
Privacy Scorecard Report

The Privacy Scorecard report is a tool used to assess and evaluate the privacy practices of organizations and companies.
It provides a comprehensive overview of how organizations handle personal data and how they protect the privacy of individuals. The purpose of the Privacy Scorecard report is to give consumers and stakeholders the information to make informed decisions about the privacy and security of their personal information.

The scope of the report typically covers an organization’s privacy policies, data collection and use practices, and security measures. The privacy scorecard utilizes objective, quantifiable parameters for analyzing the policies and practices of the selected data collectors.

In 2023, the Privacy Scorecard Report provided an overview of the privacy and data protection regimes in Uganda, Kenya, Zimbabwe and Mauritius, highlighting their strengths and weaknesses.
The role of The Privacy Scorecard is to provide objective measurements for analyzing the policies and practices of major data collectors when it comes to handling data. We focus on a handful of specific, measurable criteria that can act as a vital stopgap against unfettered abuse of user data.
The report is based on a systematic evaluation of the existing laws and regulations, as well as the implementation of these laws in practice. The report provides insights into the current state of privacy and data protection in these countries and makes recommendations for improvement. This report is valuable for policymakers, businesses, and individuals who are interested in ensuring privacy and data protection in these countries.



Over the last decade, trends on the global scene indicate growing interest in and commitment to the enactment, adoption and strengthening of data protection laws. This has largely been motivated by widespread social media complaints and scrutiny of violations, abuses and breaches, and by the general interest of countries in complying with internationally recognised laws and standards. By 2020, it was projected that about 137 new countries globally would enact data protection laws in addition to the 50 countries that strengthened their laws in this area in the last decade alone.

This great ray of hope extends to the African continent. By February 2023, 36 out of 54 African countries are, for example, said to have adopted data protection and privacy laws, with 16 signing the African Union Convention on Cyber Security and Personal Data Protection, adopted on 27 June 2014 (the "Malabo Convention"), and thirteen countries having ratified it. As a result, 2022 was projected to be a year of more robust enforcement of this newly adopted framework. The 2023 Privacy Scorecard aims, to a large extent, to establish how this prediction played out in the selected countries of Zimbabwe, Uganda, Kenya and Mauritius.



The 2022 Privacy Scorecard report builds on the 2021 report and expands the scope to include Kenya. The methodology adopted in the 2022 report goes deeper, focusing on only three sectors: telecommunications, financial services and e-commerce. The 2022 report is made possible by a collaboration between Unwanted Witness and the Centre for Intellectual Property and Information Technology Law (CIPIT).

The main objective of the 2022 report is to generate research that could be used to empower data collectors/processors to adopt data protection best practices, and citizens to demand accountability in the area of personal data protection. The report could also inform legal and policy reform for the better management of the personal data of data subjects, especially by non-state actors.



The 2021 Scorecard report focuses on the law, corporate policies and practices. It will turn a spotlight on how the policies of the private and public sectors either advance or hinder the privacy rights of users, and it will recognize those companies or government agencies that buttress and ensure data protection and privacy best practices. The idea is to protect data privacy rights of individuals by ensuring that data collectors/processors bring more.

Data collectors/processors are required to be transparent about access to and use of personal data, and to respect our right to privacy and dignity at all times, as stipulated in the data protection law. Some companies are increasingly meeting those expectations, but there are still many companies that lag behind, fail to enact best practices around transparency, or don't prioritize user privacy and dignity.