have time to collect them.27

7. Accountability. That those processing personal data would be held accountable for their

actions according to the Outcomes;

8. And Authorization of data transfer28 and protection. That with the consent of the owner,

or recognized legal authority if necessary. This shift of information is not the similar as

26
Information Commissioner’s Office, The Guide to Data Protection, accessed on
www.ico.org.uk/.../Data_Protection/.../THE_GUIDE_TO_DATA_PROTECTION...-retrieved on 14th Sept 2013.
27
Information Commissioner’s Office, The Guide to Data Protection, accessed on
www.ico.org.uk/.../Data_Protection/.../THE_GUIDE_TO_DATA_PROTECTION...-retrieved on 14th Sept 2013.
28
A transfer involves sending personal data to someone in another country. For example a tour agent sends
customer’s information to Serengeti National Park in Tanzania where they will be making their tour during on
holiday.
10
 the transfer of information though a country. This principle is barely being relevant

conditionally to the information moves to a country, rather than merely transient through

it direction to its target.

1.5 A comparative Assessment of Data Protection; Tanzania and United Kingdom

Legislations.

1.5.1 Data Protection in Tanzania

Currently Tanzania lacks an effective legal regime on data protection. Absence of a

comprehensive Data protection law exposes subjects to threats of enjoyment of the right of

privacy. It also poses a great threat on misuse of information and data protection.29

However we have Electronic and Postal Communication Act which was passed by the Tanzanian

Parliament on January 29th 2010 and came into force on May 7, 2010.30

It repealed and replaced the Broadcasting Services Act31 and the Tanzania Communications Act

and amended32 the Tanzania Communications Regulatory Authority Act33 together with the Fair

Competition Act.34

The Act does provide the duty of confidentiality by the employee or any member of employee to

keep the confidentiality of the licensee information and should not disclose the information to the

29
Baraka Kanyabuhinya, Information Privacy Law in Tanzania, Support for Harmonization of the ICT Policies
in Sub-Sahara Africa, available at www.itu.int/.../Tanzania%20presentations/Data%20Protection%20Law%...
30
See Government Gazette, No.19 of May 7, 2010.
31
Cap. 306 R.E 2002.
32
See Electronic and Postal Communications Act 2010 ss.169-185.
33
Cap. 172 R.E 2002.
34
Cap. 285 R.E 2002.
11
public or to any other person unless where there an order of the court to do so for security

purpose or the information needed by the court as evidence35.

It further stated that, “no person shall disclose the content of information of any customer

received in accordance with the provisions of this Act, except where such person is authorised by

any other written law.”36

Also, a person shall not disclose any information received or obtained in exercising his powers or

performing his duties in terms of this Act except it is provided by the law.37

The interception of someone’s communication is prohibited by the Act. That is to intercept,

discloses, or attempts to disclose, use or attempt to use for any other person the contents of any

communications, knowingly or having reason to believe that the information was obtained

through the interception of any communications.38 The act of prohibiting communication

interception means preserving someone’s information not to be known to another, especially the

confidential one.

Unauthorized access or use of computer system. The computer system can be in any electronic

device that is capable of operating it and not necessary being a computer itself. The Act provides

that any person who secures unauthorized access to a computer or intentionally causes or

knowingly causes loss or damage to the public or any person, destroy or delete or alter any

information in the computer resources or diminish its value or utility or affect it injuriously by

any means, commits an offence and on conviction shall be liable to a fine not less than five

hundred thousand Tanzanian shillings or to imprisonment for a term of not exceeding three

35
Sections 98.
36
Sections 98 (2).
37
Section 99.
38
Section 120.
12
months or to both. By securing good use of computer system39 brings one step ahead in

developing the protection of data in telecommunication industry in Tanzania.40

Apart from the Act itself, there are some Regulations which in one way or another in supporting

information security of customers.

Regulation 8 (a) of Electronic and Postal Communications Act (CAP.306), (Computer

Emergency Response Team) 41 provider's obligations to the service provider in relation to cyber

security,42 for a secure environment for the connectivity of their subscriber base by maintaining

updated systems that have a protection mechanism against information security threats. By

securing information security threats means the subscriber information is protected, thus

confidentiality exists.

