I have learned with surprise-and a hint of dismay, that the Government, through the Uganda Communications Commission (UCC), has agreed to give telecommunications operators in Uganda, access to the National Identity Card Database for verification of subscribers before confirmation of SIM card registration.
Although this may deter false registrations, the decision to grant access of personal information to profit making entities may have dire legal and data security implications. Without a clear data security policy and data protection laws, I can only speculate about the implications of a data breach or what would happen if these companies used the data for purposes other than confirmation of identity.
Data is the oil of the information age, and whoever has access to the National Identity Card Database, has in essence, a wealth of information that may be used for other purposes like customer profiling for target advertising.
So, while the Telecom companies themselves through due diligence might take steps to control and secure this data, without a national data security and retention policy, the storage and usage of the data would merely be governed by the entities privacy policies, if any. In the age of cloud computing, it would also be difficult to hold Telecoms accountable in the event of a data breach without clearly defined security guidelines.
This is what happened in the UK in November 2007, when Her Majesty’s Revenue and Customs (HMRC), lost two CD-ROMs containing 25 million records of child benefit recipients, including names, addresses and bank details.
In December 2007, sensitive data, including religious beliefs and sexual orientation, relating to junior doctors were accessible to anyone accessing a website of the UK Department of Health.
In the same month, the UK Driving Agency’s US contractor lost a computer hard drive containing contact details of three million candidates for the driving theory test.
In January 2008, the UK Ministry of Defense lost a computer containing 600,000 staff records.
In all those cases, even with data protection laws, it was difficult for the regulators to asses the extent of liability without clearly elucidated data security guidelines.
It may be wise in this case, for UCC, to issue appropriate technical data security guidelines that the Telecom companies would be contractually obligated to follow, before giving them access to the database. UCC, may also designate the Telecoms as Data controllers and require them to offer guarantees about the security of the data and put mechanisms in check to ensure compliance with defined security measures.
UCC may also provide clear guidelines on the use of the data and put in place sanctions in the event that the Data is used for reasons other than those authorized.
Data protection is globally recognized as a distinct human or fundamental right. Some countries have recognized data protection as a constitutional right, thereby highlighting its importance as an element of democratic societies. The detailed article 35 of the 1976 Constitution of Portugal can be seen as an example of best practice here.
Uganda, has taken steps to regulate data through the Data Protection and Privacy Bill. The law, once in force, will regulate the collection and retention of personal data; and will provide for obligations of data collectors and processors.
The Bill comprehensively provides for rights of persons whose data is collected, obligations of data collectors and data processors, governance measures and procedures to administer, receive complaints and settle disputes.
It also mandates data controllers and processors with the responsibility to protect data subjects and provides for an enforcement mechanism that will allow individuals to enforce their rights and remedies in cases of infringement.
The draft Bill further requires that data subjects should be informed of who the data controller is; the purpose of collecting the data; how long the data will be kept and any third parties to whom the data will be disclosed.
It is unclear in these circumstances, why the Government of Uganda would consider releasing such sensitive information about its citizens to third parties without first passing the Data Protection and Privacy bill into law. This oversight if unchecked, may in the end, open the Telecoms and the regulators, to law suits over the breach of the right to privacy as enshrined under Article 27 of the Constitution of the Republic of Uganda.