An investigation mandated under the Data Protection and Privacy Act, 2019 (DPPA), by the National Information Technology Authority – Uganda (NITA-U) has found that SafeBoda unlawfully shared clients’ data with third parties.

A complaint was made to NITA-U that SafeBoda, a platform that connects motorcycle taxi riders with passengers, was sharing users’ data with third-parties and illegally selling the data without the consent of users.

NITA-U found:

  • SafeBoda did not comply with the legal requirement to disclose to the data subjects the recipients of the data collected from them.
  • SafeBoda shared users’ personal data with an analytics company called CleverTap. Since the users did not provide specific and informed consent to share their data with data processors, it was a breach of the DDPA.
  • The contract between SafeBoda and CleverTap included a commitment to maintain confidentiality and security of the data collected as required by the DPPA. However, there were no measures put in place to ensure confidentiality and integrity of the data collected as required.
  • SafeBoda had designated a Data Protection Officer as required by the DPPA.
  • SafeBoda did not have well documented procedures for breaches in security which affected its ability to detect and immediately notify the Data Protection Officer and NITA-U of any breaches in its securities.
  • SafeBoda did not sell users’ data.

Notwithstanding the above findings, NITA-U meted out no punishment. It instead made several recommendations that SafeBoda must implement or otherwise risk criminal prosecution as provided under the DPPA.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.