Uganda - Data Protection Overview
1. Governing Texts
Uganda passed the Data Protection and Privacy Act, 2019 ('the Act') in 2019, and the Data Protection and Privacy Regulations, 2021 ('the Regulations') were issued in May 2021 to implement the Act. The Act and the Regulations are intended to support the privacy protections already guaranteed to Ugandans under the Constitution of the Republic of Uganda, 1995 ('the Constitution'), and to complement sectoral laws for regulated activities that had previously incorporated data protection provisions.
Article 27 of the Constitution grants the right to privacy and provides that the privacy of a person's home, correspondences, communication or property, shall not be interfered with.
In furtherance of Article 27 of the Constitution, the Act was enacted, guaranteeing the protection of privacy in the digital world. The Act focuses on the protection of privacy and personal data through regulation of data collection, processing, storage, and dissemination of personal information.
The Act, which mirrors the UK Data Protection Act, 1998, revolves around several principles concerning data protection and collection. These principles stipulate, among other things, that data should (Section 3 of the Act):
- be collected in a lawful and fair manner;
- be adequate and relevant;
- be accurate;
- not be kept longer than necessary;
- be secure; and
- not be transferred outside the jurisdiction of collection.
On March 12, 2021, the Minister of Information Communication and Technology (ICT) and National Guidance published the Regulations, which are intended to implement the Act. The Regulations provide for a number of forms to be used to take certain types of actions, including:
- the manner in which an application to object to the collecting or processing of personal information can be made (Regulations 10(5) and 23(3));
- application for registration or renewal of registration (Regulation 16(1));
- the form of undertaking not to process or store personal data outside Uganda (Regulation 16(4));
- the template for a certificate of registration (Regulation 19(2));
- the format for an application for a certified copy of the extract or entry in the Register (Regulation 28(3));
- complaint concerning processing personal data without appropriate security measures (Regulation 32(3));
- the manner in which a notification of breach can be made (Regulation 33(2));
- request to confirm possession of personal data (Regulation 35(1));
- complaint concerning inaccurate personal data in the possession of a data controller (Regulation 39(3));
- the decision on a complaint in respect of inaccurate personal data in the possession of the data controller (Regulation 39(5));
- complaint concerning infringement or violation of the Act (Regulation 41(2)); and
- the form of an appeal to the Permanent Secretary, Ministry of Information and Communications Technology, and the Minister's decision (Regulation 46(1) and 46(7)).
1.3. Case law
Not applicable. Both the Act and the Regulations are still developing; their application has not yet been tested in the courts of law.
2. Scope of Application
The Act applies to any person, institution, or public body which collects, processes, stores, uses, or discloses personal data within Uganda or outside Uganda.
The applicability of the Act to persons or entities outside Uganda is restricted to personal data relating to Ugandan citizens.
The Act restricts the definition of processing to any operation performed by automated means upon collected data, including (Section 2 of the Act):
- the organization, adaptation, or alteration of data;
- the retrieval, consultation, or use of data;
- disclosure of data by transmission, dissemination, or otherwise making available; and
- alignment, combination, blocking, erasure, or destruction of information or data.
3.1. Main regulator for data protection
The National Information Technology Authority - Uganda ('NITA-U') is designated as the national data protection authority and also maintains the Data Protection Register ('the Register') that lists every institution, person, or public body collecting or processing personal data.
Additionally, the Personal Data Protection Office ('the PDPO') is an independent office under NITA-U, responsible for overseeing the implementation of and enforcement of the Act. The PDPO is headed by the National Personal Data Protection Director.
3.2. Main powers, duties, and responsibilities
NITA-U's main responsibility is to ensure that every data collector, data controller, data processor, or any other person collecting or processing data complies with the principles of data protection and the Act. In addition to the above, NITA-U is in charge of:
- responding to data breaches and determining whether the data subject should be informed of the breach;
- maintaining the Register, where it records every person, institution, or public body collecting or processing personal data and the purpose of collecting such data;
- making data in the Register available for inspection by any person; and
- investigating any complaints regarding data protection and privacy.
4. Key Definitions
Data controller: A person who alone, jointly with other persons or in common with other persons, or as a statutory duty, determines the purposes for and the manner in which personal data is processed or is to be processed.
