Companies not implementing privacy policy protection laws - report

A report by Unwanted Witness, a civil society organization that deals in defending and protecting digital and online rights and freedoms, has shown that companies in the country are not implementing data protection laws.

“The findings of the report show that the performance of the companies is below average with the best company getting 47 per cent. Many of these companies have privacy policies just to shield them from liability, but not to guard the privacy of the users. So increasingly, people think that once a company has a privacy policy it won’t misuse their information,” Mr Allan Kigozi, the head of legal at Unwanted Witness said.

He added: “We want to see that companies improve their positions in terms of promises to their customers and always use the information they are collecting for solely the purposes they are collecting it for and won't share it anywhere and we want to see that policy strong.”

The report which was released Thursday, captured findings in the four countries of Uganda, Kenya, Zimbabwe and Mauritius from 12 companies in each country.

The report however noted that personal data has become one of the most valuable assets in the world and that Uganda has taken significant steps in the realm of data privacy.
The different sectors were financial, e-commerce, e-government, financial sector, and telecom sector.

“In Uganda's evolving data privacy landscape, notable developments include the rapid digitization of transactions and telecommunication. These innovations offer substantial benefits but simultaneously raise concerns about the security and privacy of personal data. So far, the National Data Protection Office is making noticeable efforts to receive and resolve complaints as observed in the cases that have been previously raised,” the 2024 report reads in part.

Adding: “Overall considerable challenges continue to persist. Particularly, the implementation and enforcement of data protection laws are in their early stages, with concerns about the Data Protection Office's capacity and resources, low public awareness of data privacy rights and the lack of effective mechanisms for addressing breaches underscores the need for comprehensive education and awareness campaigns.”

The Data Protection and Privacy Act 2019 states that a person should not collect or process personal data without the prior consent of the data subject except where the collection is; authorized by law, for the performance of a public duty, for national security, for the prevention, detection, investigation, prosecution or punishment of an offence or breach of law, for medical purposes and for compliance with a legal obligation to which the data controller is subject.

The Act further states that offences regarding breach include; unlawful obtaining or disclosing of personal data, unlawful destruction, deletion, concealment or alteration of personal data, and sale of personal data.

Penalty for any of the above offences by an individual is conviction to a fine not exceeding two hundred and forty-five currency points (UGX 4,800,000) or imprisonment not exceeding 10 years or both.