UCC welcomes the opportunity to comment on the Data Protection and Privacy Bill.
UCC associates itself with the views of most Ugandans that the enactment of a law on data protection and privacy is long overdue. We are confident that a comprehensive law on the collection and processing of personal information would give effect to the right to privacy as envisaged under Article 27(2) of the Constitution of Uganda.
UCC is generally happy that the proposed provisions of the Bill will balance the concerns of business players with the right to privacy of customers. The law will bring about a stronger, more coherent data protection framework, backed by strong and coherent enforcement, that will allow the Ugandan digital economy to thrive.
We welcome the protections offered by the Bill in terms of export of data, breach notification requirements, data subjects' access rights, automated decision making, compensation and the right to be forgotten, and the provision for financial and penal sanctions for breach of the law.
We note the following:
1. Distinction between Data collectors and data controllers.
The Data Protection and Privacy Bill, in its definition section (Clause 2), distinguishes between Data Collectors, Data Processors and Data Controllers. This nomenclature is inconsistent with international best practice, which provides for two broad categories, namely Data Controllers and Data Processors; these two cover what the Bill refers to as Data Collectors.
We therefore propose that the Bill clarify this matter.
2. Enhancement of sanctions against Corporates.
While Clause 32 of the Bill provides for financial sanctions for data breach, it is recommended that the quantum of these sanctions be tiered for natural and corporate persons, with natural persons at the lower end of the spectrum and corporate persons at the higher end.
Corporates are the biggest offenders against data privacy rights, and they are the ones most likely to profit from data breaches; hence, they ought to be subjected to higher penalties.
3. Include special provision on Children and PWDs.
The Bill does not address the special needs of children and PWDs.
We propose that a special clause be added to provide for higher obligations on persons who deal with data on children and people with special needs. This is fundamentally important because children and PWDs may not be able to adequately protect themselves against data abuse.
4. Categorize financial information as sensitive (Special personal) data.
Clause 5 imposes prohibitions on special personal data. The Bill does not, however, treat (categorize) financial information as sensitive or special data requiring additional protection beyond that given to ordinary personal information.
This is particularly key in light of recent events of unauthorised disclosure of financial details by some financial institutions.
5. Data Portability
A data subject should be able to transfer his/her data from one controller or service provider to another if they so wish. The Data Protection and Privacy Bill in its current form does not provide for data portability.
We propose that a section be added giving persons the choice to transfer their data from one service provider to another.
6. Data Brokerage
Clause 32(2) of the Bill prohibits data brokerage. The law ought to balance individual rights to privacy with business needs rather than hinder or encumber trade; data brokerage should perhaps be regulated rather than totally prohibited.
We need to encourage the use of data for innovation and social good. Therefore, rather than prohibit data brokerage, we recommend that the clause provide a mechanism through which data brokerage can be regulated in order to facilitate the use of data without compromising the rights of data subjects.
7. Accounting officers for data protection.
The Bill could also consider obliging public Controllers and Processors, and those that transact with significant amounts of personal information, to appoint natural or corporate persons responsible for privacy and data protection. In the alternative, the heads of the responsible public institutions could be held accountable as an ‘Information Officer’, similar to the concept of the ‘Accounting Officer’, supported by relevant technical staff.
8. Information fiduciaries
Furthermore, the concept of ‘information fiduciaries’ should be taken into consideration.
In the law, a fiduciary is a person or business with an obligation to act in a trustworthy manner in the interest of another. Information Controllers and Processors could for example be required to comply with a set of fair information practices, including providing security and privacy guarantees.
9. Data localization.
We also propose that the Bill include a clause on data localization. Data localization rules require entities that collect data from members of the public to ensure that the data is stored within the geographical boundaries of Uganda. This will avert the risks associated with some operators hosting customers’ data outside Uganda and thereby exposing it to the risk of espionage and unlawful access. It will also allow easy monitoring of compliance with our data protection law.
The Bill provides for NITA-U as the authority responsible for data protection in Uganda. However, given that NITA-U was established as a public sector e-governance body, UCC believes that extending NITA-U’s mandate to overseeing data protection for all persons, including the private sector, would not be in line with the law under which it was established.
UCC recommends that the mandate to implement the provisions of the Act be left with the respective regulatory agencies for the different sectors, under the overall oversight of the Ministry of ICT & NG.
This will ensure easy monitoring of compliance with the provisions of the law without necessarily exposing the Government to extra administrative costs. It will also avoid the potential risk of regulatory overlaps amongst the different sector regulators.
Overall, the Data Protection and Privacy Bill is a well-drafted and long overdue initiative.
Dated this 15th day of August 2018