Uganda was the first East African country to recognize privacy as a fundamental human right, as enshrined in article 27 of the 1995 Uganda Constitution as well as in regional and international laws. The Data Protection and Privacy Act, 2019 aims to protect individuals and their data by regulating the processing of personal information by state and non-state actors, within and outside Uganda.
An Act to protect the privacy of an individual and personal data by regulating the collection and processing of personal information; to provide for the rights of the persons whose data is collected and the obligations of data collectors, data processors and data controllers; to regulate the use or disclosure of personal information and for related matters.
Significant highlights of the Act
- The Act requires consent before collecting or processing personal data. Personal data may be collected or processed where the collection or processing is authorized or required by law or where it is necessary for the proper performance of a public duty by a public body or for the performance of a contract to which the data is subject, for medical purposes or for compliance with a legal obligation to which the data controller is subject.
- The Act provides that a person shall not collect or process personal data relating to a child unless the collection or processing thereof is; carried out with the prior consent of the parent or guardian or any other person having authority to make decisions on behalf of the child; necessary to comply with the law; or for research or statistical purposes.
- The Act prohibits the collection and processing of special personal data. A person shall not collect or process personal data which relates to the religious or philosophical beliefs, political opinion, sexual life, financial information, and health status or medical records of an individual. This exemption does not apply to information collected under the Uganda Bureau of Statistics Act.
- The Act requires the protection of privacy. A data collector, data processor or data controller shall not collect, hold or process personal data in a manner which infringes on the privacy of a data subject.
- The Act prohibits the retention of records of personal data for a period longer than is necessary to achieve the purpose for which the data is collected and processed unless; the retention of the data is required or authorized by law; the retention of the data is necessary for a lawful purpose related to a function or activity for which the data is collected or processed, the retention of the data is required by a contract between the parties to the contract, or the data subject consents to the retention of the data.
- The Act requires that where a data processor or data controller based in Uganda processes or stores personal data outside Uganda, the data processor or data controller shall ensure that; the country in which the data is processed or stored has adequate measures in place for the protection of personal data at least equivalent to the protections provided for by this Act, or the data subject has consented.
- The Act requires that a data controller, data collector or data processor shall secure the integrity of personal data in the possession or control of a data controller, data processor or data collector by adopting appropriate, reasonable, technical and organizational measures to prevent the loss, damage, or unauthorized destruction and unlawful access to or unauthorized processing of the personal data.
- The Act provides that right to access personal information. A data subject who provides proof of identity may request a data controller to; confirm whether or not the data controller holds personal data about that data subject; describe the personal data which is held by the data controller; provide the identity of a third party or a category of a third party who has or has had access to information.
- The Act provides for the right to prevent the processing of personal data. A data subject shall at any time by notice in writing to a data controller or data processor, require the data controller or data processor to stop processing personal data which causes or is likely to cause unwarranted substantial damage or distress to the data subject.
- The Act provides that where a data subject or any person who believes that a data collector, data processor or data controller is infringing upon their rights or is in violation of this Act may make a complaint in the prescribed manner to the authority. The victim may in writing make a complaint to the authority about any violation or noncompliance with this Act.
- The Act creates offences including; unlawful obtaining or disclosing of personal data, unlawful destruction, deletion, concealment or alteration of personal data, sale of personal data and among others.
Due to the absence of regulations, there is a loop in the effective implementation of this law over that past year. These only exposes millions of citizens to data exploitation. We therefore, take this opportunity to call on the government to take active measures to effectively implement the law to ensure that it complies with its national and international obligations to protect people, their privacy and their data.