Uganda’s Data Protection and Privacy Act 2019
Uganda’s Data Protection and Privacy Act 2019 is a comprehensive data privacy law that was recently passed in 2019. In contrast to other international privacy laws that have been passed in recent years with the goal of guaranteeing the data privacy rights for data subjects, the Data Protection and Privacy Act 2019 was passed to reinforce and support the privacy protections that are already guaranteed to Ugandan citizens under the Constitution of the Republic of Uganda, 1995. To this end, the Data Protection and Privacy Act 2019 outlines the principles and obligations that data controllers in Uganda must follow when processing the personal data of Ugandan citizens.
What is the scope and application of the Data Protection and Privacy Act 2019?
Under the Data Protection and Privacy Act 2019, “any person, institution or public body which collects, processes, stores, uses or discloses personal data within Uganda or outside Uganda” must maintain compliance with the law at all times. The Data Protection and Privacy Act 2019 also defines the act of data processing to mean “any operation performed by automated means upon collected data, including”:
- The organization, adaptation, or alteration of personal data.
- The retrieval, consultation, or use of personal data.
- The disclosure of personal data by the means of transmission, dissemination, and otherwise making personal data available.
- The alignment, combination, blocking, erasure, and destruction of personal data.
Moreover, the Data Protection and Privacy Act 2019 defines personal data to mean “Information about a person from which the person can be identified, that is recorded in any form and includes data that relates to”:
- The age, marital status, or nationality of an individual.
- The educational level or occupation of an individual.
- An identification number, symbol, or other particulars that are assigned to an individual.
- Identity data.
- Other personal information which is in the possession of, or is likely to come into the possession of the data controller and includes an expression of opinion concerning a particular individual.
What are the obligations of data controllers under the Data Protection and Privacy Act 2019?
Under the Data Protection and Privacy Act 2019, data controllers are responsible for adhering to various principles relating to data privacy and protection. These data protection principles include:
- Holding and processing personal data in a manner that does not infringe on the privacy of data subjects.
- Ensuring that personal data is complete, accurate and up to date at all times.
- Ensuring that only relevant personal data is processed.
- Maintaining security measures for protecting personal data.
In addition to these data protection principles, the Data Protection and Privacy Act 2019 also mandates that data controllers fulfill a multitude of duties and obligations relating to safeguarding the personal data of data subjects. These obligations include common aspects of many privacy policies, including providing affected parties with data breach notifications in the event that a data controller experiences such an incident, ensuring that data controllers do not retain personal data for any period longer than what is necessary to achieve the purpose for which said data was collected, and obtaining consent from parents prior to collecting personal data from minors.
Additionally, the Data Protection and Privacy Act 2019 mandates that “Every person, institution or public body collecting or processing personal data is mandated to register with NITA-U for inclusion on the Register”, for the purposes of providing data subjects with data processing notifications. This is in contrast to many other international privacy laws that have recently been passed that simply mandate that data controllers must register with a governing body, or contain no such stipulation at all. What’s more, the Data Protection and Privacy Act 2019 does not require data controllers to maintain data processing records, while such obligations are commonplace for many comprehensive data privacy laws.
What are the rights of data subjects under the Data Protection and Privacy Act 2019?
The data protection rights that are afforded to Ugandan citizens under the Data Protection and Privacy Act 2019 are as follows:
- The right to access personal data.
- The right to know the specific purpose for which personal data is being collected.
- The right to prevent the processing of personal data.
- The right to prevent the processing of personal data for direct marketing purposes.
- The right not to be subject to a decision affecting a data subject made solely on the grounds of data processing by automatic means.
- The right to rectification.
- The right to object or opt out.
Data controllers who are found to be in non-compliance with the law are subject to a variety of punishments. Such punishments include monetary fines ranging from ($1,362) to 2% of a corporation’s gross income for a given fiscal year, in instances where corporations are found to be in violation of the law. Furthermore, data controllers who violate the law are also subject to a prison term of up to ten years.
With the passing of the Data Protection and Privacy Act 2019, Uganda has become the latest of many African countries to provide citizens with enhanced data privacy rights in the midst of our digital age. With the passing of landmark legislation such as the EU’s General Data Protection Regulation or GDPR and the California Privacy Right Act or CCPA, many countries around the world have since followed suit in passing privacy laws that are similar in nature and scope. To this end, Ugandan citizens enjoy a greater level of privacy protection than many other citizens around the world, as their privacy is protected not only by the Constitution of the Republic of Uganda, 1995 but by the Data Protection and Privacy Act 2019 as well.