Uganda - Data Protection Overview
1. Governing Texts
Uganda enacted the Data Protection and Privacy Act, 2019 ('the Act'). The Data Protection and Privacy Regulations, 2021 ('the Regulations'), passed in May 2021, are intended to implement the Act, which is not yet in effect. The Act and the Regulations are intended to support the privacy protections already guaranteed to Ugandans under the Constitution of the Republic of Uganda, 1995 ('the Constitution') and to complement sectoral laws for regulated activities that had previously incorporated data protection provisions.
Article 27 of the Constitution introduces the right to privacy, stating that no person shall be subjected to interference with the privacy of that person's home, correspondences, communication or other property.
In furtherance of Article 27 of the Constitution, the Act was enacted, guaranteeing the protection of privacy in the digital world. The Act focuses on the protection of privacy and personal data through regulation of its collection, processing and storage.
The Act, which mirrors the UK Data Protection Act, 1998, revolves around several principles concerning data protection and collection. These principles stipulate, among other things, that data should (Section 3 of the Act):
- be collected in a lawful and fair manner;
- be adequate and accurate;
- not be kept longer than necessary;
- be secure; and
- not be transferred outside the jurisdiction of collection.
In exercise of the powers conferred upon it, the Ministry of ICT and National Guidance published the Regulations on 12 March 2021. The Regulations are intended to implement the Act and prescribe a number of forms to be used for certain actions, including:
- the manner in which an application to object to the collecting or processing of personal information can be made (Sections 10(5) and 23(3) of the Regulations);
- application for registration or renewal of registration (Section 16(1) of the Regulations);
- the form of undertaking not to process or store personal data outside Uganda (Section 16(4) of the Regulations);
- the template for a certificate of registration (Section 19(2) of the Regulations);
- the format for an application for a certified copy of the extract or entry in the Register (Section 28(3) of the Regulations);
- complaint concerning processing personal data without appropriate security measures (Section 32(3) of the Regulations);
- the manner in which a notification of breach can be made (Section 33(2) of the Regulations);
- request to confirm possession of personal data (Section 35(1) of the Regulations);
- complaint concerning inaccurate personal data in the possession of a data controller (Section 39(3) of the Regulations);
- the decision on a complaint in respect of inaccurate personal data in the possession of the data controller (Section 39(5) of the Regulations);
- complaint concerning infringement or violation of the Act (Section 41(2) of the Regulations); and
- the form of an appeal to the Permanent Secretary, Ministry of Information and Communications Technology and the Minister's decision (Sections 46(1) and 46(7) of the Regulations).
1.3. Case law
Not applicable. Both the Act and the Regulations are recent, and their application has not yet been tested in the courts.
2. Scope of Application
The Act applies to any person, institution, or public body which collects, processes, stores, uses, or discloses personal data within Uganda or outside Uganda.
The applicability of the Act to persons or entities outside Uganda is restricted to personal data relating to Ugandan citizens.
The Act limits the definition of processing to operations performed by automated means on collected data, including (Section 2 of the Act):
- the organisation, adaptation, or alteration of data;
- the retrieval, consultation, or use of data;
- disclosure of data by transmission, dissemination, or otherwise making available; and
- alignment, combination, blocking, erasure, or destruction of data.
3.1. Main regulator for data protection
The National Information Technology Authority - Uganda ('NITA-U') is designated as the national data protection authority and also maintains the Data Protection Register ('the Register') that lists every institution, person, or public body collecting or processing personal data.
3.2. Main powers, duties and responsibilities
NITA-U's main responsibility is to ensure that every data collector, data controller, data processor, or any other person collecting or processing data complies with the principles of data protection and the Act. In addition, NITA-U is in charge of:
- responding to data breaches and determining whether the data subject should be informed of the breach;
- maintaining the Register, where it records every person, institution, or public body collecting or processing personal data and the purpose of collecting such data;
- making data in the Register available for inspection by any person; and
- investigating any complaints regarding data protection and privacy.
4. Key Definitions
Data controller: A person who alone, jointly with other persons or in common with other persons, or as a statutory duty determines the purposes for and the manner in which personal data is processed or is to be processed.