Regulation 6. -(1) Electronic and Postal Communications Act (CAP.306) (Consumer

Protection)43 provides that, a licensee may collect and maintain information on individual

consumers where it is reasonably required for its business purposes. But such information must

processed in accordance with the consumer’s other rights, protected against improper or

accidental disclosure and not transferred to any other party without authorization. Therefore,

information of the customer is protected.

39
Securing one’s data from being unlawfully access creates the protection of one’s confidential information from
being disclose.
40
Section 124 (3) of the Act.
41
Electronic and Postal Communications Act (CAP.306), Electronic and Postal Communications (Computer
Emergency Response Team) GOVERNMENT NOTICE NO. 419 published on 9/12/2011.
42
As per Regulation 3, means protecting information or any form of digital asset stored in computer, computer
devices, communication devices or digital memory device from unauthorized access, use, disclosure, disruption,
modification or destruction.
43
Electronic and Postal Communications Act (CAP.306), Electronic and Postal Communications (Consumer
Protection) GOVERNMENT NOTICE NO 427 published on 9/12/2011.
13
Regulations 26 -(1)44 of the Electronic and Postal Communications Act (Cap.306) Electronic

and Postal Communication (Licensing) a licensee shall use all reasonable measures to ensure

nondisclosure of confidential information obtained in the course of its business from any person

to whom it provides the licensed services. A licensee shall establish and implement reasonable

procedures for maintaining confidentiality of such information subject to any requirement under

the law.

Regulation 23 (a)45 of the Electronic and Postal Communications Act (Cap.306) Electronic and

Postal Communication (Postal). Each postal licensee shall ensure that all steps are taken to

improve mail security and combat postal crimes which include mail violation and secretion. This

puts obligation to the licensee regarding to the maintenance and protection of confidentiality of

their customer’s information.

Regulation 6 (1)46 of the Electronic and Postal Communications Act (Cap.306) Electronic and

Postal Communication (Radio communications and Frequency Spectrum), provides that a person

shall not intercept or acquaint himself with the contents of any radio communications other than

those transmitted for general information or for the information of licensees belonging to the

same licensed network.

These are some of the Regulations which try to explain the concept of confidentiality and

privacy protection in telecommunication.

44
Electronic and Postal Communications Act (C Ap.306) Electronic and Postal Communication (Licensing)
GOVERNMENT NOTICE NO 430 published on 9/12/2011.
45
Electronic and Postal Communications Act (Cap.306) Electronic and Postal Communication (Postal)
GOVERNMENT NOTICE NO. 424 published on 9/12/2011.
46
Electronic and Postal Communications Act (Cap.306) Electronic and Postal Communication (Radio
communications and Frequency Spectrum) GOVERNMENT NOTICE NO. 424 published on 9/12/2011.
14
1.5.2 Data protection in the United Kingdom.

Compared to the United Kingdom, they have enacted specific law which deals with data

protection. Data Protection Act Cap. 29 of 1998. The Act among other things provides for data

protection principles which as I said before they give a framework for data protection.47

The Data Protection Act 1998 establishes a framework of rights and duties which are designed to

safeguard personal data. This framework balances the legitimate needs of organizations to collect

and use personal data for business and other purposes against the right of individuals to respect

for the privacy of their personal details.48

However, the Act applies to a particular activity processing personal data rather than to particular

people or organisations. So, if you “process personal data”, then you must comply with the Act

and, in particular, you must handle the personal data in accordance with the data protection

principles.49

Broadly, however, if you collect or hold information about an identifiable living individual, or if

you use, disclose, retain or destroy that information, you are likely to be processing personal

data. The scope of the Data Protection Act is therefore very wide as it applies to just about

everything you might do with individuals’ personal details.

