
Uganda
Data Protection
Introduction
The right to privacy is a fundamental human right guaranteed under Article 27 of the Constitution of Uganda. In Uganda, the primary law governing data protection is the Data Protection and Privacy Act, Cap 97 (DPPA) and the Data Protection and Privacy Regulations, S.I. No. 21 of 2021 (“the Regulations”) made thereunder. The Personal Data Protection Office (PDPO) is the statutory body responsible for personal data protection in Uganda.
1. What national laws regulate the collection, use and disclosure of personal data?
The DPPA and the Regulations regulate the collection, use and disclosure of personal data in Uganda.
The DPPA provides for the principles of data protection, data collection and processing, security of data, rights of data subjects, the data protection register, complaints and offences.
The Regulations provide for procedural matters, such as management of the PDPO and registration of data collectors, processors and controllers, and procedures for the enforcement of personal data privacy rights.
2. To whom do the laws apply?
The DPPA and the Regulations apply to persons, institutions and public bodies that collect, process, hold or use personal data within Uganda and outside Uganda, where such persons, institutions or public bodies collect, process, hold or use personal data relating to Ugandan citizens.
Section 2 of the DPPA provides the following key definitions:
- A data collector is a person who collects personal data.
- A data controller is a person who, alone, jointly with other persons or as a statutory duty, determines the purposes for and the manner in which personal data is processed or is to be processed.
- A data processor is a person other than an employee of the data controller who processes the data on behalf of the data controller.
- A data subject is an individual from whom or in respect of whom personal information has been requested, collected, collated, processed or stored.
- Personal data means any information about a person from which the person can be identified, that is recorded in any form, and includes data that relates to the nationality, age or marital status of the person, the educational level or occupation of the person, an identification number, symbol or particulars assigned to a person, identity data or other information which is in the possession of or is likely to come into the possession of the data controller, and includes an expression of opinion on that individual.
3. What is the territorial scope of the law?
The DPPA applies within Uganda and outside Uganda, where the personal data relates to Ugandan citizens. The DPPA and the Regulations have extraterritorial jurisdiction if the personal data of Ugandan citizens is processed.
4. What acts and operations relating to personal data are regulated?
The following are regulated in Uganda:
- Collection of personal data.
- Storage of personal data.
- Use of personal data.
- Further processing of personal data.
- Correction or deletion of personal data.
- Retention of records of personal data.
- Processing of personal data outside Uganda.
- Controlling personal data. This is defined to mean the purpose and manner in which personal data is processed or for which it is to be processed.
- Processing personal data. This is defined to mean any operation which is performed upon collected data, by automated means or otherwise, and includes: organisation, adaptation or alteration of the information or data; retrieval, consultation or use of the information or data; disclosure of the information or data by transmission, dissemination or otherwise making available; or alignment, combination, blocking, erasure or destruction of the information or data.
5. What personal data does the law regulate?
The DPPA and the Regulations regulate information about a person from which the person can be identified that is recorded in any form and includes data that relates to:
- Identifiers. This includes marital status, postal address, email address, unique personal or online identifier, account name, identification number, symbol or other particulars assigned to a person, social security number, driver’s licence or passport number or another form of persistent or probabilistic identifier that can identify a particular data subject.
- Individual’s financial information. This includes records of personal property and purchasing habits.
- Sensory data. This includes photographs, video recordings and voice recordings of data subjects.
- Internet or network activity. This includes browsing history, search history or information regarding a data subject’s interaction with a website, application, or advertisement.
- Geolocation data. This means data taken from a user’s device or online activity (web or app) which indicates the geographical location of that device, including GPS data.
- Education level information. This includes educational level and education qualifications.
- Professional information. This includes professional association membership details, performance evaluations and disciplinary actions.
- Inferences drawn from other personal data to create individual profiles. This includes preferences, characteristics, psychological trends, predispositions, behaviour, attitudes, intelligence, abilities or aptitudes.
6. Are any types of personal data subject to a higher level of protection under the law?
Yes. This includes the following three categories:
- Personal data relating to children must be collected or processed only with the prior consent of a parent, guardian or any other person having authority to make decisions on behalf of the child. This is provided for under section 8(a) of the DPPA and Regulation 11 of the Regulations. Furthermore, personal data relating to children may also be processed where it is necessary to comply with the law, or where it is for research or statistical purposes.
- Special personal data, as defined in section 9(1) of the DPPA, includes information about religious or philosophical beliefs, political opinion, sexual life, financial information, and health status or medical records of an individual, and its collection and processing are generally prohibited. Section 9(3) specifies three legal bases for processing this data, that is, when it is towards fulfilling an employer’s legal obligation, when explicit consent from the data subject is obtained, or when conducting legitimate activities by a non-profit organisation related to its members, without disclosing the data to third parties without consent.
