Date: 2017-04-10. Opinion.

The Daily Monitor of March 2 reported that the government has allowed telecoms to access confidential personal data held by the National Identification and Registration Authority (NIRA) in order to enforce new directives on SIM card registration.

This public-private information sharing is in response to recent criminal acts where the perpetrators have purportedly been using unregistered SIM cards to coordinate their criminal enterprises.

This government's autarchic surrender of our ID information to telecom companies is a threat to the nation's cyber security and people's civil liberties.

It is not lost on me that the government's and perhaps telecom companies' move may be innocent and well-intentioned in response to recent criminal acts in the country.

However, in this quest to avert crime in the real world, as it is referred to in cyber security circles, the government is running the risk of surrendering the nation's personally identifiable information (PII) database to criminals in the virtual world. Unlike the real world, the virtual world has no geographical boundaries.

The registration of SIM cards is already the responsibility of telecom companies pursuant to the Uganda Communication Commission Act. The very rationale of the policy of surrendering our PII to these companies concedes that telecom companies have failed in this duty, which, to my mind, has a small logistical implication on their hefty profits.

Having tragically failed in the execution of such a simple and cheap duty, what are the guarantees that they have the will to install robust and expensive cyber security infrastructure that would protect our private information against cyber breaches?

Public-private information sharing should only be permitted in environments where the currently available technological, administrative and physical protections of the shared information are maximally robust, particularly where such information is likely to include personally identifiable information (PII) or other potentially sensitive information.

This is an indictment on database holders in this era of light-speed attacks that are far too fast and systematic. It is only possible that our private information can be compromised, disrupted or damaged long before these Ugandan telecom companies are aware of the attack vectors and possible remedial steps.

It is a bitter pill to swallow as well that the Ugandan legal regime does not provide for public disclosure of attempted and successful cyber breaches launched on these companies at the expense of consumers. This in effect means that Ugandan companies have no legal obligation whatsoever to disclose cyber-attacks to their customers, and yet prudent international cyber consumer protection law and practice requires consumers to be notified of any breach of a company's database.

It is my submission that, with the recent cyber breach reports about Uganda, the currently available cyber technology infrastructure, procedures and best practices required for enhanced cyber threat protection by these companies are suspect. The surrender of our private information to these companies, some of which are multi-national and foreign-owned, is likely to put the nation's security at risk.

This government's move to surrender our PII is a violation of civil liberties on privacy and protection of personal property as well. This amounts to a tort of intrusion on seclusion, which is prohibited in civilised nations. PII that is held by the National Identification and Registration Authority (NIRA) is private personal property whose transfer to telecom companies as third parties should be with the owner's consent.

The Uganda Registration of Persons Act, the law from which NIRA derives its authority of collecting and storing the citizens' PII, expressly prohibits disclosure of information to third parties other than government departments.

The law considers such information as confidential and provides that no person shall disclose the same unless required by law. I am not aware of any law that has qualified these private telecom companies as government departments. It therefore follows that any disclosure and/or surrender of our PII to these telecom companies will be a naked violation of the law and an attempt to erode our civil liberties of privacy. The law as it is at the moment prohibits government from sharing our PII with private companies.

At the very least, should the government consider it inevitable to surrender the nation's PII database to private companies, enabling legal instruments should be enacted so as to set the security parameters of such a move. Otherwise, any misuse or cyber breach of such information would not be remedied by the current law, on the basis that anything not prohibited or regulated is considered lawful.

It is my submission that if the government is so bent on sharing our personal information with private companies, questions of proportionality, which balance competing values in a public-private information sharing scheme, should be reasonably addressed.

Therefore, any proposed legal instrument should spell out the authorised uses of information: what information may be used, and how and when it may be used.

The law should enshrine provisions on protections against information repurposing by these companies and should emphasise differentiated access and selective revelation to these companies.

Mr Muhawe is a lawyer/advocate and a Master of Laws candidate (Intellectual Property & Cyber Law) at the University of Illinois, USA.