The Act defines

Data as;

a) Information which is being processed by means of equipment operating automatically in

response to instructions given for that purpose, or

47
See section 4 and references in this Act to the data protection principles are to the principles set out in
Part I of Schedule 1.
48
Information commission office (ICO), A Guide to Data Protection.
49
Ibid.
15
 b) Recorded with the intention that it should be processed by means of such equipment, or

c) Recorded as part of a relevant filing system or with the intention that it should form part

of a relevant filing system, or

d) does not fall within paragraph (a), (b) or (c) but forms part of an accessible record as

defined by section 68, or

e) Recorded information held by a public authority and does not fall within any of

paragraphs (a) to (d).50

Paragraphs (a) and (b) entails that information kept on computer, or is projected to be held on

computer, is data. Therefore this implies that data is not only the information recorded on paper

but also that one a person intended to put it on computer.

Among other things the Act further explained the concept of data controller,51 data subject,52 data

processor53 and personal data54which is protected under Article 8.55

50
Section 1 (1) of Data Protection Act Cap.29 of 1998.
51
Means, subject to subsection (4), a person who (either alone or jointly or in common with other persons)
determines the purposes for which and the manner in which any personal data are, or are to be, processed.
52
Means an individual who is the subject of personal data. The Act does not count as a data subject an individual
who has died or who cannot be identified or distinguished from others.
53
In relation to personal data, means any person (other than an employee of the data controller) who processes the
data on behalf of the data controller.
54
Means data which relate to a living individual who can be identified— (a) from those data, or (b) from those data
and other information which is in the possession of, or is likely to come into the possession of, the data controller,
and includes any expression of opinion about the individual and any indication of the intentions of the data
controller or any other person in respect of the individual.
55
The Charter of Fundamental Rights of the European Union available at Brown, I. (2010). The challenges to
European data protection laws and principles. EC DG Justice, Freedom and Security
http://ec.europa.eu/justice/policies/privacy/docs/studies/new_privacy_challenges/final_report_en.pdf-retrieved 14th
Sept 2013.

16
Sometimes data are jointly owned, that means more than one person. For instance, a government

department sets up a database of information about every child in the country. It does this in

partnership with local councils. Each council provides personal data about children in its area,

and is responsible for the accuracy of the data it provides. It may also access personal data

provided by other councils (and must comply with the data protection principles when using that

data). The government department and the councils are data controllers in common in relation to

the personal data on the database.

Sensitive Data.

It includes;

(a) The racial or ethnic origin of the data subject.

(b) His political opinions.

(c) His religious beliefs or other beliefs of a similar nature.

(d) Whether he is a member of a trade union (within the meaning of the Trade Union and Labour

Relations (Consolidation) Act 1992).

(e) His physical or mental health or condition.

(f) His sexual life.

(g)The commission or alleged commission by him of any offence. Or

(h) Any proceedings for any offence committed or alleged to have been committed by him, the

disposal of such proceedings or the sentence of any court in such proceedings.

Sensitive data are important to be observed in the society. If used badly they can harmful

person’s reputations and even affecting someone’s economic position. Their categories are much

wider than personal data then they needs to be treated with greater care than other personal data.

In particular, if you are processing sensitive personal data you must satisfy one or more of the

17
conditions for processing which apply specifically to such data, as well as one of the general

conditions which apply in every case.

The categories of sensitive personal data are broadly drawn so that, for example, information that

someone has a broken leg is classed as sensitive personal data, even though such information is

relatively matter of fact and obvious to anyone seeing the individual concerned with their leg in

plaster and using crutches. Clearly, details about an individual’s mental health, for example, are

generally much more “sensitive” than whether they have a broken leg.56

The Act also deals with the Processing of data by defining

Processing as,57

In relation to information or data, means obtaining, recording or holding the information or data

or carrying out any operation or set of operations on the information or data, including –

(a) Organisation, adaptation or alteration of the information or data,

(b) Retrieval, consultation or use of the information or data,

(c) Disclosure of the information or data by transmission, dissemination or otherwise making

available, or

(d) Alignment, combination, blocking, erasure or destruction of the information or data.