- Personal data which poses a high risk to the rights and freedoms of natural persons is also accorded more protection under the law. Under Regulation 12 of the Regulations, a data collector, data processor or data controller must conduct a data protection impact assessment prior to collecting or processing such data, including a systematic description of the envisaged processing and the purposes of the processing and an assessment of the risks to personal data and the measures to address the risks, as well as any other matter required by the PDPO.
7. What requirements must be fulfilled in order to process personal data?
- There should be a lawful basis for the processing of the personal data. The primary basis is consent. Mandatory consent is required before collection and processing of personal data unless it is excepted by the DPPA. Consent is defined by the DPPA to mean any freely given, specific, informed and unambiguous indication of the data subject’s wish, i.e., that he or she, by a statement or by a clear affirmative action, signifies agreement to the collection or processing of personal data relating to him or her. Consent should therefore be obtained in a manner that fulfils the requisites in this definition.
- For transfers of personal data outside Uganda, one of the requirements is that the data subject has consented to the processing or storing of personal data outside Uganda. This consent must be obtained in a manner and form that takes into consideration the nature of the personal data sought to be processed or stored outside Uganda.
- As exceptions to consent, personal data may also be collected and processed where:
- the collection or processing is authorised or required by law;
- the collection is necessary for the proper performance of a public duty by a public body;
- the collection is necessary for national security;
- the collection is necessary for the prevention, detection, investigation, prosecution or punishment of an offence or breach of law;
- the collection is necessary for the performance of a contract to which the data subject is party, or to take steps at the request of the data subject prior to entering a contract;
- the collection is necessary for medical purposes;
- the collection is necessary for compliance with a legal obligation imposed on a data controller; or
- the collection or processing is subject to the legitimate interest of a data collector, processor or controller.
8. What obligations apply when processing personal data?
Section 3 of the DPPA requires a data collector, data processor or data controller or any person who collects, processes, holds or uses personal data to:
- be accountable to the data subject for data collected, processed, held or used;
- collect and process data fairly and lawfully;
- collect, process, use or hold adequate, relevant and not excessive or unnecessary personal data;
- retain personal data for the period authorised by law or for which the data is required;
- ensure quality of information collected, processed, used or held;
- ensure transparency and participation of the data subject in the collection, processing, use and holding of the personal data; and
- observe security safeguards in respect of the data.
There is a requirement for every institution that processes or controls personal data to designate a person as a data protection officer responsible for ensuring compliance with the DPPA.
There is an obligation to obtain the prior consent of a data subject before collecting personal data.
There is an obligation on the data controller or data processor to ensure that personal data is complete, accurate, up to date and not misleading.
There is an obligation on data controllers to implement security measures to guard the integrity of personal data in their possession, and to implement appropriate, reasonable, technical and organisational measures to prevent loss, damage, or unauthorised destruction and unlawful access to or unauthorised processing of personal data.
There is also an obligation on the data controller to ensure that a data processor complies with security measures required under the Act, before permitting them to process personal data.
There is an obligation to notify the PDPO of data security breaches, where there is reason to believe that the personal data of a data subject has been accessed or acquired by an unauthorised person.
9. What rights does the data subject have in relation to personal data?
A data subject has the following rights:
- The right to consent to collection of their personal data.
- The right to access personal information in the possession of a data controller, upon providing proof of identity (a national identification card/alien identification card; a passport or any travel document or a driver’s licence) and making a written request to confirm possession of personal data.
- The right to prevent processing of personal data which is likely to cause unwarranted substantial damage to the data subject or where such processing is not compatible with the purpose for which the personal data was collected. This is done by submitting a written notice to the data controller.
- The right to appeal a decision to continue processing personal data.
- The right to prevent processing of personal data for direct marketing.
- The right to request that a data controller or data processor prevent decisions which significantly affect the data subject from being solely made based on processing by automatic means.
- The right to request rectification, blocking, erasure and destruction of personal data by submitting a written complaint concerning inaccurate personal data in the possession of a data controller.
10. What rules regulate the sending of commercial or direct marketing communications?
Commercial or direct marketing is permitted in Uganda. However, section 26(1) of the DPPA provides that a data subject can, through a notice in writing, require a data controller to stop processing their personal data for the purposes of direct marketing. Within 14 days of receipt of this notice, a data controller is required to inform the data subject that they have complied with their request, that they intend to comply, or of the reasons for non-compliance.
