Recently, Dexter Nduna, a politician, apologised to the President of Zimbabwe, after being seen in a graduation gown, even though he wasn’t actually graduating. But that’s not the focus here. Instead, let’s talk about a notice from the University of Zimbabwe’s Law Faculty which went viral on social media, titled “Notice to All Students With Courses to Repeat.”
The notice included students’ names, registration numbers, and details about failed courses.
Under the Cyber and Data Protection Act [Chapter 12:07], this is classified as personal information. The Act defines personal information as anything related to a person, like their name, address, telephone number, identifying numbers, and includes “information about educational, financial, criminal, or employment history.”
When combined, names, academic records, and registration numbers reveal identities and constitute personally identifiable information. This disclosure by the Law Faculty violates the Cyber and Data Protection Act. Posting this information on a notice board was unnecessary for notifying students about their academic status.
Registration numbers are supposed to protect student privacy; they help anonymize identities in academic and administrative records. Publicly posting them exposes students to potential data misuse. These numbers can be linked to other personal details in the university’s systems, such as addresses, financial records, and contact information.
Unauthorized publication of this data could harm a student’s reputation or even affect their job prospects. The Cyber and Data Protection Act aims to change societal norms around privacy. While it might have been common practice to post such information on a notice board, the law now mandates a higher standard of privacy. The University of Zimbabwe, as a data controller, has a duty to protect personal information and respect students’ right to privacy under Section 13 of the Act.
In the age of the internet, posting personal information on a notice board risks broader exposure online, which could cause even greater harm. Imagine being one of the eight students whose names and academic details went viral on social media. What if this exposure affected a job opportunity? You could be judged unfairly based on publicly available information. No one should face such prejudice and embarrassment because their personal information was mishandled.
The university could have notified the students individually or via a student portal, this is an appropriate way to handle private information because it is not in the public interest to let everyone know. Furthermore, a notice with registration numbers only would have sufficed, allowing students to identify themselves privately. If the university felt obliged to clarify the case of Dexter Nduna, the university could have issued a press statement explaining that he wasn’t on the graduation list due to outstanding modules, without exposing unnecessary personal details.
Students affected by this disclosure have the right to lodge a complaint with the Data Protection Authority (POTRAZ), which can investigate, recommend actions, or even issue fines. They can send a complaint to dpa@potraz.zw.
Moving forward, the University of Zimbabwe needs to appoint a Data Protection Officer who will ensure that it processes the data of students, staff, and others in compliance with the Cyber and Data Protection Act. In addition, they must put in place a comprehensive student privacy policy. Such a document would describe how they collect and use student personal data from the point an offer is accepted, during, and after their studies, in accordance with the Act. This route ensures that student personal information remains private, maintaining anonymity and protecting students from unnecessary exposure.
This guest post was authored by Melissa Chasi , a certified Data Protection Officer. In her role as Board Member for Research and Advocacy at the Privacy Practitioners Association of Zimbabwe, she is dedicated to empowering citizens of their data rights and advising corporations on the significance of data protection.
What’s your take?