Cyber Security and Cyber Crimes Act, 2021
Act 2 of 2021
- Published in Government Gazette on 24 March 2021
- Assented to on 23 March 2021
- Commenced on 1 April 2021 by Cyber Security and Cyber Crimes Act (Commencement) Order, 2021
- [This is the version of this document from 24 March 2021.]
Part I – Preliminary provisions
1. Short title and commencement
This Act may be cited as the Cyber Security and Cyber Crimes Act, 2021, and shall come into operation on the date appointed by the Minister by statutory instrument.
2. Interpretation
In this Act, unless the context otherwise requires—
"access" has the meaning assigned to the word in the Electronic Communications and Transactions Act, 2021; [Act No. 4 of 2021]
"advanced electronic signature" has the meaning assigned to the words in the Electronic Communications and Transactions Act, 2021; [Act No. 4 of 2021]
"article" means any data computer program, computer data storage medium or computer system which—
(a) is concerned with, connected with or is, on reasonable grounds, believed to be concerned with or connected with the commission of a crime or suspected commission of a crime;
(b) may afford evidence of the commission or suspected commission of a crime; and
(c) is intended to be used or is, on reasonable grounds, believed to be intended to be used in the commission of a crime;
"Authority" has the meaning assigned to the word in the Information and Communications Technologies Act, 2009; [Act No. 15 of 2009]
"cache" means the storing of data in a transmission system in order to speed up data transmission or processing;
"caching" has the meaning assigned to the word in the Electronic Communications and Transactions Act, 2021; [Act No. 4 of 2021]
"child" has the meaning assigned to the word in the Constitution; [Cap. 1]
"child pornography" means pornography in audio, visual, text or other digital format that depicts or represents a child engaged in sexually explicit conduct;
"child solicitation" means persuading, luring, or attempting to persuade or lure a child into sexual activity through the use of a computer system or device, regardless of the outcome;
"computer" has the meaning assigned to the word in the Electronic Communications and Transactions Act, 2021; [Act No. 4 of 2021]
"computer data" means a representation of facts, concepts or information in a form suitable for processing in a computer system, including a program suitable to cause a computer system to perform a function;
"computer data storage medium" means an apparatus or object from which electronic information is capable of being reproduced, with or without the aid of an article or device;
"computer system" means a set of integrated devices that input, output, process, and store data and information including internet;
"controller" means a person, either alone or in common with other persons, who controls and is responsible for critical information infrastructure;
"Council" means the National Cyber Security Advisory and Coordinating Council constituted under section 7;
"critical information" means information that is declared by the Minister to be critical for the purposes of national security or the economic and social wellbeing of the Republic;
"critical information infrastructure" means the cyber infrastructure that is essential to vital services for public safety, economic stability, national security, international stability and for the sustainability and restoration of critical cyberspace;
"cyber" means the—
(a) computer simulated environment; or
(b) state of connection or association with electronic communications systems or networks including the internet;
"cyber crime" means a crime committed in, by or with the assistance of the simulated environment or state of connection or association with electronic communications or networks including the internet;
"cyber ecosystem" means the interconnected information infrastructure of interactions among persons, processes, data, and information and communication technologies, along with the environment and the conditions that influence those interactions;
"cyber inspector" means a person appointed as cyber inspector under section 8;
"cyber security" means tools, policies, security concepts, security safeguards, guidelines, risk management approaches, actions, training, best practices, assurances and technologies that can be used to protect the cyber environment, organisation and user assets;
"cyber security incident" means an act or activity on or through a computer or computer system, that jeopardises or adversely impacts, without lawful authority, the security, availability or integrity of a computer or computer system, or the availability, confidentiality or integrity of information stored on, processed by, or transiting a computer or computer system;
"damage" means the impairment to the integrity or availability of data, a program, a system or information;
"device" includes—
(a) components of computer systems such as graphic cards, memory chips and processors;
(b) storage components such as hard drives, memory cards, compact discs and tapes;
(c) input devices such as keyboards, mouse, trackpad, scanner and digital cameras;
(d) output devices such as printer and screens; and
(e) an apparatus which can be used to intercept a wire, oral or electronic communications;
"denial of service" means rendering a computer system incapable of providing a normal service to its legitimate user;
"digital forensics" means the application of scientific investigatory techniques to cyber crimes by collecting, identifying and validating the digital information for purposes of reconstructing past events;
