Transacting online for work, school, banking, or pleasure, and therefore exchanging personal information, has never been more pronounced than today. Social distancing brought about by the COVID-19 pandemic has exacerbated reliance on the internet. As a result, cybercrime is a great threat and encroachment on the right to privacy of information is heightened each day.
In Europe, the European Commission, mindful of the digital age, commenced its data protection reform way back in 2012, resulting in Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data. This is a common trend elsewhere, including the USA.
Uganda, on the other hand, has the right to privacy enshrined in its 1995 Constitution, but enforcement of this right was hardly extended to the collection and processing of personal data. This notwithstanding, it has since 2019 moved to ensure that the privacy of individuals and their personal data is protected.
The Data Protection and Privacy Act, 2019 (Act) provides for the protection of the privacy of individuals and of personal data and was enacted on 3rd May 2019. This was followed by the Data Protection and Privacy Regulations, 2021.
To buttress the importance attached to the privacy of individuals and their personal data, the Act established a Personal Data Protection Office (Office), an independent body within the National Information Authority Uganda (NITA-U), to, among other things, oversee the implementation and enforcement of the Act and maintain a data protection and privacy register. This Office was operationalized in August 2021.
Persons, institutions, and public bodies within Uganda that collect, process, hold or use personal data as well as persons, institutions or public bodies outside Uganda that collect personal data relating to Ugandan citizens, are all required to register with the Office.
Examples of these entities include financial institutions, insurance companies, real estate companies, telecom companies, hospitals, schools, among others.
The above entities are targeted because of the nature of the data they primarily deal with, that is, personal data and special personal data, which is the focus of data protected under the Act.
Personal data as defined under the Act is any information from which a person can be identified, for example information relating to a person’s nationality, age, marital status, educational level, occupation, or identification number.
Special personal data on the other hand is information relating to the religious or philosophical beliefs, political opinion, sexual life, financial information, health status or medical records of an individual.
The Office is expected at a later stage, by notice in the gazette, to indicate which persons are exempt from the registration requirement but in the meantime, all entities that collect, process, or control the usage of personal data are required to register with the Office.
The data protection and privacy register went live in the Office’s first one hundred days since becoming operational in August 2021. At the end of November 2021, the Office had registered a handful of data collectors, data processors and data controllers comprising mostly financial institutions and the National Social Security Fund.
The Office has given a grace period of up to 31st December 2021 to those organizations that are required but have not yet registered, to do so. Effective 1st January 2022, enforcement measures against organizations or persons who have not registered will be commenced.
The enforcement measures will include being fined an amount not exceeding UGX 120,000/=, approximately USD 34, or imprisonment not exceeding three months, or both, for non-registration with the Office.
In addition, where the offence of non-registration is committed by a corporation, both the corporation and its directors will be liable to the penalty and fine stated above if they are found to have knowingly and wilfully authorized the non-registration.
As a data collector, data processor and data controller, you should visit NITA-U’s website and fill in an Application for Registration form, which states, among other things, the applicant’s name, nature, and category of personal data being processed or to be processed, and the purpose for collecting or processing the personal data.
The Application for Registration form is accompanied by a written undertaking by the applicant not to process or store personal data in another country unless that country has adequate measures which are at least equivalent to the protection provided for by the Act.
As an applicant, you will also be required to pay an application for registration fee of UGX 100,000/=, approximately USD 28, and attach proof of payment at the point of submitting the Application for Registration form on NITA-U’s website.
If satisfied with your application, the Office will issue a Certificate of Registration valid for 12 months from the date of registration. The Certificate may be renewed upon application, at least three months before the expiry of the current registration, by filing a Renewal of Registration form.
While the feedback received so far from entities that have registered with the Office is that the process is seamless and the officials within the Office are very responsive, renewal of the registration process on an annual basis is likely to be administratively cumbersome, especially for entities that collect personal data as a one-off.
The Office on the other hand is likely to experience difficulties in enforcing the Act against offshore entities based in countries whose data protection laws are more advanced than Uganda’s.
If you collect, process, hold or use personal data and have not yet registered, 31st December 2021 will be the final call. Contact us if you should need any help.