An Overview of the Data Protection and Privacy Act 2019
25 March 2020
The legal framework governing rights related to data and privacy in Uganda was for several years solely based on diverse sources that included the Constitution of Uganda, principles of common law and some of the legislation regulating various sectors. The coming into force of the Data Protection and Privacy Act, 2019 (the “Act”) has established a detailed and specific legal framework for the regulation and protection of the privacy of the individual and of personal data. The said Act commenced on the 1st of March 2019.
Below is an overview of the salient features of the Act.
Scope of the Act
The Act applies to any person, institution or public body that collects, processes, holds or uses personal data within Uganda, and to any person outside Uganda who collects, processes, holds or uses personal data relating to Ugandan citizens.
Regulation of Data Collection
The Act provides for the National Information Technology Authority-Uganda (the “Authority”) as the regulatory body that is responsible for regulating data collection in Uganda. The duties of the Authority include the following:
- ensuring that every person collecting or processing data complies with the principles of the Act;
- keeping and maintaining a data protection register whose information is to be made available for inspection by any person;
- taking complaints from any affected party about any violation or non-compliance with the Act; and
- investigating any complaint made to it and directing any concerned party to remedy any breach, or to take such action as will restore the integrity of data collected, processed or held by the data collector, data processor or data controller, or the rights of the data subject.
The Act requires the prior consent of the data subject for the collection or processing of personal data. However, the Act provides for some exceptions to the requirement for prior consent, and these include instances where the collection or processing of personal data:
- is authorized or required by law;
- is necessary for the proper performance of a public duty by a public authority;
- is for national security;
- is for the prevention, detection, investigation, prosecution or punishment of an offence or breach of law; or
- is for medical purposes.
Restrictions on Data Collection
Certain restrictions on the collection and processing of personal data are imposed by the Act. For instance, the collection and processing of personal data from children is prohibited unless: a) it is carried out with the prior consent of the parent or guardian or any other person having authority to make decisions on behalf of the child; b) it is necessary to comply with the law; or c) it is for research or statistical purposes.
The Act also prohibits the collection and processing of special personal data, which relates to the religious or philosophical beliefs, political opinion, sexual life, financial information, health status or medical records of an individual, except as collected under the Uganda Bureau of Statistics Act. However, a data collector, processor or controller may collect special personal data where the collection or processing is in exercise or performance of a right or an obligation imposed by law on an employer, where the information is given freely and with the consent of the data subject, or where it is for the purposes of the legitimate activities of a body or association.
Sources of Personal Data
According to the Act, personal data should be collected directly from the data subject. However, personal data may be collected from another source (a third party) where the data is contained in a public record, has been deliberately made public by the data subject, is unlikely to prejudice the privacy of the individual, or is necessary for the prevention of an offence or breach of the law.
The Act provides that personal data must be collected for a lawful purpose which is specific and explicitly defined and which is related to the functions and activities of the data collector or data controller. Furthermore, the data subject must be given adequate information before personal data is collected, such as the nature and category of the data being collected, the name and address of the person responsible for the collection and the purpose for which the data is being collected, amongst other details provided for under the Act.
Where personal data is collected from a third party, the data subject should be given the abovementioned information before the data is collected or as soon as practicable after it is collected. This does not apply where, amongst other cases specified under the Act, giving the information would compromise the law enforcement powers of a public body responsible for the prevention or punishment of an offence, or where the information relates to national security.
Principles of Data Protection
The Act lays down seven principles of data collection which should be observed by data collectors, data processors, data controllers or any other person who collects, processes, holds or uses personal data. These principles are:
- accountability to the data subject for data collected, processed, held or used;
- lawful and fair collection and processing of data;
- adequacy and relevance of the personal data collected, processed and used or held;
- timely retention of personal data for the period authorized by law or for which the data is required;
- quality of information collected, processed, used, or held;
- transparency and participation of the data subject in the collection, processing, use and holding of the personal data; and
- security of the data.
Safeguards relating to the Right to Privacy
The Act contains various safeguards to ensure that the right to privacy is protected. These include the following:
- A data controller or data processor must only process necessary and relevant personal data and must not process personal data in excess of what is legally required for a specific purpose.
