The Personal Data Protection Office (PDPO) has concluded its investigation into the data security breach involving the Uganda Securities Exchange (USE) and its technology partner, Soft Edge Uganda Limited.
The report revealed that the breach resulted in unauthorised access to the personal data of individuals whose data was collected by USE.
The investigation found that the data security breach was caused by non-compliance with the Information Systems Policies Manual, the Data Protection and Privacy Act, and supporting Regulations.
Specifically, the breach was attributed to a firewall configuration change, made outside the established change management procedures, that left a port open.
The report issued on Wednesday revealed that there were critical areas of non-compliance with the Data Protection and Privacy Act and supporting Regulations. For instance, the Maintenance Agreement between USE and Soft Edge Uganda Limited lacked necessary data protection and privacy clauses.
It failed to specify the types of personal data to be shared and the obligations of both parties to ensure data security and privacy. This inadequacy left the parties without clear data protection and privacy-related responsibilities.
Another significant finding was that both USE and Soft Edge Uganda Limited failed to regularly verify whether the implemented security safeguards were effective. This oversight led to the data security breach going unnoticed for twelve (12) days.
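The two technical findings above (a firewall change made outside change management, and no regular verification that safeguards still held, so the exposure went unnoticed for twelve days) are exactly what a scheduled rule-drift check catches. The following is an added example, not code from the PDPO report or from either organisation: it diffs a host's live `iptables-save` output against an approved baseline and flags any newly added rule that accepts traffic from any source. Both rulesets here are constructed samples, and the baseline stands in for whatever record the change management process keeps of authorised rules.

```python
"""Firewall rule drift check (added example, not from the report).

Compares a live iptables-save dump against an approved baseline and
reports rules that appeared or disappeared without being recorded in
the baseline. Run it on a schedule; a rule that is not in the
approved set is either an unrecorded change or an intrusion, and
either way it should not sit unnoticed for days.
"""
import re
from typing import NamedTuple


class Rule(NamedTuple):
    chain: str
    proto: str
    dport: str
    source: str
    target: str


# Constructed sample: the approved baseline, iptables-save format.
APPROVED_BASELINE = """
*filter
:INPUT DROP [0:0]
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -s 10.0.0.0/8 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
COMMIT
"""

# Constructed sample: the live ruleset, which carries one undocumented
# change exposing port 3306 to every source address.
LIVE_RULESET = """
*filter
:INPUT DROP [0:0]
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -s 10.0.0.0/8 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -p tcp --dport 3306 -j ACCEPT
COMMIT
"""

# Only "-A <chain> ... -j <target>" lines are rules; policy and table
# lines are skipped.
RULE_RE = re.compile(r"^-A\s+(?P<chain>\S+)(?P<rest>.*?)-j\s+(?P<target>\S+)\s*$")


def _opt(rest: str, flag: str, default: str) -> str:
    """Return the value following a whitespace-delimited flag, or a default."""
    m = re.search(rf"(?:^|\s){re.escape(flag)}\s+(\S+)", rest)
    return m.group(1) if m else default


def parse_rules(text: str) -> set[Rule]:
    """Normalise iptables-save lines into comparable Rule tuples."""
    rules = set()
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue
        rest = m.group("rest")
        rules.add(Rule(
            chain=m.group("chain"),
            proto=_opt(rest, "-p", "all"),
            dport=_opt(rest, "--dport", "any"),
            # iptables treats a missing -s as "match any source".
            source=_opt(rest, "-s", "0.0.0.0/0"),
            target=m.group("target"),
        ))
    return rules


def detect_drift(baseline_text: str, live_text: str) -> dict:
    """Rules present only in the live set, and rules missing from it."""
    base, live = parse_rules(baseline_text), parse_rules(live_text)
    return {"added": sorted(live - base), "removed": sorted(base - live)}


def exposed_additions(drift: dict) -> list[Rule]:
    """Added INPUT rules that ACCEPT from any source: the highest-risk drift."""
    return [r for r in drift["added"]
            if r.chain == "INPUT" and r.target == "ACCEPT"
            and r.source == "0.0.0.0/0"]


if __name__ == "__main__":
    drift = detect_drift(APPROVED_BASELINE, LIVE_RULESET)
    for r in drift["added"]:
        print("UNAPPROVED RULE:", r)
    for r in drift["removed"]:
        print("MISSING RULE:   ", r)
    for r in exposed_additions(drift):
        print(f"HIGH: port {r.dport}/{r.proto} open to any source without a change record")
```

In practice the live text comes from `iptables-save` (or the equivalent dump of whatever firewall is in use) and the baseline from version control, so the check also produces an audit trail: every approved change is a commit, and anything the diff reports is, by definition, outside change management.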
Furthermore, Soft Edge Uganda Limited, a data processor for USE, was not registered with the PDPO as required by the Act. This registration was not completed even after an investigation into the data security breach started, constituting a legal violation.
The PDPO recommends that USE initiate disciplinary proceedings against the relevant personnel under its employee policies for their role in the breach. It further recommends that USE ensure the Information Systems Policies Manual is implemented throughout its operations, and that the policy and data-sharing agreements are reviewed and updated to comply with the Data Protection and Privacy Act and supporting Regulations. USE is expected to implement these and the other recommendations in the report within three (3) months from today.
The PDPO has since commenced enforcement action against USE and Soft Edge Uganda Limited for non-compliance with the Data Protection and Privacy Act and supporting Regulations in the areas where a violation of the law was established.
The Personal Data Protection Office (PDPO) is the national body responsible for the implementation and enforcement of the Data Protection and Privacy Act and attendant Regulations.
PDPO coordinates, supervises and monitors all organizations collecting and processing personal data within Uganda and outside Uganda where it relates to Ugandan citizens.
Do you have a story in your community or an opinion to share with us: Email us at editorial@watchdoguganda.com