A Complete Guide on Uganda’s Data Protection and Privacy Act (DPPA)

I. Introduction

Uganda’s Data Protection and Privacy Act (DPPA), enacted on 1 March 2019, stands as a cornerstone for safeguarding personal and sensitive data. It specifies the regulations all public and private entities within and outside Uganda must abide by when processing personal data and the rights individuals possess in deciding how their data is to be collected and processed.

This article delineates the key elements of the DPPA, particularly highlighting its scope of application, key defined terms, obligations of organizations, data subject rights, the role of the regulatory body, penalties for non-compliance, and best practices to ensure swift compliance.

II. Who Needs to Comply with the DPPA

A. Material Scope

The DPPA applies to the processing of data by automated or by any other means, including:

• the organization, modification, or alteration of data;
• the retrieval, consultation, or utilization of data;
• disclosure of data through transmission, dissemination, or other means; and
• alignment, integration, obstruction, deletion, or disposal of data.

B. Personal Scope

The DPPA applies to all individuals, institutions, and public entities collecting, processing, storing, and using personal data within or outside Uganda.

C. Territorial Scope

The DPPA also applies to any person, institution, or public body based outside of Uganda that collects and processes data related to Ugandan citizens.

III. Definitions of Key Terms

1. Authority

This refers to the National Information Technology Authority (NITA).

2. Personal Data

Any information that results in the identification of an individual, recorded in any form, including an individual’s nationality, age, marital status, education level, occupation, personal identification number, and any other information, including opinions about the person, that is or may come into the possession of the data controller.

3. Data Subject

An individual from whom or in respect of whom personal information has been requested, collected, collated, processed, or stored.

4. Data Controller

A person who, either independently, jointly with others, or as a part of a statutory duty decides the purposes for and the manner by which personal data is or will be processed.

5. Data Processor

A person other than an employee of the data controller who processes personal data on behalf of the data controller.

6. Consent

Any voluntary, specific, informed, and clear expression of the data subject’s desire indicated through a statement or affirmative action, by which they agree to the collection and processing of their personal data.

7. Recipient

A person who receives data while it is being processed for the data controller or the data processor such as an employee or representative. However, this does not include individuals to whom information is disclosed solely for a specific inquiry under a legal mandate.

8. Third-Party

Any person other than the data subject, data collector, data controller, data processor, or other person who possesses the authority to process data for the data controller or data processor.

IV. Obligations for Organizations Under the DPPA

A. Consent & Legal Grounds For Processing

Before collecting or processing personal data, it is mandatory to obtain consent from the data subject. However, personal data may also be collected or processed if:

• Collection or processing is authorized or required by law;
• It is necessary:
  • For the performance of a public duty by a public body;
  • For national security;
  • For the prevention, detection, prosecution, or punishment of an offence.
  • It is required for the performance of a contract to which the data subject is a party or to take steps at the request of the data subject prior to entering into a contract;
  • It is for medical purposes;
  • It is needed to ensure compliance with a legal requirement to which the data controller is subject.

The data subject possesses the right to withdraw their consent at any time and the data collection or processing must be halted instantly. However, this right does not extend to the data collected for the aforementioned purposes.

Additionally, as specified in Section 8 of the DPPA, a child’s data cannot be collected or processed without obtaining prior consent from their parent or guardian or any individual who has assumed authority over the child or where it is required to comply with a legal obligation or it is for research or statistical purposes.

B. Privacy Notice Requirements

Under the DPPA, a person collecting personal data is required to provide the data subject with the following information before commencement of collection:

1. The nature and category of data being collected;
2. The name and address of the person undertaking data collection;
3. The reason for data collection;
4. Whether the provision of the data by the data subject is discretionary or mandatory;
5. The consequences that would result if data is not provided;
6. The particular law that authorizes the collection;
7. The recipients of the data;
8. The availability of the rights to access and request rectification of the collected data;
9. The duration for which the data will be retained to fulfill the purposes of collection.

In the case where data is collected by a third party, the data subject shall be provided with the above-mentioned information before collection commences or as soon as practicable after the collection of the data.

C. Security Requirements

The data controller, data collector, or data processor must safeguard the integrity of personal data in their possession by implementing suitable, reasonable, technical, and organizational measures to prevent any loss, damage, unauthorized destruction, unlawful access, or unauthorized processing of data.