The classification of processing is very extensive and it is not easy to consider of anything an

institution might do with data that will not be processing.

However, data can be processed only for purposes for which they are required by or under any

enactment to be processed, the person on whom the obligation to process the data is imposed by

or under that enactment is for the purposes of this Act the data controller.

56
Information Commissioner’s Office, The Guide to Data Protection, accessed on
www.ico.org.uk/.../Data_Protection/.../THE_GUIDE_TO_DATA_PROTECTION...-retrieved on 14th Sept 2013.
57
Section 1 (1) of Data Protection Act Cap.29 of 1998.
18
For instance a government section that is answerable for paying reimbursement to person’s

contracts with a private company to oversee the benefits. The question is whether the

government department remains the data organizer for dispensation personal data on benefits,

despite of the scope given to the company in deciding how to do this at a practical level. The

government department retains overall responsibility for administering the provision of the

benefits, so it remains the data controller.58

An individual is entitled at any time by notice in writing to a data controller to require the data

controller at the end of such period as is reasonable in the circumstances to cease, or not to begin,

processing for the purposes of direct marketing personal data in respect of which he is the data

subject.59

Personal data should not be processed if it is insufficient for its intended purpose. For example, a

CCTV system is installed to identify individuals entering and leaving a building. However, the

quality of the CCTV images is so poor that identification is difficult. This undermines the

purpose for which the CCTV system was installed.60

Therefore control over the data shall apply throughout the period when a controller processing

personal data as do the rights of individuals in respect of that personal data until the time when

the data has been deleted, returned, or destroyed. Thus duties extend to the way controller

dispose of personal data when no longer need to keep it. The data must be disposing in a way

which does not discriminate the wellbeing of the persons anxious.

58
Information Commissioner’s Office, The Guide to Data Protection, accessed on
www.ico.org.uk/.../Data_Protection/.../THE_GUIDE_TO_DATA_PROTECTION...-retrieved on 14th Sept 2013.
59
See Section 11 of Data Protection Act Cap.29 of 1998.
60
Information Commissioner’s Office. Pp.33.
19
1.5.2. Exemptions on Data Protection.

The Data Protection Act contains a number of other exemptions from the rights and duties in the

Act. You must process personal data in accordance with the Act unless one of these exemptions

applies.

The exemptions either allow for the disclosure of information where there would otherwise be a

breach of the Act or allow information to be withheld that would otherwise need to be disclosed.

They are designed to accommodate special circumstances, for example when processing personal

data:

1. in connection with criminal justice, taxation or regulatory activities;

2. that is required to be made public;

3. where disclosure is required by law or is necessary for legal proceedings; or

4. To provide a confidential reference.

We cannot dispute the fact that, the United Kingdom Act provides a better basis for data

protection than ours. These are just few basics of data protection in the United Kingdom

Legislation which automatically entails the confidentiality, integrity and Availability of the data.

1.6 Conclusion.

Currently, a draft of three laws relating to Information, Communication and Technology have

been sent to the office of Attorney General. These Draft Laws are , The Electronic Transactions

and Communications Bill,61 the Computer Crime and Cybercrime Bill,62 and Data Protection and

Privacy Bill,63 which among other things provides for data protection as per Section 6 (2)64 data

61
Of 2013.
62
Ibid.
63
Ibid.
64
Data Protection and Privacy Bill, 2013.
20
controller65 shall not collect personal information by unlawful means; or by means that, in the

circumstances are unauthorized; or intrude to an unreasonable extent upon the privacy of the data

subject concerned, and Section 10 provides for the limits of the data controller on disclosure of

personal information,66 therefore in the coming years some of these legal issues can be solved as

the Act may give effect to principles of data protection; place limitations on the processing of

personal data; provide for the rights of the data subject; describe the responsibilities of the Data

Controller; establishment of the Data Protection Authority; and combat violations of privacy

likely to arise from the collection, processing, transmission, storage and use of personal data

activities.

