‘Privacy is not an option, and it shouldn’t be the price we accept for just getting on the Internet’ – Gary Kovacs
In recent weeks, online & print media have ran stories on the ‘leaked’ account information of a well known public figure. The word, ‘leaked’ more often than not always refers to some form of data breach. Whether it is a leaked document, sex tape, bank account & mobile money information or even medical records, in all those cases the focus is always on the story (scoop) but never on the source of the information.
It is now a widely accepted practice for food vendors to wrap their delicacies in documents that contain personal data. These vendors, usually acquire these documents freely from entities that lack data retention and destruction policies. The advent of the internet has further exacerbated the scourge of data protection and privacy breaches. Users of social media platforms make available to the public their personal information with reckless abandon. Users also share leaked videos, documents and fake news that promote online defamation, without any thought of the legal implications of disseminating fake news or sharing another person’s personal data.
We’ve come to expect so little from privacy that any public display of concern is usually seen as a melodramatic rant. It is no wonder that most leading private entities and almost all government organizations lack privacy policies on their websites. It is this indifference to data protection & privacy that leads organizations like Uganda Revenue Authority, to direct banks to furnish bank account information without any assurance on the mode of storage, retention and destruction of the data that it intends to collect.
With cyber & data security breaches at an all time high, entities must act with caution when dealing with data. The more data an organization has, the harder it becomes to secure. Data is the oil of the information age, and any entity with access to personal data, has in essence, a wealth of information that may be used for nefarious purposes.
The data mining company, Cambridge Analytica (CA) has most recently come under criticism for the unauthorized use of data that it used to influence elections around the world.
In Kenya, CA, is accused of manipulating Kenyan voters by curating videos that exploited their fears. The videos warned social media users that a victory by opposition leader Raila Odinga would lead to disease, starvation and terrorism.
In Nigeria, a UK newspaper, The Guardian reported that Israeli hackers provided Cambridge Analytica with President Muhammad Buhari’s personal emails. The e-mails that included information about Buhari’s ill health and medical records, were leaked in order to dissuade voters and to weaken Buhari’s campaign.
Although Cambridge Analytica has denied all allegations, those examples show how valuable data can be and the extent that data can be used to influence people.
Without adequate data protection laws or national data security and retention policies, there can be no assurance that your personal data will not end up in the wrong hands. Data protection is globally recognized as a distinct fundamental human right. Some countries have recognized data protection as a constitutional right, thereby highlighting its importance as a crucial element for democracy to exist. The detailed article 35 of the 1976 Constitution of Portugal can be seen as an example of best practice here.
Uganda has taken steps to regulate data protection through the Data Protection and Privacy Bill. The law once in force, will regulate the collection and retention of personal data; it will also provide for the obligations of data collectors and processors.
The Bill comprehensively provides for rights of persons whose data is collected, obligations of data collectors and data processors, governance measures and procedures to administer, receive complaints and settle disputes.
It also mandates data controllers and processors with the responsibility to protect data subjects and provides for an enforcement mechanism that will allow individuals to enforce their rights and remedies in cases of infringement.
The draft Bill further requires that data subjects should be informed of who the data controller is; the purpose of collecting the data; how long the data will be kept and any third parties to whom the data will be disclosed.
It is still unclear why government entities continue to deal with sensitive personal information without first passing the Data Protection and Privacy bill into law. This oversight if unchecked, may in the end, open entities required to furnish this data (with the regulators in tow), to lawsuits over the breach of the right to privacy as enshrined under Article 27 of the Constitution of the Republic of Uganda.