Trauma caused by COVID-19: taking it one day at a time
COVID-19 continues to paralyze the world. Uganda has so far experienced two waves of severe COVID-19 outbreaks, which have affected not jus…
On January 28th we celebrated Data Privacy Day - the day when the world comes together to promote awareness about privacy, data protection and enabling trust on the internet.
In 2019 Uganda enacted the Data Protection and Privacy Act which seeks to protect the privacy of the individual and personal data by regulating the collection and processing of personal information. The Act defines personal data as information about a person from which the person can be identified, that is recorded in any form and is likely to come into the possession of the data controller and includes an expression of opinion about the individual. And this may include a National Identification Number, names, telephone number, a home address etc.
It's also important to note that no person shall collect or process personal data relating to a child unless the collection or processing thereof is carried out with the prior consent of the parent or guardian. The collection of sensitive/special personal data which includes information that relates to the religious or philosophical beliefs, political opinion, sexual life, financial information, health status or medical records of an individual (data subject) is also prohibited by the law.
The law provides for principles of data protection which are binding on data collectors, processors and data controllers. These principles include being accountable to the data subject; collecting and processing data fairly and lawfully; collecting, processing, using or holding adequate, relevant and not excessive or unnecessary personal data among others.
Any kind of collection or processing of personal data without the prior consent of the individual is prohibited. The law also requires the data collector, processor or controller not to collect, hold or process personal data in a manner which infringes on the privacy of the data subject. Therefore with all intents and purposes privacy must be ensured and that must be protected at all costs.
Any entity or person that collects or processes personal data is under an obligation to respect the rights of the data subjects. It’s from the aforementioned obligation that a person collecting personal data has to inform the data subject about the nature and category of data being collected; the name and address of the person responsible for the collection of data; the purpose for which the data is required and whether or not the supply of the data by the data subject is discretionary or mandatory.
Data collectors also need to specify the consequences likely to be faced by data subjects for failure to provide the data; the authorized requirement for the collection of the information or the requirement by law for its collection; the recipients of the data; the existence of the right of access to and the right to request rectification of the data collected before the collection; and the period for which the data will be retained to achieve the purpose for which it is collected. Where the data is collected from a third party, the data subject shall be given the information aforementioned before the collection of the data or as soon as practicable after the collection of the data.
As a data subject, one has a right to correct or delete personal data held or under control of the data controller. Where personal data is processed outside Uganda, the data processor has to ensure that the country in which the data is processed has adequate measures in place for protection of personal data or at least equivalent protection provided by Uganda’s data protection law.
Also, as a data subject, one has a right to personal information, a right to prevent processing of personal data, a right to prevent processing of personal data for direct marketing, a right inform a data processor to ensure that any decision taken by or on behalf of the data controller which significantly affects that data subject is not based solely on processing by automatic means of personal data in respect of that data subject, a right to rectify, block, erase and destroy personal data.
In regards to implementation, the mandate is vested with the National Information Technology Authority – Uganda (NITA) which has to ensure compliance with the Data Protection and Privacy Act. The Act establishes the office of the personal data protection office whose major function is to oversee the implementation of and be responsible for the enforcement of the law. The office has not been operationalized since the enactment of the law. The Act also requires institutions to designate a person as a data protection officer responsible for ensuring compliance with data protection and privacy legal regime.
In the event there are data breaches or privacy violations the data protection law creates the following offences; unlawful obtaining or disclosing of personal data; unlawful destruction, deletion, concealment or alteration of personal data and sale of personal data.