The Data Protection and Privacy bill 2016 is gathering dust in the shelves of parliament, a year after it was tabled. The State Minister for Planning, David Bahati tabled the bill in parliament in April 2016. The speaker referred the bill to the Information, Communication and Technology Committee for scrutiny before it presents a report to parliament for discussion and final approval.
The bill seeks to cover areas that deal with personal data, which are not provided for in the Interception of Communication Act and the Registration of Person’s Act. The bill also seeks to regulate how personal information is collected and processed. It also contains provisions that allow Ugandans a right to withhold their personal data, inquire the purpose for which it is being sought and how long the data should be used.
Part IV of the bill talks about security of data and requires those collecting the data to keep it secure and protect its integrity. However, since then nothing has been done. The urgency of the Data Protection and Privacy bill came to the fore recently when government allowed telecom companies to access the bio data collected during the National Identity Card (ID) enrollment exercise.
The data is currently held by National Identification and Registration Authority (NIRA). The move to allow telecom companies to access the data is aimed at helping then to enforce a directive from Uganda Communications Commission on Sim card registration. Peter Gwayaka Magelah, the Program Manager Chapter Four, says the delayed enactment of the bill is a big risk to individual data.
Paula Turyahikayo, the Chairperson of Information, Communication and Technology Committee, says the committee will handle the Data Protection and Privacy bill 2016 immediately after the budgeting process. Parliament is expected to conclude the 2017/2018 financial year budget process by May 31st, 2017.
She acknowledges the importance of the bill in protecting personal data, adding that in its absence other laws like the Interception of Communication Act and the Registration of Person’s Act can be used effectively to protect data.
However, a researcher from parliament told URN later that the existing laws don’t regulate or protect personal data like personal details collected by organizations such as banks, hospitals, travel agencies and insurance companies.