Modify the Data Protection & Privacy Bill, 2015 to make provision for an independent Data Protection Commission – Unwanted Witness Legal Analysis Report.

Kampala, 15th/12/2016; The Unwanted Witness and Cluster for Privacy in Uganda welcomes the development of the Data Protection Bill, 2015 to enforce Article 27 of the 1995 Constitution of Republic of Uganda but call for the modification of the bill to accommodate a provision of an Independent Data Protection Commission to oversee the protection and regulation of Personal data/Information.

Since the promulgation of the 1995 Constitution, the Uganda government, its agents and private institutions have engaged in collection of citizens’ personal data. Data has been collected for various purposes including registration of citizens for national identity cards, SIM Card registration, national census and health care visits among others. However, all this data was collected and continues to be collected without a guiding legal framework to guide the collection, storage and processing of personal information.

In 2015, government tabled the Data protection and privacy bill before parliament. The bill was debated and later sent to the Information Communication Technology Committee of parliament to gather stakeholders’ views on the bill. This bill has been analysed by Unwanted Witness in conjunction with Cluster of Privacy in Uganda, where the findings reveal both opportunities and serious gaps that risk abuse and misuse of collected personal information/data by state and non-state actors.

The 23 page analysis report proposes that a provision in the bill be introduced to carter for the establishment of an independent Data Protection commission as opposed to the existing National Information Technology Authority (NITA) Uganda. The report urges that NITA – U lacks the desired independence given the fact that the authority is under the general supervision of the minister of Information and Communication Technology.

“NITA-U Act 2009 is more centered on retention of metadata and advancement of Communication and Information Technology than Personal Data/Protection and privacy rights,” reads part of the report.

The report further highlights the following findings;

Principles of Data protection;

Clause 3 of the bill details internationally accepted principles of data protection, which include accountability, collection limitation, purpose specification, and quality of data processed, transparency and participation, retention period and security safeguards. The report commends the bill for its adherence to the data protection principles to a larger extent, but notes;

That while the bill prohibits collection of special personal data, which is regarded as sensitive, it falls short of some of the necessary categories such as racial and ethnic origin, physical or mental health condition. The report then recommends inclusion of special personal data in order to buttress article 21 of the 1995 constitution of the Republic of Uganda, which prohibits discrimination on such grounds.

The report also faults the bill for not taking into consideration information collected under the Uganda Bureau of statistics Act, which poses a high risk of misuse of personal data.

Unlawful obtaining and Disclosure of personal Data;

Data Protection and privacy bill 2015 prescribes a sentence upon conviction of a fine not exceeding two hundred and forty currency points or imprisonment not exceeding ten years or both. This prison sentence and penalty according to the report, is too hash given the exclusion of prescribing exemption to data that may be processed of artistic works, research, journalistic, academia and literally works. The report warns that if maintained, it is likely to narrow the space for freedom of expression, and thus recommend a reduction on the prison sentence from 10 years to 3 or 5years and penalty from two hundred and forty currency points to one hundred currency points.

“The bill is step in the right direction and we call upon legislators to widely consult with all stakeholders and take their views into consideration so that Ugandans can have a good law which protects personal data from being misused by both state and non state actors,” said Jeff Wokulira Ssebaggala, the Chief Executive Officer, the Unwanted Witness.

We therefore recommend that;

(1)   An independent data protection commission should be created with full powers to oversee the law as well as the ability to receive and resolve complaints about its implementation by both public and private bodies.

The decisions handed down by this commission should be subject to a rights of appeal to an impartial court.

(2)   The bill should provide for a broad exemption for the purposes of communicating information to the public, communicating ideas or opinions of general interest including for journalistic purposes, academic, artistic or literary expression.

(3)   Clause 15 on trans border transfers of personal data should include an exception for the protection of freedom of expression consistent with practice in this area.

(4)   Clause 12 should ensure that any rules on the deletion of public information are balanced with freedom of expression.