Protection of personal data: a critical analysis of Uganda’s legal and institutional framework

Abstract

This dissertation critically examined the adequacy of Uganda's legal and institutional framework for the protection of personal data, focusing on its adequacy and effectiveness in an increasingly digital world. The primary objectives of the study were to assess the current legal and regulatory provisions for data protection, analyze the roles and effectiveness of institutions mandated to enforce these laws, and identify key challenges and offer solutions to counter the challenges. The study also analysed comparative jurisprudence of the legal and institutional frameworks of other countries in relation to data protection and privacy. Two countries were benchmarked that is the Republic of Kenya in the East African Region, and the Republic of Chile from Latin America. Key lessons from these countries were drawn and are contained in the dissertation. The study adopted a qualitative methodology, utilizing document analysis, expert interviews, to explore the strengths and weaknesses of existing laws, such as the Data Protection and Privacy Act, Computer Misuse Act, the Registration of Persons Act, and the roles of the various institutions tasked with the mandate to ensure compliance with the laws and the Data protection principles. The findings indicate significant gaps in the regulatory framework such as inadequate provisions of the law and several administrative challenges faced by institutions in executing their mandates, including insufficient resources and limited public awareness. Key recommendations suggested by this study include a comprehensive review and strengthening of the legal and regulatory framework to ensure that it can counter the dangers posed by the new technological developments like Artificial Intelligence, align the national laws with international standards, and effectively address emerging data protection issues in the contemporary society. Additionally, the capacity of institutions responsible for data protection like National Information Technology Authority-Uganda must be enhanced to enable them to fulfill their duties effectively, establish the Personal Data Protection Office as an Independent Authority rather than operating as a Directorate in National Information Technology Authority-Uganda that is due for rationalization and mainstreaming it in the Ministry of Information, Communication Technology, and National Guidance. Fast tracking the enactment of the East African Community Data Protection and Privacy Act among others are other key recommendations proposed by this study.