Privacy Scorecard Report: An accountability tool in a Digitised world

By Unwanted Witness

Last year, Unwanted Witness conducted a sector-based investigation of several service providers in Uganda. The investigation analysed software applications and websites owned by private and public entities. The purpose of this annual report is to inform the public about the principles and standards of data protection, and to give data subjects critical information on how service providers (data collectors and processors) comply with local and international data protection and privacy standards.

Last year’s report analysed the data collection and processing governance mechanisms deployed by entities that collect personal data in the health, e-commerce, telecom, insurance and fintech sectors, as well as government institutions.

The scorecard report is an accountability tool deployed by the organisation and its partners to promote compliance. It analyses the different legal regimes on data protection and privacy and how different actors comply with them, documents violations and the remedial steps taken, and provides recommendations for improvement.

The scorecard assessment criteria are based on the best international and domestic data governance standards, which aim at consumer protection, trust, confidence, and the legitimate use of data for business and innovation. At the heart of these standards is informed consent: entities handling personal data are required to provide detailed information, including the purpose and intended use of the data being collected.

With the increasingly digitised economies in Africa, the establishment of the African Continental Free Trade Area, and regional common markets that facilitate free trade in goods and services, cross-border data collection and sharing is expected to grow. This calls for high levels of transparency and accountability to build trust and confidence in the digital economy.

The justification for the annual scorecard reports lies in how the sectors fared in last year’s report. It found that most e-commerce platforms complied with privacy best practice by having a noticeable and accessible privacy policy, typically placed in the footer of their websites, and that these policies also disclose the rights of the data subject.

However, almost all of them deployed third-party trackers on their platforms without mentioning this in their policies. That is contrary to the data protection principles of transparency and accountability, which require data collectors to be transparent and accountable to data subjects and regulators, including by disclosing when personal data is shared with third parties.

Further, all of the financial institutions and fintechs investigated, except Centenary Bank, had noticeable privacy policies. These institutions also deploy the most robust data security tools: their SSL server scores in the report are good and their security headers are strong. Some banks, which likewise collect personal data including personal financial information, had weak security headers, and the report flagged them as prone to keylogging, since a page that does not restrict which scripts may run can have a keystroke-capturing script injected into it. This is contrary to the principle of data security, which places a duty on all data collectors and processors to safeguard the data they collect and store. A lack of reasonable security safeguards exposes personal data to breaches, which have had serious consequences for both the victim entities and the data subjects, including identity theft and online fraud.
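The two website-level checks the report relies on above, the security-header assessment and the detection of undisclosed third-party trackers, can be reproduced with a small script. The following is an added example and not Unwanted Witness’s own scorecard tooling: the header weights, the grading thresholds, the tracker domain list and the sample bank page and header sets are all constructed for illustration, and the code runs offline on that embedded input.

```python
"""Score HTTP security headers and list third-party hosts referenced by a page.

Added example, not the Privacy Scorecard's own methodology. Runs offline on
constructed sample input; no network access is needed.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed weights, roughly in the spirit of Mozilla Observatory-style scanners.
SECURITY_HEADERS = {
    "strict-transport-security": 25,
    "content-security-policy": 25,
    "x-frame-options": 15,
    "x-content-type-options": 15,
    "referrer-policy": 10,
    "permissions-policy": 10,
}

# Hypothetical tracker list for illustration; a real scan would use a maintained blocklist.
KNOWN_TRACKERS = {
    "facebook.com", "facebook.net", "google-analytics.com",
    "googletagmanager.com", "doubleclick.net", "linkedin.com", "ads-twitter.com",
}


def score_headers(headers):
    """Return {'score', 'missing', 'weak'} for a dict of response headers.

    A Content-Security-Policy that allows 'unsafe-inline' scripts is counted as
    present but weak: it does not stop an injected inline keylogger, so it earns
    no points.
    """
    present = {name.lower(): value for name, value in headers.items()}
    score, missing, weak = 0, [], []
    for name, weight in SECURITY_HEADERS.items():
        value = present.get(name)
        if value is None:
            missing.append(name)
            continue
        if name == "content-security-policy" and "'unsafe-inline'" in value:
            weak.append(name)
            continue
        score += weight
    return {"score": score, "missing": missing, "weak": weak}


def grade(score):
    """Map a numeric score to a letter grade (assumed thresholds)."""
    if score >= 80:
        return "A"
    if score >= 60:
        return "B"
    if score >= 40:
        return "C"
    return "F"


class _AssetCollector(HTMLParser):
    """Collect URLs of scripts, images, iframes and linked resources."""

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag in ("script", "img", "iframe") and attrs.get("src"):
            self.urls.append(attrs["src"])
        elif tag == "link" and attrs.get("href"):
            self.urls.append(attrs["href"])


def find_third_parties(html, site_host):
    """Return {host: is_known_tracker} for every non-first-party host in the page."""
    site_host = site_host.lower()
    if site_host.startswith("www."):
        site_host = site_host[4:]
    collector = _AssetCollector()
    collector.feed(html)
    result = {}
    for url in collector.urls:
        host = urlparse(url).hostname  # relative URLs (no host) are first party
        if not host:
            continue
        host = host.lower()
        if host == site_host or host.endswith("." + site_host):
            continue
        result[host] = any(host == t or host.endswith("." + t) for t in KNOWN_TRACKERS)
    return result


# Constructed sample: a fictitious bank's home page and two header sets.
SAMPLE_HTML = """<html><head>
<script src="https://www.googletagmanager.com/gtag/js?id=G-XXXX"></script>
<script src="/static/app.js"></script>
<link rel="stylesheet" href="https://cdn.examplebank.example/site.css">
</head><body>
<img src="https://www.facebook.com/tr?id=123&ev=PageView" height="1" width="1">
<iframe src="https://cdn.examplebank.example/widget"></iframe>
</body></html>"""

GOOD_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "geolocation=()",
}
WEAK_HEADERS = {"Content-Type": "text/html", "X-Frame-Options": "SAMEORIGIN"}

if __name__ == "__main__":
    for label, hdrs in (("good", GOOD_HEADERS), ("weak", WEAK_HEADERS)):
        r = score_headers(hdrs)
        print(label, r["score"], grade(r["score"]), "missing:", r["missing"])
    print("third parties:", find_third_parties(SAMPLE_HTML, "www.examplebank.example"))
```

The header check only tells you whether a header is set, not whether its value is sound; the CSP inline-script test is the one value check included, because that is the gap that matters for injected keyloggers. The third-party listing is what a scorecard compares against the privacy policy: any host flagged `True` that the policy does not mention is an undisclosed tracker.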

The report also indicates that some banks, including Standard Chartered Bank, do not provide data collection information to data subjects before collecting their data. The Data Protection and Privacy Act, 2019 requires data collectors to provide the necessary information, including the purpose and use of the data being collected. This feeds into the wider principle of informed consent that is at the heart of data governance.

Whereas telecom companies scored poorly on securing consumer data against government and third-party snooping, they performed better on robust data security. Their poor performance on data privacy is attributed to the trackers owned by Twitter, Facebook, LinkedIn, and Google that the telecom companies deploy.

The government agencies performed very well on robust data security; however, they too deploy third-party trackers owned by Facebook and Alphabet, among others. Apart from the Ministry of Works and Transport, government agencies lack a noticeable and accessible privacy policy in the footer of their websites, as is common practice.

Without a report of this kind, neither the positive scores nor the compliance gaps above would become known to the unsuspecting public. Entities collecting and processing personal data take advantage of this knowledge gap, which is entrenched by regulators that lack the institutional and operational capacity to check and enforce compliance.

As a tool for data accountability and transparency, this year’s privacy scorecard report covers a wider scope of actors, in both Uganda and Kenya. It will show how private and public organisations have performed compared with last year’s scorecard report.

This year’s edition of the Privacy Scorecard report will be launched at the grand finale of the Continental Privacy Symposium Africa to be hosted by Strathmore University in Nairobi Kenya, from 2nd to 4th November this year. 

Personal data and privacy compliance is not only a legal obligation but a competitive advantage for actors in the digital economy, and it builds the trust and confidence of users of e-governance services.

As end-users become more conscious of how their data is collected, shared, and stored, companies handling it must comply with the standards set in the legal regimes, both local and international. This includes being transparent and accountable to regulators and data subjects, because, as a third eye, we will be watching and we will tell your users about you.

We hope to have you all attend this hybrid event.