Introduction

The Data Protection and Privacy Act (the Act) of Uganda was passed in 2019, and the Data Protection and Privacy Regulations (DPP Regulations) made under it were gazetted in March 2021. Following the passing of the DPP Regulations, the Personal Data Protection Office (PDPO), an independent office under the National Information Technology Authority (NITA), was operationalised in August 2021. Its mandate is to regulate the collection and processing of personal data in Uganda.

Application

The Act applies to a person, institution or public body:

  1. collecting, processing, holding or using personal data within Uganda;
  2. outside Uganda who collects, processes, holds, or uses personal data relating to Ugandan citizens.

Principles of data protection

The Act sets out seven data protection principles that every data collector, data processor or data controller, and any other person who collects, processes, holds or uses personal data, must adhere to.

These include:

  • Being accountable to the data subject for data collected, processed, held or used;
  • Fair and lawful collection and processing of data;
  • Collecting and processing adequate and relevant personal data;
  • Data retention only for period authorised by law or purpose;
  • Ensuring the quality of information collected, processed, used or held;
  • Ensuring transparency and participation of the data subject in the collection, processing, use and holding of the personal data; and
  • Observing security safeguards in respect of the data.

Registration

Every data collector, data processor or data controller is required to register with the Personal Data Protection Office as stipulated by Regulation 15 (1) of the Data Protection and Privacy Regulations.

Section 29 (2) of the Data Protection and Privacy Act mandates the Personal Data Protection Office (the Office/PDPO) to enter in the data protection register every person, institution or public body collecting or processing personal data, together with the purpose for which the personal data is collected or processed. Registration is valid for one year, and a registered person or institution must apply for renewal within the three months before the registration expires.

A person who fails to register, or fails to renew a registration, commits an offence and is liable on conviction to a fine, to imprisonment not exceeding three months, or to both.

The Data Protection Officer

Every person, institution or public body that processes or controls personal data shall designate a data protection officer. This is the person in the organisation who serves as the central point of contact and is responsible for all data protection compliance issues.

Requirements for collecting and processing data

A person should not collect or process personal data without the prior consent of the data subject, unless the collection or processing is:

  • authorised or required by law;
  • for the proper performance of a public duty by a public body;
  • for national security;
  • for the prevention, detection, investigation, prosecution or punishment of an offence or breach of law;
  • for the performance of a contract to which the data subject is party, or in order to take steps at the request of the data subject prior to entering into a contract;
  • for medical purposes; or
  • for compliance with a legal obligation to which the data controller is subject.

A person should not collect or process personal data relating to a child unless the collection or processing is carried out with the prior consent of the parent or guardian or any other person having authority to make decisions on behalf of the child, is necessary to comply with the law, or is for research or statistical purposes.

Rights of data subjects

Under the Act, data subjects have the following rights:

  • Right to access personal information held by the data controller after providing proof of identity;
  • Right to prevent processing of personal data which causes or is likely to cause unwarranted substantial damage or distress to the data subject by notice in writing to the data controller or processor;
  • Right to prevent processing of personal data for purposes of direct marketing;
  • Rights in relation to automated decision-taking;
  • Right to make a complaint to the Authority where he or she believes that a data collector, processor or controller is infringing his or her rights or violating the provisions of the Act.

Offences and penalties

The following are offences under the Act:

  • Unlawfully obtaining, disclosing or procuring the disclosure to another person of personal data held or processed by a data collector, data controller or data processor.
  • Unlawful destruction, deletion, concealment or alteration of personal data.
  • Selling or offering for sale of personal data.

A person who commits any of the above offences is liable on conviction to a fine not exceeding two hundred and forty currency points, to imprisonment not exceeding ten years, or to both.

Where an offence is committed by a corporation, the corporation and every officer of the corporation who knowingly and wilfully authorises or permits the contravention commit the offence.

Conclusion

Organisations should therefore not only formulate guidelines and policies for the protection of personal data to help them comply with the Act, but also review their current practices to establish whether those practices already comply with the Data Protection and Privacy Act.

All employees should be sensitised so that they understand their rights and obligations under the Act. Directors and management of organisations should be made aware of their responsibilities in respect of data protection compliance.

Download Here - The Data Protection and Privacy Act, 2019