We need awareness on data protection laws

Most people feel safe when they are within the confines of a perimeter wall and when there is someone watching over them.

Now more than ever, organisations and people are collecting your personal information. Your safety today goes beyond secure physical environments to include protection of your personal information.

Your personal information includes your address, national identification card number, location data, phone number, date of birth, biometrics, financial and employment history, religious or philosophical beliefs, genetic and health data. In the hands of the wrong person, this information can be commercialised or used to harm you.

What guarantee of protection do you have over the intermediaries to whom you inevitably give this information when you use any device such as a mobile phone or computer?

The right to privacy is guaranteed in the Constitution under Article 27. This right is informed and also emanates from the international framework, which includes in the Universal Declaration of Human Rights, to which Uganda is a signatory, under Article 12. The right is further augmented in Data Protection and Privacy Act 2019 and its Regulations.

Of specific importance is the Personal Data Protection Office (PDPO), which is the principal enforcer over privacy and data protection in Uganda.

The PDPO is headed by the National Personal Data Protection Director. The PDPO is mandated under the law to oversee the implementation of, and be responsible for, the enforcement of Uganda’s data privacy laws.

When you are aggrieved about how anyone has dealt with your personal data,  you may make a complaint to the PDPO, which is mandated to receive and investigate complaints relating to infringement of your rights as a data subject.

Accordingly, the PDPO is mandated to investigate each complaint raised and proceed to direct for remedies where the complaint in question is upheld.

The PDPO maintains a data protection register. The register must include every person, institution or public body collecting or processing data and the purpose for which the personal data is collected or processed. This register is accessible to the public. Currently,  377 organisations are registered with the PDPO.

Recently, the PDPO launched the Data Protection and Privacy Web Portal to ease reporting, processing, and resolving of data protection and privacy complaints and ease registration of data controllers, data collectors and data processors. This is critical because it helps to facilitate the monitoring of the processing of data.

In other countries, companies have been fined significant sums for breaching data protection laws. For instance, Marriott International, the hotel chain, was fined £18.4 million by the United Kingdom’s Information Commissioner’s Office (the equivalent of the PDPO), for various breaches. British Airways was fined £20 million for a data breach of its obligations under European data protection laws. 

This signals the importance of the investigatory powers of data protection authorities. However, in Uganda, before the imposition of any fines or sanctions, the alleged culprit must be prosecuted before a court of law.

It is inevitable that any person collecting or processing data, must comply with the law as stated above. Failing which, the PDPO has a mandate to investigate upon their own initiative or in response to a complaint.

The repercussions for global companies that have failed to comply have been financial in nature.  It remains to be seen whether similar sanctions may be imposed by the PDPO.  It is your responsibility to watch and report any cases where your data privacy rights have not been respected.

Advocate Joel Basoga ([email protected]) and Mr Asiimwe Davis Mugisha are contributors to the Tech Privacy Legal Blog.