Ugandan companies face increased pressure to secure sensitive data

According to the Data Privacy and Protection Regulations published in 2021, organizations that collect personal biodata are now required to register with the Personal Data Protection Office (PDPO) of Uganda.

Banks, micro-financiers, insurance companies, auditing firms, law firms, telecommunications companies, government ministries and agencies, hospitals, schools, utility companies, airlines, and many more are among the impacted organizations.

The Uganda Securities Exchange (USE), which suffered a significant breach last year that disclosed glaring flaws in the stock market’s data storage systems, has so far received criticism from the personal data protection authorities. A local civil society organization informed the PDPO of the data security incident in 2022.

In June of this year, the PDPO conducted an investigation into the situation, and its results exposed serious flaws in the bourse’s data management procedures. As a result of the data leak, it also criticized USE’s technical services supplier.

“The USE had experienced a personal data security breach which continued for 12 days without the knowledge of either the USE or its service provider. Personal information accessed included national identification numbers, names, dates of birth, email addresses, physical addresses, and telephone numbers, which could be used to identify data subjects,” the legal brief by PWC Uganda last month reads.

“The information accessed included personal information that Soft Edge had accessed by virtue of its contractual relationship with the USE,” the brief adds.

The USE data management platforms were found to have glaring deficiencies, but the PDPO nonetheless gave the bourse’s management a three-month corrective order to fix them. This month marks the end of the compliance window.

“There is a growing volume of personal data being collected in many sectors and there is a need to sensitize those that collect it and those that provide it on their rights and obligations,” Stella Alibateese, PDPO Uganda Chief, said.

“We have realized that many people do not understand their rights as owners of personal data and organizational levels of understanding in matters of data protection differ a lot in this market,” she added.

Following a pause last year, recent agreements between the PDPO, the Uganda Communications Commission and the NGO Registration Board demonstrate that the data protection regulator is now stricter.

“The biggest challenge here is capturing correct personal data in an environment where the government struggles to issue national identification cards to its citizens. Protecting data from hackers is another dilemma. Hackers are always active towards select targets,” a data analyst in the country noted.

“Some of the underlying costs are difficult to figure out because of a weak technology regulatory environment in Uganda. For example, if an agency brings certain creative work to us that includes an image of someone picked from Instagram but is not marked and there is no way to verify the price of that image using online tools, how would you comply with data protection guidelines in this case?” he added.
