Uganda

Fast Facts
Law
The Data Protection and Privacy Act, 2019 (the Act), while not yet in effect, is intended to support privacy protections already guaranteed to Ugandans under the Constitution and complement sectoral laws for regulated activities that had previously incorporated data protection provisions.

Under the Act, data subjects have the right to:
- access all personal data concerning them;
- prevent processing of personal data concerning them where it would cause undue damage or distress;
- prevent processing of personal data for purposes of direct marketing; and
- rectify, update, block, erase, or destroy personal data when it is inaccurate.
Personal Data
Personal data means information about a person from which the person can be identified, that is recorded in any form and includes data that relates to:
- the nationality, age or marital status of the person;
- the educational level, or occupation of the person;
- an identification number, symbol or other particulars assigned to a person;
- identity data; or
- other information in the possession of, or likely to come into the possession of the data controller and includes an expression of opinion about the individual.
Unless an exception applies, special personal data may not be processed, which is personal data relating to:
- religious or philosophical beliefs;
- political opinion;
- sexual life;
- financial information; or
- health status or medical records.
Collection and Processing
A data collector, data processor, or data controller or any person who collects, processes, holds or uses personal data shall:
- be accountable to the data subject for data collected, processed held or used;
- collect and process data fairly and lawfully;
- collect, process, use or hold adequate, relevant and not excessive or unnecessary personal data;
- retain personal data for the period authorised by law or for which the data is required;
- ensure quality of information collected, processed, used or held;
- ensure transparency and participation of the data subject in the collection, processing, use and holding of the personal data; and
- observe security safeguards in respect of the data.
Registration and Enforcement
The Act establishes a personal data protection office. Although this office is housed within the National Information Technology Authority (NITA), it is not under the direction or control of any person or Authority. The office is responsible for:
- overseeing the implementation of and being responsible for the enforcement of the Act;
- promoting the protection and observance of the right to the privacy of a person and of personal data;
- monitoring, investigating, and reporting on the observance of the right to privacy and of personal data;
- formulating, implementing, and overseeing programmes intended to raise public awareness about the Act;
- receiving and investigating complaints relating to infringement of the rights of the data subject under the Act;
- establishing and maintaining a data protection and privacy register of every person, institution or public body that collects or processes personal data; and
- performing such other functions as may be prescribed by any other law or as the office considers necessary for the promotion, implementation and enforcement of the Act.
The Minister of Information and Communications Technology will announce implementation regulations at some point in the future. Data controllers and processors will be required to appoint a data protection officer responsible for ensuring compliance with the Data Protection and Privacy Act, but the Act does not specify criteria for the appointment of data protection officers.
Cross-border Transfer
Security and Breach Protocol

Data protection law not yet enforced

Last updated: 31 March 2020

Murchison Falls by S. Salle | Courtesy of hillsofafrica.com

Privacy | Information | Activism

Read our Legal Notice and Terms of Use.

Uganda