Uganda needs laws on data protection

By Brian Kisomose

trueLiterary data refers to facts and statistics collected together for reference or analysis. However, in light of Computer Misuse Act 2011, Data entails electronic representations of information in any form.

Currently Ugandan has no direct law on data protection yet as of today the country is running various programmes that require obtaining information which could be classified as private or public from the masses.

This process has practically been spear headed by the Government directly or indirectly through various agencies for instance, Sim card registration and the new compulsory registration for national identity cards.

It is not disputed that the justifications for these processes have been put forward but it is quite unfortunate that we do not have a direct law to govern protection of data collected and it is an issue that we should not take for granted.

The Data protection and Privacy Bill 2013 in view of the spirit behind it, if it were passed into an Act of Parliament would address various key issues relating to data protection, rights and duties of data subjects, processors and controllers.

It would be very meaningful to conduct exercises such as the ongoing National ID card registration for national ID cards backed or propelled by a piece of legislation than conducting the same exercise and think of an appropriate legislation to govern data protection at a future date.

Protection of data begins from the time of acquiring such information from a data subject and to me; such a stage is very fragile because various human rights and principles in relation to data protection are likely to be violated.
 

The Computer Misuse Act 2011, under section 18 is not exhaustive in as far as data protection is concerned.

In my opinion, it is merely persuasive as it provides for an unauthorised disclosure of information by persons who have access to any electronic records, books, registers, correspondences, information documents, or any material to such persons are barred from using information for any other purpose other than for which it is obtained or to any other person.

Various institutions, organizations, government’ agencies, hospitals and individuals are in possession of data in various aspects i.e patient’s information, students, employees, employers, service consumers and others in general.

Such information in most cases requires disclosure of biometric details such as place of birth, origin, names of their parents, spouses, children or dependants, physical address, contacts, health status and so on, depending on when and on what purpose information is required.

Such information has unlawfully ended up in the hands of service providers such as telecommunication companies, food stores, restaurants and other entertainment centres that send unsolicited messages to telephone company subscribers advertising and offering various products and services for sale and on offer which to the majority of the recipients of these messages are inconveniencing, and sometimes get charged to receive these messages.
 

We need a regulatory frame work with which personal data may lawfully be processed and protected. Article 27 of the 1995 Constitution as amended provides for the right to privacy of persons, homes, correspondences, communication and property.

If such information (data) is not protected and regulated, then constitutional questions in relation to violation of rights will come into question. we all know that the Bill to Rights in the constitution is not exhaustive, which implies that in as much as data subjects have duties, they also have rights that should out rightly be protected that is, notification, consent to protection of interests, preventing processing information likely to cause damage, rectification, erasing and destruction of data where appropriate, right to be protected from indirect marketing and protection from transfer of such personal data from one territory to another, without knowledge of the bearer of such information.

The rationale for data protection basically is to give effect to the right to privacy, respect to confidentiality principles in various relations such as doctor patient, employer-employee and service providers with their clients generally.

Most the rights provided for in the 1995 constitution have qualifications which are okay, if properly implemented. So it is prudent practice that before we implement policies that amount to exceptions of data protection such a national security we should have a proper and exhaustive law in place about the same.
 

I urge all stakeholders and concerned parties that as we campaign and advocate for national ID Card registration, we should expedite enacting the Data Protection Bill 2013 into an Act of Parliament.
 

The writer is from Makerere University School of Law