Personal data: Information about a person that is recorded in any form, including data that relates to (Section 2 of the Act):
- the nationality, age, or marital status of the person;
- the educational level or occupation of the person;
- an identification number, symbol, or other particulars assigned to a person;
- identity data; or
- other information which is in the possession of, or is likely to come into the possession of, the data controller and includes an expression of opinion about the individual.
Sensitive data: Information which relates to a person's religious or philosophical beliefs, political opinion, sexual life, financial information, health status, or medical records. This type of data is widely used in data analytics.
Consent: Any freely given, specific, informed, and unambiguous indication of the data subject's wishes by which they, by a statement or by a clear affirmative action, signify agreement to the collection or processing of personal data relating to them.
Data collector: A person who collects personal data.
Data subject: An individual from whom or in respect of whom personal information has been requested, collected, collated, processed, or stored.
Recipient: A person to whom data is disclosed including an employee or agent of the data controller or the data processor to whom data is disclosed in the course of processing the data for the data controller, but does not include a person to whom disclosure is made with respect to a particular inquiry pursuant to an enactment.
Third party: A person other than the data subject, data collector, data controller, data processor, or other person authorised to process data for the data controller or processor.
5. Legal Bases
Consent is mandatory before the collection or processing of personal data, except where the collection or processing is (Section 7 of the Act):
- mandated by law;
- necessary for prevention, investigation, or prosecution of an offence or breach of law;
- for national security;
- necessary for the proper performance of a public duty by a public body;
- for medical purposes; or
- for compliance with a legal obligation to which the data controller is subject.
It is worth noting that upon withdrawal of the consent provided by the data subject, data collection or processing must cease immediately.
In addition, under Section 8 of the Act the collection and processing of data relating to a child is prohibited unless it is with the prior consent of the parent or guardian or any other person having authority over the child.
Personal data may also be collected or processed for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
Personal data may also be collected or processed for compliance with a legal obligation to which the data controller is subject.
The interests of the data subject are paramount and any data collector, data processor, data controller, or any person who collects, processes, holds, or uses personal data shall be accountable to the data subject for data collected, processed, held, or used (Section 3(1)(a) of the Act).
Personal data may be collected or processed where it is necessary for the proper performance of a public duty or national security in Uganda (Section 7(2)(b)(i) of the Act).
Generally, the collection or processing of data is for the purpose of fulfilling legitimate activities of a body or association. This is subject to the consent of the data subject.
The Act places an obligation on data processors to ensure that:
- they hold and process personal data in a manner that does not infringe on the privacy of the data subject;
- data is complete, accurate, and up to date;
- they only process relevant data; and
- they maintain security measures for the protection of data.
7. Controller and Processor Obligations
Every person, institution, or public body collecting or processing personal data is mandated to register with NITA-U for inclusion on the Register under Section 3 of the Registration Classification and Guidance Notes for Application for Registration/Renewal of Registration (Version 1.3) (December 2021) ('the Registration Guide'). If a data collector, data processor, or data controller collects or processes personal data for two or more purposes, this must be indicated in the application for registration, and the different purposes should be detailed in a single application (Section 3 of the Registration Guide). In addition, the Register can be accessed by the public for purposes of inspection.
An application for registration must include the following information (Section 16(2) of the Regulations):
- the applicant's name;
- the name and address of the applicant's representative, where the applicant is a foreigner or situated outside Uganda;
- whether the applicant is a data collector, data controller, or data processor;
- the applicant's address;
- the nature and category of personal data being processed or to be processed;
- the purpose for which the applicant collects or processes personal data;
- a description of the purpose for which the personal data is being processed or collected;
- the retention period for the personal data;
- a description of the recipient to whom the applicant intends to disclose the personal data, if any;
- the details of the data protection officer ('DPO'), if any;
- the name of any country to which the applicant may transfer the data;
- a general description of the measures to be taken to secure the personal data; and
- any other information that the Personal Data Protection Office ('PDPO') may require.
In addition, the applicant must include with the application a written undertaking not to process or store personal data in a country outside Uganda unless such a country has adequate measures in place, which must be at least equivalent to the protection provided for by the Act for the protection of the personal data and the data subject must also consent to the transfer (Section 16(3) of the Regulations). The written undertaking is found in the Form 3 - Undertaking Not to Process or Store Personal Data Outside Uganda ('the Form 3') in Schedule 1 of the Regulations (Section 16(4) of the Regulations).
