State of Privacy Uganda
Table of contents
- Right to Privacy
- Communication Surveillance
- Data Protection
- Identification Schemes
- Policies and Sectoral Initiatives
The State of Privacy in Uganda is the result of an ongoing collaboration by Privacy International and Unwanted Witness.
Key privacy facts
1. Constitutional privacy protection: The constitution contains an explicit protection of the right to privacy (Art. 27).
2. Data protection law: There is no specific law or regulation that regulates data protection. The draft 2015 Data Protection Bill has been passed by parliament, but is not yet law.
3. Data protection agency: Uganda has no specific body mandated to enforce and oversee data protection.
4. Recent scandals: The security services have been linked to targeted campaigns of extrajudicial surveillance against domestic opponents.
5. ID regime: The 2015 Registration of Persons Act harmonizes existing laws on the registration of persons and establishes a single central registration body and a mandatory national identification register for all Ugandans.
Right to Privacy
The 1995 Ugandan constitution explicitly recognises the right to privacy and calls for its protection. Article 27 states that "(1) No person shall be subjected to—
(a) unlawful search of the person, home or other property of that person; or
(b) unlawful entry by others of the premises of that person.
(2) No person shall be subjected to interference with the privacy of that person's home, correspondence, communication or other property."
Regional and international conventions
Uganda is a signatory of several international conventions with privacy provisions, including:
In March 2017, Uganda had 23.5 million mobile telecommunications subscribers, representing a teledensity of 63.8 %, according to statistics collected by the Uganda Communications Commission (UCC). There were 14.8 million mobile internet subscriptions, 153,150 fixed internet subscriptions and an estimated 20.3 million internet users.
The government does not collect official statistics on social media use, though several platforms including Facebook and Twitter are widely popular among Ugandans. In 2013, the National Information Technology Authority (NITA) issued guidelines to government departments to encourage and regulate the use of social media as a communication tool by government bodies.
Communications surveillance is primarily regulated by the Regulation of Interception of Communications Act (RICA) 2010. Other acts also grant the security services wide-ranging communications surveillance powers.
RICA requires intelligence officials and the Police to seek judicial authorisation for the interception of communications. The law authorises intelligence officials to apply to intercept specific communications subject to a warrant that is issued by a designated judge. However, RICA does not replace the provisions for interception contained in the Anti-Terrorism Act (2002) – it appears to contradict them. This law gives almost unfettered discretion for state officials to conduct surveillance without the need to obtain judicial authorisation. The powers of surveillance are broad. These include the interception of phone calls, emails or other communications, ‘electronic surveillance’, as well as monitoring of meetings, or doing “any other thing reasonably necessary” for the purpose of surveillance (Article 19(5)). The justifications of such surveillance are very broad, including safeguarding public interest, and protecting the national economy from terrorism (Article 19(4)).
There is no clear oversight mechanism to either RICA or the Anti-Terrorism Act.
Section 11 of RICA requires service providers to retain metadata, although the terms and conditions of the retention are not specified in the Act.
The Act also provides for the establishment of a Monitoring Centre under the control of the Minister – the “sole facility through which authorised interceptions shall be effected” (Section 3). As of late 2015, the monitoring centre was not operational though seven international firms were invited to bid for the project. It had been delayed in part because service providers have contested Government orders that they pay to connect to the future system, according to sources in the technology industry. However, Israeli firm NICE Systems is reported to have won the contract, according to Intelligence Online.
RICA requires service providers to foot the bill of connecting to the new centre or otherwise complying with the Act, a considerable cost. Current data retention capacity of the main networks including MTN Uganda was estimated at around 6 months' worth of call metadata in 2015.
The power to gather intelligence and conduct surveillance are concentrated around three institutions: the Uganda People’s Defence Force (UPDF), the Uganda Police Force (UPF), and the Office of the President (State House). The President exercises control over sensitive intelligence operations while day-to-day spying for intelligence gathering appears less centralised. Senior leaders and technical experts within intelligence circles are often reshuffled and reassigned among these agencies on Presidential direction.
Intelligence and security agencies
The 1987 Security Organisations Act established the Internal Security Organisation (ISO) and External Security Organisation (ESO). These two agencies are directed by Directors General appointed by and accountable to the President, and exist to collect intelligence and provide advice on Uganda’s security directly to him.
