Date: 2024-03-09

According to experts, NIRA’s negligence in not having a Data Privacy Policy in place raises serious concerns regarding the security and privacy of residents’ personal data.

In spite of the expanding digitization of personal records and the increasing reliance on electronic databases for essential administrative functions, there is a noticeable gap in the security of individuals’ data due to NIRA’s inability to draft a comprehensive Data Privacy Policy.

According to Allan Kigozi, the legal lead from Unwanted Witness Uganda, the lack of explicit policies governing the use, processing, and distribution of personal data at an authority that holds a pool of citizens’ data raises worries about security lapses and illegal access to people’s private data.

Speaking with Watchdog Uganda last week during the unveiling of the report at Hotel Africana, he said the lack of a Data Privacy Policy not only highlights a critical oversight in NIRA’s operations but also underscores the urgency for regulatory measures to ensure the security and privacy of citizens’ data.

Without clear protocols and safeguards in place, individuals may remain vulnerable to data exploitation, identity theft, and other malicious activities, posing significant risks to their privacy and security in an increasingly interconnected digital landscape.

“The report only assessed privacy policies that are available on the website; those that were not displayed on the website, however good they were, were not assessed. When it comes to sectors, E-commerce immigration has a privacy policy but it’s not robust, since it lacks a lot of things, yet on the other hand NIRA has no privacy policy! With the massive data they collect, with the information they are collecting, they don’t have a privacy policy. At least a public policy because he said.

He added that their methodology considered only privacy policies on the website. “NIRA performed extremely badly. If an authority like NIRA has no privacy policy, there are a lot of questions left hanging. It also shows that one has no idea of the information they are collecting and need. And also they are against the law of Data Protection and Privacy since it requires the data collector to be transparent.”

According to the report, NIRA has low scores on the indicators for accountability, availability of internal redress mechanisms for data breaches, and data collection and third-party data transfers.

The report also shows that on the aspect of data collection and third-party data transfers, NIRA’s position was unknown. Regarding informed consent, Immigration Uganda’s privacy policy lacked several crucial elements. It did not list the personal data collected, provide clear reasons for data collection, specify data storage duration, or include contact information. Additionally, it did not mention data subject rights regarding access, correction, restricting or objecting to data processing, withdrawal of consent, or permanent data deletion. For NIRA, this is unknown since there was no policy.

In terms of data security practices, both Immigration Uganda and NIRA scored poorly. Immigration Uganda’s privacy policy scored 30.8%, and Privacy Badger blocked 3 potential trackers. NIRA’s policy scored zero percent, and Privacy Badger likewise blocked 3 potential trackers. Both received low security headers grades, with Immigration Uganda at D and NIRA at F.

On accountability, neither Immigration Uganda nor NIRA had published a transparency report since 2022. In summary, Immigration Uganda has a noticeable privacy policy but lacks comprehensiveness in data collection and data security practices, while NIRA lacks a privacy policy. However, NIRA’s reply suggests that the authority is aware of the problem and is actively addressing it.