Report Flags Major Data Protection Gaps in 2026 Polls
A new report by Unwanted Witness has raised concerns about major gaps in data protection and digital governance during Uganda’s 2026 general elections, warning that millions of voters’ personal and biometric data were exposed to risks because of weak oversight and poor institutional compliance.
The report, titled “Uneven Enforcement of Data Protection Laws Puts Data Subjects’ Rights at Risk in Uganda’s 2026 Polls,” argues that although Uganda entered the elections with the Data Protection and Privacy Act in place, enforcement remained inconsistent throughout the electoral process.
Researchers describe the 2026 elections as Uganda’s “most technologically intensive electoral cycle,” driven by biometric voter verification systems, integration of National Identification Numbers, digital voter portals, electronic results management and data-driven political campaigns.
According to the findings, the Electoral Commission of Uganda deployed more than 109,000 Biometric Voter Verification Kits nationwide and heavily integrated the National Identification Number system into voter registration and verification.
The report warns that the increasing merger between civil identity systems and electoral infrastructure heightened risks of surveillance, profiling and “function creep,” where personal data collected for one purpose is reused for another.
One of the report’s strongest criticisms concerns institutional compliance with data protection requirements. Investigators found that the Electoral Commission reportedly registered with the Personal Data Protection Office only after the January 21, 2026 presidential and parliamentary elections, despite being one of the country’s largest processors of sensitive voter information.
Researchers further stated that no political party registered with the Personal Data Protection Office during the entire electoral cycle. The report also says no publicly available Data Protection Impact Assessments were demonstrated for high-risk biometric systems used during the elections. Privacy notices, retention policies and clear voter data deletion mechanisms were also reportedly lacking.
Researchers highlighted growing use of data-driven political campaigning, including bulk SMS messaging, automated calls, social media targeting and analytics-based voter segmentation. They argue that many of these activities operated without transparent consent procedures or clearly identified data controllers, raising concerns about unlawful political profiling.
The report additionally referenced the FANON voter application incident, saying it exposed weaknesses in Uganda’s digital voter data governance systems. According to the findings, weak authentication controls potentially allowed voter information to be scraped, aggregated and reused at scale.
Concerns were also raised about the performance of biometric voter verification kits on polling day. The study cites reports of machine failures, delayed opening of polling stations, connectivity problems and malfunctioning devices that forced some officials to revert to manual verification processes. Researchers say the disruptions undermined voter confidence and raised questions about transparency and auditability.
Beyond the election process itself, the report warns that Uganda’s political landscape is increasingly shaped by a complex digital ecosystem involving state agencies, telecommunications systems, global social media platforms, private technology vendors and data intermediaries. Researchers argue that this environment creates new vulnerabilities linked to surveillance, manipulation and disinformation.
The study also raised alarm over the emergence of AI-generated political disinformation, including deepfake audio and video content, which it says amplified misinformation risks during campaigns. Despite the concerns, the report acknowledged positive interventions such as a national training on ethical data practices for electoral stakeholders conducted in July 2025 and advisory notices issued to political actors ahead of polling day. However, researchers concluded that these measures failed to produce “measurable, systemic compliance outcomes.”
Among its recommendations, the report urges the Electoral Commission to publish a comprehensive electoral data governance framework, conduct independent cybersecurity audits and establish automatic deletion policies for biometric logs and voter data extracts.
The Personal Data Protection Office was also urged to adopt stronger oversight mechanisms and issue binding electoral data protection guidelines ahead of future elections.Political parties were advised to formally register with the data protection office, appoint Data Protection Officers and publish privacy notices governing campaign-related data collection and digital messaging.According to the report, Uganda’s 2026 elections did not suffer from a lack of laws, but rather from what researchers describe as “an implementation deficit.”“Privacy in elections is not merely an individual right,” the report states. “It is a precondition for trust, fairness, and legitimacy in a digitally mediated democracy.”
