Kampala, Uganda–The Personal Data Protection Office (PDPO) on Thursday 13th July, 2023 concluded its investigation into the data security breach involving the Uganda Securities Exchange (USE) and its technology partner, Soft Edge Uganda Limited.
According to findings by PDPO, the breach resulted in unauthorized access to the personal data of individuals whose data was collected by USE.
“The investigation found that the data security breach was caused by non-compliance with the Information Systems Policies Manual, the Data Protection and Privacy Act, and supporting Regulations”, reads in part a report from PDPO.
The breach was specifically attributed to a firewall configuration change that left a port open and that was made without following the established change management procedures.
Additionally, there were critical areas of non-compliance with the Data Protection and Privacy Act and supporting Regulations.
“For instance, the Maintenance Agreement between USE and Soft Edge Uganda Limited lacked necessary data protection and privacy clauses. It failed to specify the types of personal data to be shared and the obligations of both parties to ensure data security and privacy. This inadequacy left the parties without clear data protection and privacy-related responsibilities”, the report reads further.
Another significant finding was that both USE and Soft Edge Uganda Limited failed to regularly verify whether the implemented security safeguards were effective. This oversight led to the data security breach going unnoticed for twelve (12) days.
Furthermore, Soft Edge Uganda Limited, a data processor for USE, was not registered with the PDPO as required by the Act. This registration was not completed even after an investigation into the data security breach started, constituting a legal violation.
The PDPO recommends that USE initiates disciplinary proceedings against relevant personnel as per its employee policies due to their role in the breach. Furthermore, the PDPO recommends that USE ensures that the Information Systems Policies Manual is implemented throughout its operations and that reviews and updates are made to the policy and data-sharing agreements to ensure compliance with the Data Protection and Privacy Act and supporting Regulations. USE is expected to implement the above recommendations and others provided in the report within three (3) months from today.
The PDPO has commenced enforcement action against USE and Soft Edge Uganda Limited for non-compliance with the Data Protection and Privacy Act and supporting Regulations in areas where violation of the law was established.
The Personal Data Protection Office is the national body responsible for the implementation and enforcement of the Data Protection and Privacy Act and attendant Regulations. PDPO coordinates, supervises and monitors all organizations collecting and processing personal data within Uganda and outside Uganda where it relates to Ugandan citizens.
Generally, a person’s right to privacy of information is protected under Article 27 of the Constitution of the Republic of Uganda. The protection under the Constitution has recently been supplemented by the Data Protection and Privacy Act, 2019 and the Data Protection and Privacy Regulations 2021, which were enacted primarily to regulate the collection, processing, use and disclosure of personal data. The Act and Regulations apply to any person, entity or public body collecting, processing, holding or using personal data within Uganda, or collecting, processing, holding or using personal data of Ugandan citizens from outside Uganda.
The Data Protection and Privacy Act commenced on 3 May 2019 while the Regulations took effect on 12 March 2021.
There are also other sector-specific laws that incorporate data protection provisions applicable to the activities governed under those particular laws. These laws include, but are not limited to, the Access to Information Act, 2005, the Regulation of Interception of Communications Act, 2010, the Computer Misuse Act, 2011 (as amended) and the Registration of Persons Act, 2015.
Headquartered along Bombo Road, Makerere-Kavule, in Uganda’s capital Kampala and founded in 2007, Soft Edge is a software innovation firm started by two computer engineers.