Code of ethics for data protection

I am an administrative officer for a private hospital based in Dar es Salaam. Our hospital has codes of ethics for employees which amongst others prohibit abuse of patient personal data. However, recently there have been regulatory developments concerning protection of personal data in Tanzania. I believe these changes may necessitate the need to review our internal policies and codes of ethics. Are there any legal considerations we need to take into account in our review?
FC, Dar es Salaam

It is good that as an administrative officer you want to ensure your company is compliant with the law. According to section 65 of the Personal Data Protection Act No. 11 of 2022, every data controller shall draw and put in place a code of ethics or policy for personal data protection which shall prescribe for ethics and conduct to be complied with during collection or processing of personal data. In addition, such codes or policies shall be submitted to the Commission for consideration and approval. In considering the codes of ethics or policies, the Commission shall ascertain, among other things, whether the drafts submitted to it have complied with the provisions of the Personal Data Protection Act and the relevant sector and, where it considers necessary, seek the views of data subjects or their representatives and consult with the data controller concerned for the purposes of undertaking necessary amendments prior to the approval. Your lawyer can guide you further on this.