MACRA Urges Government to Safeguard Personal Data

Lilongwe, June 19, Mana: Government institutions have been urged to assume full legal and operational responsibility as data controllers under Malawi’s Data Protection Act of 2024, which is now in force to standardize the lawful processing of personal information across the public sector.

Malawi Communications Regulatory Authority (MACRA) made the appeal on Thursday during a strategic Data Protection Authority Awareness Workshop at the Bingu International Convention Centre (BICC) in Lilongwe.

The workshop was designed to enhance institutional compliance with the Act by outlining legal obligations, ethical standards and technical requirements related to data protection.

Speaking in an interview with Malawi News Agency (Mana), MACRA Member of the Board of Directors, Isaac Nkhono Songea noted that the enactment of the law is both timely and essential given the increasing sensitivity and economic value of personal data in today’s digital environment.

“Inappropriate handling of personal data leads to serious challenges including identity theft, misuse of information and a complete loss of public trust,” Songea said.

Songea emphasized that public institutions, now formally designated as data controllers, must implement robust data governance frameworks that ensure data is processed lawfully, fairly, accurately and in a transparent manner.

“Those who collect data must understand that it is not just a task, it’s a responsibility. The law is clear and MACRA is committed to enhancing data protection by providing the necessary guidance, tools and enforcement mechanisms,” he said.

The Act introduces core principles such as lawfulness, purpose limitation, data minimization, accuracy, integrity and confidentiality, mandating that data must only be processed with legal justification and limited to clearly defined and legitimate purposes.

MACRA’s Head of Data Protection, Daniel Chione underscored the importance of implementing technical and organizational measures including access controls, encryption and secure storage to mitigate risks of data breaches and unauthorized access.

“All entities collecting personal data must register with MACRA and implement strong security measures to ensure that data is protected from unauthorized access and breaches,” said Chione.

Chione said any institution processing data for over 10,000 data subjects would be subjected to a K20 per individual regulatory processing fee, designed to fund monitoring, enforcement as well compliance mechanisms.

“The money collected will help MACRA monitor and enhance the data protection framework so that citizens’ rights are respected and institutions remain accountable,” he added.

Among the participants were officials from the Ministry of Youth and Sports, Ministry of Foreign Affairs and key players from the financial and healthcare sectors, all of whom handle large volumes of sensitive data on a daily basis.

Mark Chonde from the National Bank of Malawi hailed the workshop as highly relevant in today’s data-driven economy.

“As a participant, this training is a game-changer for us. It will clearly show the difference between collecting data and protecting it. Our bank deals with sensitive client information daily, now we know exactly what is expected of us,” Chonde said.

The Data Protection Act was enacted in 2024 to safeguard individual digital privacy, harmonize Malawi’s data protection standards with international legal frameworks and entrust MACRA with the mandate to regulate, monitor and enforce best practices in data handling across sectors.