DAR ES SALAAM: AS government services become increasingly digital, a quiet but defining question sits beneath our progress: Who is protecting the citizen behind their personal data? Every form completed online, every hospital record digitised, every payroll system automated carries more than efficiency gains.

It carries personal information: names, identities, medical histories, financial details.

In this week’s column, I examine why compliance with the Personal Data Protection Act (PDPA) is no longer a procedural requirement for public institutions, but a test of leadership, accountability and national credibility in our digital transformation journey.

Tanzania is accelerating its digital transformation and aligning national systems with the aspirations of Vision 2050.

Yet modernisation without safeguards risks undermining the very trust it seeks to build. Digital government is no longer a distant ambition captured in policy documents; it is our daily reality.

Citizens register businesses online, access healthcare through digital systems, sit for examinations processed electronically, apply for licences through integrated platforms, and interact with public authorities through data-driven services.

Every interaction generates personal data. That data is not abstract; it belongs to a student, a patient, a trader, a civil servant, a pensioner, a voter.

The PDPA is explicit. All public institutions, government agencies, public schools, hospitals and authorities that process personal data are required to register with the Personal Data Protection Commission (PDPC) and comply fully with the law.

The law has ensured that public institutions fall squarely within its scope. Registration is not ceremonial; it is a declaration of accountability.

It signals that an institution recognises its role as a data controller and is prepared to meet legal standards of lawfulness, fairness, transparency, purpose limitation, data minimisation and security safeguards.

Public institutions cannot call upon citizens to embrace digital services while failing to protect the information entrusted to them.

The consequences of neglect are not theoretical. Across many contexts, breaches in the public sector have caused real harm.

A hospital employee shares a patient’s medical records through unsecured channels. Sensitive health information becomes public, exposing the individual to stigma and discrimination.

A district authority publishes examination results containing full names, dates of birth and identification numbers in an unprotected format, inadvertently creating a resource for identity theft.

A payroll database is compromised because of weak passwords and outdated systems, exposing salary details and banking information of public servants.

A social protection registry is shared without proper safeguards, placing vulnerable households at risk. Each of these scenarios reflects more than a technical failure. It is a breach of trust. The public sector bears a higher obligation because citizens cannot opt out of interacting with it.

One must register a birth and death, seek medical care in public facilities, pay taxes, enrol children in public schools, or apply for national identification. The relationship between the State and the citizen is not equal in bargaining power.

That imbalance imposes a greater duty of care. Compliance with the PDPA must therefore be understood as a governance imperative, not merely a regulatory exercise.

Digital transformation without personal data protection is structurally unstable. As Tanzania invests in interoperable government systems, smart infrastructure and advanced digital platforms, the volume and sensitivity of personal data will expand significantly.

Vision 2050 envisions a competitive, knowledge-based economy. Such an economy depends on trust in digital systems.

Without confidence that personal information is secure, citizens will hesitate to engage fully, and institutions will struggle to realise the efficiencies they seek.


Data protection must become embedded practice. Public institutions should collect only data that is strictly necessary for defined purposes.

They must move away from habitual over-collection of personal details simply because forms have historically required them.

They must implement appropriate technical and organisational measures: Access controls, encryption where applicable, routine security audits, defined retention periods and clear internal accountability lines.

Many breaches arise not from sophisticated cyberattacks but from ordinary negligence: misdirected emails, poorly managed databases, weak authentication practices or casual handling of confidential files. Staff awareness is critical. Policies sitting on shelves will not protect anyone.

Training must be continuous, practical and aligned with evolving risks. Institutions must also establish internal reporting mechanisms for suspected data breaches and respond swiftly and transparently when incidents occur.

The urgency of compliance has now been reinforced at the highest levels of government. During the recent e-Government meeting in Arusha, Ambassador Dr Moses Kusiluka, Chief Secretary and Head of Public Service, reminded Chief Executive Officers and institutional leaders that registration with the PDPC and full compliance with the PDPA are not optional.

His message was direct: Public institutions must lead by example. When guidance comes from the Head of Public Service, it is both an administrative directive and a clear signal of national priority.

Similarly, Angela Mbelwa Kairuki, Minister for Communication and Information Technology, recently provided a definitive compliance window for all public and private institutions to register with the PDPC and align their operations with the PDPA by 8th April 2026. After that date, the PDPC has been instructed to commence enforcement.

This marks a decisive shift from sensitisation to accountability. It would be profoundly unfortunate for any public institution to face sanctions for failing to comply with a law designed to protect citizens.

A fine is not merely a financial penalty; it signals governance weakness and exposes institutional complacency. For a public body, reputational damage can be far more costly than monetary sanctions.

The public rightly expects higher standards from those entrusted with authority. The message is therefore clear.

Permanent Secretaries, Director Generals, Managing Directors, Chief Executive Officers, Heads of Agencies, Regional and Local Government Authorities, public universities, hospitals and schools must immediately confirm their registration status with the PDPC.

Where gaps exist, corrective action must be taken without delay. Personal data protection policies must be reviewed and operationalised. Data inventories should be conducted. Security safeguards must be strengthened.

Leadership must demand regular compliance reports and embed accountability at senior management level.

Amb Dr Kusiluka has articulated the administrative expectation. Minister Kairuki has set the regulatory deadline. Institutional leaders must now respond decisively.

• The writer is a Strategic Communication expert, committed to advancing personal data protection, ethical leadership and public accountability in Tanzania’s digital transformation journey.

Mobile: 0748643888
