Ugandan Regulators must enforce compliance with the DPPA 2019

Online Spying Threatening Users
April 16, 2021
‘Chased Away and Left to Die’: New human rights report finds that Uganda’s national digital ID system leads to mass exclusion
June 8, 2021
Show all

Ugandan Regulators must enforce compliance with the DPPA 2019

By Zaidah Ramathan, Unwanted Witness.

May 6, 2021: Ugandan Data regulators urged to enforce compliance with the Data protection and privacy Act 2019 among data collectors and processors in order to ensure the safeguard of people’s personal data.

Data protection experts argue that the law which was enacted 2 years ago gives organizations like the National Information Technology Uganda the powers to ensure that all data collecting and processing organizations adhere to the law.  

According to the data protection and privacy experts, unless data collectors and processors expressly set up infrastructure and enabling systems that will facilitate adherence and compliance with the Data Protection and Privacy Act 2019, Data protection compliance will remain a myth.

According to experts who discussed various areas of concern at the Privacy Scorecard virtual conference organized by Unwanted Witness on Thursday, April 29th, they argued that setting up accountability systems spelling clearly the responsibility and obligations of the data protection desk and officer is important in ensuring compliance with DPPA by the data collectors and processors.

Alexandrine Pirlot de Corbion who is the Director of Strategy at Privacy International (UK), alluded to the fact that both data collectors and processors must have a privacy policy on top of providing mechanisms for the individuals to exercise their rights of accessing information or data processed about them.

Alexandrine further added that the law empowers the regulators to have access to the information for purposes of enforcing the law and ensuring compliance.

On his part, the Berlin-based data scientist at the Tactical Technology Collective, Varoon Bashyakara emphasized the need to enforce financial penalties whenever there is a data breach. 

He calls for the mandatory publication of the privacy policies of data collecting organizations in order to promote transparency hence ensuring compliance.

Varoon cited various data Applications being developed by both private and public entities without privacy policies and are in the end proving to be a danger to people’s lives. 

According to the Data Privacy and Protection Act 2019, a data subject has the right to lodge a complaint with the National Information Technology Authority against the breach of their personal data. 

However, Linda Alinda Ikanza who is a Ugandan commercial lawyer assured data subjects that in case NITA-U fails to investigate the data collector and processor implicated in violating the law, the victim of data breach who has suffered any damage as a result of the breach can lodge a complaint through a private lawyer in the courts of law. She cited the example of the events that happened during the 2016 general elections when people’s personal data was sold to political parties under the watch of NITA-U.

Alinda Ikanza also urged data subjects to fight against organizations that use their personal data for direct marketing without their consent.

Meanwhile, the Kenyan high court advocate Linda Bonyo who shared the Kenya experience on data protection and compliance urged data subjects to always ensure that they sign contractual agreements with data collectors before giving them their personal data. Ms. Bonyo further added that in Kenya a data subject has a right to demand a data processor to delete unsolicited messages as well as deleting their phone numbers from the unwanted mailing list. 

NITA-U director legal service Stella Alibateese assured the data subjects that the government has developed and gazetted regulations for the operationalization of the PDDA 2019 which will help regulators in enforcing compliance. Alibateese added that it’s not enough to just set up a data protection desk, but it is also necessary to ensure that all the staff members in the organizations from top to the cleaner are trained in Data protection because the lower employees are sometimes used as conduits for a data breach.

Ms. Alibateese appreciated Unwanted Witness for spearheading this important debate.

You can watch the webinar video here: