THE draft ‘Data Governance Policy’, released by the IT ministry recently, is a welcome step towards modernising the state’s data management. However, the success of the policy will depend less on the principles it has ambitiously outlined and more on the legal, institutional and administrative reforms that must accompany it. As seen in the debate surrounding tax authorities’ bid to directly access and cross-match citizens’ banking information, data is becoming an increasingly important tool for the government as it attempts to improve service delivery, formulate better policies and regulate the digital economy. However, data-led decision-making is not possible without a coherent framework governing who can access public-sector data and under what conditions.
Concerns over data privacy are bound to arise, as was seen in the banking data case. Encouragingly, this draft policy appears to address such concerns. It gets much right: it establishes that the government is a custodian rather than the owner of public data, seeks privacy safeguards built into data collection, transmission and sharing mechanisms, wants open access to data and responsible data sharing, etc. It also promises citizens meaningful rights over personal data. However, these principles must be enforced through legal force. In the absence of a personal data protection law, which the policy acknowledges has yet to be legislated, the questions of what happens if the promised rights are denied, who the people can appeal to, which courts will enforce the policy, and which regulator will investigate data-related complaints, among many others, remain unanswered. There is also the matter of institutional capacity. Are our institutions adequately equipped and technically capable of implementing and adhering to this policy? Are they sufficiently independent? Whose oversight will they operate under? These are all important points that the government must address. In recent years, Pakistan has announced many ambitious digital initiatives without frameworks to support them. This policy should not be another entry on that list.
Published in Dawn, July 2nd, 2026





