The National Security Council, established in 2000, reports directly to the President and comprises cabinet ministers, ISO, ESO, army and police officials, most of which are appointed by the President and up to five additional members, also appointed by the President and approved by Parliament. The Joint Intelligence Committee, composed of security experts appointed by the President and chaired by the Minister of Internal Affairs, reportedly meets once a week to share intelligence on national security threats. An Information and Communication Technologies (ICT) Technical Committee within the Joint Intelligence Committee advises on technology purchases and is responsible for many decisions related to defence and intelligence procurement. These powers are discussed in more detail in a report by Privacy International.
Law enforcement agencies
The 2004 Police Act gives the President the power to appoint the Inspector General of Police and his deputy, as well as the majority of the members of the Police authority which oversees police functions, and veto power over any potential dismissals of senior-ranking officials. As Commander-in-Chief of the defence forces, the President may appoint the Chief of Defence Forces and virtually all high-ranking officials. The President enjoys discretionary powers over the activities of the High Command.
The Regulation of Interception of Communications Act (2010) provides for the establishment of a monitoring centre. In late 2015, the monitoring centre was not operational though seven international firms had been invited to bid for the project. These seven firms included: ZTE and Huawei (China), Verint Systems Ltd and NICE Systems (Israel), Macro System (Poland), RESI Group (Italy) and Gamma Group International (UK). The monitoring centre project had been delayed in part because service providers contested government orders that they pay to connect to the future system, according to sources in the technology industry. NICE Systems was reported to have obtained the monitoring centre contract in November 2015. It is unknown if the monitoring centre is operational.
In recent years the security services have invested heavily in cyber defence. In 2013, a new forensic lab for the analysis of computer crime opened in Kampala and the UCC launched a Computer Emergency Response Team to investigate cybercrime. Despite these developments, the police’s ability to actually conduct forensic analysis on devices and trace cybercrimes is rudimentary. The police and investigating agencies often turn to private forensic companies to assist in complex investigations, according to an October 2015 investigation by Privacy International.
In 2014, the UCC opened a media monitoring centre with “digital logger surveillance equipment”. This appears to be targeted at recording and analysing public radio, television and print media rather than private communications. The police also signed an accord with the UCC to cooperate more closely on the investigation of cybercrime.
In August 2016, the government announced that it had contracted a South Korean company to supply a "pornography detection machine" with the budget of 2.6 billion Uganda shillings. The purchase was intended to aid the Parliament's anti-pornography committee to monitor and implement Uganda's anti-pornography laws by detecting pornographic pictures, videos or graphics taken or saved on individual phones, computers or cameras.
Surveillance oversight, checks and balances
We are not aware of any oversight mechanisms related to surveillance in Uganda. Please send any tips or information to: firstname.lastname@example.org
Surveillance case law
We are not aware of any surveillance case law in Uganda. Please send any tips or information to: email@example.com
Examples of surveillance
State authorities have proactively cultivated the popular perception that surveillance is systematic, centralised and technically sophisticated. This is not the case; not yet, at least. Nevertheless, human rights defenders and activist groups are regularly targeted for physical surveillance and break-ins and seizure of digital material by the police are common.
According to a Privacy International investigation in 2015, the attributes that have made Uganda’s human intelligence network strong and allowed it to infiltrate opposition and other circles considered threatening to the government are poorly suited to conducting communications surveillance on a large and automated scale. Poor levels of technical training, low pay and a culture of bribe-taking has alienated the few educated and technically competent engineers that would be required to operate a nationwide surveillance system beyond monitoring a relatively small number of high-value targets, according to industry and government sources.
The government has also reportedly placed agents within the telecommunications switching centres, but their skills vary and assignments appear to be relatively simple – for example, the generation of call and contact lists, the location of callers using cell tower data, and audio recordings of specific lines based on human intelligence.
In late 2011, officials of the Chieftaincy of Military Intelligence (CMI) and Uganda Police Force (UPF), acting on presidential orders, used an intrusion malware, short for malicious software, to infect the communications devices of key opposition leaders, media and establishment insiders. The secret operation was codenamed Fungua Macho (‘open your eyes’ in Swahili), according to documents acquired by Privacy International. The tool chosen as the ‘backbone’ of the operation, FinFisher, is intrusion malware that was at the time manufactured by the Gamma Group of companies, headquartered in the UK.
