CIPESA Submits Comments On The Uganda Data Protection and Privacy Bill, 2015

Official Submission |
Article 27 of Uganda’s constitution provides for citizens’ right to privacy, however, there is no law to protect an individual’s data privacy despite the large amounts of citizen data collected by government departments and private entities on a regular basis. More concerning, is that this data is collected with no guarantee of its protection and privacy.
Some existing legislation, for instance the Computer Misuse Act, 2011 (section 18); Access to Information Act, 2005 (section 26); Uganda Communications Act, 2013 (section 79); Electronic Signatures Act, 2011 (section 81); and the Regulation of Interception of Communications Act, 2010 (section 2) prohibit unauthorised access and disclosure of information. However, the provisions in these laws are not elaborate and do not adequately protect personal data.
The publication of the draft Data Protection and Privacy Bill 2014 was therefore a milestone. Accordingly, the Collaboration on International ICT Policy for East and Southern Africa (CIPESA) submitted comments to that version of the bill. Various concerns were raised including vague wording which left the bill open to misinterpretation, unclear procedural processes for collection and retention, as well as the costs associated with accessing personal data.
More recently on , CIPESA welcomes the Parliament of Uganda’s call for submissions on the Draft Data Protection and Privacy Bill, 2015. It once again gives opportunity for stakeholders to provide input to ensure that the law, when enacted, measures up to internationally acceptable standards of data protection.
In our latest submission, we highlight some of the positive principles and provisions of the Bill. Furthermore, we indicate areas of concern and suggest amendments to ensure that if the bill is passed into law, there are sufficient safeguards to regulate the collection, storage and use of data towards upholding citizens’ right to privacy.
See the full submission made on the Uganda Data Protection and Privacy Bill, 2015 presented to the Committee on Information and Communication Technologies (ICT) in the Parliament of the Republic of Uganda

Report: Women's Rights and the Internet in Uganda

This submission is a joint stakeholder contribution to the second cycle of the Universal Periodic Review (UPR) mechanism for Uganda. This submission focuses on women’s rights and the internet in Uganda. It explores the extent of implementation of the recommendations made in the previous cycle of the UPR and also identifies emerging concerns in Uganda regarding women’s rights online.
See the full report here

CIPESA Convenes Journalists to Discuss Uganda’s Data Protection Bill

By Esther Nakkazi |
Ugandan citizens’ personal data may be at risk of misuse if the Uganda Data protection and Privacy Bill (2014) to be tabled before parliament is passed in current form. Currently, large entities like telecommunications service providers, insurers, hospitals and even schools retain the information of millions of citizens who remain unaware of how secure their information is, especially as more of it becomes digitised.
While Uganda called for comments to the Bill in late 2014, little progress was made on it over the course of 2015. According to Gloria Katuuku from the Ministry of ICT, the comments received have been incorporated into a revision of the bill. “We brought this Bill before the public so that we get conclusive remarks. The bill has been gazetted and will be tabled in parliament, meaning at this time we shall just compile the concerns,” said Katuuku. She was speaking at a workshop convened by the Collaboration on International ICT Policy for East and Southern Africa (CIPESA) where Ugandan parliamentary journalists discussed data protection and privacy with reference to the bill.

CIPESA Policy Officer being interviewed by journalists
CIPESA Policy Officer being interviewed by journalists

The workshop was organised in conjunction
with the Uganda Parliamentary Press Association (UPPA) and aimed to create awareness among parliament journalists about clauses in the proposed law that contravene citizens’ rights, including to privacy. Few journalists were aware that government had drafted the law and called for robust media engagement with Members of Parliament so as to generate debate on data protection and privacy issues.
The former Chairman of parliament’s ICT Committee, Edward Baliddawa, said the data protection law should have been the basis for other cyber laws in Uganda. He added that as the country edges towards e-commerce, such as business process outsourcing, there is a need to regulate data controllers.
“This Bill is good for our safety and privacy as individuals and to become an e-commerce country,” he said. However,he also called for continuous engagement with all stakeholders across the lifespan of the bill – drafting, tabling to parliament and any eventual amendments.
Although existing laws such the Electronic Signatures Act, 2011, the Computer Misuse Act, 2011, the Regulation of Interception of Communications Act 2010 and the Communications Commission Act 2013 cover aspects of data protection and privacy, they contain contradictions and potentially expose users’ information to unwarranted access and misuse by authorities. Lillian Nalwoga, CIPESA’s Policy Officer, said of the laws: “These laws have broad terminologies that should be amended to repeal contradictory provisions and this can be done within the Data protection and Privacy Bill, 2014 in the contexts of data users and collectors, and to prevent abuse.”

