The Bill should, however, clarify & distinguish Data Collectors from Data Processors & Data Controllers. Clause 2 is inconsistent with international good practice which provides for two broad categories of Data Controllers.
It is recommended that the quantum of financial sanctions be tiered for natural and corporate personalities, with natural persons at the lower end of the spectrum and corporate persons at the higher end of the spectrum.
It is proposed that a special clause be added to provide for higher obligations on persons who deal with data on children & people with special needs, because children & PWDs may not adequately protect themselves against data abuse.
The Bill should treat financial information as sensitive/special data requiring additional protection beyond ordinary information. This is key in light of recent unauthorised disclosure of financial details.
A data subject should be able to transfer his/her data from one controller or service provider to another if they so wish. The Bill in its current form does not provide for data portability. A section should be added to allow for #Data portability.
Clause 32(2) of the Bill prohibits data brokerage. The law ought to balance individual rights to privacy with business needs rather than hinder or encumber trade; perhaps data brokerage should be regulated rather than totally prohibited.
The Bill could also consider obliging Public Controllers and Processors and those that transact with significant amounts of personal information to appoint natural or corporate personalities responsible for Privacy and #Data Protection.
The concept of ‘information fiduciaries’ should be taken into consideration.
In the law, a fiduciary is a person or business with an obligation to act in a trustworthy manner in the interest of another.
It is also proposed that the Bill should include a clause on Data Localisation. Data localisation rules require entities that collect data from members of the public to ensure that the data is stored within the geographical boundaries of Uganda.