DLA Piper Intelligence: Data Protection Laws of the World

Uganda

Law

Generally, a person’s right to privacy of information is protected under Article 27 of the Constitution of the Republic of Uganda. The protection under the Constitution has recently been supplemented by the Data Protection and Privacy Act, 2019 and the Data Protection and Privacy Regulations, 2021, which were enacted primarily to regulate the collection, processing, use and disclosure of personal data. The Act and Regulations apply to any person, entity or public body:

  • collecting, processing, holding or using personal data within Uganda;
  • outside Uganda who is collecting, processing, holding or using personal data of Ugandan citizens.

The Data Protection and Privacy Act commenced on 3 May 2019 while the Regulations took effect on 12 March 2021.

There are also other sector specific laws that incorporate data protection provisions applicable to the activities governed under those particular laws. These laws include, but are not limited to:

  • The Access to Information Act, 2005
  • The Regulation of Interception of Communications Act, 2010
  • The Computer Misuse Act, 2011 (as amended)
  • The Registration of Persons Act, 2015

Last modified 12 Jan 2023

Definitions

Definition of Personal Data

Personal data is defined under section 2 of the Data Protection and Privacy Act as information about a person from which the person can be identified such as information relating to nationality, age, marital status, education level, occupation and identity data.

This information is considered personal data regardless of the form in which the information is recorded.

Definition of Sensitive Personal Data

The term “sensitive personal data” has not been defined under Ugandan law.

However, section 9 of the Data Protection and Privacy Act defines a related term, “special personal data”, as data which relates to the religious or philosophical beliefs, political opinion, sexual life, financial information, health status or medical records of an individual.

Authority

The Personal Data Protection Office established by Section 4 of the Data Protection and Privacy Act and Regulation 3 of the Data Protection and Privacy Regulations is responsible for personal data protection. The Office operates under the National Information Technology Authority-Uganda and was operationalized in August 2021.

Registration

Under Regulation 13 of the Data Protection and Privacy Regulations, every data collector, processor, or controller in Uganda (or outside Uganda collecting or processing the personal data of Ugandan citizens) is required to register with the Personal Data Protection Office. The Office maintains a Data Protection and Privacy Register relating to data collectors, processors and controllers, including the purpose for which the data is collected or processed.

Data Protection Officers

Every entity whose activities consist of processing operations that require regular and systematic monitoring of data subjects on a large scale, or whose activities consist of processing special personal data, is required to designate a personal data protection officer charged with ensuring compliance with the data protection law. Neither the Act nor the Regulations provide criteria for the appointment of data protection officers.

Under Regulation 47 of the Data Protection and Privacy Regulations, the Personal Data Protection Office is required to specify the persons, institutions, and public bodies required to designate a data protection officer. This publication is yet to be released by the Office.

Collection & Processing

Restrictions on the collection or processing of the personal data

There are a number of restrictions under the Data Protection and Privacy Act which ought to be complied with in the collection and processing of personal data. These include but are not limited to the following:

  • The informed consent of the data subject must be obtained prior to collection or processing of personal data.
  • The collection or processing of personal data relating to a child is prohibited unless: (i) done with the prior consent of the parent / guardian; (ii) necessary for compliance with the law; or (iii) the collection or processing is for research or statistical purposes.
  • Special personal data should not be collected or processed unless specifically permitted by the law.
  • Personal data should be collected directly from the data subject.
  • Personal data shall only be collected for a lawful and specific purpose which relates to the functions or activity of the data collector or data controller.
  • A data collector, data processor or data controller is obligated to ensure that the data is complete, accurate, up-to-date and not misleading.
  • Further processing of personal data shall only be for the specific purpose in connection with which the personal data was collected.
  • Personal data shall not be retained for a period longer than is necessary to achieve the purpose for which the data is collected and processed unless specifically authorised by the Act.
  • A personal data record should be destroyed or de-identified after the expiry of the retention period in a manner that prevents reconstruction of the personal data in an intelligible form.

Transfer

Section 19 of the Data Protection and Privacy Act permits processing or storage of personal data outside Uganda provided that:

  • adequate measures are in place in the country in which the data is processed or stored which are at least equivalent to the protection provided under the Act; or
  • the data subject has consented.

Regulation 30(2) of the Data Protection and Privacy Regulations prohibits any further transfer of personal data processed outside Uganda to a third country without the consent of the data subject.

Security

A data controller, data collector or data processor is required under section 20 of the Data Protection and Privacy Act to secure the integrity of personal data in its control or possession by adopting appropriate measures to prevent loss, unauthorised destruction, unauthorised processing of or unlawful access to personal data.

The data controller is specifically required to use measures that:

  • identify reasonable risks to personal data in its possession or control;
  • establish and maintain appropriate precautions against the risks identified;
  • regularly verify the effective implementation of the precautions;
  • ensure that the safeguards are continually updated.

In instances where personal data is processed by a third party, the entity must ensure that the data processor applies the security safeguards provided under the Act.

Breach Notification

Section 23 of the Data Protection and Privacy Act and Regulation 33 of the Data Protection and Privacy Regulations impose a duty on a data processor, data collector or data controller to immediately notify the Personal Data Protection Office, where there is reasonable belief that personal data has been accessed or acquired by an unauthorised person. Data collectors, processors and controllers registered with the Office are required to submit an annual report summarizing any data breaches suffered and how they were addressed.

Enforcement

Remedial orders

The Personal Data Protection Office is empowered under the Data Protection and Privacy Regulations to make orders requiring a breach or violation of the Act to be remedied or for compliance with a request of a data subject. The exercise of these powers may be triggered by a complaint or request lodged with the Office by a person aggrieved by actions under the Act or by a data subject seeking to enforce the rights availed under the Act.

Compensation

A person is entitled to apply to a court of law with competent jurisdiction for compensation for damage or distress caused by the actions of a data collector, data controller or data processor in violation of the Data Protection and Privacy Law.

Sanctions

  • Fines — The Data Protection and Privacy Act provides for fines as a penalty for the commission of an offence under the Act. Save for the fine imposed on a corporation for non-compliance with the Act, the fines provided do not exceed 245 currency points (which is equivalent to UGX 4,900,000). The exception in the case of a violation by a corporation allows a court to order a corporation to pay a fine of up to 2 percent of the corporation’s annual gross turnover.
  • Imprisonment — A court of law may order imprisonment of a person convicted of any of the offences under the Data Protection and Privacy Act. The imprisonment terms which are provided are limited to a period of 10 years or less. Both imprisonment and payment of a fine can be ordered by a court in respect of the same offender upon conviction of an offence.

Electronic Marketing

There is no electronic marketing regulation in Uganda.

Online Privacy

There is no specific online privacy regulation.

Contacts

Barnabas Tumusingize
Managing Partner, Sebalu & Lule Advocates
T +256 213 250 013

Paul Mbuga
Principal Associate, Sebalu & Lule Advocates
T +256 0312 2500013

Josephine Muhaise
Associate, Sebalu & Lule Advocates
T +256 414 233 063