Currently, there is no specific legislation in Uganda dealing primarily with cybersecurity. However, there is a patchwork of laws that cover cybersecurity and the safety of information and data:
- The Computer Misuse Act, 2011 ('the Computer Misuse Act') is a general piece of legislation that establishes provisions for the safety and security of electronic transactions and information systems. It criminalises the unlawful access, abuse, or misuse of computers and information systems by unauthorised persons.
- The Data Protection and Privacy Act, 2019 ('DPPA') is omnibus legislation that regulates data collectors, data processors, and data controllers in the collection, processing, holding or using of personal data within Uganda. The scope of the DPPA also extends outside of Uganda when the collection, processing, and controlling of personal data relates to Ugandan citizens. The DPPA also provides for measures to be taken to ensure the security of data by data collectors, processors, and controllers in respect of the data in their possession or control and the measures to be taken in the event of breaches of personal data. The DPPA further establishes provisions on the obligations of data collectors, controllers, and processors and the rights of data subjects.
- The Data Protection and Privacy Regulations, 2021 ('the Regulations').
- The Uganda Communications (Computer Emergency Response Team) Regulations, 2019 is a piece of legislation that establishes the Computer Emergency Response Team ('CERT'). The CERT is a unit within the Uganda Communications Commission ('UCC') which is mandated with protecting critical communications infrastructure. Its primary role is to manage and implement a critical infrastructure protection program to protect Uganda's critical communication assets in the event of an interference, compromise, incapacitation or integrity problem, including acts of cyberwar, espionage, or cyber terrorism.
- Sections 11 and 13 of the Electronic Signatures Act, 2011 ('the Electronic Signatures Act') provide for security requirements for electronic signatures.
Please note that this guidance note mainly considers the impact of the DPPA.
1.2. Regulatory authority
The DPPA establishes the National Information Technology Authority - Uganda ('NITA-U') as the regulatory body (Section 2 of the DPPA) and establishes a Personal Data Protection Office that is independent (and not under the direction or control of any person or authority) and is responsible for personal data protection as follows (Section 5 of the DPPA):
- to oversee the implementation of, and be responsible for the enforcement of, the DPPA;
- to formulate, implement, and oversee programs intended to raise public awareness about the DPPA;
- to receive and investigate complaints relating to infringement of the rights of the data subject under the DPPA;
- to establish and maintain a data protection and privacy register;
- to perform any other function as may be described by the DPPA and any other law, or as the NITA-U considers necessary for the promotion, implementation, and enforcement of the DPPA; and
- to notify data subjects in case of unauthorised access of personal data.
In addition, the Uganda National Computer Emergency Response Team ('CERT-UG') is responsible for ensuring the protection of critical information infrastructures and is led by, and forms part of, the UCC. CERT-UG provides, among other things, security tips and advisory reports on product vulnerabilities. Cybersecurity incidents can also be reported to CERT-UG.
The Ministry of ICT is responsible for providing guides on policy and advocacy related to the ICT legal and regulatory environment in Uganda. However, the Ministry of ICT is not responsible for the implementation of the laws relating to ICT.
1.3. Regulatory authority guidance
NITA-U has provided the following guidance:
- the National Information Security Policy, which outlines the mandatory minimum security controls that all public and private sector organisations that use, own and/or operate protected computers, or that handle official communications and personal data, must apply to reduce their vulnerability to cyber threats.
2. SCOPE OF APPLICATION
The laws apply to all persons, institutions, or public bodies which collect, process, or store data within or outside Uganda.
The territorial and extraterritorial scope
The applicability of the laws to persons or entities outside of Uganda is restricted to personal data relating to Ugandans.
The material scope
The laws restrict the definition of processing to any operation performed by automated means, i.e. organisation or alteration of data, retrieval or consultation of data, and alignment, destruction or erasure of data.
Personal data and special categories of data are covered by the law provided there is consent.
Cybersecurity incident: any real or suspected adverse event relating to the safety of computer systems or computer networks.
4. IMPLEMENTATION OF AN INFORMATION MANAGEMENT SYSTEM/FRAMEWORK
The NITA-U encourages all IT providers to engage in continuous training on cybersecurity issues and requires companies seeking IT certifications to show proof that their employees undergo training, though that training is not necessarily limited to cybersecurity. There is, however, no explicit law on cybersecurity training.
The DPPA and the Regulations thereto provide for a data protection impact assessment to be carried out where the processing or collection of data poses a high risk to the freedoms and rights of natural persons. The NITA-U is yet to publish a list of those activities which require a data protection impact assessment to be carried out in compliance with the law.
The DPPA and the Regulations thereto provide that the data collectors and processors shall not retain the personal data for a period longer than necessary to achieve the purpose for which the data was collected.
Further, the Personal Data Protection Office shall publish in the Gazette the generally accepted information security practices and procedures applicable to the security of personal data.
The DPPA and the Regulations thereto require the data protection officer of an organisation to submit to the national Personal Data Protection Office, at the end of every 90 days and after a financial year, a summary of data breaches, complaints, action taken and the status of any such breaches, complaints or actions.
Generally, under the DPPA, a data controller, data collector, or data processor must secure the integrity of personal data in their possession or control by adopting appropriate, reasonable, technical, and organisational measures to prevent loss, damage, unauthorised destruction, and unlawful access to, or unauthorised processing of, data. A data controller is required to take the following security measures:
- identify reasonably foreseeable internal and external risks to prevent loss, damage, or unauthorised destruction and unlawful access to or unauthorised processing of the personal data;
- establish and maintain appropriate safeguards against the identified risks;
- regularly verify that the safeguards are effectively implemented;
- ensure that the safeguards are continually updated in response to new deficiencies; and
- observe the generally accepted information security practices and procedures and specific industry or professional rules and regulations.
A data processor is required to comply with the data security measures in place. It is also a statutory requirement that a contract between a data controller and a data processor relating to the processing of personal data be in place, establishing and maintaining the confidentiality and security measures necessary to protect the integrity of the personal data.
The DPPA Regulations provide for a data protection impact assessment where the collection or processing of personal data poses a high risk to the rights and freedoms of natural persons. Every data impact assessment shall include a systematic description of the envisaged processing and the purposes of the processing and an assessment of the risks to personal data and the measures to address the risks.
Under the DPPA, in the event that the personal data of a data subject has been accessed or acquired by an unauthorised person, the data collector, data processor, or data controller must immediately notify NITA-U of the unauthorised access or acquisition in a prescribed manner, including an indication of the remedial action taken. It is up to NITA-U to determine whether the data collector, data controller, or data processor should notify the data subject.
Where the data subject is to be notified, the notification must be made by registered mail to the data subject's last known residential or postal address, by electronic mail to the data subject's last known electronic mail address, by placement in a prominent position on the website of the responsible party, or by publication in the mass media. The notification must provide sufficient information about the breach to allow the data subject to take protective measures against the consequences of the unauthorised access or acquisition of the data.
NITA-U has not issued specific guidance on cybersecurity within the educational sector. However, the Child Online Protection Safety Handbook ('the Child Handbook') may be relevant, as it provides basic steps for handling online sexual offences against children. More specifically, the Child Handbook provides for, among other things:
- the need to establish that the victim concerned is a child and, once identified, the child should be rescued;
- the need to prove the act of pornography by exhibiting still pictures or video recordings that were exchanged on the internet;
- the need to establish that there was transmission or possession of such images or pictures depicting child sexual abuse through a technological process; and
- the need to carefully store any exhibits related to such crimes.
The DPPA provides for offences that could either lead to a criminal conviction or result in a monetary fine of up to 240 currency points which is equal to approximately UGX 4,800,000 (approx. €1,220). The following are considered offences:
- any person who unlawfully obtains, discloses, or procures the disclosure to another person of personal data held or processed by a data collector, data controller, and data processor; and
- any person who unlawfully destroys, deletes, misleads, conceals, or alters personal data.
The Computer Misuse Act establishes a regime of sanctions that could lead to either a reprimand or monetary fines of up to 360 currency points (approx. €1,830). These sanctions are criminal in nature. Cybercrime offences include:
- unauthorised access: it is an offence for any person to intentionally access or intercept any program or data without authority or permission;
- unauthorised modification of computer material: it is an offence to commit any act which causes an unauthorised modification of the content of any computer with requisite intent or knowledge;
- unauthorised use or interception of computer services: it is an offence to knowingly, and without authority or lawful excuse, interfere with, interrupt, or obstruct the lawful use of a computer, or to impede, prevent access to, or impair the usefulness or effectiveness of any program or data stored in a computer (monetary fine not exceeding 360 currency points and imprisonment not exceeding 15 years); and
- unauthorised disclosure of access codes: it is an offence to knowingly and without authority disclose any password, access code, or any other means of gaining access to any program or data held in any computer, knowing or having reason to believe that it is likely to cause loss, damage or injury to any person or property (monetary fine not exceeding 360 currency points and imprisonment not exceeding 15 years).
11. OTHER AREAS OF INTEREST
A major issue has been identified in respect of mobile banking fraud and mobile money fraud. Since these services are largely secured by a one-time password ('OTP') known only to the account holder, there have been several incidents of phone theft and hacking, which in turn have resulted in access to the OTP and subsequent unlawful access to money.
There have been no general safety measures or guidance issued by the authorities. Each involved bank or telecommunication company handles the issue as it deems fit. In other cases, criminal charges have been preferred under existing laws.
The Ministry of ICT and Guidance has also issued a National Broadband Policy which notes that a key objective is to improve the information security system to be secure, reliable and resilient, and capable of responding to cybersecurity threats.
In addition, Section 11 of the Electronic Signatures Act provides that an electronic signature executed in a trustworthy manner, through a prescribed security procedure or a commercially reasonable security procedure agreed to by the parties involved, and relied upon in good faith by a party, shall be treated as a secure electronic signature at the time of verification, provided that the electronic signature satisfied the following criteria at the time it was made (Section 11(a)-(e) of the Electronic Signatures Act):
- the signature creation data used for signature creation is unique and its secrecy is reasonably assured;
- it was capable of being used to objectively identify that person;
- it was created in a manner or using a means under the sole control of the person using it, that cannot be readily duplicated or compromised;
- it is linked to the electronic record to which it relates in such a manner that, if the record were changed, the electronic signature would be invalidated; and
- the signatory can reliably protect his or her signature creation data from unauthorised access.
Lastly, Section 13 of the Electronic Signatures Act notes that a digital signature should be treated as a secure electronic signature if:
- the digital signature was created during the operational period of a valid certificate and is verified by reference to a public key listed in the certificate; and
- the certificate is deemed trustworthy, in that it is an accurate binding of a public key to a person's identity.
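The Section 11(d) and Section 13 conditions above map directly onto checks a relying party performs when verifying a digital signature. The following Go program is an added illustration, not part of this guidance note and not statutory text: it issues a constructed certificate with an operational period, signs a constructed record, and then verifies that (i) the certificate is trusted and was within its operational period at the asserted signing time, and (ii) the signature verifies against the public key listed in the certificate, so that any change to the record invalidates it. The subject name, dates, record contents and trust anchor are all assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// SignedRecord bundles an electronic record, the signature over it, the signer's
// certificate and the time the signature is asserted to have been created.
// Every value built in this file is constructed for illustration only.
type SignedRecord struct {
	Record   []byte
	Sig      []byte
	Cert     *x509.Certificate
	SignedAt time.Time
}

// issueSelfSignedCert binds key's public half to a name, valid only between
// notBefore and notAfter (the certificate's "operational period").
func issueSelfSignedCert(key *ecdsa.PrivateKey, notBefore, notAfter time.Time) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), // constructed serial number
		Subject:      pkix.Name{CommonName: "example signatory (constructed)"},
		NotBefore:    notBefore,
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// signRecord hashes the record and signs the digest with the private key.
func signRecord(key *ecdsa.PrivateKey, record []byte) ([]byte, error) {
	digest := sha256.Sum256(record)
	return ecdsa.SignASN1(rand.Reader, key, digest[:])
}

// VerifySecure applies the Section 13 conditions as a relying party would:
// the certificate must chain to a trust anchor and be inside its operational
// period at the signing time, and the signature must verify against the public
// key listed in that certificate (so an altered record fails).
func VerifySecure(r SignedRecord, trusted *x509.CertPool) error {
	opts := x509.VerifyOptions{
		Roots:       trusted,
		CurrentTime: r.SignedAt, // validity is judged at signing time, not "now"
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
	}
	if _, err := r.Cert.Verify(opts); err != nil {
		return fmt.Errorf("certificate not trustworthy or outside operational period: %w", err)
	}
	pub, ok := r.Cert.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return errors.New("certificate does not carry an ECDSA public key")
	}
	digest := sha256.Sum256(r.Record)
	if !ecdsa.VerifyASN1(pub, digest[:], r.Sig) {
		return errors.New("signature does not verify: record or signature was altered")
	}
	return nil
}

// RunChecks builds three constructed cases and returns each verification result:
// a genuine signature, a record altered after signing, and a signature asserted
// to have been created after the certificate expired. setup reports key or
// certificate generation failures.
func RunChecks() (valid, tampered, outsidePeriod, setup error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, nil, err
	}
	notBefore := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC) // constructed dates
	cert, err := issueSelfSignedCert(key, notBefore, notBefore.AddDate(1, 0, 0))
	if err != nil {
		return nil, nil, nil, err
	}
	trusted := x509.NewCertPool()
	trusted.AddCert(cert) // the relying party's trust anchor (constructed)
	record := []byte("Pay UGX 100,000 to account 12345 (constructed record)")
	sig, err := signRecord(key, record)
	if err != nil {
		return nil, nil, nil, err
	}
	genuine := SignedRecord{Record: record, Sig: sig, Cert: cert, SignedAt: notBefore.AddDate(0, 6, 0)}
	altered := genuine
	altered.Record = []byte("Pay UGX 900,000 to account 12345 (constructed record)")
	late := genuine
	late.SignedAt = notBefore.AddDate(2, 0, 0) // after NotAfter
	return VerifySecure(genuine, trusted), VerifySecure(altered, trusted), VerifySecure(late, trusted), nil
}

func main() {
	valid, tampered, outside, setup := RunChecks()
	if setup != nil {
		panic(setup)
	}
	fmt.Println("genuine:", valid)
	fmt.Println("altered record:", tampered)
	fmt.Println("signed after expiry:", outside)
}
```

The design point is that the validity window is checked against the asserted signing time rather than the verifier's clock: a signature made while the certificate was operational stays verifiable after the certificate expires, while one dated outside the window is rejected even if the key material is otherwise correct. In a production deployment the signing time would come from a trusted timestamp rather than a field the signer fills in.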
Cloud Computing Services
The Cloud Computing Guidelines for Government, Ministries, Departments and Agencies ('the Cloud Computing Guidelines') provide the main principles that should govern cloud computing, including ensuring that the data of ministries, departments and agencies ('MDAs') is secure and always available, and that MDAs' information assets are adequately protected against cyber threats. In addition, the Cloud Computing Guidelines require that MDAs:
- adhere to the use of 'Cloud First' for the design of IT-enabled services;
- ensure that all information classified as 'official', 'secret', and 'top secret' is hosted in the government cloud;
- utilise the government cloud when procuring new ICT requirements;
- apply to NITA-U for cloud services exceptions; and
- migrate all existing classified IT-enabled services to the government cloud at contract expiry and/or natural ICT refresh cycles.
Please note that the above information on cloud computing requirements is only applicable for government bodies.
Section 68 of the National Payments Systems Act, 2020 requires that Electronic Money Issuers licensed under that Act shall have a primary data center in Uganda.
Brian Kalule, Partner