DATA PRIVACY AND PROTECTION FAQs
Barefoot

1. WHAT IS DATA AND WHAT AMOUNTS TO DATA?

Simply put, data is information that describes or identifies someone or something. Personal data is any information that, when exposed, can allow someone else to identify you. Personal information can include pictures, texts, sounds and even your expression of an opinion (such as Facebook posts), as well as your National ID Number (NIN), age, nationality, occupation and academic qualifications, email addresses, phone numbers, salary details and bank account information, and family members' personal details. This data should be protected at all costs because it can be harmful to the owner of the information if it is misused or falls into the wrong hands.

2. HOW DO OTHERS GET YOUR DATA?

There are usually 3 ways that people get your data:

VOLUNTARILY
In a perfect world, you would willingly give out your data. This is also what the law desires: that your personal data should only be given or taken with your permission (consent). If a person comes to your home and asks whether you own a mobile phone, and for the number so they can send you messages about what they sell, you have a choice to accept and give this information or to refuse. If you know what information is required, make an informed decision about the request and give the information out, then you have voluntarily given your data to someone else.

MANDATORY
However, there are instances when the law requires certain data from you as a MUST, or allows someone to take that data with or without your permission for a lawful, specified purpose. For example, a population census is a must, and everyone is required to disclose certain information to the government whether they want to or not.

This can include:
1. When there is mandatory immunization of children.
2. If there is a public duty that everyone must perform, such as community cleaning, data about all residents in that area may be taken without their permission to make sure that everyone participates.
3. If it is a matter of national security, such as when a crime needs to be prevented, or to prosecute someone or carry out investigations. For example, if a person is arrested for defilement, then that person must be tested for HIV so that their status is known, whether they allow it or not.
4. For medical purposes and for compliance with a legal obligation such as the payment of taxes. URA does not need your permission to check your transactions or bank account details when it needs the taxes that you have not paid.

AS A CONDITION FOR USE (QUALIFIED)
There are also times when using a certain service or product is dependent on you giving your permission for your personal information to be collected and used. In this case, no one forces you to give consent (permission), but to proceed further you must choose to give it. This is found when you download apps for your smartphone, or when you want to sign up for an email address or a Facebook account.


3. WHAT DO THOSE GETTING YOUR DATA NEED TO THINK ABOUT?
The law (the Data Protection and Privacy Act, 2019) requires that anyone who collects or handles personal data from people should consider the following when collecting data.

– Accountability to data subjects for data collected;
– Lawfulness;
– Fairness and transparency;
– Adequacy;
– Relevance;
– Minimisation of data collected; (only take what is needed for the purpose)
– Data retention only for period authorised by law or purpose;
– Quality and accuracy of data collected, processed, used or stored;
– Transparency and participation of data subjects in collection, processing, use and storage of personal data; and
– Security safeguards in respect of personal data.

4. WHAT IS CONSENT?
Consent means giving permission for something to happen or agreeing to do something. When dealing with personal data, the law requires the consent of the person whose data is being collected or handled.
This person should freely (willingly) and clearly indicate, either in writing or by a clear positive action, that they agree to their personal data being collected or used.
Consent exists if:
1. It is freely given,
2. It is given after specific information has been provided (what information they want, why, for what and for how long),
3. There is an unmistakable indication of the data subject’s wishes (accepting).

WHY IS CONSENT IMPORTANT?
Giving consent allows you to set limits on what can be done with your personal data. This is because your consent is what tells someone what they can collect, store and erase, and how they can use your personal data. For example, if you gave a supermarket your address and your mobile number to deliver your groceries, and later you find out they have used this information to advertise that you are their loyal customer in order to convince other people to buy from the supermarket, then you can say that your rights were abused.
Consent gives you the right to seek legal help when you feel your privacy has been abused, because you know exactly what you allowed and what you rejected.

5. WHAT ARE THE DIFFERENT STAGES YOUR DATA MAY GO THROUGH?
When you are approached by someone who wants any personal information about you, your data privacy and protection journey begins. First, you are entitled to choose whether to share or keep your personal data. After giving this permission to someone, you are at the first stage of your journey.
A. COLLECTION
This happens when someone asks for and receives personal information about you. For example, if a person who is collecting information about the salaries of people in your village comes to you and asks where you work and how much you earn, and you give this information out, then that person will have collected your personal data. This is the first stage, and this person is called a Data Collector.

Storage (who keeps this – controller)
B. DATA CONTROLLER
Once you have given your data to someone, that person decides what to do with your data and how to handle it. This includes decisions such as how long to keep it, what to do with it, and how to handle it for the purpose they gave you. The person who does this is called a Data Controller. For example, when a doctor asks for blood samples and information about your family health history, it is because they have a purpose in mind. The doctor then decides how they want to use this information and your samples to get to that result. This makes the doctor a data controller. In short, once you have given your data to an organization or individual, they decide how to handle and deal with your data.

C. PROCESSING
Sometimes the person who collects your personal data is not the same person who analyses or organizes it. For example, a company may send interns to collect personal information about people so that it can start selling in that area. When it gets this information, it gives it to another company to put it together and keep it for them. This is what we call processing. The company or person that receives the information for one of the reasons we have talked about is called a Data Processor.

6. WHAT SHOULD YOU DO IF YOU BELIEVE THAT YOUR RIGHTS HAVE BEEN ABUSED?
If somebody feels that their rights have been abused, they should follow this process to ensure that the infringer is punished:
Make a complaint in writing, in the prescribed manner, to the Authority. The Authority is the National Information Technology Authority – Uganda (NITA-U).

7. RIGHTS OF DATA SUBJECTS
The most important right every person has is the right to limit how much of their personal information is taken. This is done by giving or refusing to give consent. However, apart from this, there are other rights every one of us has as a person with personal data (we are called data subjects).
• Access to your personal data
You have the right to ask to access any information you gave out to another person or organisation. For example, you can ask any hospital with your medical information to let you have a copy and to see what ‘they have on you.’ Remember to provide proof of identity before asking for this information.
You are entitled to this information immediately or within 30 days.

• Prevent Processing of personal data.
When you give out personal data, the person you give it to can choose to organise it, alter how it is arranged and even erase some of it (these actions are known as processing). However, you are entitled to tell him/her to stop doing any of this to your personal data if you believe it is likely to cause unjustified substantial damage or distress to you.
In addition, if you find out that there is an automated mode of processing of your personal data, you can ask that the decision to alter, organise or handle your information is revised and reconsidered.
Make sure you write to the people with your personal data to tell them to stop.

• Stop use of personal data for marketing
If you do not want your personal data handled and used for marketing purposes, you have a right to prevent this.

If you enforce or attempt to enforce any of these rights and the person or entity with your personal data refuses to fulfil your request, then you still have a right to complain to NITA (the authority that regulates how your personal data is used) about your rights. You may then be compensated for any damage or distress you suffer as a result of this violation.