A review of the Laws of Uganda and Policies for Data Privacy and Security
A case study of a Management Consultancy Firm
Abstract
Data privacy and security are integral components of the digital age, significantly impacting the rights and interests of individuals, organizations, and society at large. This review explores the laws and policies on data protection and security in Uganda, with a particular focus on the Data Protection and Privacy Act 2019. Additionally, the review explores the data protection implementations of a management consultancy firm as a reference case study. Furthermore, it delves into the challenges and methods for presenting computer-related evidence in legal contexts, given that it often takes a non-physical form. In conclusion, the review underscores the critical importance of legal compliance and ethical practices in the realm of data privacy and security in an increasingly digital world.
Introduction
Data privacy and security are important aspects of the digital world, as they affect the rights and interests of individuals, organizations, and society. [1] defines data privacy as the ability of individuals to control their personal information and how it is collected, used, and shared by others. [1] further explains that data security is the protection of data from unauthorized access, use, modification, or destruction. Both data privacy and security are governed by laws and policies that are specific to a given country and unique to each industry; however, all aim to balance the benefits and risks of data processing, acquisition, and use [2].
In this review, the laws of Uganda and the policies of data privacy are explored, with a focus on three major computer-related privacy offences for each domain and suggestions of how computer-related evidence can be presented given its sometimes non-physical form. Furthermore, the policies of a management consultancy firm regarding data privacy and security were explored.
Laws of Uganda
The main law of Uganda regulating data privacy and security is the Data Protection and Privacy Act 2019. It was enacted to give effect to Article 27 of the Constitution of the Republic of Uganda, 1995, which guarantees the right to privacy of persons, property, and information. The law aims to protect the personal data of individuals from unauthorized collection, processing, use, disclosure, or transfer by any person, institution, or public body. The law defines various offences and penalties for violating data privacy and security, and provides for the rights of data subjects and the obligations of data collectors, data processors and data controllers [3]. The law establishes the National Information Technology Authority-Uganda (NITA-U) as the supervisory authority for data protection and privacy in Uganda. The NITA-U is responsible for enforcing the law, issuing guidelines and standards, conducting audits and investigations, imposing sanctions and penalties, and handling complaints and appeals [3].
Three computer-related privacy offences under the laws of Uganda are: (1) computer-related fraud or forgery, as stated in the Data Protection and Privacy Act 2019 [3], which is the intentional input, alteration, deletion, or suppression of computer data, resulting in inauthentic data with the intent that it be considered or acted upon for legal purposes as if it were authentic. This offence is punishable by a fine not exceeding two hundred and forty currency points or imprisonment not exceeding ten years or both; (2) computer-related identity offences, also elaborated under the Data Protection and Privacy Act 2019 [3], which are the use of a computer system to unlawfully assume the identity of another person or entity, or to create a false identity, for the purpose of deceiving or defrauding. This offence is punishable by a fine not exceeding one hundred and twenty currency points or imprisonment not exceeding five years or both; and (3) sending or controlling the sending of spam, which is the transmission of unsolicited electronic messages to multiple recipients without their consent. This offence is punishable by a fine not exceeding twenty-four currency points or imprisonment not exceeding one year or both, as also stated in the Data Protection and Privacy Act 2019.
Data Privacy Policies at a Management Consultancy Firm
The case study is a management consultancy firm that handles business, investment and research tasks on behalf of other companies. Regarding data privacy and security, it subscribes to and complies with the data protection and privacy laws and regulations of Uganda and the General Data Protection Regulation (GDPR) of the European Union, as required by its European clients. The firm also has a comprehensive data privacy and protection policy implemented across the firm to ensure the protection of client, stakeholder and company data. The policy areas include data security measures, consent and purpose limitation, and data subject rights.
The firm should employ robust data security measures, which include a prohibition on personal computers for company work, restricting visitors to designated visitor meeting spaces rather than working spaces, encryption, secure access controls, regular security audits, and mandatory data protection training for all employees. This has enabled the firm to implement strict data handling procedures to protect sensitive client information. Additionally, it considers the principles of consent and purpose limitation. The firm obtains explicit consent from clients and beneficiaries before collecting their data and ensures that data is only processed for the specific purposes agreed upon in consultancy agreements. In its consent forms, it clearly explains how it collects, uses, shares, transfers, stores, and retains data with respect to tasks.
Computer-Related Evidence
In [4], computer-related evidence is considered to be any information stored or transmitted using a computer system that can be used to prove or disprove a fact in a legal case. [4] and [5] explain that computer-related evidence may pose some challenges for presentation given its sometimes non-physical form.
However, [5] explores various ways in which computer-related evidence can be presented. Some of them are: (1) using digital forensic tools and techniques to extract, analyse, and preserve data from digital devices or media, and generating reports that document the findings and methods used. [6] likewise indicates that these reports can provide reliable and admissible evidence that can be presented in a court or tribunal; (2) using authentication methods such as hash values or digital signatures to verify the integrity and origin of digital evidence. These methods can ensure that the evidence has not been tampered with or forged and can identify the source or author of the evidence [7]; (3) using visual aids such as screenshots, graphs, charts, or animations to illustrate the content and context of digital evidence, which can help explain complex or technical concepts to judges, jurors, lawyers, or other parties involved in the case who are not technical in computer science [5].
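Method (2) above can be illustrated with a short added example, which is not part of the original review or of any cited framework: each evidence item is hashed with SHA-256 at acquisition, and the manifest of digests is tagged so that it cannot be quietly rewritten later. The function names, file names and key are constructed for illustration, and the HMAC tag is a shared-key stand-in for a digital signature; proving authorship to a third party would need an asymmetric signature.

```python
import hashlib
import hmac
import json

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def _tag(manifest: dict, key: bytes) -> str:
    # Canonical JSON (sorted keys) so the same manifest always yields the same tag.
    body = json.dumps({k: v for k, v in manifest.items() if k != "tag"}, sort_keys=True)
    return hmac.new(key, body.encode(), hashlib.sha256).hexdigest()

def seal_evidence(items: dict, examiner: str, key: bytes) -> dict:
    """At acquisition: record one SHA-256 digest per item, then tag the manifest."""
    manifest = {"examiner": examiner,
                "digests": {name: sha256_hex(blob) for name, blob in items.items()}}
    manifest["tag"] = _tag(manifest, key)
    return manifest

def verify_evidence(items: dict, manifest: dict, key: bytes) -> dict:
    """At presentation: check the manifest tag (origin) and each digest (integrity)."""
    origin_ok = hmac.compare_digest(_tag(manifest, key), manifest.get("tag", ""))
    status = {}
    for name, digest in manifest["digests"].items():
        if name not in items:
            status[name] = "missing"
        elif hmac.compare_digest(sha256_hex(items[name]), digest):
            status[name] = "intact"
        else:
            status[name] = "altered"
    for name in items.keys() - manifest["digests"].keys():
        status[name] = "unlisted"   # present now but never sealed
    return {"origin_ok": origin_ok, "items": status}

# Constructed sample data, not real evidence.
KEY = b"constructed-demo-key"
ACQUIRED = {"mailbox.pst": b"constructed bytes A", "disk.img": b"constructed bytes B"}
MANIFEST = seal_evidence(ACQUIRED, "examiner-01", KEY)

if __name__ == "__main__":
    print(verify_evidence(ACQUIRED, MANIFEST, KEY))
    tampered = dict(ACQUIRED, **{"disk.img": b"constructed bytes B, edited"})
    print(verify_evidence(tampered, MANIFEST, KEY))
```

A bare list of hashes only shows that the files match the list; the tag over the manifest is what detects someone replacing both a file and its recorded digest.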
Conclusion
In conclusion, data privacy and security are essential aspects of the digital world that require legal and ethical regulation. Computer-related privacy offences may have serious consequences for both individuals and organizations, and computer-related evidence may require special methods and techniques for presentation. Therefore, it is important to be aware of the rights and responsibilities of data subjects and data processors, and to follow the best practices and guidelines for data privacy and security.
References
[1] Bélanger, F. and Crossler, R. E. Privacy in the digital age: a review of information privacy research in information systems. MIS Quarterly (2011), 1017-1041.
[2] Bertino, E. Data security and privacy: Concepts, approaches, and research directions. IEEE, 2016.
[3] Data Protection and Privacy Act 2019 – Ministry of ICT & National Guidance. Ict.go.ug (2019).
[4] Norris, S. Digital Evidence and Computer Crime. Instructor's manual (2011).
[5] Welch, T. Computer crime investigation and computer forensics. Information Systems Security, 6, 2 (1997), 56-80.
[6] Ieong, R. S. FORZA–Digital forensics investigation framework that incorporate legal issues. Digital Investigation, 3 (2006), 29-36.
[7] Saleem, S., Popov, O. and Dahman, R. Evaluation of security methods for ensuring the integrity of digital evidence. IEEE, 2011.