1. Who We Are – Data Controller

National Medical Stores (NMS) is a statutory body mandated to procure, store and distribute Essential Medicines and Health Supplies (EMHS) to public health facilities in Uganda.

Data Controller:
National Medical Stores (NMS)
Plot 261, Kiwamirembe Road, Kajjansi Town Council, Wakiso District, Uganda
Telephone: +256 (0)417 104000
Email: web@nms.go.ug

NMS determines the purpose and means of processing personal data and is therefore a Data Controller within the meaning of the Data Protection and Privacy Act, 2019.

2. How We Collect Personal Data

We obtain personal data through various channels, including but not limited to:

Direct interactions

• When you contact NMS by phone, email, letter, or in person
• When you submit a complaint, inquiry, or feedback
• When you visit NMS premises or attend an NMS event

Digital platforms and online services

• When you use the NMS website or online portals
• When you access or register for the Client Self Service Portal (CSSP)
• When you complete online forms (contact, feedback, supplier enquiry, etc.)

Procurement, supplier and contractor processes

• During prequalification, tendering, contracting and performance monitoring
• When you submit bids, proposals, statutory documents or invoices

Health facility and operational data

• When health facilities place orders and receive deliveries
• When facility focal persons are registered as CSSP or contact users

Surveys, research and stakeholder engagement

• When you participate in NMS surveys, consultations or studies
• When you engage with NMS through outreach, training, and joint programmes

3. Categories of Personal Data We Process

Depending on your interaction with NMS, we may process the following categories of personal data:

Identification and contact details

• Name
• Telephone number
• Email address
• Physical address or workplace
• National ID or staff number where required

Supplier and vendor information

• Company name and registration details
• TIN, statutory compliance documents and licences
• Contact persons and authorised signatories
• Bank details and payment instructions (as required for lawful payments)

Health facility and operational contact data

• Facility name, code and level
• Names and contact details of responsible officers and focal persons
• User accounts for CSSP or other platforms

Digital usage data

• IP address and device information
• Browser type and version
• Pages visited, downloads and interaction with the website
• Log-in timestamps, failed logins and other access logs on NMS systems

Complaint and feedback records

• Details of complaints or inquiries
• Supporting documentation or correspondence

NMS does not routinely collect highly sensitive categories of personal data through its website (such as health status of individuals, biometrics, political opinions, etc.), unless specifically required by law or for a clearly defined public health purpose.

4. Purposes and Legal Basis for Processing

NMS processes personal data only when there is a lawful purpose and basis, including:

1. Fulfilling our legal mandate
   • Procuring, storing and distributing EMHS
   • Managing orders, deliveries and accountability for public health commodities
2. Managing supplier and contract relationships
   • Prequalification, tendering and contract management
   • Payment of invoices and performance management
3. Providing and improving digital services
   • Managing CSSP and related online platforms
   • Monitoring system usage, performance and security
4. Customer service and complaint handling
   • Receiving and resolving inquiries and complaints from health facilities, suppliers and the public
5. Legal, regulatory and audit obligations
   • Compliance with procurement, financial and audit requirements
   • Cooperation with regulators and oversight bodies as required by law
6. Legitimate interests
   • Improving service delivery and user experience
   • Securing NMS information systems and infrastructure
7. Consent
   • Where the law or context requires explicit consent (e.g. optional subscriptions, surveys, or publication of testimonials), NMS will request and record consent and allow withdrawal in line with the Act.

5. Use of Cookies and Website Tracking

The NMS website may use cookies and similar technologies to:

• Enable essential site functions and security
• Remember user preferences and settings
• Generate aggregated statistics on site usage
• Improve user experience and content delivery

You can disable cookies in your browser settings; however, some website functions may not work as intended if cookies are blocked.

NMS does not use cookies to profile individuals or conduct behavioural advertising.

6. Sharing and Disclosure of Personal Data

NMS will not sell or commercially trade your personal data.

We may share personal data in the following circumstances:

1. With other public bodies
   • Ministry of Health, National Drug Authority and other government entities where required for coordination of national health services or compliance with the law.
2. With service providers
   • ICT, hosting, security, and other technical or operational service providers acting under contract and subject to confidentiality and data security obligations.
3. As required by law or legal process
   • Where we are compelled to disclose data by court order, regulatory authority, or other lawful request.
4. With your consent
   • Where you have expressly authorised NMS to share certain information with a third party.

In all cases, NMS will limit disclosure to what is necessary and will ensure appropriate safeguards are in place.

7. Data Security

NMS applies technical and organisational measures to protect personal data against:

• Unauthorised access, alteration, or disclosure
• Loss, theft, or destruction
• Misuse or accidental damage

Such measures include, as appropriate:

• Secure servers and access controls
• Encryption and secure transmission protocols
• Role-based access and authentication
• Regular backups and system monitoring
• Staff awareness and confidentiality obligations

Despite these measures, no system is completely risk-free. NMS continuously reviews and strengthens its controls in line with best practice and public sector requirements.

8. Data Retention

NMS retains personal data only for as long as necessary to:

• Achieve the purpose for which it was collected and processed
• Fulfil the NMS statutory mandate and contractual obligations
• Comply with legal, regulatory, audit and archival requirements

At the end of the relevant retention period, NMS will:

• Securely destroy or delete the personal data; or
• Irreversibly de-identify it so that it can no longer be linked to an identifiable person.

Retention periods may differ depending on the category of data and applicable laws or guidelines (e.g. public records, procurement, or financial regulations).

9. Your Rights as a Data Subject

In line with the Data Protection and Privacy Act, 2019, you have the following rights regarding your personal data held by NMS:

1. Right of access
   • To request confirmation whether NMS holds your personal data and to obtain a copy of such data.
2. Right to rectification
   • To request correction of inaccurate, incomplete or outdated personal data.
3. Right to object to processing
   • To object to the processing of your personal data in certain circumstances, especially where processing is not required by law or contract.
4. Right to restriction or erasure
   • To request restriction of processing or deletion of your personal data, subject to legal and operational limitations.
5. Right to withdraw consent
   • Where processing is based on consent, you may withdraw your consent at any time. This will not affect processing that occurred before withdrawal.
6. Right to be informed
   • To be informed about the collection and use of your personal data in a clear and transparent manner.

Requests to exercise these rights will be handled in accordance with the law and may require verification of identity to protect your information from unauthorised access.

10. Complaints and Redress

If you have concerns about how NMS handles your personal data, you are encouraged to contact NMS directly using the details below.

If you are not satisfied with the response from NMS, you may lodge a complaint with the Personal Data Protection Office (PDPO) in Uganda, in accordance with the Data Protection and Privacy Act, 2019.

11. Contact Information

If you have questions about how NMS handles personal data, or if you wish to exercise your data rights, please contact:

Data Protection Office
National Medical Stores
Plot 261, Kiwamirembe Road, Kajjansi Town Council, Wakiso District
Email: web@nms.go.ug 
Phone: +256 (0)417 104000

12. Changes to This Privacy Policy

NMS may update this Privacy Policy to reflect legal, technological, or operational changes. The “Last updated” date at the top of this page will indicate the latest version. Where changes are material, NMS will take reasonable steps to bring them to your attention.