"digital forensic tool" means hardware or software used for conducting digital forensics;
"Director-General" means a person appointed as Director-General under the Information and Communication Technologies Act, 2009; [Act No. 15 of 2009]
"electronic communications" has the meaning assigned to the words in the Electronic Communications and Transactions Act, 2021; [Act No. 4 of 2021]
"electronic communications service" means any service which provides the ability to send, receive, process or store electronic communications;
"electronic signature" has the meaning assigned to the words in the Electronic Communications and Transactions Act, 2021; [Act No. 4 of 2021]
"explicit sexual conduct" includes sexual intercourse, or other sexual conduct whether between persons or between a person and an animal, masturbation, sexual sadistic or masochistic abuse, or the lascivious exhibition of the genitals or pubic area of any person;
"Genocide" has the meaning assigned to the word in the United Nations Convention on the Prevention and Punishment of the Crime of Genocide;
"hate speech and conduct" means verbal or non verbal communication, action, material whether video, audio, streaming or written, that involves hostility or segregation directed towards an individual or particular social groups on grounds of race, ethnicity, antisemitism, tribalism, sex, age, disability, colour, marital status, pregnancy, health status and economic status, culture, religion, belief, conscience, origin;
"hosting" has the meaning assigned to the word in the Electronic Communications and Transactions Act, 2021; [Act No. 4 of 2021]
"hyperlink" means a clickable electronic reference or link of a data message that contains information about another source and when clicked points to and causes to display another data message;
"interception" means an act, by a person who is not a party to a conversation, of wiretapping subscribers or aural or other acquisition of conversation of any wire, electronic or oral communication through the use of an electronic, mechanical or other device;
"internet connection record" shall include—
(a) connections which are made automatically by a person, browser or device;
(b) a customer account reference such as an account number or identifier of the customer’s device or internet connection;
(c) the time stamp of the session log;
(d) the source and destination IP addresses and their associated identity information;
(e) the volume of data transferred in either, or both, directions;
(f) the name of the internet service or server connected to;
(g) those elements of a URL which constitutes communications data; or
(h) any other related meta data.
"information infrastructure" means the communication networks and associated software that support interaction among people and organisations;
"Information Technology Auditor" means a person who possesses the expertise to examine and evaluate an information security management system as it relates to information technology infrastructure;
"Judge" means a Judge of the High Court;
"law enforcement officer" means—
(a) a police officer above the rank of subinspector;
(b) an officer of the Anti-Corruption Commission;
(c) an officer of the Drug Enforcement Commission;
(d) an officer of the Zambia Security Intelligence Service; and
(e) any other person appointed as such by the Minister for purposes of this Act;
"malicious software" means a computer program written to allow access to a computer system, whether with or without user intervention for purposes of negatively affecting normal computer system usage or modifying data or transmitting data to another computer system;
"meta data" means data that describes other data;
"multiple electronic mail message" means a mail message including email and instant messaging sent more than once to a recipient;
"penetration testing service" means a service for assessing, testing or evaluating the cyber security of a computer or computer system and the integrity of any information stored in or processed by the computer or computer system, by searching for vulnerabilities in, and compromising, the cyber security defences of the computer or computer system with express permission of the system owner;
"pornography" means audio or visual material that depicts images of a person engaged in explicit sexual conduct;
"premises" includes a computer and data messages;
"racist and xenophobic material" includes any image, video, audio recording or any other representation of ideas or theories, which advocates, promotes or incites hatred, discrimination or violence, against any individual or group of individuals, based on race, colour, descent or national or ethnic origin;
"service provider" means a public or private entity authorised to—
(a) provide or offer an electronic communication system;
(b) process or store computer data on behalf of a communication service or user of such service; or
(c) own an electronic communication system to provide or offer an electronic communication service;
"traffic data" means digital data that—
(a) relates to a communication by means of a computer system;
(b) is generated by a computer system that is part of the chain of communication; and
(c) shows the communication’s origin, destination, route, time, date, size, duration or the type of underlying services;
"Uniform Resource Locator (URL)" means the unique address of the world wide web page; and
"Zambia Computer Incidence Response Team" means the Zambia Computer Incidence Response Team constituted under section 6.
