Data protection obligations in Uganda
In brief
Anyone who collects, processes or holds personal data in Uganda must comply with the Data Protection and Privacy Act, Cap. 97. Its principles (s.3) require those handling personal data to be accountable to the data subject and to collect and process data fairly, lawfully and only to the extent adequate, relevant and not excessive. Personal data may generally only be collected and processed with the data subject's consent (s.7), for a specified purpose, after giving the data subject the required information. A data protection register is maintained by the Authority (the National Information Technology Authority - Uganda).
1. Governing law
The Data Protection and Privacy Act, Cap. 97 governs the handling of personal data. Section 3 sets the data-protection principles: a data collector, processor or controller (or anyone who collects, processes, holds or uses personal data) must be accountable to the data subject; collect and process data fairly and lawfully; and collect, process, use or hold adequate, relevant and not excessive or unnecessary personal data. Consent is central: personal data may be collected or processed with the data subject's consent (s.7), and there are stricter controls on special personal data (s.9). Data must be collected from the data subject for a specified, explicit and lawful purpose, with prescribed information given before collection (ss.11-13), and further processing must be compatible with that purpose (s.17). Data subjects have rights — including to access their personal data (s.24) and to have inaccurate data corrected (s.16). The Authority — the National Information Technology Authority - Uganda (and, operationally, the Personal Data Protection Office) — keeps a data protection register (s.29) which is open to the public (s.30); data collectors, processors and controllers register as required. The Act is supplemented by the Data Protection and Privacy Regulations, 2021. Statutory text verified against the consolidated Laws of Uganda as at 31 December 2023. Sourced from the Uganda Legal Information Institute (ulii.org).
2. Key statutes & rules
- Data Protection and Privacy Act, Cap. 97 — s.3 (principles: accountability; fair and lawful collection/processing; adequate, relevant and not excessive data); s.7 (consent to collect or process); s.9 (special personal data); ss.11-13 (collection from the data subject for a specified purpose; information before collection); s.16 (correction); s.17 (compatible further processing); s.24 (right to access); s.29 (data protection register kept by the Authority - NITA-U); s.30 (public access to the register).
- Data Protection and Privacy Regulations, 2021 — registration and procedural detail.
3. Practical guidance
Map what personal data you collect and why; collect only what is adequate, relevant and not excessive (s.3).
Obtain the data subject's consent and give the required information before collecting, stating the specified purpose (ss.7, 11-13).
Apply stricter care to special personal data (s.9) and keep data secure and accurate.
Register with the Authority (NITA-U / PDPO) where required, and honour data-subject rights to access (s.24) and correction (s.16).
Follow the Data Protection and Privacy Regulations, 2021 for registration and process detail, and only further-process data compatibly with the original purpose (s.17).
This note is a practitioner orientation, not legal advice, and does not create an advocate–client relationship. Ugandan law changes and chapter and section numbers were revised in the 2023 Laws of Uganda. Verify every statute, rule and authority against the current primary source — and the specific facts of your matter — before filing or relying on it.