The report, titled “Uneven Enforcement of Data Protection Laws Puts Data Subjects’ Rights at Risk in Uganda’s 2026 Polls,” argues that although Uganda entered the elections with the Data Protection and Privacy Act in place, enforcement remained inconsistent throughout the electoral process.
Researchers describe the 2026 elections as Uganda’s “most technologically intensive electoral cycle,” driven by biometric voter verification systems, integration of National Identification Numbers, digital voter portals, electronic results management and data-driven political campaigns.
According to the findings, the Electoral Commission of Uganda deployed more than 109,000 Biometric Voter Verification Kits nationwide and heavily integrated the National Identification Number system into voter registration and verification.
The report warns that the increasing merger between civil identity systems and electoral infrastructure heightened risks of surveillance, profiling and “function creep,” where personal data collected for one purpose is reused for another.
One of the report’s strongest criticisms concerns institutional compliance with data protection requirements. Investigators found that the Electoral Commission reportedly registered with the Personal Data Protection Office only after the January 21, 2026 presidential and parliamentary elections, despite being one of the country’s largest processors of sensitive voter information.
Researchers further stated that no political party registered with the Personal Data Protection Office during the entire electoral cycle. The report also says no publicly available Data Protection Impact Assessments were demonstrated for high-risk biometric systems used during the elections. Privacy notices, retention policies and clear voter data deletion mechanisms were also reportedly lacking.
Researchers highlighted growing use of data-driven political campaigning, including bulk SMS messaging, automated calls, social media targeting and analytics-based voter segmentation. They argue that many of these activities operated without transparent consent procedures or clearly identified data controllers, raising concerns about unlawful political profiling.
The report additionally referenced the FANON voter application incident, saying it exposed weaknesses in Uganda’s digital voter data governance systems. According to the findings, weak authentication controls potentially allowed voter information to be scraped, aggregated and reused at scale.
Concerns were also raised about the performance of biometric voter verification kits on polling day. The study cites reports of machine failures, delayed opening of polling stations, connectivity problems and malfunctioning devices that forced some officials to revert to manual verification processes. Researchers say the disruptions undermined voter confidence and raised questions about transparency and auditability.
Beyond the election process itself, the report warns that Uganda’s political landscape is increasingly shaped by a complex digital ecosystem involving state agencies, telecommunications systems, global social media platforms, private technology vendors and data intermediaries. Researchers argue that this environment creates new vulnerabilities linked to surveillance, manipulation and disinformation.
The study also raised alarm over the emergence of AI-generated political disinformation, including deepfake audio and video content, which it says amplified misinformation risks during campaigns. Despite the concerns, the report acknowledged positive interventions such as a national training on ethical data practices for electoral stakeholders conducted in July 2025 and advisory notices issued to political actors ahead of polling day. However, researchers concluded that these measures failed to produce “measurable, systemic compliance outcomes.”
Among its recommendations, the report urges the Electoral Commission to publish a comprehensive electoral data governance framework, conduct independent cybersecurity audits and establish automatic deletion policies for biometric logs and voter data extracts.
The Personal Data Protection Office was also urged to adopt stronger oversight mechanisms and issue binding electoral data protection guidelines ahead of future elections.Political parties were advised to formally register with the data protection office, appoint Data Protection Officers and publish privacy notices governing campaign-related data collection and digital messaging.According to the report, Uganda’s 2026 elections did not suffer from a lack of laws, but rather from what researchers describe as “an implementation deficit.”“Privacy in elections is not merely an individual right,” the report states. “It is a precondition for trust, fairness, and legitimacy in a digitally mediated democracy.”
The Future Belongs to Adaptable Workers-Kagina
The youth and professionals in the county must prepare for a rapidly changing global labou…
Report Flags Major Data Protection Gaps in 2026 Polls
A new report by Unwanted Witness has raised concerns about major gaps in data protection and digital governance during Uganda’s 2026 general elections