Personal data: Information about a person that is recorded in any form, including data relating to:
- the nationality, age, or marital status of the person;
- the educational level or occupation of the person;
- an identification number, symbol, or other particulars assigned to a person;
- identity data; or
- other information which is in the possession of, or is likely to come into the possession of, the data controller and includes an expression of opinion about the individual.
Sensitive data: Information which relates to a person's religious or philosophical beliefs, political opinion, sexual life, financial information, health status, or medical records. This type of data is widely used in data analytics.
Consent: Any freely given, specific, informed, and unambiguous indication of the data subject's wishes by which they, by a statement or by a clear affirmative action, signify agreement to the collection or processing of personal data relating to them.
Data collector: A person who collects personal data.
Data subject: An individual from whom or in respect of whom personal information has been requested, collected, collated, processed, or stored.
Recipient: A person to whom data is disclosed including an employee or agent of the data controller or the data processor to whom data is disclosed in the course of processing the data for the data controller, but does not include a person to whom disclosure is made with respect to a particular inquiry pursuant to an enactment.
Third party: A person other than the data subject, data collector, data controller, data processor, or other person authorized to process data for the data controller or processor.
5. Legal Bases
Consent from the data subject is mandatory before the collection or processing of personal data except in circumstances where the collection is (Section 7 of the Act):
- mandated by law;
- necessary for the prevention, investigation, or prosecution of an offense or breach of law;
- for national security;
- necessary for the proper performance of a public duty by a public body;
- for medical purposes; or
- for compliance with a legal obligation to which the data controller is subject.
It is worth noting that upon withdrawal of the consent provided by the data subject, data collection or processing must cease immediately.
In addition, under Section 8 of the Act, the collection and processing of data relating to a child is prohibited unless it is with the prior consent of the parent or guardian or any person giving authority over the child.
Personal data may also be collected or processed for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract.
Personal data may also be collected or processed for compliance with a legal obligation to which the data controller is subject.
The interests of the data subject are paramount and any data collector, data processor, data controller, or any person who collects, processes, holds, or uses personal data shall be accountable to the data subject for data collected, processed, held, or used (Section 3(1)(a) of the Act).
Personal data may be collected or processed where it is necessary for the proper performance of a public duty by a public body or national security in Uganda (Section 7(2)(b)(i) and (ii) of the Act).
Generally, the collection or processing of data must be for the purpose of fulfilling the legitimate activities of a body or association, and is subject to the consent of the data subject.
The Act places an obligation on data processors to ensure that:
- they hold and process personal data in a manner that does not infringe on the privacy of the data subject;
- data is complete, accurate, and up to date;
- they hold personal data only for the duration required by law or for which the data is required;
- they only process relevant data; and
- they maintain security measures for the protection of data.
7. Controller and Processor Obligations
Every person, institution, or public body collecting or processing personal data is mandated to register with NITA-U for inclusion on the Register under Section 3 of the Registration Classification and Guidance Notes for Application for Registration/Renewal of Registration (Version 1.3) (December 2021) ('the Registration Guide'). If a data collector, data processor, or data controller collects or processes personal data for two or more purposes, the applicant is required to indicate this in the application for registration (Section 3 of the Registration Guide). The different purposes for which the personal data is to be collected or processed should be detailed in a single application (Section 3 of the Registration Guide). In addition, the Register can be accessed by the public for purposes of inspection.
An application for registration must include the following information (Section 16(2) of the Regulations):
- applicant's name;
- name and address of the applicant's representative, where the applicant is a foreigner or situated outside Uganda;
- whether the applicant is a data collector, data controller, or data processor;
- applicant's address;
- the nature and category of personal data being processed or that is to be processed;
- the purpose for which the applicant collects or processes personal data;
- description of the purpose for which the personal data is being processed or collected;
- retention period for the personal data;
- description of the recipient to whom the applicant intends to disclose the personal data, if any;
- details of the data protection officer ('DPO'), if any;
- the name of the country to which the applicant may transfer the data, if any;
- general description of measures to be taken to secure the personal data; and
- any other information that the PDPO may require.
