1. The Data Protection Act came into force on 25th February 2019 and is aimed at protecting individual and personal data.
  2. No data shall be collected without the consent of the person giving the data.
  3. One can object to the collection or processing of personal data.
  4. Data relating to children can only be collected after obtaining prior consent from the parent or guardian.
  5. A data collector, processor or controller shall not collect, hold or process personal data in a manner that infringes on the privacy of the data subject.
  6. Collecting of personal data from another source such as a public body is permitted in exceptional circumstances.
  7. The Act provides for rights of data subjects.
  8. Complaints can be made to the National Information Technology Authority Uganda (NITA Uganda) and the Authority has power to investigate the complaints.
  9. The Act creates offences and a person who commits any of the offences is liable to pay UGX 4,800,000 or may be imprisoned for a period of ten years.
  10. One can be compensated for damages or suffering which caused by a data controller as a result of not complying with the Act. The data controller can rely on use of reasonable care as a defence.


The purpose of the Act is:

  • To protect the privacy of individuals and personal data.
  • To regulate the collection and processing of information.
  • To provide for rights of persons whose data is collected.
  • To provide for obligations of data collectors, processors and controllers.
  • To regulate the use or disclosure of personal information.

Personal data shall only be given for the following reasons

  • It is required by law
  • For the proper performance of a public duty
  • Purposes of national security, prevention, detention, investigation, prosecution, punishment of an offence or breach of the law.
  • For performance of a contract
  • For medical purposes
  • For compliance with legal obligation.

While collecting personal data, the data collector should inform the data subject;

  • The nature and category of the data being collected
  • Name and address of person collecting data
  • Purpose for which data is required.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          

Rights of data subjects:

  1. To ask proof of identity of data collector
  2. To ask data collector to confirm whether or not data collector holds personal data about data subject and to give description of the personal data
  3. To ask the data collector provide identity of third party or category of a third party who has had access to the information.

Offences and Penalties

Unlawful obtaining and discovering of personal data

Unlawful destruction, deletion concealment or alteration of personal data

Sale or offer to sell of personal data

Source: The Data Protection and Privacy Act, 2019