When QR Codes Fail: What Uganda’s NIRA Incident Reveals About the Need for Proper Digital Public Infrastructure Governance

Uganda’s recent public communication regarding challenges with QR codes on the new national identity cards has understandably raised questions among citizens, service providers, and policymakers. While the issue has been widely discussed as a technical malfunction, it offers a much more important national lesson: digital transformation succeeds or fails first at the level of governance, not technology.I write this from the perspective of a technocrat who recently completed an advanced, programme on Digital Transformation of Government Services and Modern Digital Public Infrastructure (DPI), delivered by the International Telecommunication Union (ITU) and the African Advanced Telecommunications Institute (AATI). As part of this programme, I developed a National Digital Public Infrastructure Action Plan for Uganda, benchmarked against the experiences of Rwanda and Kenya, and grounded deliberately in Uganda’s political, legal, and institutional realities.

The feedback on this work was unequivocal: "This is an exceptional, master-level submission. It is arguably one of the most sophisticated plans seen in this course. You have moved far beyond the "theory" of DPI and produced a document that captures the political economy of Uganda with surgical precision. The standout feature is your "Federated, Not Centralized" argument. By acknowledging Uganda’s "constitutionally autonomous agencies" and "institutional distrust," you have solved the biggest hurdle to DPI….Your comparison of the Kenya vs. Rwanda models and the justification for a "Hybrid" Ugandan model is high-level strategic thinking”. The reason for this matters here.

1. The QR Code Problem Is Not About QR Codes

QR codes are a mature and widely trusted technology, used successfully in national digital ID systems in countries such as India, Estonia, Kenya, and Rwanda. When they fail, the problem is rarely the QR code itself, but the absence of a reliable verification ecosystem—clear verification endpoints, real-time authentication, and coordinated institutional roles.

In Uganda’s case, the QR code appears to function more as a static feature than as part of an integrated verification system. This leaves banks, hospitals, telecoms, and government agencies relying on ad hoc or offline checks, ultimately weakening trust in the national ID as a whole.

2. What Proper DPI Governance Would Have Changed

A well-designed DPI framework would have reframed the QR code not as a “data container,” but as a secure pointer to verification services.

2.1 Federated Governance, Not Centralized Control

A core insight of the Uganda DPI Action Plan is that Uganda’s state architecture is constitutionally federated. Institutions such as NIRA, the Bank of Uganda, URA, and sector ministries operate with legally defined autonomy that cannot be overridden by technical solutions alone.

A well-designed DPI governance model works with this reality by keeping NIRA as the System of Record for identity, avoiding forced data centralization, and assigning a neutral DPI authority the role of standards-setter and referee rather than data owner. Under this approach, QR code verification would simply confirm validity on request, without requiring the transfer of citizens’ data.

3. “Verify, Don’t Replicate”: The Missing Principle

In the DPI Action Plan, identity verification is built around a “Data Handshake” model. Scanning a QR code triggers a secure verification request rather than extracting personal data. NIRA simply confirms whether an ID is valid, active, and consistent with the claimed attributes, returning only a minimal yes/no response.

No biometric files are shared, no full biodata is transferred, and identity records are never duplicated. With this approach, verification failures would be visible and manageable, online and offline options would coexist, and public confidence in the national ID system would be preserved.

4. Why the Current Approach Creates Public Risk

When identity tools fail without explanation, three dangerous outcomes follow:

1. Loss of trust in national ID. Citizens begin to doubt the usefulness of the card itself.

2. Fragmentation of verification. Banks, telcos, and agencies invent parallel checks, increasing fraud.

3. Political backlash. A technical issue quickly becomes a legitimacy issue for the state.

DPI governance exists precisely to prevent technical glitches from becoming state credibility crises.

5. Lessons from Kenya and Rwanda (and Uganda’s Hybrid Advantage)

Rwanda succeeded by centralizing its digital systems in a high-trust institutional environment, while Kenya moved toward federation after legal and political pushback. Uganda’s context, as outlined in the DPI Action Plan, calls for a hybrid approach—central standards and interoperability, decentralized data ownership, and strong legal safeguards.

The recent QR code challenge underscores a simple lesson: Uganda cannot resolve foundational digital identity issues by adding features to ID cards without first strengthening the underlying governance and interoperability rails.

6. How DPI Would Have Made the QR Code Boring (and That’s the Goal)

In a mature DPI system, QR codes are deliberately unremarkable. Their reliability is taken for granted, failures are handled quietly within the system, and citizens rarely have reason to question whether verification will work. Checks are fast, auditable, and trusted by all parties. This kind of quiet dependability is not achieved through better printing or frequent vendor changes, but through governance-first digital architecture that treats identity verification as national infrastructure rather than a standalone feature.

Uganda does not have to begin from scratch. A comprehensive Uganda National Digital Public Infrastructure (DPI) Action Plan has/is already been/being developed, offering a practical starting point. The framework clearly outlines agency Systems of Record, proposes governance arrangements that respect existing mandates, aligns with internationally recognized standards such as ITU-T, ISO, and W3C, and is carefully grounded in Uganda’s unique political and institutional context.

The document is intended as a living reference framework one that can inform responses to current digital identity challenges while also guiding longer-term improvements. It remains open for constructive engagement and refinement, and interested stakeholders are welcome to access it as it continues to be strengthened for broader publication and national use.

Digital transformation is a collective national learning process, and no country modernises without encountering friction along the way. Rather than assigning blame, moments like this should be used to strengthen coordination, refine digital architecture, and draw more deliberately on the technical expertise available within and beyond government. Uganda has no shortage of capable technocrats, and engaging them proactively is a sign of institutional maturity, not weakness.

Looking Forward

Uganda’s digital identity and digital government more broadly will not be secured by better cards alone, but by governance that treats digital systems as national infrastructure, built to outlast vendors, individuals, and political cycles. Done right, QR codes will simply work: quietly, reliably, and unremarkably the highest compliment in public infrastructure.

The NIRA QR code issue is not a failure; it is a signal that project-based digitalization has reached its limits. Uganda must now embrace platform-based governance through DPI. With proper oversight, digital identity can become a trusted foundation for payments, services, disaster response, and economic inclusion.

The technology exists. The standards exist. The thinking exists. What remains is the decision to govern it well.