Immaculate Kassait, Kenya’s first Data Commissioner

Why the Data Commissioner Should or Shouldn’t Report to a Board

By John Walubengo

The parliamentary committee that investigated the recent Worldcoin saga made several recommendations. One of them, stated on page 115, Section 6(d), reads as follows:

Amend the Data Protection Act, 2019 to provide for a Board where the Office of the Data Protection Commissioner (ODPC) reports to or accounts to on its daily operations.

The insinuation, of course, is that, as currently constituted, the ODPC is not accountable to anyone, beyond writing an annual report that is transmitted to parliament by the ICT Cabinet Secretary.

In most organizations, both in the public and private sectors, the CEOs do report to and are accountable to a board of directors.

Why and how did the ODPC ‘escape’ such a basic corporate governance structure? Did the framers and drafters of the 2019 Data Protection Act get the establishment structure wrong, or might there be other reasons behind this seeming anomaly?

We explore and interrogate these questions.

Firstly, it is important to note that several public offices are not structured to have a board. These include the Office of the Director of Public Prosecution (DPP), the Office of the Auditor General, and the Office of the Registrar of Political Parties (ORPP), just to mention a few.

In essence, having no board is not always a mistake the legal drafters made. It was perhaps a deliberate intention to make certain offices more independent and less conflicted, particularly if those offices are to oversee certain important tasks that are fundamental to the rights and freedoms of citizens.

Privacy, as enshrined in Article 31 of the constitution, happens to be one of those fundamental rights that would require a strong, independent regulator to minimize violations, both from the public and private sectors.

Indeed, some would argue that globally, the executive arms of governments are more likely to violate the privacy rights of citizens than the private sector would.

Arising from this reality, the global best practice that emerges when establishing the Office of the Data Protection Commission would be to make the ODPC less accountable to the executive and more accountable to ‘the people’ by reporting directly to parliament.

This was the initial thinking of the framers and drafters of the 2019 Data Protection Act. 

We must agree that it is, however, not the only model practiced.

Indeed, the Ugandan Data Protection Act does provide for a Board that recruits the National Personal Data Protection Director, who is then appointed by the Ugandan Minister for ICT. This is classically and traditionally how we deal with CEO recruitments in parastatals.

The challenge with this approach is that it situates the data protection regulator in an obvious position of conflict, particularly within the context and understanding that globally, the executive arms of government are more prone to privacy violations.

If the minister in charge appoints and controls the administrative, financing, functional, and operational capabilities of the data regulator, then their level of independence diminishes and ceases to exist.

From a human rights as well as a business perspective, the optics would not look good.

As the country seeks to attract investors in the digital economy, many may find it uncomfortable basing their data investments and operations in an environment where the independence of the data regulator is seen to be questionable or too tightly tied to the executive.

In conclusion, the question would be whether the parliamentary committee, in proposing a Board to oversee the ODPC, made the recommendation without the full information, or had the full information but still felt the board was extremely necessary.

John Walubengo is an ICT Lecturer and Consultant. @jwalu.

