This note provides guidance to institutions on how to comply with the requirements under the Data Protection and Privacy Act, 2019 (the Act) on the designation and role of a Data Protection Officer (DPO). <br> Among other things, it explains what data collectors, data controllers and data processors should consider when outlining the role within their institutions and what tasks the DPO should be responsible for. <br> <ol style="list-style-type: decimal;"> <li><b>Definitions</b> <ol style="list-style-type: lower-alpha;"> <li>Data Protection Officer: There is no definition of DPO in the Act.</li> <li>Data Collector: means a person who collects personal data.</li> <li>Data Controller: means a person who alone, jointly with other persons or in common with other persons, or as a statutory duty, determines the purposes for and the manner in which personal data is processed or is to be processed.</li> <li>Data Processor: in relation to personal data, means a person other than an employee of the data controller who processes the data on behalf of the controller.</li> </ol> </li> <li><b>Importance of a DPO</b> <br> The DPO plays a key role in building data protection into the institutional culture. The DPO should be involved, in a timely manner, in all issues relating to the protection of personal data. The DPO plays a major role in embedding essential aspects of the Act into the institutional culture, from ensuring the data protection principles are respected to preserving data subject rights, and ensuring the establishment of appropriate technical and organizational measures with regard to the processing of personal data. </li> <li><b>DPO role</b><br> The DPO may be a staff member of either the data collector, data controller or the data processor.
<br> The DPO must perform a number of tasks including: <br> <ol style="list-style-type: lower-alpha;"> <li>to conduct regular assessments and audits to ensure compliance with the Act;</li> <li>to serve as the point of contact between the person, institution or public body, and the Personal Data Protection Office;</li> <li>to maintain records of all data processing activities conducted by the person, institution or public body;</li> <li>to respond to data subjects and to inform them about how their personal data is being used and what measures the person, institution or public body has put in place to protect the data;</li> <li>to ensure that data subjects’ requests to see copies of their personal data or to have their personal data erased are fulfilled or responded to, as necessary.</li> </ol> </li> </ol>
The Government of Uganda enacted the Data Protection and Privacy Act, 2019 (the Act) to protect the privacy of the individual and of personal data. The Act further regulates the collection and processing of personal information and provides for the rights of the persons whose data is collected, among other key areas. <p>The Act defines personal data as information about a person from which the individual can be identified. This includes a person’s name, where they stay and/or where they work, and flight details that can uniquely identify them from other persons.</p> <p>The National Information Technology Authority, Uganda (NITA-U) strongly advises the public against publishing, including posting online, personal data of any individual under treatment, quarantine and in isolation during this response time to COVID-19 in Uganda as coordinated by the Ministry of Health. Failure to heed this advice may attract a fine of up to 4.8 million Ugandan Shillings or imprisonment for ten years or both.</p> <p>The public is accordingly advised to follow the Ministry of Health guidelines on reporting cases via the published numbers rather than disclosing personal details on social media and other outlets. The public is reminded that even during such times, the protection of personal data of individuals still applies.</p>
His Excellency, President Yoweri Kaguta Museveni assented to the Data Protection and Privacy Act on 25th February 2019. The law, which expands the mandate of the National Information Technology Authority, Uganda (NITA-U), protects the privacy of the individual and of personal data by regulating the collection and processing of personal data. The Data Protection and Privacy Act delivers a number of objectives, namely: <ol> <li>To protect the privacy of the individual and personal data;</li> <li>To regulate the collection and processing of personal information;</li> <li>To provide for the rights of the persons whose data is collected;</li> <li>To provide obligations of data collectors and data processors;</li> <li>To regulate the use or disclosure of personal information and for related matters</li> </ol> <p>James Saaka, the Executive Director at NITA-U, applauded the signing of the law as a move that will secure citizens as Government moves to bring all services online and promote growth in the IT sector.</p> <p>The Data Protection and Privacy law is an addition to the laws that NITA-U already regulates, namely:</p> <ol> <li>The Electronic Transactions Act</li> <li>The Electronic Signatures Act</li> <li>The Computer Misuse Act</li> <li>The NITA-U Act</li> </ol> <p>The Act operationalizes Article 27 (2) of the 1995 Constitution of the Republic of Uganda, which provides for the right to privacy.</p>
Globally, 28 January of every year is recognized as Data Protection Day. This resulted from the opening for signature of the Council of Europe’s Convention 108, which addresses the protection of individuals with regard to automatic processing of personal data. This focus is a result of the rise in the importance of personal data in the information age powered by the fourth industrial revolution. Personal data is now the new ‘gold’ or, put another way, the new ‘oil.’ Uganda has in place its own law, known as the Data Protection and Privacy Act, 2019. The object of the Act is to ‘protect the privacy of the individual and of personal data by regulating the collection and processing of personal information; to provide for the rights of the persons whose data is collected and the obligations of data collectors, data processors and data controllers; to regulate the use or disclosure of personal information; and for related matters.’ This Act further gives effect to Article 27 (2) of the Constitution of the Republic of Uganda by providing for the principles of data protection and recognizing the rights of the persons from whom personal information is collected. The Act furthermore establishes a Personal Data Protection Office responsible for personal data protection under the National Information Technology Authority – Uganda (NITA-U). The Act is based on the following globally recognized principles applicable to organizations and persons collecting and processing personal data in Uganda: <ol type="a"> <li>Accountability to the data subject (the natural person on whom personal data is processed)</li> <li>Collection and processing of personal data should be fair and lawful</li> <li>The nature of personal data collected or processed should be adequate, relevant and not excessive for the intended purpose</li> <li>Personal data should be retained for only the period authorized by law or for which the data is required</li> </ol>
The International Organization for Standardization (ISO) released a new data protection and privacy-focused standard known as ISO/IEC 27701:2019. This standard specifies requirements and provides guidance for establishing, implementing, maintaining and continually improving a Privacy Information Management System (PIMS) applicable to all types and sizes of organizations. An organization that implements this standard will have good, demonstrable assurance of having in place appropriate technical and organizational measures for the protection of personal data. This is one of several ways for an organization to comply with Section 20 of the Data Protection and Privacy Act, which addresses security measures.
A presentation on the Data Protection and Privacy Act was delivered (14/2/20) at the Digital Security Conference held at the Kampala Serena Conference Center. The aim of the presentation was to create awareness of the Act amongst the participants. The presentation therefore focused on the following areas: the purpose of the Act, the principles of Data Protection and Privacy, and a general overview of the Act.