On 26th June 2025, our own Muhindo Morgan appeared on a panel with the National Identification Registration Authority Executive Director, Ms. Rosemary Kisembo, and the Acting Executive Director of the Personal Data Protection Office, Mr. Baker Birikujja, in a press and public engagement convening organised at the Uganda Law Society House in Kampala, Uganda..
The event started with a presentation from our own, Morgan Muhindo, who raised privacy concerns, Data Subject rights issues like commercialisation of data rectification rights and cyber security concerns over NIRA’s centralised ID system, but also, he highlighted the capacity building activities HEAPI is doing in Western Uganda and Central Uganda around the National ID system; he highlighted the various trainings conducted by HEAPI in over 12 villages covering over 14 local councils 1, in villages located in Wakiso, Buliisa, Hoima, and Kiryandongo Districts.
The trainings followed HEAPI’s field findings that most of the community leaders had little to no knowledge of the legal processes in regard the National ID system. For example, rectification of errors, change of name requirements, among others, which are also data subject rights under the Data Protection and Privacy Act.
During the engagement, Morgan highlighted that:
“NIRA collects a tremendous amount of personal data from each one of us. But to date, we have never seen a Data Protection Impact Assessment [DPIA] from them”
He went to highlight the legal requirement for and importance of a DPIA in high-risk projects like that the National ID system, that is to say, to warn the members of the public interacting with the National ID system, of the kind of data being collected, the purpose for the collection, the risks involved and the mitigation measure, that is not only a transparency issue but an accountability requirement to all data controllers and collectors like NIRA.
Mr. Birikujja, re-echoed the importance of data protection and privacy, since data protection and privacy affect every Ugandan, he also noted that NIRA had indeed conducted a DPIA only that it has never been published publicly, he quickly noted that, a DPIA may contain sensitive information for it to be shared with the public, but that does not stop sharing an abridged versions.
The Executive Director of NIRA highlighted that there are 27. 8 Million registered Ugandans in NIRA ID database, for context, that is more than a half of all Ugandans. Without transparency and accountability in the ID system that has a centralised database of 27.8 million Ugandans, that would affect public trust in the entire system.
While defending NIRA, Ms. Kisembo argued that NIRA has put up the necessary cybersecurity infrastructure to protect its systems and personal data of Ugandans. On the issue of transparency and accountability, she said:
“Communication around citizen registration must be tailored to specific audiences. Sensitization is important- but equally important is how that sensitization is framed. Our messaging should be relevant and actionable for each audience, while maintaining the integrity of our systems and avoid the unnecessary disclosure of technical details.”
The panelists, including our own Mr Muhindo, highlighted exclusion issues as a result of a single and mandatory identification system. However, Ms. Kisembo highlighted that this is being addressed through mass enrolment and mobile registration even in the remotest areas of the Country. She also stated that NIRA has a reach to all the parishes of Uganda as one of the ways of increasing enrollment into the NIRA ID system.
In his parting shots, our Morgan emphasized the importance of accountability and transparency, he highlighted the feedback from the audience indicates that there is an information gap, and he implored NIRA to improve their engagement with the public. He also thanked NIRA for their recent improvement in their online interaction with members of the public, especially on Facebook and X (formerly Twitter).
We thank Uganda Law Society, under the leadership of President Isaac Ssemakadde, for organising such an engagement. As an organisation, we emphasize our commitment to engaging all actors involved in Digital Public Infrastructure systems with a sole goal of making sure they are secure and that they respect our domestic and international human rights and data protection laws and standards.