Money lending apps asking for too much data, govt says 

The Personal Data Protection Office, a unit under the National Information Technology Authority, will commence investigations into digital money lenders’ operations over public complaints of abuse of data they acquire from borrowers. 

Ms Stella Alibateese, the Personal Data Protection Office, said they are scrutising several complaints regarding money lending applications. 

“The people who obtain loans from these digital money lenders are people who are not yet aware of their rights, and who lack knowledge that when they consent to certain actions; what the repercussions are in terms of their privacy,” she said.  

At the weekend, Ms Grace Kenganzi, the Personal Data Protection Office public relations officer, indicated there were increasing incidences of digital money lenders harassing and blackmailing third party contacts known to borrowers as a way of forcing payment of borrowed money in case of default.  

Money lending applications, she said, request for a lot of information from borrowers’ phones such as access to gallery, phone contacts and other financial details, which is a breach since the law only grants access to adequate and relevant data and must only be used for purposes it is collected for. 

“Our mandate is to investigate complaints and guide the data processor, who in this case are digital money lenders, to restore the rights of the data subjects,” Ms Kenganzi said, noting they will share findings for people affected in case they need to take legal action when a breach is confirmed. 

Some apps go as far as seeking permission to record calls, access phone contacts, monitor SMS data related to financial transactions, device name, model, user habits and location.

In a July 15 social media confession, Ms Evelyn Tashobya, said she has borrowed money from a certain app, whose managers had, on maturity of the loan, called her doctor friend. 

“I saw his call at midnight and I wondered what could have happened. He told me that I borrowed money and told the lender that he has to pay. I didn’t sleep the whole night,” she said, demonstrating the extent of abuse to both borrowers and third parties. 

Ms Alibateese was speaking on the sidelines of the release of a data protection survey on data protection compliance by Ernst & Young. 

Some of the emerging issues in the report indicated that most organisations were not reporting data privacy breaches and raising awareness was suggested, which is a key requirement under the law.  

The report highlights major risks in organisations around poor management of customer documents, limited consent rights and information confidentiality breaches. 

Mr Herculs Bizure, the Ernst & Young consulting leader, while quoting the report findings, noted that there is an emerging conversation on consent management. 

“We are being asked a lot of data as citizens, [which means] consent management will be the gold standard where I accept, and also be able to follow up and confirm the data for the purposes which you collected,” he said. 

Processing financial data 

The report shows that organisations with beyond 500 staff had larger amounts of data processed both internally and from clients, which Mr Alfred Mugume, Ernst & Young manager cybersecurity, data privacy and trusted technology, says creates an increase in  processed data. 

Majority of organisations, the report shows, process financial data, especially for people’s transactions with biometric and national identification data being the most accessed especially during know your customer  activities.

[email protected]