See this Overview of How ICT Policies Infringe on Online Privacy and Data Protection in Uganda

But the proposed data protection and privacy law that is meant to address privacy of citizens’ communications and data still has ambiguous terminologies, unclear definitions and arbitration issues that will negate its purpose.
According to CIPESA officials, the drafting phrase should further engage with and seek consultations with different stakeholders including civil society, private sector, the media and academia for an extended period prior to tabling it before parliament. This would  ensure that the law passed “is inclusive, accommodative and addresses the concerns raised by all the stockholders,” said Wakabi Wairagala, the head of CIPESA.
At the workshop, CIPESA officials referred journalists to various areas of concern in the draft bill including some of its ambiguous terminologies, such as Section 4 (2) which  states that personal data may be collected or processed where necessary for ’national security’ or for the  ‘proper performance’ of a public duty’ by a public body. However, these words can be misinterpreted and leave room for the access to and abuse of citizens’ information.
Meanwhile, Section 7 (2) says data can be collected from another person, source or public body in certain circumstances without the consent of the owner. The length of time that the collected personal data can be retained is also not indicated. Section 14 (1) states that the data cannot be held for a period longer than is necessary and says it will be retained for national security purposes.
Overall, the bill does not explicitly state what constitutes a ‘privacy infringement’, thereby leaving users’ data open to abuse by data collectors and processors. It also does not state the procedures for citizens to access their data.

See CIPESA’s review of the Bill: Reflections on the Draft Data Protection and Privacy Bill


Promoting Online Safety in Africa

The global community on February 10 marked Safer Internet Day which promotes safe and responsible use of Information and Communication Technologies (ICT) mainly amongst children and young people across the world.
The day provided an opportunity to see what African stakeholders are doing in promoting access to the internet and ensuring that this access comes with a culture of digital safety habits.
Companies like Google Africa in partnership with local organisations marked the day by hosting a series of events across the continent targeting youth and advocating for better internet practices. This included a hangout session that brought together audiences from Nigeria, Senegal, South Africa and Kenya.
In East Africa, the OpenNet Africa initiative held a twitter chat, to explore internet safety and security while questioning how various organisations are addressing these issues.

The discussion noted that a number of challenges exist in the online sphere due to the increased internet exposure for youth and adults alike. While the internet is a useful educational resource, it has become home to online child predators and even sparked trends in online bullying and the sharing of sensitive information amongst youth unaware of the repercussions that this may have.

According to the State of Internet Freedom in East Africa 2014 report, increasing internet usage in the region particularly access to social network sites such as Facebook and Twitter, has led to an increment in democratic participation and the expansion of opinion expressed in the public domain. Mobile phones were indicated as the main tool used to access the internet and youth constituted the largest proportion of social media users.
Many governments in the region, however, keep trying to play catch up with the rapidly changing digital landscape and in many instances fall short on guaranteeing the human rights afforded in their constitutions. This has been seen in the policy and legislative environment of many East African countries which impede internet freedoms, including by granting excessive surveillance power to the police without sufficient oversight, and curbing freedom of expression and freedom of the press primarily against those critical of the state.
The Twitterthon participants shared that despite the existence of pan-African frameworks such as African Union Convention On Cyber Security And Personal Data Protection and the Declaration of Principles on Freedom of Expression in Africa of 2002, few countries have adopted laws that safeguard privacy, protect data and guarantee freedom of expression in the online sphere.
Meanwhile, efforts to promote ICT access for the youth, including through ICT literacy curriculums, remained low. Consequently, incidents and concerns about cyber bullying, online abuse, data protection, surveillance and privacy have risen alongside the exponential growth that internet access has seen in Africa.  

For instance, chat participants from Tanzania expressed concern at not having adequate laws that protect the online rights of users, also pointing out the lack of a data protection law. In Kenya, a data protection Bill drafted back in 2013 has made little progress to date. While in Uganda, the review of the Data Protection and Privacy Bill drafted towards the end of 2014 is ongoing.

Other efforts towards safeguarding online safety shared included an online safety education toolkit  for Young People in Uganda developed by the Internet Society Uganda as part of its ongoing activities in the country.
See more of the Safer Internet Day Twitter chat on Promoting internet Safety in Africa on Storify.

Reflections on Uganda’s Draft Data Protection and Privacy Bill, 2014

Towards the end of 2014, Uganda’s government through the National Information Technology Authority (NITA-U), Ministry of Information Communication and Technology (MoICT) and the Ministry of Justice and Constitutional Affairs (MOJCA) issued a draft Data Protection and Privacy Bill for public comment. The Bill seeks to protect the privacy of the individual and personal data by regulating the collection and processing of personal information. It provides for the rights of persons whose data is collected and the obligations of data collectors and data processors; and regulates the use or disclosure of personal information.
The Collaboration on International ICT Policy in East and Southern Africa (CIPESA) welcomes the move by the Uganda Government, however, following an analysis of the Bill, we identified some areas of concern and gaps that need to be addressed. We have assembled our comments as part of the CIPESA ICT briefing series and have also submitted official comments to the government as part of the public comments phase.
Read more on our Reflections on Uganda’s Draft Data Protection and Privacy Bill, 2014 in the CIPESA ICT Briefing series and see our Formal Comments Submitted for consideration.