NITA-U, UNCDF announce partnership to protect privacy and personal data of Ugandans

The National Information Technology Authority of Uganda (NITA-U) through its Personal Data Protection Office and United Nations Capital Development Fund (UNCDF) have entered into a partnership to develop a data protection portal in Uganda.

The partnership was virtually launched on Thursday.

The data protection portal will ease registration of data controllers, data collectors and data processors as well as the reporting, processing and resolving of data protection and data privacy complaints and breaches.

During the launch, Ms. Stella Alibateese, National Director Personal Data Protection Office urged all organisations that collect, process and/or control personal data to start registering with the office since its now fully operational with a competent and experienced team up to the task.

“The door is also open for data subjects to raise complaints,”Ms. Alibateese said.

“The increased digitization of services and the need to work remotely presents numerous challenges for organisations and consequently the need to be more vigilant towards personal data protection. These include data theft, data extortion, data alteration and destruction among other threats. Most of this data will include large volumes of personal data because most services require valid identification and therefore must collect one’s particulars before they can provide the appropriate service. Before and after they collect that personal data, it is incumbent upon the organisations to comply with the Data Protection and Privacy Act 2019 and other relevant laws,” she added.

UNCDF’s support to NITA-U to develop the data protection portal is part of its strategy:“Leaving No One Behind in the Digital Era,” funded by SIDA, the Swedish International Development Cooperation Agency. The strategy aims to empower millions of Ugandans to use digital services that will leverage innovation and technology to improve their well-being and productivity while contributing to achievement of the Sustainable Development Goals.

“Our Inclusive Digital Economies practice aims at driving universal access to secure, affordable and trusted digital systems – a key prerequisite for the growth of a digital economy. UNCDF recognizes that increased public trust in digital technology including personal data will further catalyze the adoption of digital solutions across all sectors,” Mr Chris Lukolyo, Digital Country Lead at UNCDF said.

The Data Protection platform will be designed with a robust back end, user friendly front end and strong reporting capability. The service will also include SMS/USSD functionality to enable universal access and usage by most citizens.

The Data Protection Portal will: i) offer electronic seamless registration for data collectors, data processors and data controllers; ii) give a platform for data subjects to easily file a complaint with the Personal Data Protection Office; iii) act as a platform to promote knowledge about personal data protection and privacy best practices, guidelines, and tips.

The Data Protection and Privacy Act, 2019 was assented to by His Excellency the President of Uganda on 25th February 2019 and gazetted on 3rd May 2019. Subsequently, the Data Protection and Privacy Regulations were gazetted on 12th March 2021. The law establishes the Personal Data Protection Office under the National Information Technology Authority, Uganda (NITA-U) to among other functions oversee the implementation of and be responsible for the enforcement of the Act.

The Data Protection and Privacy Act (2019)aims to:protect the privacy of the individual and of personal data by regulating the collection and processing of personal information; to provide for the rights of the persons whose data is collected and the obligations of data collectors, data processors and data controllers; and to regulate the use or disclosure of personal information.The law provides that all personal data must be handled in accordance with the principles of data protection and privacy as provided in the Act including; Accountability, Lawfulness, Minimality, Retention, Quality, Transparency and Security.

In addition, the Act requires all data collectors, data processors and data controllers to: i) Register with the Personal Data Protection Office; ii) Appoint or designate a data protection officer; iii) Conduct data protection impact assessments where the collection or processing poses a high risk to the rights and freedoms of natural persons among other requirements.