A corporate entity intending to carry out business in Uganda needs to familiarise itself with the various data protection laws in Uganda and make sure it is compliant with all of them, so that its business can run smoothly.
This write-up gives a brief overview of some of the important factors that a corporate entity will have to consider when it comes to data protection.
Data protection in Uganda is governed by the Data Protection and Privacy Act 2019. The Act regulates the way data is processed and handled by the different data controllers and data processors. It is built on the principles of data processing, which require that a data controller or processor be accountable to the data subject for data collected, processed, held or used; that data be collected in a lawful and fair manner; that it be adequate, minimal and not excessive, accurate, not misleading and up to date; that it be collected transparently; that it not be kept longer than necessary; that it be kept secure; and, overall, that it be used only for the purpose for which it was collected.
WHO IS THE DATA CONTROLLER AND WHO IS THE DATA PROCESSOR?
A registered corporate entity has to clearly state who the data controller and the data processor will be during the operation of its business. Since it will be entering into agreements with the cooperative societies, the cooperative societies will have access to, and control of, a considerable amount of data.
Under the Act, a data controller is a person who, alone, jointly with other persons, in common with other persons or as a statutory duty, determines the purpose for which and the manner in which personal data is to be processed or is processed.
A data processor, on the other hand, is a person other than an employee of the data controller who processes the data on behalf of the data controller.
Considering the information given to us,
Knowing who the data controller and the data processor are will help determine liability in the event of a data breach or loss, and it will also help determine each one's obligations under the Act.
Once incorporated, a corporate entity controlling data should be mindful of the following provisions of the Act that affect the way it conducts its business:
COLLECT DATA DIRECTLY FROM THE DATA SUBJECT
When collecting data from clients, an entity should ensure that the data is collected directly from the data subject and not from a third party. Section 11 of the Act stipulates that personal data should be collected directly from the data subject.
COLLECT DATA IN A WAY THAT DOES NOT INFRINGE ON THE PRIVACY OF A DATA SUBJECT
Section 10 of the 2019 Act prohibits the collection or processing of personal data in a manner that infringes on the privacy of a data subject. Data should thus be collected in light of the principles of data protection highlighted above and set out in Section 3 of the Data Protection Act.
DATA THAT SHOULD NOT BE COLLECTED
Section 9 of the 2019 Act prohibits the collection and processing of data that relates to the religious or philosophical beliefs, political opinion, sexual life, financial information, health status or medical records of an individual. The exceptions are where the data is collected or processed by the Uganda Bureau of Statistics, where the collection is mandated by law on an employer, where the information is given freely and with the consent of the data subject, and where it is collected in furtherance of the legitimate activities of a body or association.
CONSENT
Consent plays an important role in data protection and is reiterated throughout the Act. The data collector should ensure that all the data it collects from individuals is consented to. The data should not be shared unless it is a public record or the client has consented to it being shared.
Processing personal data is generally prohibited, unless it is expressly allowed by law, or the data subject has consented to the processing.
Section 11 of the Act states that a data controller or processor may only share the data of a data subject if it is a public record, the data subject has deliberately made the data public, the data subject has consented, the data is anonymised, or the sharing is in furtherance of a law, the public interest or national security.
However, there are exceptions to this rule. Section 7 of the Act provides the circumstances in which processing of personal data by the data controller is permitted, namely where the collection is:
a) necessary for the proper performance of a public duty by a public body;
b) for national security;
c) for the prevention, detection, investigation, prosecution or punishment of an offence or breach of law;
d) for the performance of a contract to which the data subject is party;
e) for medical purposes; or
f) for compliance with a legal obligation to which the data controller is subject.
In all other cases, section 7(3) gives the data subject the right to object to the collection or processing of personal data.
Section 11(g) of the Act also provides that the requirement for consent may be waived where it is not reasonably practicable to obtain the consent of the data subject.
DEALING WITH MINORS
If the entity deals with minors, it will be required to obtain consent from their parent or guardian before obtaining data from them. Section 8 requires a data controller or processor to seek the consent of the parent or legal guardian before dealing with any data relating to a minor. The known exceptions are where the processing of the data is necessary to comply with the law or for research and/or statistical purposes.
OBLIGATIONS OF A DATA CONTROLLER
According to section 13 of the Act, a data controller is required to inform its clients of the following when collecting their data:
a) The nature and category of the data collected;
b) The name and address of the data collector;
c) The purpose for which the data is required;
d) Whether the supply of the data is discretionary or mandatory;
e) The consequences of failure to provide the data;
f) The law that necessitates the collection of the data;
g) The recipients of the data;
h) The existence of the data subject's right to access, rectify and delete the data;
i) The period of retention of the data.
As a data controller, the entity shall ensure that the data it collects is complete, accurate, up to date and not misleading, having regard to the purpose of its collection. This is in line with section 15 of the Act.
SECURING DATA
The data controller is obliged to make sure that the client data it stores is secured.
The 2019 Act provides guidelines for securing data. Section 20 provides that a data controller shall take measures to:
a) Identify reasonably foreseeable internal and external risks to personal data under that person’s possession or control;
b) Establish and maintain appropriate safeguards against the identified risks;
c) Regularly verify that the safeguards are effectively implemented; and
d) Ensure that the safeguards are continually updated in response to new risks or deficiencies.
Under Section 22(3), a data controller shall observe generally accepted information security practices and procedures, as well as the specific rules and regulations of its industry or profession.
DATA STORED OUTSIDE UGANDA
The entity will have to ensure that data stored and processed outside Uganda is secure and safe: there should be adequate measures in place for the protection of personal data equivalent to the protection provided for in the Act, and the data subject must have consented to the data being stored and processed outside Uganda.
SECURITY MEASURES
Any unauthorised access to personal data should be reported to the National Information Technology Authority (NITA). Section 23 of the 2019 Act makes it mandatory for a data controller or processor who believes that personal data has been accessed or acquired by an unauthorised person to immediately notify NITA. NITA will in turn determine whether there is any need to notify the data subject(s).
GANYANNA SHEBA PERCY
ADVOCATE
LLB (HONS) UCU
DIP.LP LDC