Personal data is for all intent and purpose confidential information that cannot be shared without the express consent of the data subject
By Kenneth Muhangi
"The right to be let alone is a part of the right to enjoy life. The right to enjoy life is in its turn, a part of the fundamental right to life of the individual." – Chief Justice Jagdish Singh Khehar in, Justice K.S. Puttaswamy (Retd.) & Anor. v Union of India & Ors, WP (Civil) 492 of 2012.
The Uganda National Examinations Board (UNEB) recently released results of candidates from every corner of the country. These results, available through a USSD code, can be accessed by any member of the public using the candidate’s index number.
While UNEB should be applauded for making it easy for parents and students to access these results, certain members of the public have taken advantage of the simple system. Online tabloids & social media gossip pages, have acquired results of persons of interest and shared them to their multitude of followers mostly to mock poor performance.
Such communication (whether online or otherwise) is driven mostly by the innate desire to gossip. Professor Yuval Noah Harari, the author of the best seller, Sapiens, A Brief History of Humankind, postulates that the evolution of human language is for the most part attributed to the need to gossip.
In the process of breaking a story or sharing/communicating (gossiping) personal data is usually disclosed & in most cases, unintentionally. Fortunately, ignorance of the law is not a defence and if your personal information is disclosed without your consent, it is possible to hold the discloser to account.
Although Uganda is yet to enforce its proposed data protection & privacy law, sharing or disclosing personal data without the consent of the owner may be a harbinger of civil and criminal action.
Personal data has been defined by the EU General Data Protection Regulation (GDPR), The African Union Convention on Cyber Security and Personal Data Protection (CCSPDP) & case law to mean any information relating to an identified or identifiable natural person (‘data subject'). An identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
An Index number is personal data and so is a bank account number, phone number, medical records, email address, any identification number (driver’s
license, passport number, NIN number etc) and even an Internet Protocol (IP) address. (On 19 October 2016, the Court of Justice of the European Union (the "CJEU") published its judgment in Case 582/14 – Patrick Breyer v Germany, in which it held that IP addresses are personal data in certain circumstances).
Personal data is for all intent and purpose confidential information that cannot be shared without the express consent of the data subject. In fact, Sections 17 & 18 of the Uganda Computer Misuse Act, 2011 criminalize the unauthorized release/disclosure of such data. The aforementioned sections are reinforced by Article 17 of the International Covenant on Civil and Political Rights (ICCP) that provides that, “no one shall be subjected to arbitrary or unlawful interference with his privacy, family, home or correspondence, nor to unlawful attacks on his honour and reputation”.
Article 17 is encapsulated in Article 27 (2) of the Constitution that provides that, “No person shall be subjected to interference with the privacy of that person’s home, correspondence, communication or other property.”
In other countries like the United States of America, Canada, South Africa & the United Kingdom (among others), data is protected as personal property and any government entity or organization that collects data does so within a strict legal framework with established data retention, destruction and collection procedures.
India recently joined the fold when in August 2017, the Supreme Court of India declared that privacy is a fundamental right protected under the country's constitution for each of its over 1.3 billion citizens. In the case (Justice K.S. Puttaswamy (Retd.) & Anor. v Union of India & Ors), privacy advocates argued that the collection of biometric data in connection with an identification card (similar to Uganda’s National Identity card) was intrusive and could ubiquitously link up data to a person's spending habits, medical records and even bank transactions.
Although the court did not specifically hold that the process of collection of data was illegal, it cautioned the Indian government against embarking on such mass collections of data and surveillance without robust and adequate data protection laws.
It is imperative that UNEB & other government agencies put in place stricter measures to protect personal data. The need for protection of personal data goes beyond merely protecting the right to privacy. In the age of the internet, and with the increase in cyber-attacks & terrorism, all a hacker needs to access a bank account or to steal a person’s identity is something as seemingly innocuous as a phone number or IP address.
This author unreservedly agrees with Chief Justice Singh of India, that the right to be let alone is a part of the right to enjoy life which in turn is a part of the
fundamental right to life. And until the public in Uganda appreciates the importance of data protection and privacy, the exploitation of such fundamental rights will remain unabated.
Writer is a technology, media, telecommunications & intellectual property law practitioner and a partner at KTA Advocates