UCC had opportunity to comment on the #Data.Protection & Privacy Bill. The enactment of this law is long overdue. A comprehensive law on the collection & processing personal information gives effect to the right to Privacy envisaged under Article 27(2) of the Constitution 
UCC welcome the protections offered by the Bill in terms of export of data, breach notification requirements, data subjects access rights, automated decision making, compensation and the right to be forgotten and provision for financial and penal sanctions for breach of the law.
Distinction between Data collectors & data controllers.
The Bill should however clarify & distinguish Data Collectors, from Data Processors & Data Controllers. Clause 2 is inconsistent with international good practice which provides for two broad categories of Data Controllers
The Bill should however clarify & distinguish Data Collectors, from Data Processors & Data Controllers. Clause 2 is inconsistent with international good practice which provides for two broad categories of Data Controllers
Enhancement of sanctions against Corporates.
It is recommended that the quantum of financial sanctions be tiered for natural and corporate personalities, with natural persons at the lower end of te spectrum and corporate persons at the higher end of the spectrum.
It is recommended that the quantum of financial sanctions be tiered for natural and corporate personalities, with natural persons at the lower end of te spectrum and corporate persons at the higher end of the spectrum.
The rationale to tier financial sanctions is that Corporates are the biggest offenders of data privacy rights, and they are the ones most likely to profit out of data breaches and hence, they ought to be subjected to higher penalties.
The Bill should include special provision on Children & PWDs.
It's proposed a special clause added to provide for higher obligations on persons who deal with data on children & people with special needs bse children & PWDs may not adequately protect themselves against data abuse
It's proposed a special clause added to provide for higher obligations on persons who deal with data on children & people with special needs bse children & PWDs may not adequately protect themselves against data abuse
Categorise financial information as sensitive or special personal data.
The Bill should treat financial information as sensitive/special data requiring additional protection beyond ordinary information. This is key in light of recent unauthorised disclosure of financial details.
The Bill should treat financial information as sensitive/special data requiring additional protection beyond ordinary information. This is key in light of recent unauthorised disclosure of financial details.
Data Portability
A data subject should be able to transfer his/her data from one controller or service provider to another if they so wish. The Bill in its current form does not provide for data portability. A section should be added to allow for #Data portability.
A data subject should be able to transfer his/her data from one controller or service provider to another if they so wish. The Bill in its current form does not provide for data portability. A section should be added to allow for #Data portability.
Data Brokerage
Clause 32(2) of the Bill prohibits data brokerage. The law ought to balance individual rights to privacy with business needs rather than hinder or encumber trade, perhaps data brokerage be regulated rather than totally prohibited.
Clause 32(2) of the Bill prohibits data brokerage. The law ought to balance individual rights to privacy with business needs rather than hinder or encumber trade, perhaps data brokerage be regulated rather than totally prohibited.
The use of data for innovative & social good should be encouraged. Rather than prohibit data brokerage, it's recommended that a mechanisms through which data brokerage is regulated in order to facilitate usage of data, without compromising the rights of data subjects is provided
Accounting officers for data protection.
The Bill could also consider obliging Public Controllers and Processors and those that transact with significant amounts of personal information to appoint natural or corporate personalities responsible for Privacy and #Data Protection
The Bill could also consider obliging Public Controllers and Processors and those that transact with significant amounts of personal information to appoint natural or corporate personalities responsible for Privacy and #Data Protection
Alternatively, the #DataProtection and Privacy Bill should hold the heads of the responsible public institutions accountable as an ‘Information Officer’ similar to the concept of the ‘Accounting Officer’, with a relevant technical staff.
Information fiduciaries.
The concept of ‘information fiduciaries’ should be taken into consideration.
In the law, a fiduciary is a person or business with an obligation to act in a trustworthy manner in the interest of another.
The concept of ‘information fiduciaries’ should be taken into consideration.
In the law, a fiduciary is a person or business with an obligation to act in a trustworthy manner in the interest of another.
Therefore, in light of Information fiduciaries; Information Controllers and Processors could for example be required to comply with a set of fair information practices, including providing security and privacy guarantees.
Data localisation.
It is also proposed that the Bill should include a clause on Data Localisation. Data localisation rules require entities that collect data from members of the public to ensure that the data is stored within the geographical boundaries of Uganda.
It is also proposed that the Bill should include a clause on Data Localisation. Data localisation rules require entities that collect data from members of the public to ensure that the data is stored within the geographical boundaries of Uganda.
Data localisation will help avert the risks associated with some operators hosting customer’s data outside Uganda and thereby exposing it to the risk of espionage and unlawful access. This will also allow easy monitoring of compliance with our data protection law.
The Commission is happy with proposed provisions of the Bill. This will balance concerns for both business players & the right to privacy of customers. The law will bring a strong & more coherent data protection framework that will allow the Ugandan digital economy to thrive.
