“Who owns your data?” – a question that has become increasingly pertinent in Uganda’s rapidly growing digital landscape.
In a world increasingly driven by data, governance over personal information has never been more critical. From online banking to health records, personal data shapes the way we interact with services, businesses, and even governments. Yet, as data becomes the currency of the digital age, so do the risks associated with its mismanagement. Recognizing this, civil society organizations (CSOs) in Uganda gathered on August 21, 2024, at the Hilton Hotel in Kampala for an urgent conversation on data governance. Organized by the Africa Freedom of Information Centre (AFIC) in partnership with the Open Institute, this landmark training session sought to bridge the knowledge gap between policy and practice, ensuring that data remains a tool for empowerment rather than exploitation.
The event brought together 29 civil society organizations (CSOs), government representatives, and digital rights advocates to address critical gaps in data protection, privacy, and transparency, key pillars in Uganda’s digital transformation.

“Data is the new currency of power,” declared AFIC Executive Director Gilbert Sendugwa while speaking at the workshop highlighting the alarming reality that Uganda’s data economy is projected to grow by 23% annually, with the sector already worth $1.3 billion. However, amidst this growth, only 12% of citizens understand their rights under the Data Protection Act, and a staggering 78% of civil society organizations lack data protection policies.
Why this workshop mattered
With Uganda’s rapid adoption of digital technologies from AI to e-governance, the risks of data misuse, breaches, and weak enforcement of privacy laws have surged. The workshop aimed to:
- Demystify Uganda’s Data Protection and Privacy Act (2019) for CSOs.
- Equip advocates with tools to hold institutions accountable.
- Foster collaboration between regulators and civil society to close enforcement gaps.
The workshop exposed the dark underbelly of Uganda’s data governance crisis. Participants shared chilling cases of health data exploitation, political surveillance, and digital exclusion, which disproportionately affect rural women and marginalized communities. “We have beautiful laws, but implementation remains a question,” said Gaaba Lakel Maria, AFIC’s communications and advocacy lead. “The Data Protection Act 2019 mandates transparency, yet ministries routinely deny FOI requests.” She added.
To combat these challenges, the workshop unveiled a 5-point action plan, including
- A mass awareness campaign.
- CSO data protection certification
- Public interest litigation.
- CSO-PDPO Partnerships: Joint trainings for NGOs on data audits and compliance.
- Language: Simplify laws into Luganda, Swahili, and sign language.
The Meaning of Data Governance
Data governance encompasses the policies, regulations, and standards that guide how data is collected, stored, used, and shared. Effective data governance ensures privacy, security, and ethical use of information while preventing data breaches and misuse. In Uganda, the Data Protection and Privacy Act of 2019 established legal frameworks to protect citizens’ personal data, but implementation remains a challenge, particularly among civil society organizations handling sensitive data on human rights, healthcare, and financial inclusion.
A Crucial Conversation
The workshop was a melting pot of ideas, bringing together 29 participants from organizations such as CIPESA, SEATINI, CoST Uganda, and Transparency International. Their shared goal? To strengthen Uganda’s data governance landscape through collaboration, capacity-building, and advocacy.
Gilbert Sendugwa, executive director of AFIC, set the tone in his keynote address: “Compliance with data protection laws is not just a legal requirement but a moral obligation. Civil society organizations must lead by example in ensuring that data is collected and stored responsibly, safeguarding the rights and privacy of individuals.”
Participants delved into the historical evolution of data protection, from the Universal Declaration of Human Rights in 1948 to Uganda’s own constitutional recognition of privacy in 1995. Presentations from the Office of the Personal Data Protection Office (PDPO) and the Open Institute unpacked the complexities of the 2019 Act, highlighting the rights of data subjects and the responsibilities of data collectors, controllers, and processors.

“Uganda has some of Africa’s strongest data laws on paper—the Data Protection Act (2019) and the Computer Misuse Act—but in practice? We’re fighting ghosts.” Gaaba Lakel Maria painted a stark picture:
- Telecom companies are selling user data to third parties.
- Government agencies hoarding public datasets while citizens struggle to access to public information.
- NGOs are unknowingly violating privacy laws because “no one trained them.”
Key Takeaways from the Dialogue
One of the most pressing discussions revolved around compliance and enforcement. Many CSOs expressed concerns about limited awareness and technical expertise in handling data responsibly. As Edinah Kasozi from the PDPO noted, “We must move beyond legal provisions and work towards creating a culture of data protection.”
Group discussions further emphasized the need for:
- Capacity Building: Training programs to equip organizations with the technical skills to manage data securely.
- Civic Engagement: Raising public awareness about data privacy and citizens’ rights.
- Legislative Advocacy: Strengthening policies that hold both private and public entities accountable.
- Cross-Sector Collaboration: Enhancing cooperation between government agencies and civil society to create unified data governance standards.
Impact and the Global Picture
The ripple effects of this dialogue extend beyond Uganda’s borders. As more nations across Africa refine their data protection laws, Uganda’s approach can serve as a model for balancing innovation with privacy. The East African Community (EAC) is moving towards harmonized data governance frameworks, and workshops like these lay the groundwork for regional cooperation.
For CSOs, the dialogue was not just about compliance—it was about trust. “When people trust that their data is safe, they engage more openly with organizations, be it in healthcare, governance, or digital services,” remarked AFIC’s Communication and Advocacy Lead. “Transparency and accountability in data handling build stronger institutions and a more informed citizenry.”
Looking Ahead
With clear recommendations in place, the next step is implementation. AFIC and its partners plan to monitor progress, advocate for policy reforms, and continue training CSOs on best practices in data governance.
As Uganda navigates the digital era, one thing is certain: data governance is not just a legal issue—it is a human rights issue. The guardians of data, from policymakers to civil society leaders, have a shared responsibility to protect personal information and uphold the integrity of Uganda’s digital landscape.
This workshop was a pivotal step in that journey, ensuring that data remains a force for good, not a tool for exploitation.