What you need to know
In today’s data-driven era, people are increasingly concerned about who may collect, use and disclose their personal information, with much emphasis on the right to privacy. Article 27 of the 1995 Constitution of the Republic of Uganda guarantees every person in Uganda the right to privacy. In particular, the Constitution prohibits Interference with the privacy of a person’s home, correspondence, communication, or other property.
To give effect to Article 27 of the 1995 Constitution of the Republic of Uganda, the Parliament of Uganda passed the Data Protection and Privacy Act 2019 to regulate the collection, use, and disclosure of people’s personal data that may be held by other persons or entities. In this context, personal data refers to any information that may be used to identify a person. This includes information regarding; nationality, age, marital status, education level, occupation, identification number (NIN), symbol or other particulars assigned to a person, or any information that includes an expression of opinion about the individual.
This short article explains the requirement to register with the Personal Data Protection Office, procedure for application and the government fees involved in the process.
Requirement to register
All persons, entities, companies, and institutions that collect or use personal data are required to register. All NGOs in Uganda are required to register because they collect and use the personal data of their employees, beneficiaries, and other individuals.
Notice by the NGO bureau on registration
On the 7 October 2022, the NGO Bureau issued a notice reminding NGOs to register with the Personal Data Protection Office not later than 31 October 2022. The NGO Bureau being the regulatory body of all NGOs in Uganda, registration with the Personal Data Protection Office must be complied with. The Personal Data Protection Office will start enforcement measures against organizations that have not registered as required by law with effect from November 2022 and any future permit renewals and review shall require the organization to be compliant with the Data Protection and Privacy Act. This will also affect the services offered by the NGO Bureau to Non-compliant NGOs.
The Data Protection Office
Registration of data collectors and users is done by the Data Protection Office, a department within the National Information Technology Authority (NITA-UGANDA) that is responsible for the protection of personal data. The Office maintains a Data Protection Register which contains the names and addresses of all entities or persons that have been registered, the nature of the information, or personal data held by the registered person, and the purpose for which the personal data was collected or is being used.
Requirements for registration
The application to register must be made online through the Personal Data Protection website (https://pdpo.go.ug/hom). In particular, the applicant must go to the website and click the register button to start the application process. The applicant will be requested to fill in the following information and more:
- State the name and address of the applicant;
- State the name and address of the applicant’s representative, where the applicant is a foreigner or situated outside Uganda;
- Specify whether the applicant is a data collector, data processor, or data controller;
- Specify the nature and category of personal data being processed or it is to be processed;
- Specify the purpose for which the applicant collects or processes personal data;
- Contain a description of the purpose for which the personal data is being processed or collected;
- Specify the duration for which personal data shall be kept;
- Contain a description of the recipient to whom the applicant intends to disclose the personal data if any;
- Specify the details of the data protection officer, if any;
- Specify the name of the country to which the applicant may transfer the data if any;
- Contain a general description of measures to be taken to secure the data, if any;
- Contain any other information that the office may require.
However, before commencing the application process, the following must be done:
- The applicant must generate an assessment from the URA website in order to make the government fee payment which is UGX 100,000. Upon making the payment, the payment slip should be scanned.
- The applicant must fill in form 3 (undertaking not to process or store personal data outside Uganda unless such country has adequate measures in place, at least equivalent to the protections provided for under Ugandan law and the person to whom the information relates has consented to the transfer), have it commissioned by the commissioner for Oaths and scan it.
- The applicant should ensure that they have a personal data protection policy or any company or organization policy with a clause on protection of personal data.
Once the above is done, the applicant may commence the application process. All the information submitted during the application for registration must be accurate. Any person or officer of an entity that knowingly submits false information commits an offence and upon conviction, is liable to a fine not exceeding UGX. 120,000 or a term of imprisonment of up to three months or both the fine and the imprisonment.
Process after submitting the application
After submitting the application, the applicant is issued a tracking number to track the progress of their application.
The Data Protection Office then reviews the application and ensures that all relevant documents and information are available to enable further processing of the information and may request the applicant to provide additional information or clarify the information provided.
After receipt of the application or additional information, the office conducts investigations and prepares a detailed report on the suitability of the applicant to be registered by the office. The office makes a decision to register or not to register the company or organization within fourteen working days after the application is made.
In order to follow up on whether the company or organization has been registered and a certificate issued to that effect, the applicant will have to login into the system using their tracking number.
Certificate of registration
After considering the application, the report and the office is satisfied that the applicant meets the requirements for registration, the office shall grant the application and the issue a certificate of registration. The certificate is valid for twelve months from the date of registration and is renewable. An application for renewal must be made at least three months before expiry.
Annual Compliance Report
All organizations or companies registered with the Personal Data Protection Office (PDPO) are required to submit an Annual Compliance Report before the 28th of September of each year in order to be compliant with the law. This report must be submitted compliance@pdpo.go.ug after it is completed, signed and stamped. Failure to submit the report on time attracts a fine or imprisonment or both.
Benefits of registering with the Data Protection Office
Registering with the Data Protection Office ensures that the organization or entity is compliant with the Country’s regulatory requirements thus avoiding unnecessary fines, penalties and prosecution of officers for non-registration. The registration procedures, framework and practical tools are now ready to facilitate registration of entities and organizations that collect personal data.
Registration with the Data Protection Office earns the entity or organization trust from Individuals whose data is collected or used. Also, Failure to register is illegal and a criminal offence that can lead to imprisonment of the directors and other officers of the organization.
Government fees involved
The government fees for registration is UGX. 100,000.
The government fees for renewal is UGX. 100,000.
Conclusion.
All persons, entities and organizations that collect or use individual’s personal information should take the requirement to register with the Data Protection Office in order guarantee the safety and privacy of the personal information held or used by them before the 31 October 2022.
Our Legal and Regulatory compliance team:
Stephen Tumwesigye
Managing Partner
M: +256 (0) 774 334 908
E: stumwesigye@taslafadvocates.com
Shadiya Uzama
Head Legal & Regulatory Compliance
M: +256 701 810050
E: suzama@taslafadvocates.com
Oluka Faith Mary
Regulatory & Compliance Associate
M: +256 (0) 778 980 861
E: foluka@taslafadvocates.com
Benjamin Ayongyera
Legal Associate
M: +256 778 512 680
E: bayongyera@taslafadvocates.com
