TMT Alert: Do you collect personal data in the operation of your business? The Data Protection & Privacy Act, 2019, decoded

By: Patrick Mugalula


In December 2018, the Parliament of Uganda passed the Data Protection and Privacy Bill, 2015 into law. The Bill received Presidential assent and force of law on the 25th February, 2019. Prior to this, the extent of the law on the right to privacy and data protection in Uganda was Article 27 of the 1995 Constitution of the Republic of Uganda (as amended) which provides, generally, for a right to privacy of the person, home, property and communications/correspondences of a person.

The Constitution is the Supreme law of Uganda and as a result, all laws must be in consonance with its provisions. Unfortunately, the provisions of the Constitution are intended as a framework, and they are, with certain exceptions, couched in general and abstract terms. In the absence of a specific statute operationalizing a provision of the Constitution, the true nature and limits of a Constitutional right may remain ambiguous.

As a result, there have hardly been any legal actions of note instituted in the Courts of Uganda based on Article 27, despite the need and widespread desire for a law to operationalize the same. As such, the passing of the Data Protection and Privacy Act 2019 (“the Act”) is a welcome development and the Act is likely to be one of the most consequential laws entering into force in Uganda this year.

In an international context, the Act comes just a year after the European Union passed its own (and perhaps the world’s most comprehensive) law on data protection: the General Data Protection Regulation (commonly known as ‘GDPR’). The GDPR, which came into force on the 25th May, 2018, ushered in a new era of data management, especially in respect to digital data collected online through automated processes. A key aspect of the GDPR, which carried over into Uganda’s own legislation, is the imposition of large fines, pegged to the annual turnover of corporate entities that breach their obligations under the law.


It is important to note that the Act applies to the collection, processing, holding or use of personal data within Uganda in respect to persons in or outside Uganda, in respect to Ugandan citizens. This means that both automated and physical data collection, processing and storage are covered within the scope of the Act.

This essentially means that if you deal in personal data in operating your business (for instance, you ask your customers for their personal details for your records), this Act applies to you.


  • Data and personal data:

Under the law, data is generally defined as information that may be processed automatically, recorded for storage, recorded as a part of a filing system or any information that forms part of an accessible record.

On the other hand, personal data means information about a person from which a given person may be identified, that is recorded in any form, including but not limited to nationality, age, marital status, educational level, occupation, identifiable number, symbol or other particulars assigned to a person, identity data or other information including an opinion of a person.

  • Data controllers, data collectors, data processors and data subjects:

The main targets of the Act are data subjects on one hand and data controllers, data collectors and data processors on the other hand. Data subjects are individuals from whom personal data is collected and thereafter collated, processed or stored by a data collector, data controller or data processor.

  • Regulator and Government Line Ministry:

The Act will be implemented by the National Information Technology Authority (NITA) through its Data Protection Office and under the oversight of the Ministry of Information and Communications Technology.

  • Obligations created by the Act:

The Act creates the following specific obligations:


By far the most critical aspect of the Act is that it obliges data collectors, controllers and processors to seek the consent of a data subject before the collection or processing of the data, except where such data was being collected as a legal requirement/is authorized by law, for performance of a public duty by a public body, for national security purposes, for the prosecution of an offence, for the purposes of performing a contract or for medical purposes.

This consent must be informed consent and may be withdrawn by a data subject after it is given. In order to amount to informed consent, the collector must inform the subject of the nature and category of data to be collected, the name and address of the collector, the purpose for the collection, whether the collection is mandatory or discretionary, the consequences of failing to provide the data, the recipients of the data, the data subject’s right to access and rectify the data and the period for which the data will be maintained.

Special personal data:

The Act creates a special class of personal data which may not be collected in any event, including data in relation to religious and philosophical beliefs, political opinions, sexual life, financial information, health status or medical records.

From whom data may be collected:

The Act requires data collectors to collect data directly from the data subjects.

