Last modified 27 January 2025

Data Protection in Uganda

Breach notification in Uganda

Download PDF

Download current country

Change countries

Change country

Law

Data protection laws in Uganda

Generally, a person’s right to informational privacy is protected under Article 27 of the Constitution of the Republic of Uganda. The protection under the Constitution is supplemented by the Data Protection and Privacy Act, 2019 and the Data Protection and Privacy Regulations, 2021, which regulate the collection, processing, use, storage, and disclosure of personal data. The Act and Regulations apply to any person, entity or public body:

collecting, processing, holding or using personal data within Uganda;
outside Uganda who is collecting, processing, holding or using personal data of Ugandan citizens.

The Data Protection and Privacy Act commenced on 3 May 2019 while the Regulations took effect on 12 March 2021.

There are also other sector specific laws that incorporate data protection provisions applicable to the activities governed under those laws. These laws include, but are not limited to:

The Access to Information Act, 2005;
The Regulation of Interception of Communications Act, 2010 and Regulations, 2023;
The Computer Misuse Act, 2011 (as amended); and
The Registration of Persons Act, 2015.

Related resources

Definitions

Definitions in Uganda

Definition of Personal Data

Personal data is defined under section 2 of the Data Protection and Privacy Act as information about a person from which the person can be identified such as information relating to nationality, age, marital status, education level, occupation and identity data.

This information is considered personal data regardless of the form in which the information is recorded.

Definition of Sensitive Personal Data

The term “sensitive personal data” is not defined under Uganda’s data protection law.

However, section 9 of the Data Protection and Privacy Act defines a related term, “special personal data”, as data which relates to the religious or philosophical beliefs, political opinion, sexual life, financial information, health status or medical records of an individual.

Authority

National data protection authority in Uganda

The Personal Data Protection Office established by Section 4 of the Data Protection and Privacy Act and Regulation 3 of the Data Protection and Privacy Regulations is responsible for personal data protection. The Office operates under the National Information Technology Authority-Uganda (NITA-U) and was operationalized in August 2021.

Registration

Registration in Uganda

Under Regulation 13 of the Data Protection and Privacy Regulations, every data collector, processor, or controller in Uganda (or outside Uganda collecting or processing the personal data of Ugandan citizens) is required to register with the Personal Data Protection Office. The Office maintains a Data Protection and Privacy Register relating to data collectors, processors and controllers, including the purpose for which the data is collected or processed.

Data protection officers

Data protection officers in Uganda

Every entity whose activities consist of processing operations that require regular and systematic monitoring of data subjects on a large scale, or whose activities consist of processing special personal data, is required to designate a personal data protection officer charged with ensuring compliance with the data protection law. There is no criteria for appointment of the data protection officers provided by the Act or Regulations.

Under Regulation 47 of the Data Protection and Privacy Regulations, the Personal Data Protection Office is required to specify the persons, institutions, and public bodies required to designate a data protection officer. This publication is yet to be released by the Office.

Collection and processing

Collection and processing in Uganda

Restrictions on the collection or processing of the personal data

There are a number of restrictions under the Data Protection and Privacy Act which ought to be complied with in the collection and processing of personal data. These include but are not limited to the following:

The informed consent of the data subject must be obtained prior to collection or processing of personal data;
The data subject must be informed of all the recipients of their personal data, including any third parties with whom such data will or may be shared;
The collection or processing of personal data relating to a child is prohibited unless:
1. done with the prior consent of the parent / guardian;
2. necessary for compliance with the law; or
3. the collection or processing is for research or statistical purposes;
Special personal data should not be collected or processed unless specifically permitted by the law;
Personal data should be collected directly from the data subject;
Personal data shall only be collected for a lawful and specific purpose which relates to the functions or activity of the data collector or data controller;
A data collector, data processor or data controller is obligated to ensure that the data is complete, accurate, up to-date and not misleading;
Further processing of personal data shall only be for the specific purpose in connection with which the personal data was collected;
Personal data shall not be retained for a period longer than is necessary to achieve the purpose for which the data is collected and processed unless specifically authorised by the Act;
A personal data record should be destroyed or de-identified after the expiry of the retention period in a manner that prevents reconstruction of the personal data in an intelligible form.

