Open Letter to PDPO-Ug on National ID Risks

By Lilian Agaba Nabwebale & Stephen Semigabo

Africa-Press – Uganda. The Digital Agenda Forum is a civic initiative that brings together technology experts, professionals, and enthusiasts dedicated to providing critical insights at the intersection of technology, society, and public policy. The Forum believes that the true digital agenda must harness technology to serve the common good, rather than become a tool of oppressive control.

It should uphold fundamental values and human dignity, not undermine them. The Forum calls for digital systems that promote transparency, accountability, and the protection of essential human freedoms in an increasingly data-driven world, without reducing individuals to mere global data points.

In line with this mission, in an open letter dated 16th June 2025 (Reference P2025-06-0001), the Digital Agenda Forum wrote to the Personal Data Protection Office (PDPO-Ug), expressing deep concern over the ongoing mass National Identification Number (NIN) renewal exercise currently being implemented by the National Identification and Registration Authority (NIRA).

As this process unfolds, the Forum has observed a significant increase in the collection of personal and biometric data, ranging from full names, birth details, tribal origins, and parentage to facial photographs, signatures, fingerprints, and iris scans.

While the Forum acknowledges the government’s intent to modernise identity systems and improve public service delivery, it is alarmed by the scope, sensitivity, and manner in which this data is being gathered, especially since the National ID has become a compulsory requirement for essential services.

The NIN has evolved into a universal identifier within Uganda. It is now required for access to banking services, business registration, licensing, public services, tax compliance, SIM card activation, and mobile money transactions exceeding one million shillings.

This consolidation of identity, economic life, and civic access into a single number raises serious legal, ethical, and governance concerns, particularly in the absence of sufficient safeguards. It centralises power in ways that increase the risks of profiling, surveillance, identity theft, and the exclusion of vulnerable populations from critical services.

Uganda’s own Data Protection and Privacy Act, 2019 provides a clear legal framework for the collection and processing of personal data. Section 10 protects the right to privacy and prohibits unlawful data processing.

Section 12 requires that data collected be adequate, relevant, and not excessive in relation to the purpose for which it is gathered. Section 13 obliges all data collectors and processors to be transparent about the purpose, nature, and recipients of the data they handle.

The Act also grants Ugandans rights under Sections 24 to 33, including the rights to access, rectify, or erase their personal data and to seek compensation in case of misuse.

Additionally, biometric data such as fingerprints, facial images, and iris scans is classified as sensitive personal data under the Act and must be processed under strict conditions. Its collection requires clear justification, purpose limitation, and appropriate safeguards, including the undertaking of Data Protection Impact Assessments (DPIAs), as provided for under Section 21.

The Digital Agenda Forum is concerned that this legal threshold is not being consistently met in the current exercise.

The Registration of Persons Act, 2015 gives NIRA certain powers to collect personal data, but the current expansion into advanced biometric capture, particularly iris scans, requires clarification. It is unclear whether such collection is authorised within NIRA’s existing legal mandate.

In addition, the Tax Procedures Code (Amendment) Bill, 2025, which designates the NIN as the Tax Identification Number, further centralises this credential in state–citizen interactions. While possibly aimed at administrative efficiency, such integration deepens the risks associated with data misuse and demands robust legal and regulatory oversight.

Uganda is also constitutionally and internationally bound to respect the right to privacy. Article 27 of the Constitution guarantees this right, and Uganda is aligned with international frameworks such as the OECD Privacy Guidelines and the European Union’s General Data Protection Regulation (GDPR), both of which consider biometric data as special category data that must be processed only under strict necessity, proportionality, and transparency.

The Digital Agenda Forum commended the Personal Data Protection Office (PDPO) for progress made in strengthening Uganda’s data protection regime. Notable achievements include enforcement actions against non-compliant entities, registration of thousands of data controllers and processors, and the rollout of public sensitisation tools such as a compliance toolkit and digital complaints platform. These efforts have laid important groundwork.

However, the Forum highlighted that the nature and scale of the NIN renewal exercise call for visible and proactive oversight by the PDPO to ensure legal compliance and public trust.

A further area of concern involves the role of third-party institutions that rely on the National ID to deliver services, such as banks, telecom operators, tax bodies, regulators, and licensors. These entities routinely require personal data through the NIN, linked to the National ID database, yet many questions remain about whether they comply with the law.

Do they provide privacy notices? Have they conducted DPIAs? Do they collect only what is necessary? Are there policies in place to regulate the retention, sharing, and protection of the data they gather? Without clear answers to these questions, Ugandans remain exposed to potential data misuse.

Accordingly, the Digital Agenda Forum respectfully requested the Personal Data Protection Office to clarify the legal basis for collecting extensive personal and biometric data, including fingerprints, facial photographs (scans), and iris scans during the National ID renewal process. The Forum asked the Office to confirm whether NIRA and all related institutions have conducted DPIAs and whether these are publicly available.

It also requested clarification on whether the current data collection methods fall within NIRA’s mandate under the Registration of Persons Act, and whether the PDPO has issued or intends to issue guidance on the integration of the NIN across essential public and private services. The Forum further sought assurance that all third-party institutions relying on the National ID are registered with the Office, have designated Data Protection Officers, and are compliant with the law.

It requested the public release of relevant data-sharing agreements and the safeguards in place for managing the personal data being collected, and asked that the steps being taken to ensure transparency, legality, and enforcement of all data processing linked to the NIN renewal be clearly outlined.

The Digital Agenda Forum chose to make this an open letter because the issues it raises affect millions of Ugandans whose personal data is being collected, often without their understanding, consent, or the means to question such practices. Many do not know their rights or where to turn for redress.

This letter, therefore, not only seeks institutional accountability but also stands in solidarity with the people of Uganda, whose data and dignity must be safeguarded. The open letter is publicly available at www.thedigitalagenda.org/openletters.

The Digital Agenda Forum emphasised that Uganda deserves an identity system that enables access to services without infringing upon constitutional rights. While acknowledging the progress made in strengthening data protection, the Forum noted that the current approach to biometric data collection warrants urgent scrutiny, public transparency, and enforcement of the law.

It formally requested a written response to the concerns raised and expressed its willingness to engage constructively to ensure that the ongoing digitisation of identity in Uganda is fair, lawful, and rights-respecting.

By this letter, the Forum copied in the Permanent Secretary of the Ministry of ICT and National Guidance, the National Information Technology Authority – Uganda (NITA-U), and the National Identification and Registration Authority.

The writers are Ugandan citizens.

Source: Nilepost News
