Mr Baker Birikujja, the manager of compliance and investigations at the Personal Data Protection Office.


What are companies doing with your data? 

What you need to know:

Whenever you surf the web, you unknowingly contribute to the vast pool of information that feeds the digital realm. To delve deep into the labyrinth of data safety, Prosper Magazine’s Deogratius Wamala engages in an insightful conversation with Mr Baker Birikujja, the manager of compliance and investigations at the Personal Data Protection Office on the safety of your data. 

What does the law say about data security?
According to the law, anyone collecting personal data, or any controller or processor, must ensure its security and protect individuals’ privacy.
The law mandates that they put safeguards in place, and one of them is a policy that instructs those in charge of it on how to manage and secure it. The law also mandates that they conduct an assessment to determine the security risks associated with its scale.

However, the law further mandates that they not only put these measures in place, but also regularly test them to see if they are still necessary. 

Additionally, the law mandates that they notify the Personal Data Protection Office (PDPO) of any breaches for guidance.
The Act, which was passed in 2019, sets benchmarks for international standards on data protection, so the law is comprehensively written with no gaps. The nation’s law heavily incorporated and reflected the global standards for data protection. 

Aspects of the African Union, the European Union’s general data protection regulation, and the Malabo Convention on cyber security and data protection all contain these principles. 
The East African Community also has some components that draft cyber law frameworks. Areas that needed clarification were further provided for in the regulations of 2021.

Under what circumstances can someone take your data?
These are the very specific legal bases that were laid out in the law for the collection and use of personal data. They give the data controller, processor, or other person involved the opportunity to express consent. 
The law states that remaining silent or doing nothing does not constitute consent, and the court acknowledged this in a ruling issued at the end of June 2023. However, there are some exceptions, such as government organisations.

For instance, the National Identification Regulatory Authority (NIRA) does not need your permission to issue an identity card because the law requires them to do so.
Then there are contractual requirements, like when you apply for a loan and the bank needs to confirm your security and gather data from your guarantors.

This is governed by a loan processing agreement because if you do not sign it, they cannot collect the information.

How safe is personal and company data?
Data collection is done at various stages by people and businesses, so we cannot scale it up to the national level.
People roll out products, and people have visitor’s books that collect so much information; therefore, if you do not know the extent and scale of the data that you collect, then protecting it will be a challenge for companies. 

But as regulators, the challenge is that a number of companies do not have a bird’s eye view of the information they collect.
To address that, we mandate that these businesses and people register with the PDPO, which entails that they disclose the security measures that prompt them to consider how they protect data. 

Because they are unaware of the scope of the data they have, those who have not registered face many difficulties.
Then, it is necessary to train the humans involved in data management so that they can protect the information gathered and disclose it to a select group of people, such as the receptionists who record who you are going to see and why, as well as your National Identification card.
Although we at the office hold regular training sessions to improve data security, data collection companies still play the major role.

Are you giving consent when you enter a place and must register your information?
Although the exact answer varies depending on who is collecting the data, the law explicitly states that consent should not be coerced. It should be freely given. 

You have the option to withhold your consent if they fail to provide a good reason for collecting it. 
For your consent to be legally binding, they must also provide you with information about why they are collecting the information, who they intend to share it with, and how they plan to keep it secure. You can say “no” if that does not persuade you.

How dangerous can it be when someone takes another person’s data?
There are risks associated with it, such as mismanagement, where someone might take the registry book and the numbers and information for their own use before starting to bombard you with messages advertising a product that you are not even aware of from people you do not know.
They might even sell it to scammers who use it to track down your registration information and begin attempting to defraud you while posing a threat to your personal privacy.

What is the impact of artificial intelligence on data protection and privacy?
Take, for example, sharing personal information with these systems: someone with a medical condition seeks specific responses from an artificial intelligence chatbot by feeding it the conditions they might be experiencing.
Medical-related information is personal data, and the law considers it special personal data because it is sensitive. Therefore, there is a chance that when you share that much specific information, it might be shared with someone else who might ask a similar question.

Additionally, these systems occasionally display people’s names. As a result, there is a chance that information could be shared with someone else without your consent if you were to provide not only the medications but also your name.
The other is that these systems have occasionally created false information even when that information is not shared, which could ruin your reputation.

What is the state of compliance since the enactment of the law?
The regulations were published in 2021, the same year PDPO was established to improve the regulations, after the law was passed in 2019.
Depending on their level of compliance, individuals may collect and use personal data in a number of legal contexts.

But the first one is registration, which has so far attracted 2,257 data controllers, collectors, and processors from numerous data collectors throughout the entire nation even though it necessitates registration for everyone in the private and public sectors. 

There are many more people who are not registered, but we urge the public to check if they are registered before gathering their information, whether it is through a downloaded app, a visit to a hospital or school when they are accepting applications, or any other method.

How many companies have you found culpable for non-compliance and what is the repercussion?
The number of complaints has been steadily rising, especially among online money lenders. Since these loans are simple to obtain, these lenders find people who download their applications.
So, when you default, they contact almost all your phone contacts. It is at this point that people learn about these businesses accessing their entire phonebook, a significant security risk.

Then there are sports betting companies that market to individuals who have never registered for their services. To determine how they obtain this information, however, we are still conducting investigations.

What is the response from the public about data protection and privacy? How much do they know about it?
Only 13.6 percent of people in Uganda were aware of any laws or regulations governing the protection of their personal data, according to a 2022 national IT survey carried out by NITA.