The Personal Data Protection Office (PDPO), a data protection authority established as an independent office under the National Information Technology Authority, Uganda (NITA-U), today celebrated 100 days since the office started its operations.
The event was organized to show the progress the office has made over the first 100 days but most important to raise awareness on the need for individuals and organizations to register and share experiences on data privacy to enable PDPO to improve the process where necessary.
PDPO is responsible for overseeing the implementation of and enforcement of the Data Protection and Privacy Act No. 9 of 2019. The office’s statutory powers and functions derive from the Data Protection and Privacy Act No. 9 of 2019 which, inter alia, gives effect to Article 27 of the Constitution of the Republic of Uganda.
PDPO is headed by a national personal data protection director, Ms. Stella Alibateese who reports directly to the NITA-U Board.
In her remarks, Alibateese thanked all those who have worked with the office during the first 100 days. “I am certain that with your support we shall ensure we implement the mandate of the Personal Data Protection Office as expected of us,” she said.
PDPO has collaborated with UNCDF to develop a registration portal which is now at 60 percent completion and will allow individuals and organizations to register and share experiences about data privacy to enable the office to improve the process where necessary to protect users’ data.
The office is putting a particular focus on creating awareness on registration for various reasons such as;
- Willingness for individuals and organizations to comply with the law when it comes to data privacy.
- Upon registration, organizations have the opportunity to review the law and create awareness of their obligations.
- Organizations will best understand what personal data they collect, why they collect it, how they use it, who they share it with, how it is secured, how long it is retained, and many other matters that come to their knowledge as they complete the forms. As such, this process can motivate organizations to start the process of developing their data protection and privacy frameworks.
With a few reasons given on why one needs to register, Alibateese urged the public not only to register but to also spread the word when it comes to data privacy protection. She noted that “Increasingly, African countries are enacting data protection and privacy laws and soon the entire continent will be enforcing data protection laws. Compliance with data protection laws will therefore seize to be a matter of choice but of necessity.”
While concluding her remarks, Alibateese said that the Office has provided what you need, including a guidance note on registration, and a webinar on registration has been done. She said, “This information can be found on our website www.pdpo.go.ug. Further, we are also available through the government service desk to respond to any inquiries on registration and other matters within the law.”
The Personal Data Protection Office’s functions and powers are to:
- Oversee the implementation of and be responsible for the enforcement of the Data Protection and Privacy Act and Regulations thereunder.
- Coordinate, supervise, and monitor data collectors, data processors, data controllers, and data subjects on all matters relating to the Data Protection and Privacy Act, 2019.
- Set, monitor, and regulate standards for personal data protection and privacy.
- Establish and maintain a data protection and privacy register.
- Monitor, investigate, and report on the observance of the right to privacy and of personal data.
- Receive and investigate complaints relating to infringement of rights of the data subject under the Data Protection and Privacy Act, 2019.
- Provide guidance to data collectors, data processors, data controllers, and data subjects about their data protection and privacy rights, obligations, and responsibilities under the Data Protection and Privacy Act, 2019.
The Data Protection and Privacy Act is a law enacted to protect the privacy of the individual and of personal data by regulating the collection and processing of personal information; to provide for the rights of the persons whose data is collected and obligations of data collectors, data processors and data controllers and to regulate the use or disclosure of personal information.
Where an offense that relates to the infringement of a data subject’s rights or is in violation of the Data Protection and Privacy Act or following investigations by the Authority, and such offenses are committed by a corporation, the court in addition to the punishment order the corporation pay a fine not exceeding two (2) percent of the corporation’s annual gross turnover.