An application for registration or renewal is made in Form 2 - Application for Registration/Renewal of Registration ('Form 2') in Schedule 1 of the Regulations and must be accompanied by a fee of UGX 100,000 (approx. €25) as set out in Schedule 2 of the Regulations (Sections 16(1) and 23(3) of the Regulations and Section 5 of the Registration Guide).
Furthermore, in June 2022 the PDPO launched a data protection and privacy web portal to ease the reporting, processing, and resolution of data protection and privacy complaints, and to ease the registration of data controllers, data collectors, and data processors. In this regard, the PDPO urged all private and public data controllers and processors to register with the PDPO immediately.
For an illustration on how to complete the Forms 2 and 3 see the Registration Guide in the section on regulatory authority guidance above.
Review of the registration application
The PDPO is responsible for reviewing the registration application upon receipt to ensure that all the relevant documents and information are available to enable the processing of the application (Section 17(1) of the Regulations). Where the PDPO finds that an application is incomplete, it will request the applicant to provide additional information or to clarify the information provided (Section 17(2) of the Regulations). The PDPO may also conduct any investigation or audit in respect of an application to facilitate decision-making (Section 17(3) of the Regulations).
Report in respect of application
The PDPO must, within 30 days after receipt of the application or of any additional information, investigate and prepare a detailed report in respect of the application to enable its processing (Section 18(1) of the Regulations). In particular, the PDPO must take into account the nature and category of the personal data to be collected or processed by the applicant when considering the application (Section 18(2) of the Regulations). The PDPO must then decide, within 15 days after the report has been made, whether or not to register the applicant (Section 18(3) of the Regulations).
Grant or refusal of registration
The PDPO will grant the application and issue a certificate of registration after it has considered the application and the report under Section 18 of the Regulations and is satisfied that the applicant meets the requirements for registration (Section 19(1) of the Regulations). The certificate of registration is issued in Form 4 - Certificate of Registration in Schedule 1 of the Regulations (Section 19(2) of the Regulations).
Conversely, the PDPO will refuse the application for registration if, after considering the application and the report under Section 18 of the Regulations, it is satisfied that (Section 21(1) of the Regulations):
- the applicant does not meet the requirements for registration;
- the particulars provided for inclusion in the Register are insufficient; or
- the applicant has failed to provide the appropriate safeguards for the protection of the data subject's privacy.
Importantly, the PDPO must communicate the decision to refuse registration in writing, including the reasons for the refusal (Section 21(2) of the Regulations). The refusal of an application does not prevent the applicant from making a new application (Section 21(3) of the Regulations). In addition, an applicant dissatisfied with the PDPO's decision may appeal to the Minister of ICT and National Guidance; the appeal is handled in accordance with the appeal procedure in Section 46 of the Regulations (Section 22(1) of the Regulations).
Validity of registration and renewal
The registration is valid for 12 months from the date of registration, after which it must be renewed (Sections 20 and 23(1) of the Regulations, Section 5 of the Registration Guide, and the Controller Guide). The application for renewal must be made within the three months before the expiry of the current registration and must include the appropriate fees (Section 23(2) of the Regulations and Section 5 of the Registration Guide).
The PDPO can, in consultation with the board of directors appointed under the National Information Technology Authority, Uganda Act of 31 July 2009 and by notice in the Gazette, exempt certain data collectors, data controllers, or data processors from the requirement to register with the PDPO (Section 15(2) of the Regulations and Section 2 of the Registration Guide). However, it should be noted that this will be done at a later date and that for now all data collectors, data controllers, and data processors are required to register (Section 2 of the Registration Guide).
The Act does not bar the processing or storage of personal data outside Uganda, as long as the receiving jurisdiction has adequate protection measures at least equivalent to the protection under the Act or the data subject has consented to the transfer (Section 19 of the Act). On the wording of the Act, therefore, the data subject's consent to processing or storage outside Uganda removes the need to establish that adequate protection measures exist. Note, however, that the undertaking required on registration (Form 3 under Section 16(3) of the Regulations) is framed more strictly, requiring both adequate protection in the receiving country and the data subject's consent, so in practice a registered entity should be prepared to satisfy both conditions.
