Data Protection and Privacy Act, 2019
Act 9 of 2019
- Published in Uganda Gazette 21 on 3 May 2019
- Assented to on 25 February 2019
- Commenced on 3 May 2019
- [This is the version of this document from 3 May 2019.]
Part I – Preliminary
1. Application
This Act applies to a person, institution or public body —
2. Interpretation
In this Act unless the context otherwise requires —
“Authority” means the National Information Technology Authority - Uganda;
“consent” means any freely given, specific, informed and unambiguous indication of the data subject’s wish which he or she, by a statement or by a clear affirmative action, signifies agreement to the collection or processing of personal data relating to him or her;
“corporation” means an entity created under a law and is separate and distinct from its owners;
“currency point” has the value assigned to it in the Schedule;
“data” means information which —
(a) is processed by means of equipment operating automatically in response to instructions given for that purpose;
(b) is recorded with the intention that it should be processed by means of such equipment;
(c) is recorded as part of a relevant filing system or with the intention that it should form part of a relevant filing system; or
(d) does not fall within paragraph (a), (b) or (c) but forms part of an accessible record;
“data collector” means a person who collects personal data;
“data controller” means a person who alone, jointly with other persons or in common with other persons or as a statutory duty determines the purposes for and the manner in which personal data is processed or is to be processed;
“data processor” in relation to personal data, means a person other than an employee of the data controller who processes the data on behalf of the data controller;
“data subject” means an individual from whom or in respect of whom personal information has been requested, collected, collated, processed or stored;
“information” includes data, text, images, sounds, codes, computer programmes, software and databases;
“Minister” means the Minister responsible for information and communications technology;
“personal data” means information about a person from which the person can be identified, that is recorded in any form and includes data that relates to —
(a) the nationality, age or marital status of the person;
(b) the educational level, or occupation of the person;
(c) an identification number, symbol or other particulars assigned to a person;
(d) identity data; or
(e) other information which is in the possession of, or is likely to come into the possession of the data controller and includes an expression of opinion about the individual;
“public body” includes the Government, a department, service or undertaking of the Government, Cabinet, Parliament, a court, local Government administration or a local council and any committee or commission thereof, an urban authority, a municipal council and any committee of any such council, any corporation, committee, board, commission or similar body whether corporate or incorporate established by an Act of Parliament relating to undertakings of public services or such purpose for the benefit of the public or any section of the public to administer funds or property belonging to or granted by the Government or money raised by public subscription, rates, taxes, cess or charges in pursuance of any written law and any council, board, committee or society established by an Act of Parliament for the benefit, regulation and control of any profession;
“processing” means any operation which is performed upon collected data by automated means or otherwise including —
(a) organisation, adaptation or alteration of the information or data;
(b) retrieval, consultation or use of the information or data;
(c) disclosure of the information or data by transmission, dissemination or otherwise making available; or
(d) alignment, combination, blocking, erasure or destruction of the information or data;
“recipient” means a person to whom data is disclosed including an employee or agent of the data controller or the data processor to whom data is disclosed in the course of processing the data for the data controller, but does not include a person to whom disclosure is made with respect to a particular inquiry pursuant to an enactment;
“third party” in relation to personal data, means a person other than the data subject, the data collector, data controller, or any data processor or other person authorised to process data for the data controller or processor.
Part II – Principles of data protection
3. Principles of data protection
4. Establishment of the personal data protection office
5. Functions of the personal data protection office
6. Data protection officer
For purposes of this Act, and in so far as it applies to an institution, the head of the institution shall designate a person as the data protection officer responsible for ensuring compliance with this Act.
Part III – Data collection and processing
7. Consent to collect or process personal data
8. Personal data relating to children
A person shall not collect or process personal data relating to a child unless the collection or processing thereof is;
9. Prohibition on collection and processing of special personal data
10. Protection of privacy
A data collector, data processor or data controller shall not collect, hold or process personal data in a manner which infringes on the privacy of a data subject.
11. Collection of data from data subject
12. Collection of personal data for specific purpose
A person who collects personal data shall collect the data for a lawful purpose which is specific, explicitly defined and is related to the functions or activity of the data collector, or data controller.
13. Information to be given to data subject before collection of data
15. Quality of information
16. Correction of personal data
17. Further processing to be compatible with purpose of collection
18. Retention of records of personal data
19. Processing personal data outside Uganda
Where a data processor or data controller based in Uganda processes or stores personal data outside Uganda, the data processor or data controller shall ensure that—
Part IV – Security of data
20. Security measures
21. Security measures relating to data processed by data processor
22. Data processed by operator or authorised person
23. Notification of data security breaches
Part V – Rights of data subjects
24. Right to access personal information
25. Right to prevent processing of personal data
26. Right to prevent processing of personal data for direct marketing
27. Rights in relation to automated decision-taking
28. Rectification, blocking, erasure and destruction of personal data
Part VI – Data protection register
29. Data protection register
30. Access to register by the public
The Authority shall make the information contained in the Data Protection Register available for inspection by any person.
Part VII – Complaints
31. Complaints against breach and non-compliance
32. Authority to investigate complaints
The Authority shall investigate every complaint made under this Part and may direct a data collector, data processor or data controller to remedy any breach or take such action as the Authority may specify to restore the integrity of data collected, processed or held by the data collector, data processor or data controller or the rights of the data subject.
33. Compensation for failure to comply with this Act
Part VIII – Offences
35. Unlawful obtaining or disclosing of personal data
36. Unlawful destruction, deletion, concealment or alteration of personal data
37. Sale of personal data
38. Offences by corporations
39. Regulations
The Minister may, after consultation with the Authority by statutory instrument make regulations for —
40. Power of the Minister to amend Schedule
The Minister may, with the approval of Cabinet, by statutory instrument, amend the Schedule.
History of this document
03 May 2019 this version
25 February 2019