Purpose of the law

The Data Protection and Privacy Act, 2019 was assented to by the President on 28th May 2019 and it commenced on 1st March, 2019. The purpose of the law is to protect the privacy of the individual and of personal data by regulating the collection and processing of personal information; to provide for the rights of the persons whose data is collected and the obligations of data collectors, data processors and data controllers; to regulate the use or disclosure of personal information; and for related matters.

The law gives individuals whose personal information has been requested, collected, collated, processed or stored the power to exercise control over their personal data, including consenting to its collection and processing, or requesting the correction or deletion of personal data.

The law was necessary to operationalise and give effect to Article 27(2) of the Constitution of the Republic of Uganda, which provides that no person shall be subjected to interference with the privacy of that person's home, correspondence, communication or other property.

The law is in line with a number of international conventions, including the Universal Declaration of Human Rights, to which Uganda is a signatory. It is also in line with the European Union General Data Protection Regulation (GDPR), which gives European Union (EU) citizens and residents control over their personal data and applies to every global organisation that may hold or process data on EU citizens and residents.

Who is bound by The Data Protection and Privacy Act, 2019

Under section 1 of The Data Protection and Privacy Act, 2019, the law applies to any person, institution or public body collecting, processing, holding or using personal data within Uganda, and outside Uganda to those who collect, process, hold or use personal data relating to Ugandan citizens.

For further clarity, section 2 of the Act provides that if whatever is being held, in any form, is enough to identify a particular person, then it is personal data. Personal data therefore includes information that relates to: (a) the nationality, age or marital status of the person; (b) the educational level or occupation of the person; (c) an identification number, symbol or other particulars assigned to a person; (d) identity data; or (e) other information which is in the possession of, or is likely to come into the possession of, the data controller, and includes an expression of opinion about the individual. Personal data also includes addresses, email addresses, photographs, telephone numbers, salary details and bank account information, and next of kin details, among others.

An employer is bound to have personal data of its employees, such as employee records, or clients' records in its possession. Accordingly, employers are obliged to put in place adequate measures to protect that information and personal data in their possession.

A data collector is defined by the Act to mean a person who collects data. A data controller is the legal 'person', including an organisation, that decides why and how personal data is to be processed. The data controller may appoint another organisation, or a person other than an employee of the data controller, to be its data processor, in other words to process the data on its behalf. A data subject is an individual from whom, or in respect of whom, personal data is requested, collected, processed or stored. The term data subject is broad and may include, but is not limited to, employees, clients, customers, business associates and job applicants, among others.

Seven Principles of Data Protection

The Act in section 3 outlines seven data protection principles which must be complied with by data collectors, data processors, data controllers or any other person who collects, processes, holds or uses personal data. These principles are: (i) accountability to data subjects for data collected, processed, held or used; (ii) collecting and processing data fairly and lawfully; (iii) collecting, processing, using or holding adequate, relevant and not excessive or unnecessary personal data; (iv) retaining personal data only for the period authorised by law or for which the data is required; (v) ensuring the quality of information collected, processed, used or held; (vi) ensuring transparency and participation of the data subject in the collection, processing, use and holding of the personal data; and (vii) observing security safeguards in respect of the data.

The National Information Technology Authority – Uganda shall ensure that every data collector, data controller, data processor or any other person collecting or processing data complies with the principles of data protection and with the Act.

Establishment of the Personal Data Protection Office

Section 4 of the Act establishes the Personal Data Protection Office under the National Information Technology Authority – Uganda, which is mandated, among other things, to oversee the implementation and enforcement of the Act; to receive and investigate complaints from data subjects; and to establish and maintain a data protection and privacy register.

Appointment of Data Protection Officer by Institutions

Under section 6 of the Act, the head of every institution that handles personal data is required to appoint a Data Protection Officer. This is the person in the organisation or company who is the central point of contact and is responsible for all data protection compliance issues. The Data Protection Officer also receives access requests for personal data and handles all matters relating to data subjects, including employees, clients, customers and suppliers, among others. The Data Protection Officer is the main contact person for the National Information Technology Authority on all matters regarding personal data. On an interpretation of this section of the law, an institution can appoint either an individual or a company to be its Data Protection Officer, as long as the individual or company complies with the law regarding the personal data of the data subject.