3. Supremacy of Act
Subject to the Constitution, where there is an inconsistency between the provisions of this Act and the provisions of any other written law relating to the regulation of cyber security, cyber crimes and digital forensics, the provisions of this Act shall prevail to the extent of the inconsistency. [Cap. 1]
Part II – Regulation of cyber security services
4. Cyber security regulator
The Authority is responsible for the implementation of this Act.
5. Functions of Authority
6. Constitution of Zambia Computer Incidence Response Team
7. Constitution of National Cyber Security Advisory and Co-ordinating Council
Part III – Inspectorate
8. Appointment of cyber inspector
9. Power to inspect and monitor
A cyber inspector may in the performance of the inspector’s functions, with a warrant—
10. Data retention notice
11. Power to access, search and seize
12. Obstruction of cyber inspector
13. Appointment of cyber security technical expert
14. Emergency cyber security measures and requirements
Part IV – Investigation of cyber security incidents
15. Power to investigate
Part V – Protection of critical information and critical information infrastructure
16. Scope of protecting critical information infrastructure
The provisions of this Part apply to a critical information infrastructure or parts thereof and to the controllers of critical protecting information infrastructure.
17. Declaration of critical information
18. Localisation of critical information
19. Registration of critical information infrastructure
20. Change in ownership of critical information infrastructure
21. Register of critical information infrastructure
The Authority shall maintain a register of critical information infrastructure which shall contain such information as may be prescribed.
22. Auditing of critical information infrastructure to ensure compliance
23. Duty to report cyber security incident in respect of critical information infrastructure
24. National cyber security exercises
25. Non-compliance with Part V
Part VI – Interception of communications
26. Prohibition of interception of communication
27. Central Monitoring and Co-ordination Centre
28. Lawful interception
29. Interception of communication to prevent bodily harm, loss of life or damage to property
30. Interception of communication for purposes of determining location
31. Prohibition of disclosure of intercepted communication
32. Disclosure of intercepted communication by law enforcement officer
33. Privileged communication to retain privileged character
A privileged communication, oral or electronic communication intercepted in accordance with the provisions of this Act does not lose its privileged character.
34. Prohibition of random monitoring
35. Protection of user from fraudulent or other unlawful use of service
36. Interception of satellite transmission
37. Prohibition of use of interception device
38. Assistance by service provider
39. Duties of service provider in relation to customers
40. Interception capability of service provider
Part VII – Licensing of cyber security service providers
41. Prohibition from providing cyber security services without licence
42. Application for licence
43. Renewal of licence
44. Refusal to grant or renew licence
45. Validity of licence
A licence is valid for the period prescribed by statutory instrument.
46. Revocation or suspension of licence
Part VIII – International cooperation in maintaining cyber security
47. Identifying areas of cooperation
The Authority shall identify and ensure that it cooperates with private, international organisations and other government entities involved in cyber security matters at international level.
48. Entering into agreement
The Republic may enter into any agreement with any foreign State and international body regarding—
Part IX – Cyber crime
49. Unauthorised access to, interception of or interference with computer system and data
50. Illegal devices and software
51. Computer related misrepresentation
52. Cyber extortion
53. Identity related crimes
A person who, knowingly without lawful excuse by using a computer system transfers, possesses, or uses, a means of identification of another person, commits an offence and is liable, on conviction, to a fine not exceeding one million penalty units or to imprisonment for a term not exceeding ten years, or to both.
54. Publication of information
A person who, with intent to compromise the safety and security of any other person, publishes information or data presented in a picture, image, text, symbol, voice or any other form in a computer system commits an offence and is liable, on conviction, to a fine of not less than five hundred thousand penalty units or to imprisonment for a term exceeding five years or to both.
55. Aiding, abetting, counselling etc.
56. Prohibition of pornography
57. Child pornography
58. Child solicitation
59. Obscene matters or things
60. Introduction of malicious software into computer system
A person who intentionally introduces or spreads malicious software into a computer system commits an offence and is liable, on conviction, to a fine not exceeding five hundred thousand penalty units or to imprisonment for a period not exceeding five years, or to both.
