BarefootLaw

DATA PROTECTION FAQS

DATA PROTECTION: WHAT DOES IT HAVE TO DO WITH ME?

From the outset, we should be clear that personal data/information is at risk not only on social media but in many other dealings we engage in. HOWEVER, consider the following.

There are about 2.80 million social media users in Uganda as of January 2022. Of these, 2.5 million users are on Facebook and about 582,100 are on Instagram.

If you follow us on Facebook, Twitter, Instagram or other social media platforms, congratulations: you are part of the 2.8 million users that are based in Uganda.

Most of us tend to give other people permission to collect information about us and to use (and do certain things with) our personal information.

Another interesting fact is that although in most countries a child is a person below 16-18 years, most social media platforms allow persons who are 13 years and above to sign up for an account. If you are one of the 13–18-year-olds, or a parent/guardian of one, then this is essential reading.

  1. WHAT IS DATA AND WHAT AMOUNTS TO DATA?

Simply put, data is information that describes or identifies someone or something. Personal data is any information which, when exposed, can enable someone else to identify you.

Personal data can include pictures, texts, sounds, even your expression of an opinion (for instance, posts on social media). Other common examples include your National ID Number (NIN), age, nationality, occupation and academic qualifications, email addresses, phone numbers, salary details, bank account information and family members’ personal details.

It is evident, therefore, that this data should be protected at all costs because it can be harmful to the owner of the information if it is misused or falls into the wrong hands.

  2. HOW DO OTHERS GET YOUR DATA?

There are usually 3 ways that people get your data:

  1. VOLUNTARILY: In a perfect world, your personal data would only be got by others if you willingly gave it to them. This is what the law also desires, that your personal data should only be given or taken with your permission (consent). If a person comes to your home and requests that you share your mobile phone number with them so they can send you messages about what they sell, you have a choice to accept and give them this information or to refuse. If you know what information is required and you make an informed decision to give it to them, then you have voluntarily shared your personal data.
  2. MANDATORY: There are instances when the law requires certain data from you as a MUST or allows someone to take that data with or without your permission for a specified and lawful purpose. For example, a population census is a must and everyone is required to disclose certain personal data to the government whether they want to or not.

Mandatory data collection can include:

1. when there is mandatory immunization of children.

2. if there is a public duty that everyone must perform such as community cleaning, data about all residents in that area may be taken without their permission to make sure that everyone participates.

3. if it is a matter of national security such as when a crime needs to be prevented or to prosecute someone or carry out investigations. For example, as the suspect of a crime, your personal details may be taken to enable investigations to be carried out.

4. for medical purposes and for compliance with a legal obligation such as the payment of taxes. URA may not need your permission to check your transactions or bank account details if they are following up on unpaid taxes.

  3. QUALIFIED (CONSENT REQUIRED AS CONDITION FOR USE): There are also times when, before you can use a certain service or product, you are required to give the service provider permission to collect and use your personal information. In this case, no one forces you to give consent (permission), but for you to proceed further in using, consuming or enjoying the product or service, you must first give the required consent. This is commonly found when you download applications for your smartphone, or if you want to sign up for an email address or open a social media account.

  3. WHAT YOU NEED TO KNOW IF YOU ARE GETTING/COLLECTING PERSONAL DATA

The law (Data Protection and Privacy Act 2019) requires that anyone who collects or handles personal data from people should consider the following when collecting it:

  • Be accountable to those whose data you are collecting. (This means telling them what you want the data for and for how long so that they can give informed consent to the collection of their personal data.)
  • Make sure the information is collected lawfully and for a lawful purpose.
  • Transparency and participation of data subjects in collection and processing. This means that you must be clear about how you will use the information and offer them a chance to make changes to the information collected where necessary.
  • The data collected must be the amount that is adequate for the purpose. This means that even if there is more data but you do not need it, then you should not collect it.
  • Only the data that is relevant for the project or activity should be collected.
  • Minimisation of data collected (only take what is needed for the purpose).
  • Data must be retained for only the period authorised by law or for the purpose that was originally stated.
  • Quality and accuracy of data collected, processed, used or stored. As the person collecting personal data, you must make sure it is accurate so it does not mislead or misrepresent someone or the facts.
  • You must ensure that there are security safeguards so that the privacy of the personal data is storage of personal data.

  4. WHAT IS CONSENT?

Consent refers to the permission for something to happen or the agreement to do something. When dealing with personal data, the law requires that consent of the person whose data is being collected or handled be obtained.

4.1 HOW DO YOU SHOW THAT CONSENT WAS OBTAINED?

The person whose data is being collected should freely (willingly) and clearly indicate, either in writing or by a clear positive action, that they agree to their personal data being collected or used.

WHY IS CONSENT IMPORTANT?

Consent is important for both the one who needs to collect personal data and the one whose personal data is going to be collected. As a data collector, it means that what you are doing is lawful and you have not violated anyone’s privacy. As the person who gives consent, it is what allows you to participate voluntarily, and at the point you give consent, you are able to set limits on what can be lawfully done with your personal data. For example, if you gave a supermarket your address and your mobile number to deliver your groceries and you later find out they have used this information to advertise that you are their loyal customer in order to convince others to buy from the supermarket, then you can say that your rights were abused.

THE CONSENT EXISTS IF:

  • It is freely given,
  • It is given after specific information has been provided (what information they want, why, for what and for how long),
  • There is an unmistakable indication of the data subject’s wishes (accepting).