The police also attempted to procure further technologies from intrusion malware supplier and rival to Gamma Group, Hacking Team, in mid-2015. The local contact for the Hacking Team potential deal was Kin Kariisa, a business executive considered among Museveni’s close contacts, according to documentation obtained by Privacy International. Kariisa was the President’s special advisor on ICT from 2000 to 2009.
Earlier, in April 2014 after the Anti-Homosexuality Bill was signed into law, the LGBTI community in Uganda was reportedly targeted by Zeus malware, a spyware often used to steal banking information through techniques including keystroke logging and form grabbing. Human rights defenders routinely report office break-ins, thefts of servers and other computer material and hacking of websites.
In July 2018, MTN Uganda - a division of the South African telecoms firm MTN - claimed that government security personnel raided one of their data centres. They claimed that security personnel kidnapped one of their employees to gain access.
Data protection laws
There is no specific law or regulation that regulates data protection in Uganda. However, in late 2014, the National Information Technology Authority (NITA), the Ministry of Information and Communication and Technology (MoICT) and the Ministry of Justice and Constitutional Affairs (MoJCA) issued a draft Data Protection and Privacy Bill for public comment. During the consultation, the ICT Policy Centre for Eastern and Southern Africa (CIPESA) submitted observations that the broad justifications for collecting personal data – namely "proper performance of a public duty by a public body" and "national security" – were overly broad and vulnerable to misinterpretation. It noted that the retention of data for national security purposes was concerning for the security and use of personal data because the term 'national security' had not been defined.
The bill seeks to protect the privacy of the individual and personal data by regulating the collection and processing of personal information. It outlines the rights of individuals whose data is collected and the obligations of data collectors and data processors; and it regulates the use or disclosure of personal information. The Bill was tabled before Parliament in April 2016.
Telecommunications and internet service providers are required to ensure that their services are technologically capable of allowing lawful interception, and in such a way so that the target of the interception remains unaware of it, according to Section 8 the Regulation of Interception of Communications Act (2010).
In December 2018, the Parliament of Uganda passed the Data Protection and Privacy Bill, 2015 after conducting a two days debate on the committee report. As of January 2019, the passed bill is pending the presidential signature before becoming law.
We are not aware of any accountability mechanisms related to surveillance in Uganda. Please send any tips or information to: firstname.lastname@example.org
Data breaches: case law
We are not aware of any case law related to data breaches in Uganda. Please send any tips or information to: email@example.com
Examples of data breaches
In June 2017, the New Vision reported that confidential data held by the National Identification and Registration Authority (NIRA) could have been breached following a serious case of financial fraud. The case was condemned by Ugandan civil society group Unwanted Witness. The government denied any suggestion that NIRA's databases had not been adequately secured.
ID cards and databases
In 2015, the Ugandan parliament passed the Registration of Persons Act to harmonize existing laws on the registration of persons, establish a single central registration body and a national identification register of all persons in Uganda, and provide rules to govern the access and use of this information. The act established the National Identification and Registration Authority, which oversees the issuing of national identity cards. The act makes it compulsory for all Ugandan citizens to register with the Authority and to register minors in their care.
Commentators noted that the act does not contain data protection clauses. This could potentially lead to violation of Article 27 of the Uganda constitution, which guarantees the right to privacy.
In 2016, Ugandan media reported that according to internal memos circulated to all ministries heads of departments, as well as chief administrative officers and town clerks across the country, public servants who failed to obtain national identity cards by July 1 would have their names removed from the government payroll.
On 22ndMay 2018 the British Government, through the Department for International Development (DfID), donated biometric machines to government of Uganda worth half a million pounds. The machines were meant to monitor the attendance of public servants were installed in public facilities like hospitals and education centres in selected districts.
According to the Electoral Commission, all Ugandan citizens over the age of 18 are entitled to vote. Voters must reside or originate from the parish in which they intend to vote. Voters must be registered in the Photo-Bearing Voters’ Register (PVRIS or NVR) which holds the following data: photograph, names, electoral areas including polling station, date of birth, sex, and voter's code number.
SIM card registration
Registration of SIM cards has been mandatory in Uganda since March 2012, following a campaign by the Uganda Communications Commission, citing the Regulation of Interception of Communications Act (2010).
