National Medical Stores

National Medical Stores (NMS) is committed to protecting the privacy, confidentiality, and security of all personal data entrusted to us. In line with the Data Protection and Privacy Act, 2019 of Uganda, NMS upholds the highest standards of data governance as part of our mandate to procure, store, and distribute essential medicines and health supplies across the country.

This page outlines how we collect, use, store, and safeguard information from the public, suppliers, partners, and health facilities.

1. Our Commitment to Data Protection & Privacy

National Medical Stores (NMS) is committed to safeguarding the privacy, confidentiality, and integrity of all personal data entrusted to us. As a statutory body mandated to procure, store, and distribute Essential Medicines and Health Supplies (EMHS), we recognise that responsible handling of personal information is central to public trust and good governance.

We comply with the Data Protection and Privacy Act, 2019, its Regulations, and all other applicable laws governing the collection, use, security, retention, and disclosure of personal data in Uganda.

This Data Protection & Privacy Statement explains how NMS protects personal data, the governance structures in place, and the standards we apply across all our operations and digital platforms.

2. Our Role as Data Controller

NMS is a designated Data Controller, determining the purpose and manner in which personal data is collected and processed. Our responsibilities include:

  • Ensuring lawful and transparent processing
  • Protecting the rights of data subjects
  • Implementing robust technical and organisational safeguards
  • Ensuring all staff, agents, and service providers comply with data protection requirements
  • Demonstrating accountability to regulators and stakeholders

All NMS directorates, departments, and programmes operate under a unified data protection framework overseen by the NMS Data Protection Office.

3. Governance, Principles & Standards

NMS processes personal data in line with the following principles:

Lawfulness, Fairness & Transparency

We collect and process data only where there is a clear legal basis, operational necessity, or documented consent.

Purpose Limitation

Personal data is used strictly for the purposes for which it was collected, including statutory operations, procurement, human resource administration, distribution of EMHS, and customer service.

Data Minimisation

We only collect data that is relevant, adequate, and necessary.

Accuracy

We take reasonable steps to ensure that personal data is accurate, complete, and up to date.

Integrity & Confidentiality

NMS applies administrative, physical, and technical controls to protect data against unauthorised access, loss, theft, alteration, or misuse.

Accountability

We maintain documentation, logs, controls, and oversight processes demonstrating compliance with the Act.

4. How We Protect Personal Data

NMS maintains a comprehensive data protection programme incorporating:

    Technical Safeguards

    • Secure servers, role-based access, and multi-level authentication
    • Encrypted data transmission and secure storage
    • Network firewalls, intrusion detection and prevention systems
    • Continuous monitoring of critical systems
    • Regular backups and disaster recovery mechanisms

    Organisational Safeguards

    • A dedicated Data Protection Office
    • Data protection policies and SOPs across all directorates
    • Mandatory confidentiality obligations for staff and service providers
    • Staff training on data handling and information security
    • Vendor and contractor compliance requirements

    Physical Safeguards

    • Controlled access to NMS facilities and repositories
    • CCTV and security monitoring
    • Secure document storage with restricted access
    • Protocols for the safe disposal of physical records

5. How Personal Data is Used

Personal data is used strictly for lawful and operational purposes relating to NMS’s mandate, including:

  • Order processing, delivery management, and accountability for health supplies
  • Supplier and contractor management
  • Digital platform access, including the Client Self Service Portal (CSSP)
  • Customer support, complaints management, and stakeholder engagement
  • Financial and procurement processes
  • System monitoring, auditing, and security control
  • Legal compliance, reporting, and support to oversight bodies

NMS does not engage in commercial profiling, selling, or monetisation of personal data.

6. Data Sharing & Third-Party Access

NMS shares personal data only when:

  • Required by law (e.g., regulators, auditors, law enforcement)
  • Necessary for statutory operations (e.g., Ministry of Health, health facilities)
  • Engaging service providers who support our ICT, logistics, or operational systems and who are bound by strict confidentiality and security obligations
  • Authorised by the data subject through explicit written consent

All third parties must comply with NMS’s data security standards and contractual controls.

7. Data Retention & Disposal

NMS retains personal data only for the period necessary to fulfil its lawful mandate and to comply with:

  • Public records and archival laws
  • Procurement and financial regulations
  • Statutory reporting and audit requirements

At the end of the retention period, NMS applies secure disposal methods including:

  • Permanent deletion
  • Secure destruction of physical files
  • De-identification or anonymisation where appropriate

8. Your Rights as a Data Subject

Under the Data Protection and Privacy Act, 2019, you have the right to:

  • Access your personal data
  • Request correction of inaccuracies
  • Object to certain types of processing
  • Request erasure or restriction (where applicable)
  • Withdraw consent for optional processing
  • Receive clear information on how your data is used

NMS will respond to such requests within the timelines provided by law and may require identity confirmation to protect your information.

9. Breach Management & Incident Response

NMS has established procedures for:

  • Detecting and assessing suspected data breaches
  • Containing and mitigating risks
  • Notifying affected individuals and the Personal Data Protection Office (PDPO) where required
  • Reviewing and strengthening controls to prevent recurrence

We take all data incidents seriously and treat them as priority security matters.

10. Contact the NMS Data Protection Office

If you have questions about how NMS handles personal data, or if you wish to exercise your data rights, please contact:

Data Protection Office
National Medical Stores
Plot 261, Kiwamirembe Road, Kajjansi Town Council, Wakiso District
Email: dataprotection@nms.go.ug 
Phone: +256 (0)417 104000

11. Updates to This Policy

NMS may update this Data Protection & Privacy Policy to reflect legal, technological, or operational changes. Updates will be published on this page, with a revised “Last updated” date.
