East Africa policy expansion — Uganda, Tanzania, and Ethiopia regulatory packs.
13
+
14
+
### Added
15
+
16
+
-**Uganda DPPA 2019** (`uganda-dppa.yaml` + `rego/uganda-dppa.rego`) — Uganda Data Protection and Privacy Act 2019. Covers: NIRA national ID (CM + 12-char) blocking, biometric deny, PDPO breach-suppression detection, financial data escalation, special category (health, ethnic origin, religion) escalation, cross-border transfer controls (s.13, s.19, s.22). Permitted regions: `af-south-1`, `af-east-1`, `uganda`, `UG`. 28 tests.
17
+
-**Tanzania PDPA 2022** (`tanzania-pdpa.yaml` + `rego/tanzania-pdpa.rego`) — Tanzania Personal Data Protection Act 2022. Covers: NIDA national ID (20-digit format) blocking, biometric deny, PDPC breach-suppression detection, consent-enforcement deny, special category escalation, cross-border transfer controls (s.8, s.13, s.17, s.25). Permitted regions: `af-south-1`, `af-east-1`, `tanzania`, `TZ`. 28 tests.
18
+
-**Ethiopia PDP** (`ethiopia-pdp.yaml` + `rego/ethiopia-pdp.rego`) — Ethiopia Computer Crime Proclamation No. 958/2016 + draft Personal Data Protection Proclamation. Covers: Fayda/MOSIP ID blocking, biometric deny, unauthorised-access detection (Proclamation 958/2016), ECA breach-suppression detection, special category escalation, cross-border transfer controls. Permitted regions: `af-south-1`, `af-east-1`, `ethiopia`, `ET`. Pack tagged `draft` — update when dedicated PDPP is enacted. 28 tests.
19
+
-**Jurisdiction router updated** — `UG`, `TZ`, `ET` added to `jurisdiction_policies`. NG routes 9 packs; KE, ZA, UG, TZ, ET each route 6 (5 universal + 1 regulatory).
20
+
-**README updated** — Coverage table, OPA Rego table, Jurisdiction Router table, Quick Start examples, and Roadmap all updated for the three new packs.
21
+
22
+
### Changed
23
+
24
+
- Total OPA tests: 306 → 384 (78 new tests across the three packs)
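Review bot: The test total in the "Changed" entry does not agree with the per-pack counts under "Added": three packs at 28 tests each is 84, but the entry reads `306 → 384 (78 new tests across the three packs)`. Reconcile the per-pack figures or the totals against the actual test run. Separately, each "Permitted regions" list mixes cloud-style region codes (`af-south-1`), country names (`uganda`) and ISO codes (`UG`); a sentence stating which input field these values are compared against would make the cross-border rule auditable.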
**Nigerian & African AI Agent Governance Policies for Microsoft's [Agent Governance Toolkit (AGT)](https://github.com/microsoft/agent-governance-toolkit)**
5
+
**Pan-African AI Agent Governance Policies for Microsoft's [Agent Governance Toolkit (AGT)](https://github.com/microsoft/agent-governance-toolkit)**
6
6
7
7
A community policy pack that extends AGT with two governance layers:
8
8
-**Universal agent safety controls** — prompt injection, PII leakage, tool permissions, human approval, model routing (apply to any AI agent regardless of jurisdiction)
9
-
-**African regulatory compliance** — NDPA 2023, CBN regulations, NFIU/AML rules, BVN/NIN data protection, Kenya DPA, POPIA (jurisdiction-routed)
9
+
-**African regulatory compliance** — NDPA 2023, CBN, NFIU/AML, BVN/NIN, Kenya DPA, POPIA, Uganda DPPA, Tanzania PDPA, Ethiopia PDP (jurisdiction-routed)
10
10
11
11
Two policy formats:
12
12
-**YAML** (`policies/*.yaml`) — drop-in rules files, validated by the AGT linter, no new infrastructure
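Review bot: The rewritten "African regulatory compliance" bullet lists "Ethiopia PDP" alongside enacted statutes with no qualifier, while the changelog in this same commit tags that pack `draft` because it rests on a draft proclamation. Suggest marking it here too, for example "Ethiopia PDP (draft)", so readers do not read it as coverage of an enacted law. The retitle to "Pan-African" is also broader than the jurisdictions this bullet names.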
@@ -49,6 +49,9 @@ Jurisdiction-routed: policies activate based on `customer_country` in context.
|`popia-south-africa.yaml`| POPIA (South Africa) | Cross-border transfer controls, special personal information, SA ID masking |
51
51
|`kenya-dpa.yaml`| Kenya Data Protection Act 2019 | Cross-border transfer restrictions, sensitive data, breach notification (72h to ODPC) |
52
+
|`uganda-dppa.yaml`| Uganda Data Protection and Privacy Act 2019 | Cross-border transfers, biometric blocking, NIRA national ID protection, financial data, PDPO breach notification |
53
+
|`tanzania-pdpa.yaml`| Tanzania Personal Data Protection Act 2022 | NIDA national ID (20-digit), special category data, PDPC breach notification, consent enforcement |
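Review bot: The new `tanzania-pdpa.yaml` row leaves out biometric blocking and cross-border transfer controls, both of which the changelog entry for this pack lists and the `uganda-dppa.yaml` row above it includes. Both new rows also say "breach notification" where the changelog describes "breach-suppression detection"; pick one term, and if the rule detects suppression rather than enforcing notification, the table should say so.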
|`popia-south-africa.rego`|`agt_policies_africa.popia`|`destination_country` adequacy list (POPIA s.72), SA ID 13-digit format validation |
71
+
|`uganda-dppa.rego`|`agt_policies_africa.uganda_dppa`| NIRA national ID blocking, biometric deny, PDPO breach suppression detection, financial data escalation |
All example input files are in [`examples/inputs/`](examples/inputs/). See [`docs/compliance-mapping.md`](docs/compliance-mapping.md) for the full mapping of regulatory obligations → Rego rules → expected decisions.
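Review bot: The `uganda-dppa.rego` row does not name the input field or statutory section its rules key on, unlike the `popia-south-africa.rego` row above it, which cites `destination_country` and POPIA s.72. It also omits the special category escalation and cross-border transfer controls (s.13, s.19, s.22) that the changelog lists for this pack. Suggest aligning the row with the changelog and naming the input fields evaluated.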