Uganda: PDPO initiates enforcement action against Uganda Securities Exchange and Soft Edge Uganda for security breach
On July 13, 2023, the Personal Data Protection Office (PDPO) announced that it had concluded an investigation into the Uganda Securities Exchange (USE) and its data processor, Soft Edge Uganda Limited, for violations of the Data Protection and Privacy Act 2019 and its supporting Regulations, following a complaint by an individual.
Background to the decision
The PDPO stated that there had been unauthorized access to third-party logging servers used by USE, and that the breach occurred on Soft Edge Uganda's infrastructure because an incorrectly configured firewall on the audit logging server left a port open. Through that port, personal data, including identification numbers, names, dates of birth, email addresses, physical addresses, and telephone numbers of individuals, was exposed for a period of 12 days.
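The decision does not name the service or port involved. As an added illustration of the kind of check that would have caught this exposure (not part of the PDPO decision or of either company's tooling), the script below parses the output of `ss -tlnp` on a Linux logging host and flags every listener bound beyond loopback whose port is not on an explicit allowlist. The sample `ss` output, the process names (`auditlog-web`, `logstore`) and the allowlist are constructed for the example.

```python
"""Flag listeners on an audit logging host that are reachable beyond loopback
and are not on an explicit allowlist.

Added example, not part of the PDPO decision. Parses the output format of
`ss -tlnp` (Linux iproute2). The sample output and process names below are
constructed for illustration."""
import re
import subprocess
from dataclasses import dataclass

# Matches the process name inside ss's "users:(("name",pid=...,fd=...))" column.
PROCESS_RE = re.compile(r'users:\(\("([^"]+)"')


@dataclass(frozen=True)
class Listener:
    host: str
    port: int
    process: str


def is_loopback(host: str) -> bool:
    """True for 127.0.0.0/8 and ::1 (with or without IPv6 brackets)."""
    return host.startswith("127.") or host.strip("[]") == "::1"


def parse_ss_listeners(ss_output: str) -> list[Listener]:
    """Parse `ss -tlnp` output into Listener records; the header line is skipped."""
    listeners = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        # Local Address:Port is the 4th column; split on the last colon so
        # IPv6 forms such as "[::]:8080" keep their address intact.
        host, _, port = fields[3].rpartition(":")
        if not port.isdigit():
            continue
        match = PROCESS_RE.search(line)
        process = match.group(1) if match else "unknown"
        listeners.append(Listener(host, int(port), process))
    return listeners


def find_exposed_listeners(ss_output: str, allowed_ports: set[int]) -> list[Listener]:
    """Return listeners that are not loopback-only and whose port is not allowlisted.

    A wildcard bind (0.0.0.0, [::]) or a bind to a routable interface address
    both count as exposed; only the allowlist exempts them.
    """
    return [
        listener
        for listener in parse_ss_listeners(ss_output)
        if not is_loopback(listener.host) and listener.port not in allowed_ports
    ]


def audit_live(allowed_ports: set[int]) -> list[Listener]:
    """Run `ss -tlnp` on the current host and return exposed listeners."""
    result = subprocess.run(["ss", "-tlnp"], capture_output=True, text=True, check=True)
    return find_exposed_listeners(result.stdout, allowed_ports)


# Constructed sample output in the `ss -tlnp` layout. Only SSH is meant to be
# reachable; the two other non-loopback listeners are the misconfiguration.
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22        0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      4096   127.0.0.1:5514    0.0.0.0:*         users:(("rsyslogd",pid=901,fd=5))
LISTEN 0      4096   [::]:8080         [::]:*            users:(("auditlog-web",pid=1200,fd=7))
LISTEN 0      511    10.0.2.15:9200    0.0.0.0:*         users:(("logstore",pid=1311,fd=12))
"""

if __name__ == "__main__":
    for listener in find_exposed_listeners(SAMPLE_SS_OUTPUT, allowed_ports={22}):
        print(f"EXPOSED {listener.host}:{listener.port} ({listener.process})")
```

Run against the constructed sample, the check reports the listeners on ports 8080 and 9200 and stays quiet about the loopback-only syslog receiver. Scheduling `audit_live({22})` from cron or a configuration-management run, and alerting on a non-empty result, turns a one-off look into the continuous control whose absence let the exposure persist for 12 days.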
Findings of the PDPO
The PDPO found that:
- USE failed to notice a Twitter message about the breach, which allowed the breach to continue for 12 days. The PDPO noted that even after being made aware of the breach, USE and Soft Edge Uganda failed to respond promptly, in violation of Section 20 of the Data Protection and Privacy Act 2019;
- the agreement between USE and Soft Edge Uganda was inadequate in securing the integrity and confidentiality of personal data as it failed to specify the types of personal data to be shared and the obligations of both parties to ensure data security and privacy, in violation of Section 21 of the Data Protection and Privacy Act 2019;
- Soft Edge Uganda Limited was not registered with the PDPO even after the investigation started, in violation of Section 29(2) of the Data Protection and Privacy Act 2019; and
- USE's Information Systems Policies Manual contradicted Section 23 of the Data Protection and Privacy Act 2019, by giving the CEO sole discretion for deciding whether to report a breach.
In light of the above, the PDPO found that USE, Soft Edge Uganda, and their accountable representatives should be prosecuted for their negligence in handling personal data. The PDPO gave USE and Soft Edge Uganda Limited three months to rectify all the non-compliant acts it had highlighted and, in addition, called on USE to initiate disciplinary proceedings against the relevant personnel, in accordance with its employee policies, for their role in the breach.