The Safety of Our Personal Data


We often share our data with several bodies, including Government agencies like the National Identification Regulatory Authority (NIRA) and telecom companies like MTN Uganda, without questioning its safety with such entities or the implications of sharing for our privacy. Privacy is a constitutional right guaranteed under Article 27 of the 1995 Constitution of the Republic of Uganda.

Though the right is not absolute, any limitation of it should be within the acceptable standards set by Article 43 of the 1995 Constitution of the Republic of Uganda. To enforce the provisions of Article 27 of the Constitution and to protect personal data in Uganda, Uganda enacted the Data Protection and Privacy Act of 2019, which borrows a lot from the General Data Protection Regulation of the European Union 2016/679 (GDPR). Further, several bodies in Africa have invested efforts in ensuring that data protection is prioritised by their member states. For example, the African Union adopted the Convention on Cyber Security and Data Protection in 2014, the Southern African Development Community (SADC) developed a model law on data protection which it adopted in 2013, and the East African Community developed a framework on cyber laws in 2008.

A few principles have been designed for the protection of data in Uganda. These include, among others: being accountable to the data subject; collecting data fairly and lawfully; collecting only adequate and relevant data, not excessive or unnecessary data; retaining the data only for the period authorised by law; and ensuring transparency and the participation of the data subject in the process of collecting and using their data. Uganda has gone ahead and created a data protection office, which is headed by a national data protector.

For one’s data to be collected, clear and valid consent should be obtained from the data subject. This is emphasized by notifying the data subject of the purpose of collecting the data and of the need for additional consent in the event the data collected may be shared by a third party. The Act does not provide a particular manner in which the consent must be obtained, but the GDPR has stipulated that the data collector is expected to keep the consent forms on which the data subject authorised the collection of the data. To obtain consent by implication means that the data subject has the right to object to the same, and should this happen, the data collector should stop forthwith. The data protection principles of fairness, lawfulness and transparency require the data controller to inform the data subject about the sharing of personal data with third parties, and the data subject shall have the right to stop the further processing and sharing of the data unless it is proved that sharing the said data with third parties is necessary to provide a service as a data controller.

The data collected should be processed within the law, in a transparent manner and for the intended purpose. Therefore, data collectors should not disguise the purpose of collecting the data, and the data subject should consent to that kind of processing. Further, in the event the data is to be processed outside the country, the data collector should ensure that there are adequate measures for protecting that data. This can be ensured if that country has an equivalent of our Data Protection and Privacy Act or the GDPR. It is also worth noting that the data controller should not allow the data processor to process personal data unless they comply with the security measures established under the Act.

Despite the available security measures, personal data may still be accessed by unauthorized persons. When this happens, the data collector, data controller or data processor is bound to immediately notify the Authority of the unauthorized access or acquisition and of the remedial action taken. However, the Act falls short by leaving the Authority with the discretion on whether the data subject should be notified of the breach or not. I believe this does not meet the standards of the GDPR, since under it the data breach should be reported to the supervisory authority within 72 hours and to the concerned parties if the breach poses an implementation challenge, and the controller is supposed to communicate the breach to the data subject without undue delay.

Our Data Protection and Privacy Act also gives the data subject a right to object to the use of their data for direct marketing purposes. If this objection is made, the data controller is expected to notify the data subject of whether they have complied with the objection or give reasons why they will not comply. However, where the data controller does not comply, they must also communicate such reasons to the Authority, and the Authority shall make a decision on the same. Direct marketing has been defined to include communication, by whatever means, of any advertising or marketing material which is directed to an individual.

The Act further creates offences for individuals who mishandle personal data that comes into their possession. These include unlawful obtaining and disclosing of personal data; unlawful destruction, deletion, concealment or alteration of personal data; and sale of personal data.

Therefore, it is prudent for all individuals involved in data collection, data processing and data controlling to comply fully with the Data Protection and Privacy Act. The majority of companies have set down the above principles in line with the Act.