In addition, the applicant must include with the application a written undertaking not to process or store personal data in a country outside Uganda unless that country has adequate protection measures in place, at least equivalent to the protection provided by the Act for the personal data and the data subject, and the data subject also consents to the transfer (Section 16(3) of the Regulations). The written undertaking is found in Form 3 - Undertaking Not to Process or Store Personal Data Outside Uganda ('Form 3') in Schedule 1 of the Regulations (Section 16(4) of the Regulations).
An application for registration or renewal can be found in Form 2 - Application for Registration/Renewal of Registration ('Form 2') in Schedule 1 of the Regulations which must be accompanied by a fee of UGX 100,000 (approx. $27) as set out in Schedule 2 of the Regulations (Regulations 16(1) and 23(3), and Section 5 of the Registration Guide).
Furthermore, in June 2022, the PDPO launched a data protection and privacy web portal to ease the reporting, processing, and resolution of data protection and privacy complaints, in addition to easing registration of data controllers, data collectors, and data processors. In this regard, the PDPO urged all private and public data controllers and processors to register with the PDPO immediately.
For an illustration on how to complete Forms 2 and 3 see the Registration Guide in the section on regulatory authority guidance above.
Review of the registration application
The PDPO is responsible for reviewing the registration application upon receipt to ensure that all the relevant documents and information are available to enable the processing of the application (Regulation 17(1)). In addition, where the PDPO finds that an application is incomplete, it will request the applicant to provide additional information or clarify the information provided (Regulation 17(2)). Furthermore, the PDPO may conduct any investigation or audit in respect of any application to facilitate decision-making (Regulation 17(3)).
Report in respect of application
The PDPO must, within 30 days after receipt of the application or of additional information, investigate and prepare a detailed report in respect of the application to enable its processing (Section 18(1) of the Regulations). In particular, the PDPO must take into account the nature and category of the personal data to be collected or processed by the applicant when considering the application (Regulation 18(2)). Furthermore, the PDPO must decide within 15 days after the report has been made whether or not to register the applicant (Regulation 18(3)).
Grant or refusal of registration
The PDPO will grant the application and issue a certificate of registration after it has considered the application as well as the report under Section 18 of the Regulations and is satisfied that the applicant meets the requirements for registration (Regulation 19(1)). The certificate of registration is issued in the form of Form 4 - Certificate of Registration in Schedule 1 of the Regulations (Regulation 19(2)).
On the other hand, the PDPO will not grant the application for registration if, after considering the application and the report under Section 18 of the Regulations, it is satisfied that (Regulation 21(1)):
- the applicant does not meet the requirements for registration;
- the particulars provided for inclusion in the Register are insufficient; or
- the applicant has failed to provide the appropriate safeguards for the protection of the data subject's privacy.
Importantly, the PDPO must communicate the decision to refuse registration in writing and include the reasons for the refusal (Regulation 21(2)). However, the refusal of an application for registration does not prevent the applicant from making a fresh application (Regulation 21(3)). In addition, if the applicant is dissatisfied with the PDPO's decision, it may appeal to the Minister of ICT and National Guidance, and the appeal will be handled in accordance with the appeal procedure in Regulation 46 (see Regulation 22(1)).
Validity of registration and renewal
The registration is valid for 12 months from the date of registration, after which it should be renewed (Regulations 20 and 23(1), Section 5 of the Registration Guide, and the Controller Guide). The application for renewal of registration must be made within three months before the expiry of the current registration and include the appropriate fees (Regulation 23(2) and Section 5 of the Registration Guide) (see section on how to below).
The PDPO can, in consultation with the board of directors appointed under the National Information Technology Authority, Uganda Act No. 4 of 2009 and by notice in the Gazette, exempt certain data collectors, data controllers, or data processors from the requirement to register with the PDPO (Regulation 15(2) and Section 2 of the Registration Guide). However, it should be noted that this will be done at a later date and that for now all data collectors, data controllers, and data processors are required to register (Section 2 of the Registration Guide).
The Act does not bar the processing or storage of personal data outside Uganda, as long as the jurisdiction receiving the data has adequate protection measures at least equivalent to the protection under the Act or the data subject has consented to such transfer (Section 19 of the Act). Consequently, once a data subject consents to processing or storage of their personal data outside Uganda, this negates the need to ensure the existence of adequate protection measures.