Where the collection or processing of personal data poses a high risk to the rights and freedoms of natural persons, the data collector, data processor, or data controller shall, prior to the processing and/or collection, carry out an assessment of the impact of the envisaged collection or processing operations on the protection of personal data (Section 12(1) of the Regulations).
Every data protection impact assessment shall include (Section 12(2) of the Regulations):
- a systematic description of the envisaged processing and the purposes of the processing;
- an assessment of the risks to personal data and the measures to address the risks; and
- any other matter the PDPO may require.
The PDPO will establish and publish a list of processing operations which are subject to the DPIA requirement under Section 12(1) of the Regulations (Section 12(3) of the Regulations).
Section 6 of the Act stipulates that, insofar as the Act applies to an institution, the institution is required to appoint a data protection officer ('DPO'). While the Act does not stipulate requirements with respect to the appointment, duties, or responsibilities of DPOs, the Regulations do.
In particular, the Regulations provide that every person, institution or public body that processes or controls personal data must designate a DPO where (Section 47(2) of the Regulations):
- the activities of the person, institution, or public body consist of processing operations which by virtue of their nature, scope or purpose require regular and systematic monitoring of data subjects on a large scale; or
- the core activities of the person, institution, or public body consist of processing of special personal data in accordance with the Act.
For the purposes of determining what constitutes 'large scale' under Section 47(2) of the Regulations the following shall be taken into consideration (Section 47(5) of the Regulations):
- the number of data subjects concerned, either as a specific number or as a proportion of the relevant population;
- the volume of data or the range of different data items being processed;
- the duration, or permanence of the data processing activity; or
- the geographical extent of the processing activity.
Further to the above, the responsibilities of a DPO are (Section 47(3) of the Regulations):
- to conduct regular assessments and audits to ensure compliance with the Act;
- to serve as the point of contact between the person, institution or public body, and the PDPO;
- to maintain records of all data processing activities conducted by the person, institution, or public body;
- to respond to data subjects and to inform them about how their personal data is being used and what measures the person, institution or public body, has put in place to protect the data; and
- to ensure that data subjects' requests to see copies of their personal data or to have their personal data erased are fulfilled or responded to, as necessary.
Please note that every data collector, data processor, and data controller is required to file an application to register with the PDPO which must include, among other things, the details of the DPO (Section 16(2) of the Regulations).
The Registration Guide further specifies that the application for registration should state whether the DPO has other duties in the institution, identifying such a person by title or position (e.g. 'finance officer', 'secretary', 'senior executive officer', 'director', or 'manager'), or whether the DPO role is provided as an outsourced service.
In addition, when notifying a personal data breach pursuant to Section 23(1) of the Act, the notification must include, among other things, the name and contact details of the DPO or other point of contact.
Under Section 23 of the Act, it is mandatory to notify NITA-U of any unauthorised access or acquisition of data, in addition to the remedial action taken. However, it is left to the discretion of NITA-U to determine whether the data subject should be notified of the breach.
Overall, the Act places a strong emphasis on data security and maintenance of a robust security system with continuous updates to address new risks and deficiencies.
As a general rule, the Act does not set a duration for the retention of data. However, it stipulates that personal data should not be retained for a period longer than is necessary to achieve the purpose for collection or processing of the data, unless (Section 18 of the Act):
- the retention of data is required or authorised by law (e.g. the Anti Money Laundering Act, 2013 sets ten years as the duration for retention of records);
- the retention is necessary for a lawful purpose related to the function or activity for which the data is collected or processed;
- the retention is required by a contract between parties; or
- the data subject consents to the retention of the data.
In addition, the retention of data for national security purposes, judicial or legal proceedings, and historical, statistical, or research purposes is permissible and the general rule on data retention is not applicable.
Furthermore, where data is used to make a decision about a data subject, it must be retained for a period prescribed by law. Where no such period is required or prescribed by law, the data is retained for a period necessary to afford the data subject an opportunity to request access to the data.