The UCC stated that SIM registration information would be stored confidentially by telecommunications operators in a secure database. The UCC justified the initiative as necessary to “[h]elp law enforcement agencies to identify the mobile phone SIM card owners”, “[t]rack criminals who use phones for illegal activities”, “[c]urb other negative incidents such as; loss of phone through theft, nuisance/hate text messages, fraud, threats and inciting violence”, and “[h]elp service providers (network operators) know their customers better.” In 2015, the Ministry of Security reportedly ordered the UCC to verify information provided by telephone users in the SIM card registration exercise by matching data collected during the National Identity card registration exercise with that gathered in the SIM card registration exercise.
The UCC ordered telecommunications providers to deactivate all unregistered SIM cards by 30 August 2017. The UCC directive ordering the verification exercise had previously been challenged by the Uganda Law Society.
In March 2018, Uganda Communications Commission issued a directive banning the sale of new SIM cards with fresh guidelines requiring all telecom service providers to put in place National ID card readers so as to verify information electronically against the database maintained by the National Identification Registration Authority (NIRA), a body which is a custodian of citizens’ National ID data. The directive followed a spate of murders in the country with government linking the criminals to unregistered SIM cards. The ban was however lifted on 13 April after NIRA gave 50 biometric machines to telecom companies to aid in capturing of users’ data.
Policies and Sectoral Initiatives
Uganda has a national cybersecurity policy, the National Information Security Policy, published in 2014. The policy outlines the mandatory minimum security controls that must be applied by all public and private sector organisations that use, own and/or operate protected computers, and handle official communications and personal data to reduce their vulnerability to cyber threats. The policy also defines 'critical infrastructure' and 'critical information infrastructure'. Uganda also has a National Information Security Strategy (NISS), according to the National Information Technology Authority (NITA). The National Information Security Strategy (NISS) does not provide specific actionable directives related to cybersecurity.
As regards privacy, the National Information Security Policy requires all organisations to "Ensure that remote access solutions, including contracts with IT suppliers, comply with applicable legislative or regulatory constraints in particular the Official Secrets Act, 1964 and the Access to Information Act, 2005 regarding the handling of information, which is likely to prejudice the security of the State or interfere with the right to the privacy of any other person."
The Uganda National Computer Emergency Response Team (CERT-UG) was established in 2014 to coordinate cybersecurity incident response.
In July 2017, the Daily Monitor reported that the Chinese government had agreed to offer Uganda a comprehensive cybersecurity solution through a statutory company. The solution would reportedly include technical capacity to monitor and prevent social media abuse.
Cybercrime is largely regulated by the 2011 Computer Misuse Act. The act comes after the first known case of a person (a blogger in 2010) reportedly being charged for offences relating to free expression on the internet.
The Computer Misuse Act makes provisions for the safety and security of electronic transactions and information systems. The act creates several computer misuse offences, for example, unauthorized modification of computer material, unauthorised access, access with intent to commit or facilitate commission of further offence. It also outlines mechanisms for investigation and prosecution of the offences, as well as appropriate sentences for each offence.
There does not appear to be any restriction on the use of encryption in Uganda. The use of end-to-end encrypted messaging applications, particularly WhatsApp, are popular.
Licensing of industry
Uganda's telecommunications industry is governed by the Uganda Communications Commission (UCC). The Commission's mandate is to develop "a modern communications sub-sector and Infrastucture in Uganda, in conformity with the operationalization of the Telecommunications Policy."
The National Information Technology Authority is an autonomous statutory body established under the NITA-U Act (2009), to coordinate and regulate Information Technology services in Uganda. It is supervised by the the Ministry of Information and Communication Technology (MoICT).
Uganda's main mobile network providers are a mixed group of Ugandan, African, and international providers. These include:
MTN Uganda (a subsidiary of South African company MTN);
Airtel Uganda (a subsidiary of Indian company Bharti Airtel);
Uganda Telecom (partially government-owned and partially owned by a subsidiary of the Libya Africa Investment Portfolio);
Africell Uganda (formerly Orange, Africell is an African company founded in The Gambia);
Smile Telecom (an African provider incorporated in Mauritius);
Sure Telecom (a subsidiary of Time turns Holding Ltd, Cyprus);
K2 Telecom (a private Ugandan company);
Smart Telecom (owned by the Industrial Promotion Services (IPS) Kenya, which is part of the Aga Khan Fund for Economic Development); and
Vodafone Uganda (a subsidiary of the British Vodafone group).