Where the collection or processing of personal data poses a high risk to the rights and freedoms of natural persons, the data collector, data processor, or data controller shall, prior to the processing and/or collection, carry out an assessment of the impact of the envisaged collection or processing operations on the protection of personal data (Regulation 12(1)).
Every data protection impact assessment (DPIA) shall include (Regulation 12(2)):
- a systematic description of the envisaged processing and the purposes of the processing;
- an assessment of the risks to personal data and the measures to address the risks; and
- any other matter the PDPO may require.
The PDPO shall establish and make public a list of processing operations which are subject to the requirements for a DPIA under Regulations 12(1) and (3).
Section 6 of the Act stipulates that, insofar as the Act applies to an institution, the institution is required to appoint a data protection officer ('DPO'). While the Act does not stipulate requirements with respect to the appointment, duties, or responsibilities of DPOs, the Regulations outline information on the same.
In particular, the Regulations provide that every person, institution or public body that processes or controls personal data must designate a DPO where (Regulation 47(2)):
- the activities of the person, institution, or public body consist of processing operations which by virtue of their nature, scope or purpose require regular and systematic monitoring of data subjects on a large scale; or
- the core activities of the person, institution, or public body consist of processing of special personal data in accordance with the Act.
For the purposes of determining what constitutes 'large scale' under Regulation 47(2) the following shall be taken into consideration (Regulation 47(5)):
- the number of data subjects concerned, either as a specific number or as a proportion of the relevant population;
- the volume of data or the range of different data items being processed;
- the duration, or permanence of the data processing activity; or
- the geographical extent of the processing activity.
Further to the above, the responsibilities of a DPO are (Section 47(3) of the Regulations):
- to conduct regular assessments and audits to ensure compliance with the Act;
- to serve as the point of contact between the person, institution or public body, and the PDPO;
- to maintain records of all data processing activities conducted by the person, institution, or public body;
- to respond to data subjects and to inform them about how their personal data is being used and what measures the person, institution, or public body has put in place to protect the data; and
- to ensure that data subjects' requests to see copies of their personal data or to have their personal data erased are fulfilled or responded to, as necessary.
Please note that every data collector, data processor, and data controller is required to file an application to register with the PDPO which must include, among other things, the details of the DPO (Regulation 16(2)).
The Registration Guide further specifies that the application for registration should indicate whether the DPO has other duties in the institution, by identifying the person by title or position (e.g. 'finance officer', 'secretary', 'senior executive officer', 'director', or 'manager'), or whether the person is providing DPO services as an outsourced service.
In addition, when notifying a personal data breach pursuant to Section 23(1) of the Act, the notification must include, among other things, the name and contact details of the DPO or other point of contact.
Under Section 23 of the Act, it is mandatory to notify NITA-U of any unauthorized access or acquisition of data, in addition to the remedial action taken. However, it is left to the discretion of NITA-U to determine whether the data subject should be notified of the breach.
Overall, the Act places a strong emphasis on data security and maintenance of a robust security system with continuous updates to address new risks and deficiencies.
As a general rule, the Act does not set a duration for the retention of data. However, it stipulates that personal data should not be retained for a period longer than is necessary to achieve the purpose for collection or processing of the data, unless (Section 18 of the Act):
- the retention of data is required or authorized by law (e.g. the Anti-Money Laundering Act, 2013 sets 10 years as the duration for retention of records);
- the retention is necessary for a lawful purpose related to the function/activity for which the data is collected or processed;
- the retention is required by a contract between parties; or
- the data subject consents to the retention of the data.
In addition, the retention of data for national security purposes, judicial or legal proceedings, and historical, statistical, or research purposes is permissible and the general rule on data retention is not applicable.
Furthermore, where data is used to make a decision about a data subject, it must be retained for a period prescribed by law. Where no such period is required or prescribed by law, the data is retained for a period necessary to afford the data subject an opportunity to request access to the data.
There is also a strong emphasis on the destruction of data in a manner that guarantees that it cannot be reconstructed in an intelligible form.
According to Section 8 of the Act and Regulation 11, every data collector, data processor, and data controller is mandated to establish a system to ascertain the age of persons whose personal data is to be collected, processed, or stored and where such data relates to children, the manner of obtaining consent of a parent or legal guardian.