There is also a strong emphasis on the destruction of data in a manner that guarantees that it cannot be reconstructed in an intelligible form.
According to Section 8 of the Act and Section 11 of the Regulations, every data collector, data processor, and data controller is mandated to establish a system to ascertain the age of persons whose personal data is to be collected, processed, or stored and where such data relates to children, the manner of obtaining consent of a parent or legal guardian.
The collecting or processing of data relating to children is to be carried out with the prior consent of the parent or guardian or any other person having authority to make decisions on behalf of the child.
The Act expressly bars the collection of special personal data, a category of data that has over time been used to profile individuals and to target political advertising. In Uganda, information collected by the Uganda Bureau of Statistics is exempted from this provision.
In the following exceptional circumstances, the collection and processing of special personal data is permitted (Section 9(3) of the Act):
- the collection or processing of the data is in the exercise or performance of a right or an obligation conferred or imposed by law on an employer;
- the information is given freely and with the consent of the data subject; or
- the collection or processing of the information is for the purposes of the legitimate activities of a body or association which:
  - is established for non-profit purposes;
  - exists for political, philosophical, religious, or trade union purposes; and
  - relates to individuals who are members of the body or association or have regular contact with it in connection with its purposes, and does not involve disclosure of the personal data to a third party without the consent of the data subject.
Pursuant to the above, operations of data analytics companies might be constrained in Uganda unless they operate within the parameters for exemption set by the Act.
Data processors and controllers are required to enter into contractual agreements setting out their responsibilities and liabilities, in order to establish and maintain the confidentiality and security measures necessary to protect the integrity of the personal data.
8. Data Subject Rights
Data subject rights are set out through Sections 24 to 28 of the Act. These rights are:
- the right to access personal information;
- the right to know the purpose for which the information is collected;
- the right to prevent processing of personal data;
- the right to prevent processing of personal data for direct marketing purposes; and
- the right not to be subjected to a decision affecting the data subject which is solely based on processing by automatic means.
The data subject has the right to know the purpose for which the information is collected. A data collector, data processor, or data controller who collects or processes personal data without the prior consent of the data subject contravenes Section 7 of the Act and is liable on conviction to a fine not exceeding three currency points for each day the contravention continues.
The data subject has a right to access their personal information from the data controller, subject to providing proof of identity. This includes asking the data controller to confirm whether it holds personal data about the data subject and requesting a description of that personal data. If the information also relates to another individual, that individual's consent must be sought, or a court order obtained, where it is not reasonable in the circumstances to comply with the request without the other individual's consent. In weighing reasonableness, the data controller must consider, among other factors, any duty of confidentiality owed to the other individual and the steps the data controller has taken to seek that individual's consent.
The Act also provides for the rectification, erasure, blocking, and destruction of personal data; for instance, where a data subject complains to NITA-U that their personal data is inaccurate, NITA-U may order the controller to rectify, update, block, erase, or destroy the data. With this comes the obligation to inform third parties to whom the data has previously been disclosed of the rectification, blocking, updating, or destruction.
See section on the right to rectification above.
Data subjects also have the right to prevent the processing of personal data, exercised by written notice to the data controller or data processor, in particular where the processing is likely to cause unwarranted substantial damage or distress to the data subject. The controller has 14 days from receipt of such a notice to inform the data subject in writing that it has complied, that it intends to comply, or of the reasons for non-compliance.
Section 26 of the Act provides the right to prevent processing of personal data for direct marketing.
A data subject may also notify a data controller in writing requiring them to ensure that any decision taken by or on behalf of the data controller which significantly affects the data subject is not based solely on the processing by automatic means of personal data in respect of that data subject. Response to this must be within 21 days of receipt and must indicate the steps taken to comply.
The Act creates a number of offences which are aimed at ensuring compliance. Such offences include (Part VIII of the Act):
- unlawfully obtaining or disclosing personal data;
- unlawful destruction, deletion, concealment, or alteration of personal data; and
- sale of personal data.
The penalties for these offences include imprisonment for a term not exceeding ten years (extending to a corporation's officers where the offence is committed by a corporation), a fine of UGX 4.9 million (approx. €1,245), or, where the offence is committed by a corporation, a fine of 2% of the corporation's gross income.