Consequently, the data controller is required to take the following measures:

1. identify potential risks, both internal and external, to personal data within that person’s possession or control;
2. implement and maintain suitable safeguards against the identified risks;
3. consistently verify that the safeguards are effectively implemented; and
4. ensure that the safeguards regularly evolve to address new risks or deficiencies.

D. Data Breach Requirements

As soon as the data controller, data collector, or data processor discovers that the data subject’s data has been accessed or attained by an unauthorized person, they must notify the Authority immediately and mention the remedial action they have taken. However, it is up to the Authority to decide whether or not the data subject will be informed of the breach.

In cases where the Authority determines the data subject must be informed, the notification should be made through:

• The last registered email address belonging to the data subject;
• A mail to the data subject’s last known residential or postal address;
• A placement in a prominent position on the responsible party’s website;
• Publication in a mass media outlet.

The aforementioned notification must provide sufficient information about the breach to ensure the data subject can take appropriate protective measures against the potential consequences of the unauthorized data breach.

In cases where the Authority has sufficient reasons to believe that publicity would protect the data subject affected by the data breach, the Authority will direct the responsible party to publicize in a specified manner along with the fact of the compromise to the integrity or confidentiality of their data.

E. Data Protection Officer Requirements

The institution must appoint a Data Protection Officer (DPO) as mandated by the Regulations. Particularly, the Regulations dictate that any individual, institution, or public entity engaged in processing or overseeing personal data must assign a DPO if:

• the activities involve regular and systematic monitoring of data subjects on a large scale due to their nature, scope, or purpose; or
• the primary activities entail processing special categories of personal data as outlined in the DPPA.

According to the Regulations, a DPO is responsible for the following:

• carry out frequent assessments and audits to verify compliance with the DPPA;
• work in close liaison with the person, institution, or public body, and the Personal Data Protection Office (PDPO) to coordinate necessary communication between them;
• keep records of all data processing activities conducted by a person, institution, or public body;
• notify data subjects about how their data is being used and the measures the person, institution, or public body has implemented to ensure adequate protection of their data;
• ensure data subjects’ requests to see copies of their personal data or have their data deleted are met and catered to.

F. Data Protection Impact Assessment

In the case where the collection or processing of personal data is likely to pose a threat to the data subject’s rights and freedoms, the data controller, data processor, or data collector must carry out an assessment of the impact of the proposed processing operations on the protection of personal data prior to the collection or processing of data.

The Data Protection Impact Assessment (DPIA) must include the following:

• a coherent description of the anticipated processing and the reasons for the processing;
• an evaluation of the risks to personal data and the actions to overcome those risks;
• any other information the PDPO may require.

G. Retention of Records of Personal Data

According to the DPPA, any person who collects personal data can only retain it up until the time that is required to fulfill the purpose for which it was collected, except when:

• The retention of the data has been authorized by law;
• The retention of the data serves a lawful purpose associated with a function or activity for which the data was collected or processed;
• A contract between the parties, subject to the contract, requires the retention of the data;
• The data subject has agreed to the retention of the data.

However, these aforementioned conditions are not applicable to data retained for:

• Prevention, detection, investigation, prosecution, or punishment for an offence;
• The national security purposes;
• The enforcement of a law that imposes a pecuniary penalty;
• The enforcement of legislation related to public revenue collection;
• The conduct of proceedings before a court or tribunal;
• Historical, statistical, or research purposes.

A person using the data subject’s personal data to make a decision about the data subject will:

• Retain the data for as long as legally necessary;
• In case of no legal retention period, retain the data for a period that allows the data subject an opportunity to request access to the data.

Once the retention period expires, the data controller must destroy or delete all records of personal data or de-identify it. The destruction or deletion of the data will be done in a manner that prevents its reconstruction in an intelligible form.

H. Cross-Border Data Transfer Requirements

If a data controller or data processor residing within Uganda wishes to process or store personal data outside of the country, the DPPA does not restrict that, but certain conditions must be fulfilled:

• The country in which the data will be stored or processed must have adequate security measures in place at least equal to the protection provided for by the DPPA;
• The data subject must have agreed to the transfer of their data.

V. Data Subject Rights

The DPPA grants the following exercisable rights to individuals relating to their personal data:

A. Right of Access

A data subject has the right to request the following information from the data controller:

• the reasons for which their personal data was collected;
• a confirmation as to whether the data controller possesses information about the data subject;
• the type of personal data the data controller has in possession;
• disclosure of the identity of a third party who has or has had access to the data.

