Sensitive personal data
I am a data manager for a large organization based in Arusha. My role includes ensuring compliance with various data protection laws and regulations. Recently I have found myself in a bit of a conundrum regarding the handling of sensitive data. I have encountered a number of scenarios where the lines seem blurred and struggled to clearly define what constitutes ‘sensitive data’ according to the law. Please guide me.
ZK, Arusha
Matters concerning personal data are regulated by the Personal Data Protection Act [Cap.44] (the Personal Data Protection Act). According to section 3 of the Personal Data Protection Act, ‘sensitive personal data’ includes (a) genetic data, data related to children, data related to offences, financial transactions of the individual, security measure or biometric data; (b) if they are processed for what they reveal, personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, affiliation, trade-union membership, gender and data concerning health or sex life; and (c) any personal data otherwise considered under the laws of the country as presenting a major risk to the rights and interests of the data subject. It is true that the current definition provided in the law is wide and not very specific.
However, we believe it was drafted that way to capture the complex reality about sensitive data. It is our hope that the Personal Data Protection Commission will provide guidelines on the implementation of the Personal Data Protection Act. You may consult the Commission for further clarification on the matter. Your lawyer can also guide you further.