  5. WHAT ARE THE DIFFERENT STAGES YOUR DATA MAY GO THROUGH?

When you are approached by someone who asks for any personal information about you, your data privacy and protection journey has begun.

First, you are entitled to choose whether to share your personal data or refuse to do so. If you decide to share your personal data with that person, you are at the first stage of your journey. This is the ‘collection’ stage.

COLLECTION.

This happens when someone asks for and receives personal information about you. For example, if a person who is collecting information about salaries of people in your village comes to you and asks where you work and how much you earn, and you give this information out, then that person will have collected your personal data. This is the first stage, and this person is referred to in law as a Data Collector.

CONTROL

Once you have given your data to someone, that person decides how to handle and deal with your data. This includes decisions such as: how long to keep it, what to do with it, and how to handle it in relation to the purpose for which it was requested. The person who does this is called a Data Controller. For example, when a doctor asks for blood samples and information about your family health history, it is because they have a purpose in mind. The doctor then decides how they want to use this information and your samples to get to that result. This may make the doctor a data controller. The data controller is often the same as the collector, but in some situations the two are entirely different persons. For example, in the case of a hospital, a laboratory technician may collect your blood sample (which contains your personal data), making them a Data Collector. However, if it is the hospital that determines how to store and use the results, then the hospital is the Data Controller.

PROCESSING

This is the stage at which your data may be organized and analyzed. Sometimes, the person who collects your personal data is not the same person who analyses it or organizes it. For example, a company may send interns to collect personal information about people so that it can decide whether it is profitable for it to start selling its products in that area. When it gets this information, it gives it to a financial advisory firm to put it together and use it to assess whether the company should open its business in that area. This process is what we call processing of data. In this scenario, the financial advisory firm would be the Data Processor.

  6. WHAT SHOULD YOU DO IF YOU BELIEVE THAT YOUR PERSONAL DATA RIGHTS HAVE BEEN ABUSED?

As a data subject (a person whose personal data has been collected), you have several rights including the right to consent to what is collected, how it is stored or processed. However, if any of these rights are abused in any way, the law provides you with some options to choose from to make sure that this situation is fixed.

6.1 WRITE TO THEM TO STOP

For certain abuses of your rights, the fix may be as simple as writing to the person or organization informing them that they are violating your rights and asking them to stop immediately. For example, if you find that there is personal data that someone has collected without your consent or that is inaccurate, then you can write to them and ask that they block the continued collection of that data, correct the information to make it accurate, erase it or destroy it. This may be a suitable option where the situation has not caused any serious harm.

6.2 MAKE A COMPLAINT

However, if this does not suffice to get them to stop or if you feel that the breach of your privacy is serious, you can make a complaint to the Data Protection Office at the National Information Technology Authority (NITA) (the body that regulates data protection and privacy in Uganda) so that they can make an order against that person to do what you asked. After they carry out their investigations, you should get communication of their decision within 30 days. This must be in writing.

6.3 SUE FOR COMPENSATION

If you believe that the above options are not sufficient to fix what you have gone through, and you have suffered harm or damage, then you may go to court and ask for compensation from the person or organization that violated your rights.

  7. RIGHTS OF DATA SUBJECTS

The most important right every person has is the right to limit how much of their personal information is taken. This is done by giving or refusing to give consent. However, apart from this, there are other rights every one of us has as a data subject.

7.1 ACCESS TO YOUR PERSONAL DATA

You have the right to ask to access any information you gave out to another person or organisation. For example, you can ask any hospital with your medical information to let you have a copy and to see ‘what they have on you.’ This may be subject to certain requirements they may have of you, either by contract or by conditions such as proof of identity, before they can hand over this information.

You are entitled to this information immediately or within 30 days from the time of asking.

7.2 PREVENT PROCESSING OF PERSONAL DATA

When you give out personal data, the person you give it to can choose to organise it, alter how it is arranged and even erase some (these actions are known as processing). However, you are entitled to tell him/her to stop doing any of this to your personal data if you believe it is likely to cause unjustified considerable damage or distress to you.

In addition, if you find out that there is an automated mode of processing of your personal data, you can ask that the decision to alter, organise or handle your information is revised and reconsidered.

Make sure you write to the people with your personal data to tell them to stop.

7.3 STOP USE OF PERSONAL DATA FOR MARKETING

If you do not want your personal data handled and used for marketing purposes, you have a right to prevent this.

7.4 ENFORCE YOUR RIGHTS

If you enforce or attempt to enforce any of these rights and the person or entity with your personal data refuses to fulfil your request, then you still have a right to complain to NITA (the authority responsible for the promotion and regulation of personal data protection in Uganda). NITA has the power to investigate and force an entity breaching your rights to fix it. It can also order whoever has your personal data to erase, block or rectify any errors according to what you have requested and complained about.

You may also go to court to ask the violator to compensate you for any damage or distress you suffer because of this violation.

  8. OFFENCES

The law has created a number of offences to ensure that there is compliance with the data privacy and protection law. Such offences include:

  1. unlawfully obtaining or disclosing personal data;
  2. unlawful destruction, deletion, concealment or alteration of personal data;
  3. sale of personal data.

The penalties imposed against corporations for these offences range from the imprisonment of the corporation’s officers for a term not exceeding ten years, payment of a fine of UGX 4.9 million, or payment of 2% of the corporation’s gross income if the corporation commits any of the offences.
