The Uganda Data Protection & Privacy Act, 2019 establishes a Personal Data Protection Office (PDPO) under the National Information Technology Authority (NITA). The responsibilities of the PDPO is responsible for the implementation and enforcement of the Act, for creating and keeping a register of all data processing activities and for investigating complaints. Personal data is defined as any information relating to an identified or identifiable person An identifiable person is a person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, academic, genetic, mental, economic, cultural or social identity of that natural person. The scope of personal data includes an expression of opinion about the individual.
Section 9 of the 2019 Act prohibits the collection and processing of data that relates to religious, philosophical, political opinion, sexual, financial, health status or medical records of an individual. The right to privacy is enshrined in Article 27 of the Constitution. The Act is available here.