Related resources

Transfer

Transfer in Uganda

Section 19 of the Data Protection and Privacy Act permits for personal data to be processed or stored outside Uganda provided that:

the country in which the data is processed or stored has adequate measures in place for the protection of personal data which are at least equivalent to the protection provided under the Act; or
the data subject has consented.

Regulation 30(2) of the Data Protection and Privacy Regulations prohibits any further transfer of personal data processed outside Uganda to a third country without the consent of the data subject.

Under Regulation 30(4), the Personal Data Protection Office is required to specify the countries with adequate or equivalent protection for purposes of data transfer. This publication is yet to be released by the Office.

Related resources

Security

Security in Uganda

A data controller, data collector or data processor is required under section 20 of the Data Protection and Privacy Act to secure the integrity of personal data in its control or possession by adopting appropriate measures to prevent loss, unauthorised destruction, unauthorised processing of or unlawful access to personal data. This includes observation of generally accepted information security practices and procedures, and specific industry or professional rules and regulations.

The data controller is specifically required to use measures that:

identify reasonable risks to personal data in its possession or control;
establish and maintain appropriate precautions against the risks identified;
regularly verify the effective implementation of the precautions; and
ensure that the safeguards are continually updated.

In instances where personal data is processed by a third party, the entity must ensure that the data processor applies the security safeguards provided under the Act. The Act specifically requires that the contract between a data controller and processor relating to the processing of personal data oblige the data processor to maintain the confidentiality and security measures necessary to protect the integrity of the personal data.

Related resources

Breach notification

Breach notification in Uganda

Section 23 of the Data Protection and Privacy Act and Regulation 33 of the Data Protection and Privacy Regulations impose a duty on a data processor, data collector or data controller to immediately notify the Personal Data Protection Office, where there is reasonable belief that personal data has been accessed or acquired by an unauthorised person. The Data Protection Office is then charged with determining whether or not the affected data subjects should be notified of the breach, and guiding the reporting entity on the manner of such notification.

Data collectors, processors and controllers registered with the Office are required to submit an annual report summarizing any data breaches suffered and how they were addressed.

Related resources

Enforcement

Enforcement in Uganda

Remedial orders

The Personal Data Protection Office is empowered to investigate complaints and make orders requiring a breach or violation of the Act to be remedied, or for compliance with a request of a data subject. The exercise of these powers may be triggered by a complaint or request lodged with the Office by a person aggrieved by actions under the Act or by a data subject seeking to enforce the rights availed under the Act.

Compensation

A person is entitled to apply to a court of law with competent jurisdiction for compensation for damage or distress caused by the actions of a data collector, data controller or data processor in violation of the Data Protection and Privacy Law. The Data Protection Office is not mandated to award compensatory relief.

Sanctions

Fines — The Data Protection and Privacy Act provides for fines as a penalty for the commission of an offence under the Act. Save for the fine imposed on a corporation for non-compliance with Act, the fines provided do not exceed 245 currency points (which is equivalent to UGX 4,900,000). The exception in the case of a violation by a corporation allows a court to order a corporation to pay a fine of up to 2 percent of the corporation’s annual gross turnover.
Imprisonment — A court of law may order imprisonment of a person convicted of any of the offences under the Data Protection and Privacy Act. The imprisonment terms which are provided are limited to a period of 10 years or less. Both imprisonment and payment of a fine can be ordered by court in respect of the same offender upon conviction of an offence.

Electronic marketing

Electronic marketing in Uganda

There is no electronic marketing regulation in Uganda.

Online privacy

Online privacy in Uganda

There is no specific online privacy regulation in Uganda. However, the Computer Misuse (Amendment) Act 2022 creates additional protection for children’s online privacy, making it a criminal offence to send, share or transmit any information online about or relating to a child without lawful authorization, parental consent, or where the transmission is in the best interest of the child. The penalty for this offence is imprisonment for up to seven years of a fine of up to UGX 15,000,000, or both.

Related resources

Key contacts

Data protection lawyers in Uganda

Barnabas Tumusingize

Managing Partner

Sebalu & Lule Advocates

Kampala

Email Full bio

Paul Mbuga

Partner

Sebalu & Lule Advocates

Kampala

Email Full bio

Ruth Muhawe

Associate

S&L Advocates

Data collectors, processors and controllers registered with the Office are required to submit an annual report summarizing any data breaches suffered and how they were addressed.

Quick links

Data Protection in Uganda

Breach notification in Uganda