Minimality, quality and retention:

The Act requires that data should be collected for a specific reason and that only the minimum amount of data necessary to achieve that purpose should be collected. However, once the data collector has the data, he/she is obliged to ensure that the data is complete, accurate, up to date and not misleading in respect to the purpose of collection.

Additionally, data should only be retained for the period of time necessary to achieve the original purpose of collection.

Compatibility of purpose:

Any further processing of collected data must be compatible with the original purpose of collection of the data.

Security measures:

The Act requires all data collectors, controllers and processors to put in place security measures that ensure the integrity of the personal data in their possession and control. These measures should safeguard against loss, damage, unauthorized destruction and unlawful access of the said personal data. This obligation also applies in the event that the data collectors, controllers and processors are different entities. In such a case, the data collector is required to ensure that the processor and controller to whom it shall pass on the data have adequate security measures to ensure the data’s integrity. Naturally, this extends to data externalization such that Ugandan collectors, controllers or processors may only transfer data to third parties abroad for further processing if these foreign third parties have adequate security measures in place and are in a country with a data protection regime at least as stringent as our own.

Notification of data security breaches:

The Act requires data collectors, controllers and processors to notify the Authority in the event that they are faced with any data security breach or in the event that they believe they have faced a data security breach.

Registration of data collectors, controllers and processors:

The Act creates an obligation on all data controllers, data collectors and data processors to register with the Authority, specifically the fact that they collect, control or process data, as the case may be, and the purpose of the collection or processing of the data.

  • Rights created by the Act:

The Act creates a myriad of rights for data subjects including:

  1. The right to demand that a data collector either corrects or deletes the data in the data controller’s control if that data is inaccurate, irrelevant, excessive, out of date, incomplete, misleading or obtained unlawfully.
  2. The right to demand that the data controller deletes data about the data subject which the controller has no authority to retain.
  3. The right to be notified once the data controller has deleted or corrected the data as in 1 and 2 above.
  4. The right to access one’s personal information upon providing proof of identity.
  5. The right to prevent processing of personal data collected from the data subject.
  6. The right to prevent processing of personal data for direct marketing.
  7. The right to access the Data Protection Register.

  • Civil liability and offences:

Civil Liability:

The Act entitles a data subject or any person who thinks that a data collector, controller or processor is infringing upon their rights to make a complaint to the Authority which can then investigate the said complaint.

In the event a data subject suffers damage or distress through a contravention by a data collector, controller or processor, then that data subject will be entitled to apply to a court of law for compensation from that data collector, controller or processor. However, it is a defence available to that data collector, controller or processor to submit evidence that it took reasonable care in all circumstances to comply with the requirements of the Act.


The Act creates the following offences:

(i) unlawful obtaining or disclosing of personal data;

(ii) unlawful destruction, deletion, concealment or alteration of personal data; and

(iii) sale of personal data;

all of which are punishable, upon conviction, by a fine of UGX 4,800,000 (approximately USD 1285) and/or a sentence of ten years imprisonment.

Offences by corporations: Where the offence is by a company, the company in its corporate capacity and every officer who knowingly and willingly permits/authorizes the offence is separately liable. In addition to a fine of UGX 4,800,000 (approximately USD 1285) and/or a sentence of ten years imprisonment, the court may ask the company to pay an additional fine not exceeding 2% of its gross annual turnover.

There is no doubt that the Act has filled a glaring legal and regulatory lacuna. There is no denying that the provisions of the Act are deftly crafted to provide a safe framework for data protection. It however remains to be seen how the Act will be implemented and whether it will have the desired impact, especially given the context of increasing digital data engagement in Uganda.

If you have any questions relating to the Data Protection and Privacy Act, 2019, or are wondering where to start, in order to be compliant, please contact Patrick.

This Telecom, Media and Technology alert provides general information only. It is not intended to provide advice with respect to any specific set of facts, nor is it intended to advise on all developments in the law.