The National Information Technology Authority-Uganda (NITA-U) is mandated by the NITA-U Act of 2009 to "promote and provide technical guidance for the establishment of e-Government, e-Commerce and other e-Transactions in Uganda."
The government is engaged in various e-governance initiatives including: the Nationwide ICT Backbone and e-Government Infrastructure and central government intranet system; the Ministry of Finance's Integrated Financial Management System (IFMS); the Uganda Revenue Authority's tax filing system; the Ministry of Health's Health Management Information System; and the Ministry of Public Service's Integrated Personnel and Payroll System (IPPS).
Health sector and e-health
Patients of Uganda's overburdened health sector often have little privacy; maintaining confidentiality is difficult in circumstances where multiple patients are often treated in the same rooms. A draft Patients' Rights and Responsibilities Bill (2015), reportedly contains some provisions ensuring patient privacy and the confidentiality of medical information.
The Ugandan government has been investing heavily in CCTV. The number of cameras in the capital Kampala appears to have increased over the last several years and the government periodically announces new purchases of CCTV technology, primarily in Uganda's main cities.
In 2014, it was reported that a Chinese telecommunications technology company, Huawei, had donated a multi-tracking system worth US$ 750,000 to the Kampala Capital City Authority of the Ugandan government. In March 2017, President Museveni announced that new CCTV cameras would be installed in all major towns of Uganda and along highways following the murder of a senior police officer. In February 2015, the Ugandan Parliament reportedly spent UGX 28 billion (over US$ 9.8 million) on CCTV cameras and other security measures provided by Chinese technology firm ZTE. Nevertheless, the police requested a further investment of 203 billion UGX (US$ 43 million) in CCTV in April 2017,
In early 2017, the Uganda Police Force launched a new smartphone app to encourage citizens to report crimes. Civil society groups including PI partner Unwanted Witness raised concerns about the wide range of access permissions the app requires from its users.
We are not aware of any privacy issues related to transportation in Uganda. Please send any tips or information to: firstname.lastname@example.org
The 2015-2019 strategic plan of the Kampala Capital City Authority announced a 700,000 USD initiative to turn Uganda's capital into a "smart city". The KCCA considers a "smart city" to be "a city that uses Information and Communication Technology (ICT) as an enabler to the services that a city delivers in dimensions such as smart payments, smart planning, smart transportation, smart environment, smart education, smart communities and social services and smart governance."
Among the proposed initiatives are setting up ICT Infrastructure (called “K-NETWORK”): Wide Area Network connectivity, structured Local Area Networks and system power, enterprise licenses management for server/client computers and a modern data centre.
In August 2017, the Speaker of the House, Rebecca Kadaga, met with officials from Chinese audiovisual surveillance company Dahua to discuss collaboration on safe city projects, according to media reports.
We are not aware of any privacy issues related to migration in Uganda. Please send any tips or information to: email@example.com
We are not aware of any privacy issues related to emergency response in Uganda. Please send any tips or information to: firstname.lastname@example.org
Humanitarian and development programmes
We are not aware of any privacy issues related to humanitarian and development programmes in Uganda. Please send any tips or information to: email@example.com
The Ugandan government has shown a strong desire to monitor social media over the past several years.
In April 2011, the UCC reportedly instructed ISPs to block access to social networking sites Facebook and Twitter for 24 hours “to eliminate the connection and sharing of information that incites the public,” allegedly at the request of security agencies concerned over demonstrations linked to the ‘Walk to Work’ protest movement.
On 30 May 2013, Security Minister Muruli Musaka announced the formation of a Social Media Monitoring Centre allegedly “to weed out those who use it to damage the government and people’s reputations.”
On 18 February 2016, shortly before the Presidential election, the UCC shut down access to social networking sites Facebook and Twitter and instant messaging service WhatsApp, citing unspecified security concerns and directives.
The Ugandan government has unsuccessfully attempted to block Tom Voltaire Okwalinga (TVO), a vocal pseudonymous critic of the government who publishes frequently on Facebook. In March 2017, the government appealed a ruling by the High Court of Ireland, where Facebook is headquartered, which refused the government's attempt to force Facebook to reveal TVO's identity.
In June 2018, Parliament passed the Excise Duty Amendment Bill 2018 which among others introduced a tax on the access of social media. The amendment which commenced on July 1st 2018 imposed a daily payment of UGX 200 (5 US cents) for service access but exempting educational or research purposes. This move received criticism from human rights activists.