By Promise Njiqu and Kelvin Sabao

Background

The following story is based on an incident that circulated online, but it has been fictionalised for illustrative purposes.

It was meant to be a joyous family occasion — a roora (lobola) celebration filled with laughter, traditional songs, and colourful outfits. 

Guests gathered, the food was ready, and the bride’s family waited expectantly. But as the hours passed, one person was noticeably missing — the groom never showed up.

Disappointment quickly turned into anger and embarrassment. In the heat of the moment, someone close to the family posted the groom’s photo on social media, expressing frustration and outrage over his failure to attend the roora. Within hours, the post went viral. The image spread across WhatsApp groups, X (formerly Twitter), and Facebook, accompanied by comments, jokes, and remarks. What began as a private family matter soon became a public spectacle.

Yet beyond the humour and online chatter lies a serious question: was it lawful to share the groom’s image without his consent?

Introduction

Under Zimbabwe’s Cyber and Data Protection Act [Chapter 12:07], a person’s photograph qualifies as personal information. Sharing it without the person’s consent — unless a lawful exception applies — can amount to unlawful processing of personal data, an offence punishable by fines or imprisonment.

In an age where one post can reach thousands in seconds, understanding what the law says about sharing someone’s image isn’t just courteous — it is a legal necessity.

Unless a person is:

a. a media house or journalist in the ordinary course of their professional duties¹; or

b. an officer of the court (lawyer, magistrate, or judge) acting in the ordinary exercise of their duties; or

c. a member of the security services performing official duties; or

d. the owner of the image; or

e. involved in a legal matter with the person in the image, and the image is necessary and used strictly for that purpose;

f. a licensed data controller or data processor acting within the scope of their ordinary duties; or

g. a family member or member of an organisation to which both parties belong

— it is prudent not to share or circulate images (or any personal information) of another person without their consent.

Legal Context

The introduction of the Cyber and Data Protection Act [Chapter 12:07] (hereinafter referred to as the CDPA) ushered in a new legal framework governing the collection, sharing, transmission, storage, and processing of information about data subjects.

The CDPA seeks to give effect mainly to two fundamental constitutional rights of every data subject — the right to privacy and the right to human dignity — as enshrined in the Constitution of Zimbabwe.³⁴

Failure to comply with the legal procedures prescribed under the CDPA when processing another person’s personal information may result in criminal liability, including fines and/or imprisonment.⁵

The CDPA achieves this goal by defining how personal information of data subjects is to be processed.

Who Is Protected? — Data Subject

Data Subjects refer to an individual who is an identifiable person and the subject of the data. This means that a natural person or a human being is a Data Subject.

Such individuals are entitled to the constitutional rights of privacy and dignity; therefore, their personal information must be handled in a manner that upholds and protects these rights.

What Type of Activity? — Processing

Processing refers to, among other things, carrying out any operation (including use) of personal information of a data subject.

By Who? — A Data Controller

A Data Controller refers to an individual or natural person who determines the purpose and means of processing data.⁷

Statutory Instrument 155 of 2024, at section 3 (2), states that a data controller is anyone who processes personal information to obtain commercial gain or other benefit from the processing of personal information.

So, when one shares personal information of another, they assume the position of a Data Controller and are subject to the CDPA and SI 155 of 2024.

A photograph that has an identifiable person (data subject) is personal information that, when shared, falls under processing per the CDPA. Given the nature of a photograph, one can safely conclude that it can be either sensitive or non-sensitive data.

What Type of Information? — Personal Information

Personal information refers to information that relates to an identifiable human.⁸ The list of information relating to data subjects that falls under this class includes a person’s name, race, marital status, blood type, opinions, health care record, or other particulars assigned to that person.

According to Burns (2023:65), while referring to the Protection of Personal Information Act, a photograph could be argued to fall under “other particulars assigned to that person.” Given that the definition of personal information is the same in POPIA and the CDPA, and both pieces of legislation intend to protect Data Subjects, it is safe to conclude that the meaning is the same.

Despite the definition, the very nature of a photograph where a person or people are easily identifiable makes it fall under personal information.

Classification of Personal Information

Personal information can further be classified as sensitive information or non-sensitive information.¹⁰

This classification is important for two reasons:

1. To differentiate when one is processing sensitive data and when one is processing non-sensitive data; and

2. To establish the basis upon which personal information can be processed.

a. Sensitive Information

Sensitive information refers to information presenting a major risk to the fundamental freedoms of the data subject if disclosed. The basis for processing this type of personal information is consent, given by the Data Subject in writing.¹¹

Examples include racial or ethnic origin, political opinion, sex life, criminal record, educational status, marital or family status, and membership of a trade or professional union.

Without consent, processing of sensitive information can only be justified when:

i. it is an obligation of the controller;

ii. it is done to protect the vital interest of the data subject or another person;

iii. it is done by an organisation, association, or non-profit organisation to which the data subject is a party;

iv. the processing is to comply with national security laws;

v. the processing relates to information made public by the data subject;

vi. it is for legal claims (establishment or defence);

vii. it is for scientific research.¹²

b. Non-Sensitive Information

Non-sensitive information refers to personal information that, on its own, does not present a major risk if processed.

The standard for processing such information is also consent; however, non-sensitive information may be processed without consent if:

i. it is evidence to prove an offence;

ii. a controller is required by law to process it;

iii. it is necessary for the protection of vital interests of the data subject.

Practical Scenarios

Scenario Type of Data Lawful Without Consent?

Photo of a crowd at a public event with no identifiers Non-sensitive Usually lawful if individuals are not singled out

Group photo of identifiable people (e.g. company staff, church members) Sensitive Requires consent unless an exception applies

Close-up image of one identifiable person Sensitive Requires written consent

Journalist photographing a public protest for reporting Lawful exception No consent required if done in ordinary course of duty

Private citizen posting someone’s image out of anger or ridicule Sensitive Unlawful without consent

In short: if a person can be identified in the photo, consent is required — unless a clear legal exception applies.

Conclusion

A photograph or image containing an identifiable person qualifies as personal information within the meaning of the CDPA. Sharing such an image — whether on social media, messaging platforms, or elsewhere — constitutes processing.

Unless the sharing falls within one of the lawful exceptions or is based on the data subject’s consent, it may amount to unlawful processing of personal information and expose the person responsible to criminal penalties.

Before sharing someone’s image, pause and ask:

a. Do I have consent?

b. Do I fall within a legal exception?

c. Could this harm someone’s rights or reputation?

In a society where “screenshots never die” and content posted online can never be fully removed, responsible digital conduct is not just ethical — it is legally required.

Disclaimer

The information provided in this article is for general informational purposes only and does not constitute legal advice. While every effort has been made to ensure the accuracy of the content at the time of publication, laws and regulations may change, and the application of the law may vary depending on the specific circumstances. 

Readers should not act upon this information without seeking professional legal advice from a qualified practitioner. The author disclaims any liability for any loss or damage arising from reliance on the content of this article.