Data Security Compliance in Zambian Universities

This study examined data security compliance in Zambian universities after the enactment of the Data Protection Act No. 3 of 2021. Although universities manage highly sensitive personal data, including student records, biometrics, and academic credentials, limited empirical evidence exists regarding how well institutions have implemented the Act. The study evaluated the extent of implementation, identified barriers to compliance, and proposed strategies for improvement.

Using a qualitative multiple-case study design, the research involved two private universities and one government university. Data were collected through 21 semi-structured interviews with key stakeholders, document analysis, and observational field notes. Thematic analysis followed Braun and Clarke’s six-phase approach.

Findings indicated uneven compliance maturity across cases. University B demonstrated high compliance, supported by strong governance policies, technical safeguards, and established incident response procedures. University A showed moderate compliance, with general awareness but inconsistent execution. University C exhibited low compliance, marked by limited awareness and weak foundational governance structures. Three recurring patterns emerged: a gap between leadership awareness and operational implementation, a policy-practice disconnect linked to inadequate communication and training, and persistent resource constraints. The study concludes that legal mandates alone are insufficient; sustained compliance requires a data protection culture, capacity building, clear implementation guidance, adequate resourcing, and effective regulatory oversight.