Unwanted Witness has released an analysis evaluating how Uganda’s top data collectors adhere to privacy standards and best practices that protect consumers’ personal data. The analysis dubbed Privacy Scorecard Report, contains three main sections of findings.

The three main sections include

  • A significant lack of compliance with Uganda’s 2019 Data Protection and Privacy Act.
  • Inconsistent privacy policies across Africa that leave consumers vulnerable in countries without strong data-protection policies.
  • The presence of location and profiling trackers across mobile and web applications that collect and sell data for commercial benefit without transparent policies.

Overall, the report found that organizations in Uganda and across Africa continue to struggle to keep citizens’ data safe. This puts Africans at risk of fraud, identity theft, discrimination, and social and reputational harm.

“We introduced the Scorecard to encourage data collectors and processors to adopt protection best practices and to empower Ugandan citizens to demand information pertaining to the ways in which their personal data is being collected and used. While also recognizing those actors that are complying with laws and best practices,” said Dorothy Makasa, Executive Director of Unwanted Witness.

The report evaluated 32 of the most active companies doing business online in Uganda. They include organizations in eCommerce, financial services, telecoms, insurance, the government, social security, and private hospitals. Companies included were; MTN, Airtel, Safeboda, Absa Bank, Stanbic Bank, Jumia, Maskini, KiKUU, and Centenary Bank.

The average overall performance of the companies and agencies is a score of 35%. More than half of those studied practice robust data security, and 40% comply with privacy best practices. Surprisingly, a lot of organizations have no Secure Sockets Layer (SSL) certificates or report poor SSL server test results, making them highly vulnerable to attacks.

In addition, organizations tend to withhold personal user information. Just 8% indicate third parties with whom personal data will be shared in their privacy policy. None of the 32 organizations disclose how much data is requested and shared with third parties such as government bodies and law-enforcement agencies.

In terms of law compliance, the report examines the privacy policies and privacy-law compliance among 11 companies with a presence in Uganda and operating across Africa. The firms assessed include MTN, Airtel Safeboda, Bolt, UAP Insurance, Absa Bank, Stanbic Bank, Jumia, Maskini, KiKUU, and Centenary Bank.

“Instead of valuing consumer privacy, this analysis shows us that companies are meeting only the minimum requirements in the countries in which they operate. We would like to see a world in which companies set high standards that value the rights of every person regardless of the strength of their countries’ data-protection laws,” said Allan Sempala Kigozi, Head of Programs for Unwanted Witness and the author of the report.

A few companies, including Jumia, Safeboda, and Kikuu have consistent privacy policies across the countries in which they operate. During the third Privacy Symposium Africa this week, participants called on organizations to make data collection and privacy a top priority.