B. Right to Rectification

The data subject has the right to request the rectification, erasure, blocking, and destruction of their personal data that is inaccurate. Once the data subject has complained to the NITA, they must ensure that the data controller takes the necessary steps immediately. Moreover, the data controller must also inform third parties who have previously been given access to the data so that they can also rectify, block, update, or destroy the data.

C. Right to Opt-Out of Processing Personal Data

The data subject has the right to opt out of the processing of their personal data, particularly if the processing of that data has the potential to cause significant harm or distress to the data subject. Additionally, the data subject can halt the processing of their personal data for direct marketing purposes. This can be achieved by sending a written notice to the data controller or data processor, to which the data controller or data processor is obligated to respond within 14 days of receipt, highlighting either their intention to comply or the reasons for non-compliance.

D. Right Not to Be Subject to Automated Decision-Making

The data subject also has the right to request that the data controller not rely entirely on automatic means of processing data for decisions that are likely to significantly impact the data subject. This can be done by sending a formal written notice to the controller, to which they are obligated to respond within 21 days of receipt, indicating the steps they have taken to comply with the request.

E. Right to Prevent Processing Of Personal Data For Direct Marketing

The term “direct marketing” includes communication by any means of any advertising or marketing material directed at an individual.

The data subject has the right to provide a written notice to the data controller requiring them to stop processing their personal data for direct marketing purposes.

Once such a request is received, the data controller must inform the data subject about whether they’ve complied with their request or if they plan to within fourteen days. In case they will not comply, they must also provide reasons for the non-compliance within the same period.

If the data controller provides reasons for non-compliance, a copy of their notice to the data subject will be forwarded to the Authority within the fourteen day period. If the Authority determines the data subject’s request to be justified, they may direct the data controller to comply with the request.

The data subject and data controller may enter into an agreement related to processing the data subject’s personal data for direct marketing purposes for pecuniary benefits.

VI. Regulatory Authority

The National Information Technology Authority - Uganda has been appointed as the data protection authority. It is responsible for maintaining the Data Protection Register (Register)and recording and listing every institution, person, or public body that collects or processes personal data.

The Personal Data Protection Office (PDPO), headed by the National Personal Data Protection Director, operates as an independent office under the NITA. It not only oversees the implementation of the DPPA but also ensures all the relevant parties abide by the rules and regulations stated within it.

The Authority, i.e., the NITA, is authorized to keep and maintain a Register comprising details of every person, institution, or public entity that is collecting or processing personal data and the reasons for which the data is collected or processed. The data controller, data processor, or data collector is required to register themselves through a formal application. Moreover, the Authority may grant the public access to the Register for inspection.

Additionally, the NITA is responsible for the following:

• ensuring every entity collecting or processing personal data complies with the rules of data protection specified in the DPPA;
• providing timely responses to data breaches and deciding whether or not to inform the data subject about the breach;
• maintaining the Register to document entities collecting or processing personal data along with the purpose of collecting such data;
• allowing public access to the Register for inspection;
• inquiring into and addressing any complaints related to data protection and privacy.

VII. Penalties for Non-Compliance

The DPPA states various offenses that are punishable if discovered. They include:

• unlawful acquisition or disclosure of personal data
• unlawful destruction, erasure, concealment, or modification of personal data; and
• sale of personal data.

Any person who engages in the above-stated activities is liable to imprisonment for a maximum period of 10 years, payment of a fine not greater than 240 currency points, or both. In case the offense has been committed by a corporation, then 2% of the corporation’s gross income must be paid as a fine.

VIII. How Can an Organization Operationalize the PDPL

Organizations can operationalize Uganda’s Data Protection and Privacy Act (DPPA) by:

• establishing a regulatory authority tasked with enforcing the DPPA;
• developing guidelines and standards for compliance;
• conducting public awareness campaigns;
• providing training to organizations on data protection principles;
• ensuring adequate resources for implementation and enforcement;
• creating mechanisms for reporting and investigating data breaches and violations.

IX. How Securiti Can Help

Securiti empowers organizations to effortlessly adhere to Uganda’s Data Protection and Privacy Act 2019 with its AI-driven data discovery, DSR automation, universal consent management, documented accountability, autonomous data breach management, and cookie consent management solution.

Delve into the capabilities of our all-encompassing Data Command Center, which enables compliance with various sections of the DPPA and supports enterprises on their path to align with the DPPA through automation, enhanced data visibility, and identity linking.

Request a demo to learn more.