Data protection is crucial in the online realm, encompassing measures to safeguard sensitive information from unauthorized access, use, or disclosure. It involves the implementation of security protocols, encryption, and access controls to ensure the confidentiality and integrity of data.
As our lives become increasingly intertwined with online platforms, the significance of safeguarding data from malicious access, use, or disclosure cannot be overstated.
The essence of data protection extends beyond mere confidentiality, encompassing the broader spectrum of ensuring data integrity. This entails preventing unauthorized alterations to information, preserving its accuracy and reliability.
In this digital era, every single person has to be vigilant to ensure that their data is not breached, which commonly occurs as a result of cyber-attacks, malware, or human error. Breaches compromise user privacy, leading to potential identity theft, financial losses, or other malicious activities, making detection and response critical to minimizing the impact of data breaches.
Personal data that can be compromised includes financial details, nationality, age, marital status, education level, occupation, address, health, and identification number, among others.
In 2019, Parliament passed the Data Protection and Privacy Act, 2019, which establishes the Data Protection and Privacy Office to raise awareness, establish and maintain a data protection register, monitor and regulate standards for personal data protection, receive and investigate complaints relating to violations of the law, issue enforcement notices and penalties for non-compliance with the Data Protection and Privacy Act, and provide guidance to organizations on how to comply with the Data Protection and Privacy Act.
Edinah Kasozi, Manager Licensing and Legal Affairs at the Personal Data Protection Office, says that the most important thing is to be aware that anyone can be a target of cyber criminals who cause data breaches.
“Anybody can get hacked. There is no 100 percent way you can guard against cyber criminals. Breach is part and parcel of life. We all like to enjoy Wi-Fi, free internet. But as we enjoy the WiFi, are we conscious, how do we navigate the login credentials, do you know how to identify a secure website as you are browsing, do you regularly update your software, can you tell that there is a virus on your gadget, do you know how to identify spam, do you review the permissions granted to apps on your smartphone,” she says.
Kasozi highlights general tips to Ugandans to protect personal data online
“Acknowledge that you are a target to cyber criminals, practice good password management, i.e. using unique passwords, use free Wi-Fi with caution, set a strong password for your Wi-Fi and change login credentials, check to see if the website you are browsing is secure (http v https), regularly update your software, antivirus and malware protection, be cautious with emails, avoid phishing scams, never leave devices unattended, practice a clean desk policy,” she says.
Mrs. Kasozi also calls on Ugandans to implement two-factor (2FA) and multi-factor (MFA) authentication.
Two-factor authentication (2FA) is a security process that requires two different authentication factors to verify a user’s identity. This is in contrast to single-factor authentication (SFA), which only requires one factor, such as a password or a PIN.
When a user tries to access a protected resource, they will be prompted to provide both of these factors. For example, they may be asked to enter their password and then to approve a notification sent to their smartphone.
2FA is a more secure authentication method than SFA because it is more difficult for an attacker to gain access to all of the factors that are required. If a password is compromised, an attacker will still not be able to access the account if they do not have the second factor.
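The login check described above, as an added example that is not part of the original article: the second factor here is a time-based one-time code (TOTP, RFC 6238) from an authenticator app rather than the push notification the article mentions, and the account record, password and function names are constructed for illustration.

```python
import hashlib
import hmac
import struct

def totp(secret: bytes, now: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 one-time code (HMAC-SHA1) for the 30-second window containing `now`."""
    counter = struct.pack(">Q", int(now) // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def hash_password(password: str, salt: bytes) -> bytes:
    # First factor is stored as a salted, slow hash, never as the password itself.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def login(account: dict, password: str, code: str, now: float) -> str:
    """Return 'ok', 'bad_password' or 'bad_second_factor' (for server logs, not the user)."""
    supplied = hash_password(password, account["salt"])
    if not hmac.compare_digest(supplied, account["pw_hash"]):
        return "bad_password"
    # Accept the current window and the previous one to tolerate clock drift.
    for t in (now, now - 30):
        if hmac.compare_digest(code, totp(account["totp_secret"], t)):
            return "ok"
    return "bad_second_factor"

# Constructed sample account; every value is made up for this example.
ACCOUNT = {
    "salt": b"constructed-salt",
    "pw_hash": hash_password("correct horse battery", b"constructed-salt"),
    "totp_secret": b"12345678901234567890",      # secret from the RFC 6238 test vectors
}

if __name__ == "__main__":
    now = 59                                     # RFC 6238 test time
    phone_code = totp(ACCOUNT["totp_secret"], now)
    print(login(ACCOUNT, "correct horse battery", phone_code, now))  # owner with phone
    print(login(ACCOUNT, "correct horse battery", "000000", now))    # stolen password only
```

The second call models the case in the paragraph above: the password is correct, but without the device that holds the shared secret the login is refused.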
Kasozi also advises Ugandans to use a Virtual Private Network (VPN) on Wi-Fi to encrypt their internet connection, review the permissions granted to apps on smartphones and other devices, revoke unnecessary permissions, limit social media sharing as this can be used to guess your password, use secure messaging apps (end-to-end encrypted messaging apps for sensitive communications to avoid interception of your texts), and protect personal information at all costs, i.e. NIN, passport details, mobile etc.
She further asks the public to beware of online scams and fraudulent websites, saying, “whatever appears too good to be true is probably a scam, get rich quick scam.”
For all online services, she says Ugandans must take time to review their financial/credit statements to identify unauthorized transactions.
“Nowadays, we all love to swipe our visa cards at supermarkets when we are buying items. Do you get time to go through all these receipts? Do you take time to review your bank statements periodically; monthly, quarterly, yearly? This is how we are going to be positioned to identify unauthorized transactions,” she said.
For verification, Kasozi says people should always use fictional security questions and avoid easily guessable ones, adding that they should always back up important data to an external hard drive or secure cloud storage, and educate themselves to keep informed about the latest threat trends.
“How informed are we? Let’s try as much as possible to educate ourselves about the latest trends of cybercrime because once you are informed, then it is easy to identify a threat. But if you don’t like to learn, how will you know. You will get a suspicious message and you will not be able to know that it is not safe, and you can end up being robbed. Educate yourself because the breach trends keep changing and advancing with time. But if you know how to identify a breach, a potential threat, then you will be safe.”
She adds: “Adjust your privacy settings on all social media accounts to limit its visibility to the public, use encrypted messaging apps such as Signal or WhatsApp to protect some personal information, secure your devices, set up device lock codes or biometric authentication on your gadgets to prevent unauthorized access, regularly delete unused accounts especially those you no longer use. This will reduce your online footprint.”
Data sharing is the process of making data available to other parties, either within an organization or with external entities. It can be done for a variety of purposes, such as collaboration, research, analytics, or project implementation.
However, data sharing can cause data breaches. When data is shared with third parties, such as a contractor or a subcontractor, it is no longer under the control of the original data owner.
A contractor sharing a client’s data with a sub-contractor breaches the confidentiality rule. On top of that, the sub-contractor may not have the same level of security as the original data owner, and the data may be more susceptible to cyberattacks.
Additionally, data that is shared with third parties may be more difficult to track and monitor, which can make it easier for attackers to steal or misuse the data.
Kasozi advises that before any individual or organization shares their data with a third party, all parties should sign data sharing agreements, which are legally binding contracts that outline the terms and conditions of how data will be shared between two or more parties.
“We need to have policies, procedures and guidelines in place on data sharing because we know that in our economy, you cannot do it all alone. Sometimes you have to sub contract somebody. So, as we share data, we need to sign binding agreements with relevant parties to ensure that we speak the same language when it comes to protection of data subjects entrusted to us,” says Kasozi.
Data sharing agreements typically include provisions such as the types of data that will be shared, the purpose for which the data will be used, the security measures that will be taken to protect the data, and the rights and obligations of the parties involved.
The agreement must include clauses that require the processor to delete or return the personal data after the lapse of the contract.
Data Breach, Response and Monitoring
“Personal data security breaches may be caused by human error, cyber-attacks or privilege abuse among others. You should therefore: train staff on how to recognize a personal data security breach; ensure that there is a breach response plan which is known by staff; staff should know who to report to a suspicion or occasion of data security breach; and notify the Personal Data Protection Office immediately in compliance with the Act,” says Mrs. Kasozi.