What does the Electoral Act say about electronic voters’ roll?
The Electoral Act part IV section 21 subsection (1) states that the voters’ roll, and every consolidated roll referred to in section 20(4a), shall be a public document and open to inspection by the public, free of charge, during ordinary office hours at the office of the Commission or the registration office where it is kept.
Subsection (2) states that a person inspecting the voters’ roll for a constituency may, without removing the voters’ roll, make any written notes of anything contained therein during office hours.
In addition, subsection (3) says the Commission (Zimbabwe Electoral Commission) shall within a reasonable period of time provide any person who requests it, and who pays the prescribed fee, with a copy of any voters roll, including a consolidated roll referred to in section 20(4a), either in printed or in electronic form as the person may request.
Meanwhile, the Electoral Act on section 21 subsection (7 says where a voters roll is provided in electronic form in terms of subsection (3), (4) or (6), its format shall be such as allows its contents to be searched and analysed: Provided that— (i) the roll may be formatted so as to prevent its being altered or otherwise tampered with; (ii) the Commission may impose reasonable conditions on the provision of the roll to prevent it from being used for commercial or other purposes unconnected with an election.
Subsection (9) however states that any person who alters the voters’ roll shall be guilty of an offence and liable to a fine not exceeding level ten or to imprisonment for a period not exceeding five years or to both such fine and imprisonment.
What is the role of Cyber and Data Protection Act when it comes to voters’ roll?
CITE Contacted a Lawyer Trust Manjengwah who said in their opposing papers to the application to provide the voters roll in electronic format, Zimbabwe Electoral Commission (ZEC) asserted that voters’ personal data was protected in terms of the Cyber and Data Protection Act.
Background
In their opposing papers to the application to provide the voters’ roll in electronic format; ZEC made the argument that the proviso to Section 21(7) of the Electoral Act allowed them to format the voters roll so as to prevent it from being altered or otherwise tampered with, before releasing it to the public.
“They made the additional argument that Sections 13 and 18 of the Cyber and Data Protection Act introduced further obligations that bind them regarding the securing of registered voters’ personal data. The ZEC asserted that voters’ personal data was protected in terms of the Cyber and Data Protection Act from negligent or unauthorized destruction, negligent loss, unauthorized alteration and access and any other unauthorized processing of the data,” said Manjengwah.
“ZEC argued, as they had not yet developed the capacity to format the electronic voters roll, and worked independent of anyone’s direction, they could not at this time be compelled to provide the roll in electronic format.”
The two sections ZEC relied on read as follows:
13. Duties of data controller
Every data controller or data processor shall ensure that personal information is—(a) processed in accordance with the right to privacy of the data subject;
(b) processed lawfully, fairly and in a transparent manner in relation to any data subject;
(c) collected for explicit, specified and legitimate purposes and not further processed in a manner incompatible with those purposes;
(d) adequate, relevant, limited to what is necessary in relation to the purposes for which it is processed;
(e) collected only where a valid explanation is provided whenever information relating to family or private affairs is required;
(f) accurate and, where necessary, kept up to date, with every reasonable step being taken to ensure that any inaccurate personal data is erased or rectified without delay; and kept in a form which identifies the data subjects for no longer than is necessary for the purposes which it was collected.
18. Security
(1) In order to safeguard the security, integrity and confidentiality of the data, the controller or his or her representative, if any, or the processor, shall take the appropriate technical and organizational measures that are necessary to protect data from negligent or unauthorized destruction, negligent loss, unauthorized alteration or access and any other unauthorized processing of the data.
(2) These measures referred to in subsection (1) must ensure an appropriate level of security taking into account the state of technological development and the cost of implementing the measures on the one hand, and the nature of the data to be protected and the potential risks to the data subject on the other hand.
(3) The Authority may issue appropriate standards relating to information security for all or certain categories of processing.
(4) The data controller shall appoint a data processor who shall provide sufficient guarantees regarding the technical and organisational security measures employed to protect the data associated with the processing undertaken and ensure strict adherence to such measures.
(5) The data controller shall enter into a written contract or any other legal instrument with the data processor which ensures that the data processor maintains security measures on data.
Manjengwah said while the Cyber and Data Protection Act creates, as regards a data controller, which includes in this instance, the ZEC, the obligation to ‘take the appropriate technical and organizational measures that are necessary to protect data from negligent or unauthorized destruction, negligent loss, unauthorized alteration or access and any other unauthorized processing of the data.’ This does not prohibit the release of the voters roll in electronic format.
“The release of the voters’ roll is allowed in terms of Section 10 (b) of the Cyber and Data Protection Act, which mandates the processing of data by the data controller for the purpose of compliance with an obligation to which ZEC is subject to by virtue of section 21(3) of the Electoral Act,” he said.
He added that the Cyber and Data Protection Act obligates ZEC to put into place measures to protect the voters’ roll, when in its possession, from negligent or unauthorised destruction, negligent loss, unauthorised alteration or access and any other unauthorised processing of the data.
“This means ZEC has to develop the technical capacity to ensure that the roll is not tampered with when it is in its possession. It does not prohibit ZEC from giving out the voters’ roll in fulfilment of its Section 21(3) obligation. ZEC may at its choice, format the electronic roll, but must provide the roll within a reasonable time and ensure it is in a searchable and analysable format,” said Manjengwah.