By Esther Nakkazi |
Ugandan citizens’ personal data may be at risk of misuse if the Uganda Data protection and Privacy Bill (2014) to be tabled before parliament is passed in current form. Currently, large entities like telecommunications service providers, insurers, hospitals and even schools retain the information of millions of citizens who remain unaware of how secure their information is, especially as more of it becomes digitised.
While Uganda called for comments to the Bill in late 2014, little progress was made on it over the course of 2015. According to Gloria Katuuku from the Ministry of ICT, the comments received have been incorporated into a revision of the bill. “We brought this Bill before the public so that we get conclusive remarks. The bill has been gazetted and will be tabled in parliament, meaning at this time we shall just compile the concerns,” said Katuuku. She was speaking at a workshop convened by the Collaboration on International ICT Policy for East and Southern Africa (CIPESA) where Ugandan parliamentary journalists discussed data protection and privacy with reference to the bill.
The workshop was organised in conjunction
with the Uganda Parliamentary Press Association (UPPA) and aimed to create awareness among parliament journalists about clauses in the proposed law that contravene citizens’ rights, including to privacy. Few journalists were aware that government had drafted the law and called for robust media engagement with Members of Parliament so as to generate debate on data protection and privacy issues.
The former Chairman of parliament’s ICT Committee, Edward Baliddawa, said the data protection law should have been the basis for other cyber laws in Uganda. He added that as the country edges towards e-commerce, such as business process outsourcing, there is a need to regulate data controllers.
“This Bill is good for our safety and privacy as individuals and to become an e-commerce country,” he said. However,he also called for continuous engagement with all stakeholders across the lifespan of the bill – drafting, tabling to parliament and any eventual amendments.
Although existing laws such the Electronic Signatures Act, 2011, the Computer Misuse Act, 2011, the Regulation of Interception of Communications Act 2010 and the Communications Commission Act 2013 cover aspects of data protection and privacy, they contain contradictions and potentially expose users’ information to unwarranted access and misuse by authorities. Lillian Nalwoga, CIPESA’s Policy Officer, said of the laws: “These laws have broad terminologies that should be amended to repeal contradictory provisions and this can be done within the Data protection and Privacy Bill, 2014 in the contexts of data users and collectors, and to prevent abuse.”
See this Overview of How ICT Policies Infringe on Online Privacy and Data Protection in Uganda
But the proposed data protection and privacy law that is meant to address privacy of citizens’ communications and data still has ambiguous terminologies, unclear definitions and arbitration issues that will negate its purpose.
According to CIPESA officials, the drafting phrase should further engage with and seek consultations with different stakeholders including civil society, private sector, the media and academia for an extended period prior to tabling it before parliament. This would ensure that the law passed “is inclusive, accommodative and addresses the concerns raised by all the stockholders,” said Wakabi Wairagala, the head of CIPESA.
At the workshop, CIPESA officials referred journalists to various areas of concern in the draft bill including some of its ambiguous terminologies, such as Section 4 (2) which states that personal data may be collected or processed where necessary for ’national security’ or for the ‘proper performance’ of a public duty’ by a public body. However, these words can be misinterpreted and leave room for the access to and abuse of citizens’ information.
Meanwhile, Section 7 (2) says data can be collected from another person, source or public body in certain circumstances without the consent of the owner. The length of time that the collected personal data can be retained is also not indicated. Section 14 (1) states that the data cannot be held for a period longer than is necessary and says it will be retained for national security purposes.
Overall, the bill does not explicitly state what constitutes a ‘privacy infringement’, thereby leaving users’ data open to abuse by data collectors and processors. It also does not state the procedures for citizens to access their data.
See CIPESA’s review of the Bill: Reflections on the Draft Data Protection and Privacy Bill