Companies collecting personal data must prove ability to protect it - govt

Some companies have been accused of abusing personal data while others have shared it with third parties for commercial gain. photo | File 

What you need to know:

  • According to the Mr Chris Lukolyo, the UN Capital Development Fund digital country lead, digitizing is not an end in itself, it can only be complete if there is efficiency, traceability and accountability.

By the close of December, which is barely a month away, all persons, companies and public entities  that collect and process personal data, must prove their ability to safeguard such information.
According to the Personal Data Protection Office, whose mandate is to regulate collection and processing of personal data in Uganda, anyone or company that doesn’t prove its capability to secure personal data will not be registered. 

Speaking during an event to commemorate 100-Days of Data Protection in Kampala yesterday, Ms Stella Alibateesa, the National Data Protection Director, said so far they had issued 18 certificates out of the 80 institutions that have applied.
“We expect to have registered over 1,000 [persons, institutions and government bodies] at the close of the year. Starting January 2022, we shall start enforcement measures against organizations or persons who have not registered,” she said, noting that the registration will enable organizations to understand the importance of personal data and how it can be protected. 

Personal data has become an important business aspect with a number of companies using such data to make business decisions. 
Some companies have been accused of abusing personal data while others have shared it with third party users without consent. 
A February report by National Information Technology Authority - Uganda (NITA-U) found that SafeBoda, a ride hailing application, had unlawfully shared clients’ data with a US company. 
The report had come after investigations that had sought to ascertain claims that SafeBoda had failed to disclose third party recipients of customer information.
“The SafeBoda privacy policy and data protection policy versions of 2017 and 2019 respectively did not provide information on recipients with whom its users’ personal data will be shared,” the report found. 

Ms Alibateesa also noted that the registration would help government to ascertain how companies, individuals and government agencies collect data why they collect it, how they use it and who they share it with. 
The registration, she said, would also seek to measure the capacity of companies and individual to secure collected data from third party breaches, noting that because Uganda has a number of organisations that have offices in countries with mature data protection and privacy laws, it was urgent that the country matches up with its peers. 

A number of countries have enacted stringent data protection laws as claims of abuse continue to be documented across the globe. 
Global companies such as Facebook, among others, have been accused of sharing personal data with third party companies, some of which have used such data for commercial purposes. 
Mr Chris Lukolyo, the UN Capital Development Fund digital country lead, said it was difficult to build an inclusive digital economy that people do not trust.