Commit f26b325

docs: update README, CHANGELOG, and regulatory tracking for v1.3.0
Adds Uganda DPPA 2019, Tanzania PDPA 2022, and Ethiopia PDP (draft) to all documentation — coverage table, OPA Rego table, jurisdiction router table, Quick Start examples, and roadmap. CHANGELOG entry for v1.3.0 (306 → 384 tests, 3 → 6 jurisdictions). REGULATORY-CHANGES.md updated with initial implementation rows and three new "watch" entries including Ethiopia PDPP critical-monitoring flag.
1 parent 32991b7 commit f26b325

3 files changed

Lines changed: 59 additions & 3 deletions

CHANGELOG.md

Lines changed: 19 additions & 0 deletions
@@ -7,6 +7,25 @@ Versioning: [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
77

88
---
99

10+
## [1.3.0] — 2026-06-18
11+
12+
East Africa policy expansion — Uganda, Tanzania, and Ethiopia regulatory packs.
13+
14+
### Added
15+
16+
- **Uganda DPPA 2019** (`uganda-dppa.yaml` + `rego/uganda-dppa.rego`) — Uganda Data Protection and Privacy Act 2019. Covers: NIRA national ID (CM + 12-char) blocking, biometric deny, PDPO breach-suppression detection, financial data escalation, special category (health, ethnic origin, religion) escalation, cross-border transfer controls (s.13, s.19, s.22). Permitted regions: `af-south-1`, `af-east-1`, `uganda`, `UG`. 28 tests.
17+
- **Tanzania PDPA 2022** (`tanzania-pdpa.yaml` + `rego/tanzania-pdpa.rego`) — Tanzania Personal Data Protection Act 2022. Covers: NIDA national ID (20-digit format) blocking, biometric deny, PDPC breach-suppression detection, consent-enforcement deny, special category escalation, cross-border transfer controls (s.8, s.13, s.17, s.25). Permitted regions: `af-south-1`, `af-east-1`, `tanzania`, `TZ`. 28 tests.
18+
- **Ethiopia PDP** (`ethiopia-pdp.yaml` + `rego/ethiopia-pdp.rego`) — Ethiopia Computer Crime Proclamation No. 958/2016 + draft Personal Data Protection Proclamation. Covers: Fayda/MOSIP ID blocking, biometric deny, unauthorised-access detection (Proclamation 958/2016), ECA breach-suppression detection, special category escalation, cross-border transfer controls. Permitted regions: `af-south-1`, `af-east-1`, `ethiopia`, `ET`. Pack tagged `draft` — update when dedicated PDPP is enacted. 28 tests.
19+
- **Jurisdiction router updated**`UG`, `TZ`, `ET` added to `jurisdiction_policies`. NG routes 9 packs; KE, ZA, UG, TZ, ET each route 6 (5 universal + 1 regulatory).
20+
- **README updated** — Coverage table, OPA Rego table, Jurisdiction Router table, Quick Start examples, and Roadmap all updated for the three new packs.
21+
22+
### Changed
23+
24+
- Total OPA tests: 306 → 384 (78 new tests across the three packs)
25+
- Jurisdiction count: 3 → 6 (NG, KE, ZA → NG, KE, ZA, UG, TZ, ET)
26+
27+
---
28+
1029
## [1.2.0] — 2026-06-16
1130

1231
Universal agent safety controls — 5 new policy packs applicable to any AI agent.
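
Review bot: The test arithmetic in the 1.3.0 entry does not add up: each of the three pack bullets ends with "28 tests" (84 in total), while the Changed section says "306 → 384 (78 new tests across the three packs)". Either the per-pack counts or the totals need correcting so the entry is self-consistent. The "Jurisdiction router updated" bullet on new line 19 is also missing the dash separator the other bullets use between the bold label and the description.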

README.md

Lines changed: 34 additions & 3 deletions
@@ -2,11 +2,11 @@
22

33
[![Validate Policies](https://github.com/kingztech2019/agt-policies-nigeria/actions/workflows/validate.yml/badge.svg)](https://github.com/kingztech2019/agt-policies-nigeria/actions/workflows/validate.yml)
44

5-
**Nigerian & African AI Agent Governance Policies for Microsoft's [Agent Governance Toolkit (AGT)](https://github.com/microsoft/agent-governance-toolkit)**
5+
**Pan-African AI Agent Governance Policies for Microsoft's [Agent Governance Toolkit (AGT)](https://github.com/microsoft/agent-governance-toolkit)**
66

77
A community policy pack that extends AGT with two governance layers:
88
- **Universal agent safety controls** — prompt injection, PII leakage, tool permissions, human approval, model routing (apply to any AI agent regardless of jurisdiction)
9-
- **African regulatory compliance** — NDPA 2023, CBN regulations, NFIU/AML rules, BVN/NIN data protection, Kenya DPA, POPIA (jurisdiction-routed)
9+
- **African regulatory compliance** — NDPA 2023, CBN, NFIU/AML, BVN/NIN, Kenya DPA, POPIA, Uganda DPPA, Tanzania PDPA, Ethiopia PDP (jurisdiction-routed)
1010

1111
Two policy formats:
1212
- **YAML** (`policies/*.yaml`) — drop-in rules files, validated by the AGT linter, no new infrastructure
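
Review bot: On new line 9 the regulatory list now mixes statutes with bare acronyms: trimming "CBN regulations, NFIU/AML rules, BVN/NIN data protection" to "CBN, NFIU/AML, BVN/NIN" leaves a regulator and two identifier schemes sitting in a list of laws. Keep the qualifiers from the removed line so a reader can tell what is being complied with, even if that makes the bullet longer.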
@@ -49,6 +49,9 @@ Jurisdiction-routed: policies activate based on `customer_country` in context.
4949
| `nfiu-aml-str.yaml` | NFIU AML/CFT Regulations | STR/CTR triggers, structuring detection, velocity controls |
5050
| `popia-south-africa.yaml` | POPIA (South Africa) | Cross-border transfer controls, special personal information, SA ID masking |
5151
| `kenya-dpa.yaml` | Kenya Data Protection Act 2019 | Cross-border transfer restrictions, sensitive data, breach notification (72h to ODPC) |
52+
| `uganda-dppa.yaml` | Uganda Data Protection and Privacy Act 2019 | Cross-border transfers, biometric blocking, NIRA national ID protection, financial data, PDPO breach notification |
53+
| `tanzania-pdpa.yaml` | Tanzania Personal Data Protection Act 2022 | NIDA national ID (20-digit), special category data, PDPC breach notification, consent enforcement |
54+
| `ethiopia-pdp.yaml` | Ethiopia Proclamation 958/2016 + draft PDPP | Fayda/MOSIP ID protection, unauthorised access detection, ECA breach notification, cross-border controls |
5255

5356
### OPA Rego (structured-parameter enforcement)
5457

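Review bot: The three new rows describe the control as "breach notification", while the CHANGELOG entry and the Rego table in this same commit describe it as breach-suppression detection. Those are different behaviours (sending a notice versus flagging an attempt to withhold one), so the table should use whichever the YAML rules actually implement. The Tanzania row also omits the cross-border transfer controls and biometric deny that the CHANGELOG lists for that pack.
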
@@ -65,6 +68,9 @@ Jurisdiction-routed: policies activate based on `customer_country` in context.
6568
| `nfiu-aml.rego` | `agt_policies_nigeria.nfiu` | Exact ₦5M CTR threshold on `input.params.amount`, structuring zone (₦4.5M–₦4.99M) |
6669
| `kdpa-data-protection.rego` | `agt_policies_africa.kdpa` | Cross-border transfers, sensitive data, biometric blocking, ODPC accountability |
6770
| `popia-south-africa.rego` | `agt_policies_africa.popia` | `destination_country` adequacy list (POPIA s.72), SA ID 13-digit format validation |
71+
| `uganda-dppa.rego` | `agt_policies_africa.uganda_dppa` | NIRA national ID blocking, biometric deny, PDPO breach suppression detection, financial data escalation |
72+
| `tanzania-pdpa.rego` | `agt_policies_africa.tanzania_pdpa` | NIDA 20-digit ID blocking, PDPC breach suppression detection, consent enforcement, biometric deny |
73+
| `ethiopia-pdp.rego` | `agt_policies_africa.ethiopia_pdp` | Fayda ID blocking, unauthorised access detection (Proclamation 958/2016), ECA breach suppression, biometric deny |
6874

6975
---
7076

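Review bot: None of the three new rows mentions cross-border transfer controls, although the CHANGELOG lists them, with permitted regions, for every pack and the neighbouring kdpa and popia rows lead with them. The existing rows in this table also name the parameter being checked (`input.params.amount`, `destination_country`); the new rows name no input field, so a reader cannot tell which structured parameters these policies evaluate. Suggest adding the transfer control and at least one field name per row.
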
@@ -162,7 +168,6 @@ opa eval -d policies/rego/ndpa-data-residency.rego \
162168
-i examples/inputs/ndpa-allow-permitted.json \
163169
"data.agt_policies_nigeria.ndpa.decision"
164170
# → "allow"
165-
```
166171

167172
# NFIU: block a ₦6M transfer (at CTR threshold — routes to human review)
168173
opa eval -d policies/rego/nfiu-aml.rego \
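
Review bot: The only change in this hunk, removing the closing code fence at old line 165, is not mentioned in the commit message or the CHANGELOG entry and is unrelated to the three new packs. If it fixes a stray fence, say so in the message; if not, the NDPA and NFIU examples now run together until the fence at new line 213, which should be checked in a rendered preview. While here, the unchanged comment on new line 172 says "block" and "at CTR threshold" for a ₦6M transfer that it also says routes to human review, and the Rego table gives the threshold as exactly ₦5M; the wording could be tightened.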
@@ -187,6 +192,24 @@ opa eval -d policies/rego/popia-south-africa.rego \
187192
-i examples/inputs/popia-deny-biometric.json \
188193
"data.agt_policies_africa.popia.decision"
189194
# → "deny"
195+
196+
# Uganda DPPA: block NIRA national ID in output
197+
opa eval -d policies/rego/uganda-dppa.rego \
198+
-i examples/inputs/uganda-deny-nira-id.json \
199+
"data.agt_policies_africa.uganda_dppa.decision"
200+
# → "deny"
201+
202+
# Tanzania PDPA: block NIDA number in output
203+
opa eval -d policies/rego/tanzania-pdpa.rego \
204+
-i examples/inputs/tanzania-deny-nida-id.json \
205+
"data.agt_policies_africa.tanzania_pdpa.decision"
206+
# → "deny"
207+
208+
# Ethiopia PDP: detect unauthorised access attempt
209+
opa eval -d policies/rego/ethiopia-pdp.rego \
210+
-i examples/inputs/ethiopia-deny-unauthorized.json \
211+
"data.agt_policies_africa.ethiopia_pdp.decision"
212+
# → "deny"
190213
```
191214

192215
All example input files are in [`examples/inputs/`](examples/inputs/). See [`docs/compliance-mapping.md`](docs/compliance-mapping.md) for the full mapping of regulatory obligations → Rego rules → expected decisions.
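
Review bot: The three new commands depend on `examples/inputs/uganda-deny-nira-id.json`, `tanzania-deny-nida-id.json` and `ethiopia-deny-unauthorized.json`, but this commit changes only CHANGELOG.md, README.md and REGULATORY-CHANGES.md. Please confirm those input files already exist on the parent commit, otherwise the Quick Start fails as written. The trailing context line points readers to `docs/compliance-mapping.md` for the full obligation-to-rule mapping, and that file is not touched here either, so it may not yet cover the new packs. Each pack also gets only a deny example; an allow case, as the NDPA example has, would show the permitted path.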
@@ -279,6 +302,9 @@ opa eval -d policies/rego/jurisdiction-router.rego \
279302
| `NG` | CBN, BVN/NIN, NDPA 2023, NFIU AML |
280303
| `KE` | Kenya DPA 2019 |
281304
| `ZA` | POPIA |
305+
| `UG` | Uganda DPPA 2019 |
306+
| `TZ` | Tanzania PDPA 2022 |
307+
| `ET` | Ethiopia PDP (Proclamation 958/2016 + draft PDPP) |
282308
| `NG` + `transaction_countries: [NG, ZA]` | All 5 — NDPA and POPIA both enforced |
283309
| Unknown country | Advisory warning returned; action audited |
284310

@@ -373,7 +399,12 @@ Every decision is written to a timestamped audit log satisfying NDPA s.30 accoun
373399
- [x] Kenya Data Protection Act 2019 policy pack (YAML + Rego)
374400
- [x] NFIU AML/CFT Rego policy — exact CTR threshold enforcement (`nfiu-aml.rego`)
375401
- [x] POPIA Rego policy — SA ID validation, adequacy list, biometric blocks (`popia-south-africa.rego`)
402+
- [x] Uganda Data Protection and Privacy Act 2019 — NIRA ID, biometric blocking, PDPO breach notification (`uganda-dppa.yaml` + `.rego`)
403+
- [x] Tanzania Personal Data Protection Act 2022 — NIDA ID, PDPC breach notification, consent enforcement (`tanzania-pdpa.yaml` + `.rego`)
404+
- [x] Ethiopia PDP — Fayda ID, unauthorised access detection, ECA breach notification (`ethiopia-pdp.yaml` + `.rego`)
376405
- [x] Semantic versioning — `CHANGELOG.md` + `REGULATORY-CHANGES.md`
406+
- [ ] Ghana Data Protection Act 2012 policy pack
407+
- [ ] Rwanda Data Protection Law policy pack
377408
- [ ] ECOWAS cross-border transfer rules
378409
- [ ] SIM swap fraud detection patterns
379410
- [ ] NAICOM insurtech AI governance rules
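
Review bot: The Ethiopia item on new line 404 is ticked complete with no draft marker, although the CHANGELOG and REGULATORY-CHANGES.md in this commit both tag that pack as draft pending PDPP enactment. Suggest marking the item "(draft)" or adding an unchecked item for the update on enactment, so the roadmap does not read as finished coverage. The three new items also abbreviate the Rego file as `.rego`, where the existing items give the full name (`nfiu-aml.rego`, `popia-south-africa.rego`).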

REGULATORY-CHANGES.md

Lines changed: 6 additions & 0 deletions
@@ -12,6 +12,9 @@ When a regulation updates, open a PR that:
1212

1313
| Date | Regulation | Change | Affected files | Status |
1414
|------|-----------|--------|---------------|--------|
15+
| 2026-06-18 | Uganda DPPA 2019 | Initial implementation: s.4 lawful basis, s.13 cross-border, s.19 sensitive data, s.22 security, s.25 breach notification. NIRA ID blocking, biometric deny, PDPO breach suppression, financial data escalation. | `policies/rego/uganda-dppa.rego`, `policies/uganda-dppa.yaml` | ✅ Current |
16+
| 2026-06-18 | Tanzania PDPA 2022 | Initial implementation: s.8 lawful basis, s.13 sensitive data, s.17 security, s.25 cross-border, s.28 breach notification. NIDA 20-digit ID blocking, biometric deny, PDPC breach suppression, consent enforcement. | `policies/rego/tanzania-pdpa.rego`, `policies/tanzania-pdpa.yaml` | ✅ Current |
17+
| 2026-06-18 | Ethiopia Proclamation 958/2016 + draft PDPP | Initial implementation: Computer Crime Proclamation 958/2016 (unauthorised access), Electronic Transactions Proclamation 1205/2020, draft PDPP. Fayda/MOSIP ID blocking, unauthorised access detection, ECA breach suppression, cross-border controls. Pack tagged draft — update on enactment. | `policies/rego/ethiopia-pdp.rego`, `policies/ethiopia-pdp.yaml` | ⚠️ Draft — monitor for PDPP enactment |
1518
| 2026-06-15 | NFIU AML/CFT (MLPPA 2022) | Initial Rego implementation: CTR ₦5M, NIP cap ₦10M, structuring zone, PEP, KYC bypass | `policies/rego/nfiu-aml.rego`, `policies/nfiu-aml-str.yaml` | ✅ Current |
1619
| 2026-06-15 | POPIA (Act 4 of 2013) | Initial Rego implementation: s.72 adequacy list, SA ID, biometric, children's data | `policies/rego/popia-south-africa.rego`, `policies/popia-south-africa.yaml` | ✅ Current |
1720
| 2026-06-14 | CBN NIP Framework | Initial implementation: ₦10M single-transaction cap, tiered KYC thresholds, SOD | `policies/rego/cbn-transaction-limits.rego`, `policies/cbn-transaction-limits.yaml` | ✅ Current |
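
Review bot: The section references in the Uganda and Tanzania rows do not line up with the CHANGELOG entry in this same commit. Here Uganda s.13 is cross-border, s.19 sensitive data and s.22 security, and Tanzania s.25 is cross-border, while the CHANGELOG attaches "(s.13, s.19, s.22)" and "(s.8, s.13, s.17, s.25)" to cross-border transfer controls alone and never cites Uganda s.25 or Tanzania s.28. Pick one mapping and use it in both files. The Ethiopia row also cites Electronic Transactions Proclamation 1205/2020, which does not appear in the CHANGELOG or README description of that pack.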
@@ -32,6 +35,9 @@ When a regulation updates, open a PR that:
3235
| FATF | NFIU / CBN | Nigeria mutual evaluation follow-ups | Biennial |
3336
| Kenya DPA 2019 | ODPC | ODPC data protection regulations and guidelines | Ongoing |
3437
| POPIA | Information Regulator SA | Information Regulator guidance notes | Ongoing |
38+
| Uganda DPPA 2019 | PDPO / NITA-U | Commencement regulations, PDPO enforcement guidelines, adequacy list updates | Ongoing |
39+
| Tanzania PDPA 2022 | PDPC | PDPC subsidiary regulations, enforcement guidance, adequacy determinations | Ongoing |
40+
| Ethiopia PDPP (draft) | ECA / MInT | Enactment and gazetting of dedicated Personal Data Protection Proclamation | Critical — review quarterly |
3541

3642
---
3743

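Review bot: The new Ethiopia watch row tracks only enactment of the draft PDPP, but the change-log row added earlier in this file says the pack also implements Proclamation 958/2016 and Proclamation 1205/2020, so amendments to those instruments would go unwatched. Add rows for them or widen this one. The quarterly cadence on this row would also be easier to audit with a next-review date, since the other rows only say "Ongoing" or "Biennial".
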