It is common knowledge that data is one of the most vital assets for any organization. And as such, many laws that impact information security have been established to protect the privacy of individuals and shield individuals against both identity theft and the undesirable disclosure of personal information. All over the continent, various countries have laws to this effect, and Uganda has not been left behind.
In the United States, there is a patchwork of laws that affect different industries depending on the nature of their business and the types of sensitive information they handle. These include:
- The Health Insurance Portability and Accountability Act (HIPAA), passed in 1996, which places strict privacy and security regulations on healthcare providers.
- The Family Educational Rights and Privacy Act (FERPA), which controls how educational institutions handle student educational records.
- The Gramm-Leach-Bliley Act (GLBA), passed in 1999, which covers the financial services sector.
- The Children’s Online Privacy Protection Act (COPPA), which protects the privacy of children under the age of 13 when they access websites.
As seen above, the United States has several laws that each cover very specific use cases; countries in the European Union approach data privacy in a completely different way. On the 25th of May 2018, the General Data Protection Regulation (GDPR) went into effect after giving the various entities over a year to become compliant. Since implementation, various fines have been issued for non-compliance.
The Data Protection and Privacy Act 2019
On the 25th of February 2019, the President of Uganda signified his assent to the Data Protection and Privacy Act (DPPA), which had been in development for several years. This act was set up to protect the privacy of the individual and of personal data by regulating the collection and processing of personal information; to provide for the rights of the persons whose data is collected and the obligations of data collectors, data processors and data controllers; to regulate the use or disclosure of personal information; and for related matters.
The DPPA has eight parts, which together cover 40 sections. The parts of the act are:
- Part 1: Preliminary
- Part 2: Principles of Data Protection
- Part 3: Data Collection and Processing
- Part 4: Security of Data
- Part 5: Rights of Data Subjects
- Part 6: Data Protection Register
- Part 7: Complaints
- Part 8: Offences
The DPPA covers very many types of personal information in a broad and comprehensive way. There is no doubt that the stakeholders behind the drafting of this act are very brilliant people.
As a company focused on providing training and related services that raise awareness of cybercrime and information security, we concentrate in this article mainly on Part 4: Security of Data.
Part 4: Security of Data
Part 4 starts at Section 20: Security Measures. Subsection one clearly states that,
‘A data controller, data collector or data processor shall secure the integrity of personal data in the possession or control of a data controller, data processor or data collector by adopting appropriate, reasonable, technical and organizational measures to prevent loss, damage, or unauthorized destruction and unlawful access to or unauthorized processing of the personal data.’
Subsection 2 further states that a party identified as a data controller shall take measures to:
- identify reasonably foreseeable internal and external risks to personal data under that person’s possession or control;
- establish and maintain appropriate safeguards against the identified risks;
- regularly verify that the safeguards are effectively implemented; and
- ensure that the safeguards are continually updated in response to new risks or deficiencies.
As an IT security firm that has interacted with various companies and assessed how they handle their data and IT systems, we see Section 20 being failed at alarming rates in this country.
There are very many organizations that have never bothered about information security. If a survey were taken to find out how many organizations have undertaken vulnerability assessments and penetration tests, we would quickly notice how our data, especially personally identifiable information (PII), is at the mercy of criminals (hackers).
Very many of the organizations we have interfaced with (under Project Frontline) run software that is very old and unpatched, making it easy for hackers to access that data. In addition, data is sent over unencrypted networks in plain text. This means that any attacker sniffing the network can easily steal login credentials.
Organizations such as financial institutions have taken tremendous steps to ensure information security. This is mainly due to pressure from regulators and the reputational damage that comes with a data breach involving loss of money.
Healthcare institutions, on the other hand, seem to still be operating in the 20th century. These entities hold people’s health information, and yet take little to no measures to protect that information.
From my perspective as a cybersecurity expert, when you visit various hospitals you should be extremely worried about what will happen on the day a hacker steals health information and then demands a ransom from the hospital and the patients in exchange for not making that information publicly available.
In conclusion, as you go for your next hospital visit, take a moment and observe the following:
- Open wi-fi networks that are used by both the hospital infrastructure and patients.
- Open ethernet ports in areas accessible to patients and/or visitors.
- The operating systems used in hospitals. Almost all computers in hospitals run either Windows XP or Windows 7.
- Personnel who leave computers unlocked and unattended in the presence of patients.
- Old Microsoft Office applications that no longer receive updates.
- Patient data software that has never been updated.
- Computers that are left exposed in areas that should be inaccessible.
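As an added illustration (not part of the original article or the Project Frontline report), the following Python self-check turns the observations above into a repeatable inventory review that a hospital could run against its own asset list, tagging each finding with the Section 20(2) duty it most directly undermines; the asset fields, the 90-day patch threshold, the duty mapping and the sample inventory are assumptions constructed for the example.

```python
from dataclasses import dataclass

# Indicators drawn from the article's hospital checklist. Both operating
# systems are past vendor end-of-life; these protocols carry credentials
# unencrypted, so anyone sniffing the network can read them.
END_OF_LIFE_OS = {"windows xp", "windows 7"}
PLAINTEXT_PROTOCOLS = {"http", "ftp", "telnet"}


@dataclass
class Asset:
    """One computer in the inventory (field names are assumptions)."""
    name: str
    os: str
    transport: str            # protocol used to reach the patient-data service
    days_since_patch: int     # age of the newest installed OS/application update
    open_wifi: bool = False   # on a wireless network shared with patients/visitors
    screen_lock: bool = True  # locks automatically when left unattended


def assess(asset: Asset, max_patch_age_days: int = 90) -> list[str]:
    """Return one finding per indicator that fires; an empty list means none fired.
    The bracketed tag is the Section 20(2) duty the finding most directly breaches."""
    findings = []
    if asset.os.lower() in END_OF_LIFE_OS:
        findings.append(f"end-of-life OS {asset.os!r} [update safeguards]")
    if asset.transport.lower() in PLAINTEXT_PROTOCOLS:
        findings.append(f"patient data sent over plaintext {asset.transport} [maintain safeguards]")
    if asset.days_since_patch > max_patch_age_days:
        findings.append(f"no updates for {asset.days_since_patch} days [verify safeguards]")
    if asset.open_wifi:
        findings.append("shares an open wi-fi network with patients [identify risks]")
    if not asset.screen_lock:
        findings.append("no automatic screen lock when unattended [maintain safeguards]")
    return findings


# Constructed sample inventory: one neglected front-desk PC and one well-kept server.
SAMPLE_INVENTORY = [
    Asset("reception-pc", "Windows XP", "http", 1200, open_wifi=True, screen_lock=False),
    Asset("records-server", "Windows Server 2019", "https", 14),
]


def section20_review(assets: list[Asset]) -> dict[str, list[str]]:
    """Map every asset to its findings so gaps can be tracked and re-verified over time."""
    return {a.name: assess(a) for a in assets}


if __name__ == "__main__":
    for name, findings in section20_review(SAMPLE_INVENTORY).items():
        print(f"{name}: {'OK' if not findings else f'{len(findings)} finding(s)'}")
        for f in findings:
            print("  -", f)
```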
Download the Project Frontline Report here