Where the data controller gives reasons for non-compliance, a copy of the notice given to them by the data subject should also be given to the PDPO. Where personal data relates to Ugandan citizens, the right to stop such marketing should be noted, including the applicable timelines for responding to the data subject.
11. What rules and requirements regulate the transfer of personal data outside your jurisdiction?
Under section 19 of the DPPA and Regulation 30 of the Regulations, personal data and special personal data can be transferred outside Uganda where:
- The country to which the personal data is to be transferred has adequate measures in place for the protection of the data equivalent to the protections in Uganda.
- The data subject has consented to the processing or storing of personal data outside Uganda. This consent must be obtained in a manner and form that takes into consideration the nature of the personal data sought to be processed or stored outside Uganda.
Any personal data already transferred out of Uganda shall not be further transferred to or processed in a third country without the express consent of the data subject.
Transfers of personal data of Ugandan citizens to other countries should only be made with the consent of the data subjects or if the destination country has adequate protection. Note that the PDPO is required to publish a list of countries with adequate protection but is yet to do so.
12. What are the investigatory and enforcement powers of the regulator?
The PDPO has powers to monitor, investigate and report on the observance of the right to privacy and of personal data.
The PDPO also has the mandate to receive and investigate complaints relating to infringement of the rights of the data subject under the DPPA.
This complaint must be investigated by the PDPO within 21 days. During such an investigation, the PDPO may issue a written notice requiring any person:
- to attend at a specified time and place for the purpose of being examined orally in relation to the complaint;
- to produce any document, record or article as may be required with respect to any matter that is relevant to the investigation; and
- to furnish a statement in writing made under oath or on affirmation setting out all information which may be required under the notice.
The Regulations also grant the PDPO power to serve an infringing data collector, data processor or data controller with a notice requiring them:
- to take or refrain from taking steps specified in the notice within the time stated in such a notice;
- to refrain from processing any personal data or data of a description specified in the notice;
- to refrain from processing personal data except in accordance with directions contained in the notice; or
- to take any remedial action specified in the notice.
13. What are the sanctions and remedies for non-compliance with data protection laws?
- Failure to register with the PDPO is an offence under Regulation 15(1) of the Regulations. All data collectors, processors, or controllers must register. If convicted for non-registration, the company and responsible officers may face a fine of up to UGX 120,000 (approximately USD 31), imprisonment for up to three months, or both.
- Damages under order of court is a remedy for contravention of the provisions of the DPPA. Under section 33(1) of the DPPA, where a data subject suffers damage or distress through the contravention by a data controller, data processor or data collector of the requirements of the Act, that data subject is entitled to apply to a court of competent jurisdiction for compensation from the data collector, data processor or data controller for the damage or distress.
- Failure to comply with regulations on transferring personal data outside Uganda is an offence. Under Regulation 30(6) of the Regulations, data collectors, processors, or controllers must ensure adequate data protection in the destination country or obtain the data subject’s consent. The penalty for non-compliance is a daily fine of up to UGX 40,000 (approximately USD 13) or imprisonment for up to three months, or both.
- Collecting personal data without the consent of the data subject is prohibited under Regulation 34(1) of the Regulations. Offenders, on conviction, are liable to pay a daily fine of up to UGX 60,000 (approximately USD 16) or up to six months of imprisonment, or both. Corporations and their knowingly complicit officers are also liable, and the court may revoke the corporation’s registration with the PDPO.
- Unlawful obtaining, disclosure or procurement of the disclosure to another person of personal data is prohibited. This is an offence under section 35 of the DPPA and a person is liable on conviction to pay UGX 4,800,000 (approximately USD 1,247) or imprisonment for 10 years or both.
- Unlawful destruction, deletion, concealment or alteration of personal data is an offence under section 36(2) of the DPPA and the penalty is a fine not exceeding UGX 4,800,000 (approximately USD 1,247) or imprisonment of up to 10 years, or both.
- It is an offence to sell personal data. The penalty for this is a fine not exceeding UGX 4,800,000 (approximately USD 1,247) or imprisonment of up to 10 years, or both.
- Where any of the above are committed by a corporation, the corporation and every officer of the corporation who knowingly and wilfully authorises or permits the contravention commits the offence. Further, where a court convicts a person, the court may, in addition to the punishment, order the corporation to pay a fine not exceeding 2% of the corporation’s annual gross turnover, taking into consideration the gravity of the offence in determining the fine to impose.
- Failure to comply with a notice issued by the PDPO is also an offence, with the penalty on conviction being a fine not exceeding UGX 60,000 (approximately USD 16) for each day in default of the notice or to imprisonment not exceeding six months, or both.