DAR ES SALAAM: THERE is a moment I often return to, not because it was extraordinary, but because it was profoundly ordinary. It happened during a public awareness session in Tunduma.
A young man stood up, looked around cautiously, then asked a question that silenced the room: “Ninapotoa taarifa zangu, nani anazilinda?” (When I give out my personal data, who protects it?) It was not asked with suspicion, but with genuine concern.
And in that moment, it became clear that behind every digital interaction lies an unspoken contract— one built on trust.
Later that same day, as we continued the discussion, another participant added quietly, “Ndiyo maana wengine wetu tunaandika majina ya uongo gesti ” (That is why some of us use fake names when checking into Guest Houses.)
That statement, simple as it sounded, revealed a deeper reality: when trust is uncertain, people create their own systems of protection, even if those systems undermine formal processes. It is not defiance; it is self-preservation.
Today, whether in Kariakoo’s busy marketplaces, the growing urban centres of our regions or across digital platforms, personal data has become currency.
We register SIM cards, open bank accounts, apply for loans, access e-government services, and download mobile applications.
Each action requires us to surrender pieces of ourselves, our names, phone numbers, locations, financial details. What many do not always see is that this exchange is not unregulated.
It is governed by a legal framework: the Personal Data Protection Act, Cap. 44. At its core are the principles of data protection, practical rules that define how institutions must collect, use, store, and safeguard personal data.
These principles are not theoretical constructs. They are operational obligations. The first principle is that data must be processed lawfully, fairly, and transparently. In practical terms, there should be no hidden intentions.
If a mobile application requests access to your contacts, location, or camera, it must clearly explain why. Not in technical jargon, but in language that an ordinary user can understand.
Consider a simple example. A food delivery app asks for your location. That is reasonable, it needs to know where to deliver your order.
But if the same app requests access to your entire contact list without explanation, the question arises: for what purpose? Transparency requires that such a request be justified.
Without that clarity, suspicion grows, and trust begins to erode. As we often say, “Uwazi ni msingi wa uaminifu.”
Transparency is the foundation of trust. Closely linked to this is the principle of purpose limitation. Data must be collected for explicit, specific, and legitimate purposes—and used only for those purposes. Take the case of a citizen applying for a business licence.
The Organisation will collect personal details to process that application.
That information should remain within that context. If, months later, the same individual begins receiving unsolicited marketing messages from unrelated entities, it raises a critical concern: how did their data move from a licensing system to a marketing database?
This is not merely an inconvenience. It is a breach of purpose. When data begins to “travel” beyond its original intention without consent or legal basis, confidence collapses.
Another principle is data minimisation, ensuring that data collected is adequate, relevant, and not excessive.
I often frame it simply during engagements: if a service only needs your phone number, why ask for your marital status, occupation, next of kin, and place of birth?
In a session in Songea, a participant shared an experience where a service provider required a full set of personal details, including information that had no clear connection to the service offered.
The individual complied, not because it made sense, but because there was no alternative.
This is precisely what the law seeks to prevent. Overcollection is not efficiency; it is risk. The more data an institution holds unnecessarily, the greater the exposure in the event of misuse or breach.
Not every piece of information is necessary for every service. Accuracy is another critical pillar.
ALSO READ: Personal data protection in the financial sector and mobile services
Data must be correct and kept up to date. Imagine being denied access to a loan because your name was misspelled in a system, or your repayment history was incorrectly recorded. These are not hypothetical scenarios.
They occur more often than we acknowledge. In one case, a small trader was flagged as a defaulter due to a system error linking his identity to another individual with a similar name.
It took months to resolve, a period during which his business suffered.
The law places responsibility on institutions to ensure that the data they hold reflects reality. Accuracy is not optional; it is essential to fairness. Then there is the principle of storage limitation.
Data should not be retained indefinitely. A common misconception is that once data is collected, it should be kept “just in case”. But the law challenges this thinking.
If data was collected for a specific, time-bound purpose, there must be a clear retention period and a defined point at which that data is deleted or anonymised.
For example, if a hotel collects identification details for a guest’s stay, those details should not remain indefinitely in an active database long after the guest has checked out unless there is a clear legal or operational justification.
Storage does not mean forever. Security, perhaps the most visible principle in today’s digital environment, requires that personal data be protected against unauthorised access, loss, or disclosure.
This encompasses both technical and organisational measures. We are living in an era where cyber threats are evolving rapidly.
Data breaches are no longer rare incidents; they are persistent risks. When an institution fails to secure personal data, the consequences extend beyond technical failure, they strike at the heart of public trust.
Consider a scenario where a financial institution experiences a breach, exposing customer account details. Even if no immediate financial loss occurs, the psychological impact on customers is significant.
Trust, once shaken, is difficult to restore. Security, therefore, is not just about systems, it is about stewardship.
Finally, the principle of accountability ensures that institutions do not merely comply in theory but can demonstrate compliance in practice.
This means having clear policies, documented procedures, trained personnel, and internal controls. It means being able to answer, with evidence, how data is collected, why it is used, where it is stored, and how it is protected.
Accountability transforms compliance from a passive obligation into an active discipline. Collectively, these principles form the backbone of Tanzania’s data protection framework. They are not barriers to innovation; they are enablers of sustainable progress.
A digital economy cannot thrive in an environment of uncertainty. Citizens will only fully engage with digital services when they are confident that their personal information is handled responsibly.
When a farmer in Morogoro registers for a digital marketplace, when a student in Dodoma applies for an online scholarship, when a trader in Kariakoo uses mobile banking, each of these actions is an act of trust.
And trust is not built through policy statements alone. It is built through consistent, visible adherence to these principles. As I often emphasise, data protection is not about restricting access. It is about ensuring respect.
Behind every dataset is a human story. A trader striving to grow a business. A student pursuing opportunity.
A parent securing their family’s future. Their data is not just information, it is an extension of their identity. As Tanzania continues its digital transformation journey, the question is no longer whether we will use data, it is how we will protect it.
Because in the end, the strength of our digital future will not be measured by how much data we collect, but by how well we protect the people behind it. “Mwisho wa yote, ulinzi wa taarifa binafsi ni heshima kwa utu wa mtu.”
Data should be accurate and kept up to date. Institutions must take responsibility for ensuring that what they hold reflects reality. There is also the principle of storage limitation. Data should not be kept indefinitely.
For instance, if information was collected for a one-time service, there must be a clear point at which it is deleted or no longer retained in identifiable form. “Kuhifadhi siyo kuhifadhi taarifa milele.”
Security is addressed through the requirement to ensure integrity and confidentiality. In today’s environment, where cyber risks are increasing, institutions must actively safeguard the data entrusted to them.
A breach is not just a system failure, it is a breach of public trust. And trust, once broken, is difficult to rebuild.
Finally, the Act emphasises accountability. Institutions must not only comply with these principles but also demonstrate that they are doing so. This means having systems, policies, and internal controls that show responsibility in action.
These principles are not about limiting innovation. On the contrary, they enable sustainable progress. A digital economy cannot thrive without trust.
When citizens feel confident that their information is handled responsibly, they are more willing to engage with digital services.
As I often say, data protection is not about restricting access, it is about ensuring respect. Behind every dataset is a human being: a trader, a student, a farmer, a parent. Their information is not just data; it is part of their identity.
As Tanzania continues this digital journey, these principles will determine whether technology becomes a tool of empowerment or a source of concern.
The choice lies in how faithfully we implement them. Lets comply with the principles and make Tanzania digital economy safe and trusted.
No comments :
Post a Comment