- A data collector or controller must ensure that the data is complete, accurate, up-to-date and not misleading having regard to the purpose for its collection or processing. The data subject is also required to ensure the same.
- The data subject may request the data controller to correct or delete personal data about him or her that is inaccurate, irrelevant, excessive, out of date, incomplete, misleading or obtained unlawfully, or to destroy or delete a record of personal data about the data subject which the data controller no longer has the authority to retain.
- The data controller is obliged to comply with the request made by the data subject. Where the data controller is unable to comply with the request, it shall inform the data subject of the rejection and the reasons for it in writing. Where the data controller complies with the request, it shall inform each person to whom the data has been disclosed of the correction made.
- Where a person holds personal data for a specific purpose, any further processing of the data must be limited to that specific purpose.
- The Act also regulates the processing of personal data outside Uganda by a data processor or data controller based in Uganda, so that the data retains its protection when it is processed or stored abroad.
Security of Personal Data
The Act obliges data controllers, collectors and processors to secure the integrity of personal data in their possession or control by adopting appropriate, reasonable technical and organizational measures to prevent loss, damage or unauthorized destruction of the data, and unlawful access to or unauthorized processing of it. To this end, data controllers, collectors and processors must have security safeguards in place and must observe generally accepted information security practices and any specific industry or professional rules that apply to them.
Where a data collector, data processor or data controller has reason to believe that the personal data of a data subject has been accessed or acquired by an unauthorized person, it must immediately notify the Authority. The Authority then determines whether or not the data subject should be informed. Where the data subject is to be informed, the notification shall be made by registered mail, electronic mail, placement in a prominent position on the website of the responsible party or publication in the mass media.
Rights of the Data Subject
- The data subject has the right, upon proof of identity, to request from the data controller: a) confirmation of whether or not the data controller holds personal data about him or her; b) a description of the personal data held by the data controller; and c) the identity of any third party, or category of third party, who has or has had access to the data.
- Where the data controller cannot comply with any of the above requests without disclosing data relating to another individual, it shall not comply unless the other individual consents to the disclosure, it is reasonable in all the circumstances to comply without that consent, or a court so orders.
- A data subject may stop the data controller or data processor from processing data which causes or is likely to cause unwarranted substantial damage or distress to him or her.
- The data subject has the right to stop the processing of his or her personal data for purposes of direct marketing.
- The data subject may require the data controller to ensure that any decision taken by or on behalf of the data controller which significantly affects him or her is not based solely on the processing by automatic means of personal data in respect of that data subject.
Offences and Penalties
The Act provides for three types of offences namely:
- unlawful obtaining or disclosing of personal data;
- unlawful destruction, deletion, concealment or alteration of personal data; and
- sale of personal data.
Where any of the above offences is committed by a corporation, the corporation and every officer of the corporation who knowingly and wilfully authorized or permitted the contravention are liable for the offence.
The penalty prescribed under the Act for the first and second offences is a fine not exceeding two hundred and forty currency points (four million eight hundred thousand Uganda shillings) or imprisonment for a term not exceeding ten years, or both. For the third offence, the penalty prescribed is a fine not exceeding two hundred and forty-five currency points (four million nine hundred thousand Uganda shillings) or imprisonment for a term not exceeding ten years, or both.
Under the Act, the first avenue for dispute resolution is a complaint lodged with the Authority. A person aggrieved by a decision of the Authority may appeal to the Minister, and a copy of the appeal shall be provided to the Authority.
- Where the Authority is satisfied, on a complaint by a data subject, that personal data is inaccurate, it may order the data controller to rectify, update, block, erase or destroy the data, whether or not the data accurately records information received from the data subject or from a third party.
- Where a data subject suffers damage or distress through a contravention of the Act by any of the responsible parties, the data subject is entitled to apply to a court of competent jurisdiction for compensation from the party responsible for the damage or distress.
The information contained in this review is for general guidance and not a substitute for the need to get appropriate professional advice. If you require further information, please write to your usual contact person at Mukumbya Musoke Advocates or either of:
Juliana Laker | Prisca Nagujja | Julius M. Musoke