Prior consent to collection and processing of personal data

Section 7 of the Act gives the data subject the right to consent to the collection and processing of personal data. According to the section, a person shall not collect or process personal data without the prior consent of the data subject.

However, the Act also provides for exceptions where data may be collected and processed without the consent of the data subject. Under section 7(2), personal data may be collected or processed: where the collection or processing is authorised or required by law; where it is necessary (i) for the proper performance of a public duty by a public body, (ii) for national security, or (iii) for the prevention, detection, investigation, prosecution or punishment of an offence or breach of law; for the performance of a contract to which the data subject is party, or in order to take steps at the request of the data subject prior to entering into a contract; for medical purposes; or for compliance with a legal obligation to which the data controller is subject.

Outside the above exceptions, where a data subject objects to the collection or processing of personal data, the person who is collecting or processing the personal data shall stop the collection or processing of that personal data.

Processing personal data outside Uganda

Under section 19, where a data processor or data controller based in Uganda processes or stores personal data outside Uganda, the data processor or data controller shall ensure that the country in which the data is processed or stored has adequate measures in place for the protection of personal data, at least equivalent to the protection provided for by the Act, or that the data subject has consented.

Rights of Data Subjects

  • Right to privacy. Section 10 of the Act protects the data subject's right to privacy by prohibiting the collection or processing of personal data in a manner that infringes on the privacy of the data subject.
  • Right to access personal information under section 24. A data subject who provides proof of identity may request a data controller to give him or her access to the personal information held by the data controller. The data controller is required to comply with the request promptly and in any event not more than thirty days after the request.
  • Under section 25 of the Act, the data subject has a right to prevent or stop, by notice in writing to the data controller or data processor, the processing of personal data which causes or is likely to cause unwarranted substantial damage or distress to the data subject.
  • A data subject has a right to prevent or stop the processing of his or her personal data for purposes of direct marketing under section 26 of the Act.
  • Under section 31, a data subject has a right to make a complaint to the Authority where he or she believes that a data collector, data processor or data controller is infringing upon his or her rights or violating provisions of the Act.
  • Right to compensation. Under section 33, a data subject is entitled to compensation for damage and distress caused by the failure of a data controller to comply with the Act.

Offences and Penalties

  1. Under section 35, a person shall not unlawfully obtain, disclose or procure the disclosure to another person of personal data held or processed by a data collector, data controller or data processor.
  2. Under section 36, a person shall not unlawfully destroy, delete, mislead, conceal or alter personal data.
  3. Under section 37, a person shall not sell or offer for sale personal data of any persons.

The punishment for any person who, upon conviction, is found to have committed any of the above-mentioned offences is a fine of up to two hundred and forty five currency points (equivalent to Ug. Shs. 4,800,000/=), or imprisonment not exceeding ten years, or both.

Way forward for institutions bound by the Act

  1. Institutions, organisations and companies should put in place guidelines and policies for the protection of personal data to help them comply with the provisions of the Act.
  2. Explicit consent of the data subjects must be sought and obtained by any person or organisation that seeks to collect and process personal data, where such a requirement is not exempted as explained above.
  3. Organisations need to appoint a Data Protection Officer who will ensure ongoing compliance with the Act.
  4. Organisations and companies need to put in place a data protection policy to facilitate compliance with the Act. This is especially critical for employers holding employee personal data and/or records.
  5. Companies should put in place safeguards for the personal data that they receive from other stakeholders, including customers, clients, suppliers, service providers and/or associates, to ensure that their data is not compromised in light of the Act.
  6. All organisations need to carry out an internal risk assessment and/or review regarding their compliance with the law and devise measures aimed at ensuring compliance.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.