Government’s call for submissions to inform Draft Data Protection and Privacy Bill comes late but should benefit lapses that occurred in absence of a law. The Bill should effectively plug the gaps in regulating the collection and processing of personal data. Presently, an absence of a rigorous law has permitted invasive intrusion into people’s privacy.
Even though Article 27 of the Constitution provides for right to privacy of person, home and other property, it is ambiguous. Even its more specific Article 27(2) provides only general guidance, and does not accord the data subject all the rights now being proposed in the Data Protection and Privacy law. Article 27(2) states: “No person shall be subjected to interference with the privacy of that person’s home, correspondence, communication or other property”. So the measures regarding data breaches, nuisance calls, among others, are not robust enough.
As it stands, the use by businesses of personal data has been haphazard without any strong restriction or risk of attracting grave legal liability. For instance, the recent registration of mobile phone users undertaken by private telecoms company ignored key Data Protection Principles, which must be observed at collection, throughout the processing of personal data. But our processes likely compromised the privacy of many Ugandans.
The exercise was done without any processing preconditions before the personal data of Ugandans were collected and processed. No phone users as data subjects were provided with any specific information at the time of data collection, processing, or soon afterwards, and up to now. Beyond the faces of telecoms as corporate data controllers, Ugandans had no information about other intended uses of data. Neither were they provided any other information, which should have rendered the processing of their data to be fair. And no Ugandan was informed of their right to object to direct marketing that would target their data.
Finally, the proposals to create an independent supervisory body to enforce these rules, rights and practices should be well-received. But as the Ministry of ICT engages Ugandans, the Draft Bill should enjoin all entities which collect, process, hold or use paper-based and electronic personal data. This will ensure the Bill sets out the rules and practices on processing personal information.
The Bill should also give rights to individuals over their personal information. This should empower data subjects to know who their data controller is, uses of the data, duration of storage of data, and any third parties access to data. Only then should Ugandans guarantee their rights to data protection and privacy.
SOURCE: Daily Monitor