Minister Kairuki’s privacy directive demands urgent public attention

DAR ES SALAAM: ON January 8, 2026, something important happened and it should make every public and private institution in Tanzania pause.

The Minister for Communication and Information Technology Angella Kairuki, did not issue a polite reminder.

She delivered a final directive: Institutions that collect or process personal data have three months to register with the Personal Data Protection Commission (PDPC) or face the law, without exception. This was not Government routine. It was a line drawn.

Speaking in Arusha at the closing of a specialised training for Data Protection Officers, the Minister made it clear that this grace period is the last one.

After it expires, enforcement begins. No reopening of the window. No explanations entertained. From where I stand, as someone deeply engaged in data protection public awareness, this directive is not harsh.

It is responsibility. Personal data is not paperwork. It is people’s lives. When institutions mishandle it, they do not just violate the law; they expose citizens to harm and embarrassment and they damage the country’s reputation.

When data protection fails, the damage is real We do not have to imagine what can go wrong. We have already seen it elsewhere.

During major international sports tournaments in Africa, including past Africa Cup of Nations editions, ticketing platforms have been compromised, leading to leaked names, phone numbers and ID details of fans.

In some cases, supporters later reported targeted scams, impersonation calls and financial fraud traced back to leaked event databases.

The events ended, but the damage followed people home. In the tourism sector, global headlines have ex posed how hotel reservation systems were hacked, leaking passport numbers, travel itineraries and credit card details of guests.

For victims, it meant cancelled cards, identity theft and humiliation. For destinations, it meant lost trust, bad press, and years of reputational repair.

These are not abstract risks. They are warnings. Why this matters for Tanzania now Tanzania is positioning itself as a trusted tourist destination and a serious host of continental and global events.

In 2027, AFCON will bring thousands of visitors, journalists, officials and investors into our systems, hotels, airlines, immigration, hospitals, transport apps and event platforms. Every one of those touchpoints collects personal data.

A single breach involving visitors’ passports, health information, or payment details would not only harm individuals, it would raise questions about Tanzania’s readiness, reliability and respect for privacy.

ALSO READ: PM tells private education institutions to operate within framework

In today’s world, that reputational cost is enormous. The same applies to international organisations operating from Tanzania.

Data protection compliance is now a basic expectation. Institutions that ignore it are quietly putting partnerships, funding and credibility at risk.

Enforcement is not intimidation; it is governance Minister Kairuki’s instruction for the PDPC to prepare nationwide compliance audits should be understood correctly.

This is not punishment. It is the Government fulfilling its constitutional duty to protect the right to privacy as Tanzania’s digital economy grows. Let us be honest: Institutions that are still unregistered are not confused.

They are procrastinating. This directive removes every excuse. The law exists. The timelines are clear.

The consequences are known. A final word to those still sitting on the fence This is no longer about forms or bureaucracy. It is about respect for privacy of our citizens, customers, tourists and partners.

It is about their dignity. Three months is enough time to comply. After that, enforcement will not be unfair, it will be deserved. There is only one choice, register with the PDPC. Fix your systems.

Train your staff. Protect the personal data entrusted to you. If Tanzania is to be trusted on the continental and global stage, this is the moment institutions must prove they take privacy seriously. April 8th is not far. Take action now.