Probe into data breach at USE complete, says PDPO
Jul 13, 2023
The Personal Data Protection Office (PDPO) has concluded its investigation into the data security breach involving the Uganda Securities Exchange (USE) and its technology partner, Soft Edge Uganda Ltd.
According to a statement released by PDPO on Thursday, the breach resulted in unauthorised access to the personal data of individuals whose data was collected by USE.
The investigation found that the data security breach was caused by non-compliance with the Information Systems Policies Manual, the Data Protection and Privacy Act, and supporting Regulations.
The breach was specifically attributed to a firewall configuration change, made outside the established change management procedures, that left a port open.
Additionally, there were critical areas of non-compliance with the Data Protection and Privacy Act and supporting Regulations. For instance, the Maintenance Agreement between USE and Soft Edge Uganda Ltd lacked necessary data protection and privacy clauses.
According to PDPO, the agreement failed to specify the types of personal data to be shared and the obligations of both parties to ensure data security and privacy. This inadequacy left the parties without clear data protection and privacy responsibilities.
Another significant finding was that both USE and Soft Edge Uganda Ltd failed to regularly verify whether the implemented security safeguards were effective. This oversight led to the data security breach going unnoticed for twelve (12) days.
Furthermore, Soft Edge Uganda Ltd, a data processor for USE, was not registered with the PDPO as required by the Act. This registration was still not completed after the investigation into the data security breach had started, constituting a legal violation.
Disciplinary action
PDPO has recommended that USE initiate disciplinary proceedings, in line with its employee policies, against errant personnel for their role in the breach.
Furthermore, PDPO recommended that USE ensure the Information Systems Policies Manual is implemented throughout its operations, and that the policy and data-sharing agreements are reviewed and updated to ensure compliance with the Data Protection and Privacy Act and supporting Regulations.
USE is expected to implement the recommendations and others provided in the report within three (3) months from today, July 13, 2023.
The PDPO has commenced enforcement action against USE and Soft Edge Uganda Ltd for non-compliance with the Data Protection and Privacy Act and supporting Regulations in the areas where a violation of the law was established.
PDPO
The Personal Data Protection Office is the national body responsible for the implementation of and enforcement of the Data Protection and Privacy Act and attendant Regulations. PDPO coordinates, supervises and monitors all organisations collecting and processing personal data within Uganda and outside Uganda where it relates to Ugandan citizens.