Privacy of a data subject’s personal data is important to the Fund. The Data Protection and Privacy Act 2019 and Regulations made thereunder mandate the Fund to ensure that a data subject’s personal data is protected from unauthorised access and usage. This privacy statement informs our members and stakeholders about how the Fund Personal data of its data subjects. The Data Protection and Privacy Act 2019 and Regulations mandate the Fund, as data controller, to take responsibility of the data subjects’ personal data.
2.0 Who we are?
The National Social Security Fund (Fund) is a licensed retirement benefits scheme established by the National Social Security Fund Act Cap 222. The Fund receives social security contributions for eligible employees (members) and their employers, invests the contributions and income derived therefrom and pays benefits to its members in accordance with the NSSF Act.
The National Social Security Fund address is;
14th Floor, Workers House
Plot 1 Pilkington Road
P.O Box 7140
3.0 How we receive personal data
Personal data is received by the Fund through various methods, including but not limited to those listed below:
- Through physical interaction during registration, phone, email and meetings when conducting regulatory activities or answering enquiries about social security.
- Through our website, e-channels, NSSF GO mobile application and SMS short code
- Through financial literacy training of members
- Through consultations and customer surveys
- Through audit of employers’ social security remittance records, employee salary payment records and PAYE returns.
- During the processing of claims
- During verification of documents submitted to the Fund
4.0 Why the Fund collects your personal data and how is it processed?
The Fund collects your personal data, as by law required to carry on all its lawful activities and also to enable the opening of an account for each member, which gives that member a onetime unique identity.
The personal data the Fund collects is crucial during the processing of payments, entering into contracts, payment of claims for benefits and all other lawful activities as permitted under the NSSF Act and in compliance with other laws in Uganda.
We also use the data subjects’ personal data to update members and all other stakeholders on the status of their contributions, interest, projected benefits over period of time, payments and any products or services that may be available.
5.0 Can a member Control the personal data availed to the Fund?
A data subject may be allowed to update, erase or include specific information to their personal data held by the Fund in accordance with the law.
6.0 Does the Fund share a data subject’s s personal data with a third party?
The Fund will only share a data subject’s personal data where there is prior consent of the member or where the law expressly requires the Fund to do so in accordance with the Data Protection and Privacy Act 2019 and Regulations made thereunder.
7.0 How long will the data subject’s personal data be retained by the Fund?
The Fund will retain your personal data for as long as is necessary to fulfil the purposes for which it was collected, including for the purposes of satisfying any legal, accounting, or reporting requirements.
To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.
In some circumstances we may anonymise your personal data (so that it can no longer be identify with you), for research or statistical purposes in which, case we may use this information indefinitely without further notice to you.
8.0 Data subject’s legal rights
Under certain circumstances, a data subject enjoys rights, as set out in the Data Protection and Privacy Act 2019 and regulations thereunder in relation to his or her personal data and the privacy thereof, as set out below:
- Right to access personal information
A data subject has a right to request a copy of the personal data the Fund holds about them.
- Right to Rectify Personal Data
Subject to laws and regulations, a data subject has a right to request the Fund to rectify or update any incomplete or inaccurate data the Fund holds about them. The Fund, where necessary, shall verify the accuracy of the new data provided by the data subject before any update or rectification
- Right to prevent processing of personal data
A data subject has a right to object to or prevent the Fund from processing their personal data for particular purposes. In some cases, the Fund may demonstrate that it has compelling legitimate grounds to process a data subject’s personal data, which overrides his or her right to object or prevent processing of his or her personal data.
- Transfer of personal data
A data subject has a right to request the transfer of his or her personal data to a third party. The Fund will provide to the data subject, or a third party chosen, the data subject’s personal data in a structured, commonly used, machine-readable format.
- Withdrawal of consent
Subject to the provisions of the laws of Uganda, a data subject may withdraw consent at any time, where the Fund is relying on consent to process personal data. However, this will not affect the lawfulness of any processing carried out before the data subject withdraws the consent. If a data subject withdraws his or her consent, the Fund may not be able to provide certain services to that member. The Fund shall advise the data subject if this is the case at the time of the withdraw of consent.
9.0 Information we require to process requests
The Fund may request for specific information from a data subject to help in confirmation of identity in order to grant the right to access personal data (or to exercise any other rights).
This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. The Fund may also contact the data subject to ask for further information in relation to a request.