Kampala data collection company prosecuted over information breach

_________________

Dennis Habu, the finance manager at Vuka Africa Ltd, has appeared before Grade One Magistrate Geoffrey Akena at the Makindye Standards and Utilities Court over allegations of unlawfully obtaining and disclosing a client’s personal data.

The case brought by Personal Data Protection Office (PDPO) director Baker Birikujja, follows accusations of Vuka Africa, a courier services company based in Ntinda, Kampala city, in April 2025, that allegedly accessed and shared personal data belonging to a client, Aloyo Nyeko Mega.

The company had been contracted by Jumia Africa to deliver an item to the client, but delivery agents allegedly circulated the client’s personal details among themselves without authorisation, a violation of Sections 35 and 36 of the Data Protection and Privacy Act.

At the time of the incident, Vuka Africa was operating as a data collector and processor without registration from the PDPO, contrary to Section 5 of the Act. When the case came up on December 3, 2025, the accused pleaded guilty to the charge of failing to register with the PDPO. The state submitted that although he is a first-time offender and the case involves no violence, the offence has become increasingly common.

In delivering the sentence, the court noted that the accused showed remorse, had no criminal record, and did not waste judicial resources. He was therefore handed a lenient penalty: a fine of five currency points—equivalent to sh100,000—or, in default, two months’ imprisonment. The court reminded him of his right to appeal.

The case comes at a time when Uganda is grappling with a surge in cybercrime and growing questions about the safety of personal data.

Recently, the National Information Technology Authority–Uganda (NITA-U), in partnership with the PDPO, launched a nationwide cybersecurity and data-protection campaign dubbed “Beera Ku Guard”, meaning stay guarded.

The six-month mass awareness initiative aims to reach at least 70% of Ugandans through television, radio, social media, and targeted institutional engagements.

Recently, NITA-U director of information security Arnold Mangeni said digital transformation must be built on trust and responsibility.

“We cannot talk about a modern, digital Uganda without putting safety and trust at the centre. Beera Ku Guard is a call to action for every citizen and every organisation to safeguard personal data and use digital platforms responsibly,” he said.

The campaign seeks to demystify data protection laws, promote cyber hygiene, and support the registration of at least 1,000 data-controlling organisations with the PDPO by 2026.

A panel discussion at the launch, themed “Building Public Trust in Uganda’s Data Systems,” highlighted the shared roles of government, private sector, civil society and citizens in protecting sensitive information.

PDPO manager for public relations and marketing, Paul Kakeeto, said trust is the backbone of digital transformation.

“This campaign will translate rights into simple language and inspire every Ugandan to own their online safety,” he noted.

Uganda’s digital landscape has expanded rapidly, with over 13 million citizens now active online. However, awareness gaps remain stark: while 48.8% of Ugandans have some understanding of cybersecurity, only 13.6% grasp the principles of data protection and privacy. According to the Uganda Police Crime Report 2024, cybercrime cases rose by 93.5% in 2024, with 474 incidents recorded and financial losses amounting to sh72.1 billion. Only sh420 million was recovered.

Experts attribute the spike to youth unemployment, weak enforcement of cyber laws, and the rapid adoption of digital technologies. Gideon Nkurunungi, the chief executive officer of the ICT Association of Uganda (ICTAU), urged Ugandans to treat digital security as a shared responsibility. He emphasised strong authentication, system updates, cyber-awareness education in schools, and building local cybersecurity talent as essential to protecting the digital economy.

Government efforts are anchored in the National Cybersecurity Strategy (2022–2026), designed to secure critical infrastructure, grow cybersecurity skills, and strengthen international cooperation. The strategy is built on six pillars, including threat preparedness, governance frameworks, public awareness, and safeguarding Uganda’s digital identity systems.

Despite these measures, the Uganda Police Crime Report shows that cybercrime continues to escalate, driven by economic desperation and the lack of specialised cybercrime courts.

As the country pushes to build a culture of digital vigilance through initiatives such as Beera Ku Guard, cases like that of Vuka Africa highlight the urgent need for organisations to comply with data-protection obligations and for citizens to remain alert as they navigate Uganda’s fast-expanding digital space.