Applying Data Privacy Techniques on Tabular Data in Uganda

The growth of Information Technology(IT) in Africa has led to an increase in the utilization of communication networks for data transaction across the continent. A growing number of entities in the private sector, academia, and government, have deployed the Internet as a medium to transact in data, routinely posting statistical and non statistical data online and thereby making many in Africa increasingly dependent on the Internet for data transactions. In the country of Uganda, exponential growth in data transaction has presented a new challenge: What is the most efficient way to implement data privacy. This article discusses data privacy challenges faced by the country of Uganda and implementation of data privacy techniques for published tabular data. We make the case for data privacy, survey concepts of data privacy, and implementations that could be employed to provide data privacy in Uganda.

💡 Research Summary

The paper “Applying Data Privacy Techniques on Tabular Data in Uganda” addresses the growing need for systematic privacy protection of publicly released tabular datasets in Uganda, a country experiencing rapid ICT adoption but lacking concrete legal and technical frameworks for personal data protection. The authors begin by documenting the surge in internet usage across Africa and specifically in Uganda, noting that universities, the electoral commission, and the Uganda Bureau of Statistics (UBS) regularly publish student admission lists, voter registers, and statistical micro‑data online. While the Ugandan Constitution guarantees a general right to privacy, it does not define “personally identifiable information” (PII) or prescribe any procedural safeguards for electronic data. Existing statutes such as the UBS Act of 1998 merely mention “removal of identifiers” without clarifying what constitutes an identifier, leaving a regulatory vacuum for non‑governmental entities.

A review of related work shows that most Ugandan research focuses on network security, cryptographic protocols, and electronic record management, with virtually no literature on statistical disclosure control or privacy‑preserving data mining (PPDM). The authors therefore position their contribution as the first systematic call for applying privacy‑enhancing technologies (PETs) to Ugandan tabular data.

The paper proceeds to define essential terminology—PII, quasi‑identifiers, confidential attributes, inference attacks, etc.—and distinguishes between non‑perturbative techniques (suppression, generalization) and perturbative techniques (noise addition, differential privacy). Although a broad suite of PETs exists, the authors concentrate on three methods that are relatively easy to implement in low‑resource settings: (1) k‑anonymity, which forces each combination of quasi‑identifiers to appear in at least k records; (2) suppression, which removes cells that are uniquely identifying; and (3) generalization, which replaces specific values with broader categories using domain generalization hierarchies. They acknowledge that achieving optimal k‑anonymity is NP‑hard, and that extensions such as l‑diversity and differential privacy, while theoretically stronger, impose higher computational and expertise demands.

The experimental component uses a real dataset: the Makerere University admission list containing roughly 1,200 student records. The authors adopt the US HIPAA definition of PII as a provisional standard, given Uganda’s lack of a domestic definition. They first strip explicit identifiers (full name, student number, registration number, etc.). The remaining quasi‑identifiers (nationality, sex, birthdate) are then processed through an iterative workflow: generalize birthdate to year ranges, suppress rare nationality entries, and ensure that each quasi‑identifier tuple occurs at least twice (k=2). The workflow is presented as a ten‑step algorithm, including checks for outliers that cannot be grouped and a final utility assessment to confirm that the anonymized table retains meaningful statistical properties.

Results show that the anonymized dataset satisfies k‑anonymity while preserving key aggregates such as gender distribution and enrollment year counts, demonstrating that basic privacy can be achieved without sacrificing the dataset’s analytical value. The authors argue that this lightweight approach is suitable for Ugandan academic institutions, NGOs, and small businesses that lack sophisticated data‑science teams.

In the concluding discussion, the authors propose a pragmatic roadmap for Uganda: (1) adopt an interim PII taxonomy based on international standards; (2) institutionalize a simple k‑anonymity‑based privacy pipeline for any released tabular data; (3) gradually introduce more advanced techniques (l‑diversity, differential privacy) as technical capacity grows; and (4) amend existing legislation to explicitly address quasi‑identifiers and mandate utility‑privacy trade‑off assessments. They also call for collaborative research to develop domain‑specific generalization hierarchies and open‑source tools tailored to African data contexts.

Overall, the paper makes a valuable contribution by highlighting a concrete privacy gap in Uganda, demonstrating a feasible technical solution on real data, and outlining policy recommendations that could serve as a model for other sub‑Saharan nations facing similar challenges.