The collecting or processing of data relating to children is to be carried out with the prior consent of the parent or guardian or any other person having the authority to make decisions on behalf of the child.
The Act expressly bars the collection of special personal data which has over time been used to profile individuals and run political adverts. In Uganda, information collected by the Uganda Bureau of Statistics is exempted from this provision.
In the following exceptional circumstances, the collection and processing of special personal data is permitted (Section 9(3) of the Act):
- the collection or processing of the data in the exercise or performance of a right or an obligation conferred or imposed by law on an employer;
- the information is given freely and with the consent of the data subject; or
- the collection or processing of the information is for the purposes of the legitimate activities of a body or association which:
  - is established for non-profit purposes;
  - exists for political, philosophical, religious, or trade union purposes; and
  - relates to individuals who are members of the body or association or have regular contact with the body or association in connection with its purposes, and does not involve disclosure of the personal data to a third party without the consent of the data subject.
Pursuant to the above, operations of data analytics companies might be constrained in Uganda unless they operate within the parameters for exemption set by the Act.
Data processors and controllers are required to enter into contractual agreements setting out their responsibilities and liabilities, in order to establish and maintain the confidentiality and security measures necessary to protect the integrity of the personal data.
8. Data Subject Rights
Data subject rights are set out through Sections 24 to 28 of the Act. These rights are:
- the right to access personal information;
- the right to know the purpose for which the information is collected;
- the right to prevent processing of personal data;
- the right to prevent processing of personal data for direct marketing purposes; and
- the right not to be subjected to a decision affecting the data subject which is solely based on processing by automatic means.
The data subject has the right to know the purpose for which the information is collected. A data collector, data processor, or data controller who collects or processes personal data without the prior consent of the data subject contravenes Section 7 of the Act and is liable on conviction to a fine.
The data subject has a right to access their personal information from the data controller, subject to provision of proof of identity. This can include confirming whether the data controller holds personal data about that data subject, requesting that the data controller provide a description of that personal data, etc. If the information also relates to another individual, that individual's consent must be sought, or a court order obtained to the same effect, where it is not reasonable in the circumstances to comply with the request without the consent of the other individual. To weigh this reasonableness, the data controller must consider, among other factors, any duty of confidentiality owed to the other individual and the steps taken by the data controller to seek that individual's consent.
The Act also provides for the rectification, erasure, blocking, and destruction of personal data. For instance, where the data subject complains to NITA-U that the personal data is inaccurate, NITA-U may order the controller to rectify, update, block, erase, or destroy the data. With this comes the obligation to inform third parties to whom the data has previously been disclosed of the rectification, blocking, updating, or destruction.
See section on the right to rectification above.
Data subjects are also empowered with the right to prevent the processing of personal data, done by way of writing a notice to the data controller or data processor especially if the data is likely to cause unwarranted substantial damage or distress to the data subject. The controller has 14 days from receipt of such notice to inform the subject in writing of compliance, intent to comply, or the reasons for non-compliance.
Section 26 of the Act provides the right to prevent processing of personal data for direct marketing.
A data subject may also notify a data controller in writing requiring them to ensure that any decision taken by or on behalf of the data controller which significantly affects the data subject is not based solely on the processing by automatic means of personal data in respect of that data subject. Response to this must be within 21 days of receipt and must indicate the steps taken to comply.
The Act creates a number of offenses which are aimed at ensuring compliance. Such offenses include (Part VIII of the Act):
- unlawfully obtaining or disclosing personal data;
- unlawful destruction, deletion, concealment, or alteration of personal data; and
- sale of personal data.
The penalties for these offenses include imprisonment of the corporation's officers for a term not exceeding 10 years, a fine not exceeding 240 currency points, that is UGX 4.9 million (approx. $1,350), or, where the offense is committed by a corporation, 2% of the corporation's gross income.
In response to a complaint, NITA-U launched an investigation into the data processing activities of SafeBoda, a transportation company operating in Uganda. In its subsequent report, NITA-U found that SafeBoda had unlawfully disclosed data to third parties and issued an order mandating SafeBoda to make fundamental changes to how it handles people's personal data in order to comply with the Act.
This landmark enforcement action by NITA-U sets an important precedent for holding data controllers, both private and public entities, to account for their legal obligations under the Act.