61. Denial of service attacks
A person who intentionally renders a computer system incapable of providing normal services to its legitimate users commits an offence and is liable, on conviction, to a fine not exceeding one million penalty units or to imprisonment for a term not exceeding ten years, or to both.
62. Unsolicited electronic messages
63. Prohibition of use of computer system for offences
64. Application of offences under Act
65. Hate speech
A person who, using a computer system, knowingly without lawful excuse, uses hate speech commits an offence and is liable, on conviction, to a fine not exceeding five hundred thousand penalty units or to imprisonment for a period not exceeding two years, or to both.
66. Minimisation, etc., of genocide and crimes against humanity
A person who, knowingly without lawful excuse distributes or otherwise makes available, through a computer system to the public or another person, material which denies, grossly minimises, approves or justifies acts constituting genocide or crimes against humanity commits an offence and is liable, on conviction, to a fine not exceeding two million penalty units, or to imprisonment for a period not exceeding twenty years, or to both.
67. Unlawful disclosure of details of investigation
68. Obstruction of law enforcement officer or cyber inspection officer
A person who obstructs or hinders a law enforcement officer, cyber inspector or any person in the exercise of any powers under this Act or who neglects or fails to comply with an order commits an offence and is liable, on conviction, to a fine not exceeding two hundred thousand penalty units or to imprisonment for a period not exceeding two years, or to both.
69. Harassment utilising means of electronic communication
A person who using a computer system intentionally initiates any electronic communication, with the intent to coerce, intimidate, harass, or cause emotional distress to a person commits an offence and is liable, on conviction, to a fine not exceeding five hundred thousand penalty units or to imprisonment for a period not exceeding five years, or to both.
70. Cyber terrorism
71. Cyber attack
A person who carries out a cyber attack commits an offence and is liable, on conviction, to a fine not exceeding five hundred thousand penalty units or to imprisonment for a period not exceeding five years, or to both.
72. Cognizable offences
An offence under this Act shall be deemed to be a cognizable offence for the purposes of the Criminal Procedure Code. [Cap. 88]
Part X – Electronic evidence
73. Admissibility of electronic evidence
Part XI – General provisions
75. Search and seizure
76. Prohibition of disclosure of information to unauthorised persons
78. Production order
Where a judge is satisfied on the basis of an ex-parte application by a law enforcement officer that specified computer data, or a printout or other information, is reasonably required for the purpose of a criminal investigation or criminal proceedings, the Judge may order that—
79. Expedited preservation
80. Partial disclosure of traffic data
A law enforcement officer may, where the law enforcement officer is satisfied computer data is reasonably required for the purposes of a criminal investigation, by written notice given to a person in control of the computer system, require the person to disclose relevant traffic data about a specified communication to identify—
81. Collection of traffic data
82. No monitoring obligation
83. Limitation of liability
An electronic communications service provider shall not be criminally liable for providing access and transmitting information on condition that it meets the limitation of liability criteria stipulated in the Electronic Communications and Transactions Act, 2021. [Act No. 4 of 2021]
84. Extradition
An offence under the provisions of this Act is an extraditable offence for the purposes of the Extradition Act. [Cap. 94]
85. Evidence obtained by unlawful interception not admissible in criminal proceedings
Despite any other law, evidence which is obtained by means of any interception effected in contravention of this Act, shall not be admissible in any criminal proceedings except with the leave of the court, and in granting or refusing such leave, the court shall have regard, among other things, to the circumstances in which it was obtained, the potential effect of its admission or exclusion on issues of national security and the unfairness to the accused person that may be occasioned by its admission or exclusion.
86. General penalty
A person who commits an offence under this Act for which no penalty is provided is liable, on conviction—
87. Power of court to order cancellation of licence, forfeiture etc.
History of this document
01 April 2021
24 March 2021 this version
23 March 2021
Cyber Security and Cyber Crimes (National Cyber Security, Advisory and Coordination Council) Regulations, 2021 (Statutory Instrument 52 of 2021)