Also we cannot rely on the Bills by waiting them to be passed by the parliament, because what if it

will take 5 to10 years after? We normally know that we have an option when our laws are silent and

that is lacuna in which section 9 of the Judicature and Application of Law Act, Cap.358, then that

can be used while still waiting for the Bills to be passed. However, the question remain to ourselves

that how can an offence being subjected as an offence by the Act which does not claimed it to be an

offence?

65
By means of data controller, TCRA automatically is included within it, hence any action against confidentiality of
customers information will prevail as long as it is illegal.
66
Data Protection and Privacy Bill, 2013.
21
BIBLIOGRAPHY

Textbooks

Adam J. Mambi (2010), ICT LAW BOOK, a Source Book for Information and Communication

Technologies and Cyber Law in Tanzania and East Africa Community: Mkuki na Nyota Printers;

Dar Es Salaam

Christopher Reed (2000), Internet Law; Text and Materials.

Bryan A.G (1999), Black’s Law Dictionary, 8th Edition, West Group Publishing Company

Neil Robinson et al (2009), Review of the European Data Protection Directive, RAND

Corporation,

Articles and Journals

Baraka Kanyabuhinya, Information Privacy Law in Tanzania, Support for Harmonization of the

ICT Policies in Sub-Sahara Africa, available at

www.itu.int/.../Tanzania%20presentations/Data%20Protection%20Law%...

Sofaer, Toward an International Convention on Cyber in Seymour/Goodman, The Transnational

Dimension of Cyber Crime and Terror, page 225,

available at: http://media.hoover.org/document/0817999825_221.pdf

The same typology is used by the ITU Global Cyber Security Agenda/High-Level Experts

Group, Global Strategic Report, 2008,

At http://www.itu.int/osg/csd/cybersecurity/gca/global_strategic_report/index.html

United Nations 199, see also social learning theory and moral disengagement analysis of

criminal computer behaviour: an exploratory study by Marcus, K. R. 2001.

22
Internet Sources

World Wide Web Sites

http://dealnews.com/pages/articles/guide-computer-crime-prevention

http://it.med.miami.edu/x904.xml

http://thelawdictionary.org/file-integrity/#ixzz2asjJJgsl

http://www.brighthub.com/computing/smb-security/articles/61402.aspx

Legal Documents

Statutes

Electronic and Postal Communications Act 2010.

India Information Technology Act of 2000.

The United Kingdom Data Protection Act Cap.29 of 1998.

Case laws

Gillick v. West Norfolk and Wisbech Health Authority HOUSE OF LORDS [1986] 1 AC 112,

[1985] 3 All ER 402, [1985] 3 WLR 830, [1986]

23
International Instruments

The Council of Europe Convention on Cyber Crime, European Treaty Series - No. 185, Budapest,

and 23.XI. 2001

Regulations

Electronic and Postal Communications Act (CAP.306), Electronic and Postal Communications

(Computer Emergency Response Team) GOVERNMENT NOTICE NO. 419 published on

9/12/2011

Electronic and Postal Communications Act (CAP.306), Electronic and Postal Communications

(Consumer Protection) GOVERNMENT NOTICE NO 427 published on 9/12/2011

Electronic and Postal Communications Act (C Ap.306) Electronic and Postal Communication

(Licensing) GOVERNMENT NOTICE NO 430 published on 9/12/2011

Electronic and Postal Communications Act (Cap.306) Electronic and Postal Communication

(Postal) GOVERNMENT NOTICE NO. 424 published on 9/12/2011

Electronic and Postal Communications Act (Cap.306) Electronic and Postal Communication

(Radio communications and Frequency Spectrum) GOVERNMENT NOTICE NO. 424

published on 9/12/2011

Bills

Data Protection and Privacy Bill, 2013

24
Author’s Particulars

Name: Asherry Magalla.

Home Address: 8401, DSM-Tanzania.

E-mail Address: magallajr@gmail.com

Phone No: +255716348882, +255687565680, +255752140992

Occupation: Student (LL.B Degree Holder (2012) and LL. M-ICT LAW Candidate (2013)

The University of Iringa

25