GOVERNANCE: PROTECTING PAKISTAN’S PERSONAL DATA

Published Updated

Pakistan’s approach to protecting citizens’ personal data has long been reactive. Despite the Prevention of Electronic Crimes Act (2016) criminalising data theft, successive governments have done little to secure their own departments — the country’s largest repositories of personal information.

The federal government’s draft Data Governance Policy 2026, released for consultation in June, is the first serious attempt to close that gap.

Prepared by the Pakistan Digital Authority (PDA), set up in 2024 to oversee Pakistan’s digital public infrastructure initiative, the policy seeks to regulate how federal government bodies collect, process, retain and share data. More importantly, the draft moves beyond simply digitising government services to balancing efficiency with privacy and transparency.

While important questions remain about surveillance, artificial intelligence and implementation, the policy introduces several principles that could significantly improve both public service delivery and data protection.

Pakistan’s new draft Data Governance Policy tackles decades of bureaucratic data hoarding and insider leaks — but broader AI oversight and surveillance concerns remain

A STEP TOWARDS ACCOUNTABILITY

Perhaps its most important declaration appears at the start of the proposal: government data is not the property of the agency that holds it. Public institutions are custodians, not owners, of citizens’ information. This reflects a fundamental principle underpinning modern privacy frameworks around the world — that personal data ultimately belongs to the individual, not the organisation collecting it.

That principle has practical implications.

Anyone who has dealt with Pakistan’s bureaucracy knows the frustration of repeatedly submitting the same documents to different government offices.

Whether applying for a pension, transferring property, updating identity records or accessing welfare programmes, citizens are routinely asked to provide information the state already possesses. Women often face an additional burden, with some departments unnecessarily demanding copies of a husband’s or another male relative’s documents.

‘THE ONCE-ONLY PRINCIPLE’

The draft addresses this through the “once-only principle”, under which citizens should not be asked to provide the same information to the state more than once, unless required by law or for verification.

Instead of repeatedly submitting photocopies of computerised national identity cards (CNICs) and supporting documents, government departments would be able to securely verify the required information through authorised digital channels, with access limited to what is necessary for the specific service and subject to appropriate safeguards.

This is more than a convenience measure. It represents a shift towards data minimisation, another internationally recognised privacy principle that requires organisations to collect and retain only the information necessary for their work.

Rather than concentrating vast amounts of citizen data in a single location, the policy mandates government bodies to hold only the data they require, while retrieving additional information through controlled, auditable data-sharing mechanisms.

This reduces duplication and lowers the risks associated with mass centralisation. Large, centralised databases are attractive targets for hackers, insider theft and ransomware attacks; limiting what each institution stores reduces the potential damage when breaches occur.

Pakistan’s recent experience demonstrates why this matters.

Law enforcement agencies have repeatedly arrested individuals, including employees at the National Database & Registration Authority (Nadra) and commercial banks, for allegedly selling citizens’ personal information to criminal networks.

That information has been used in scams, in which fraudsters impersonate banks, telecom companies and government agencies, to trick victims into revealing financial details or transferring money.

The draft policy introduces an important measure of accountability by giving citizens the ability to know what information government institutions hold about them and which officials have accessed their records. Maintaining such audit trails not only discourages misuse by insiders but also provides a mechanism for investigating unauthorised access when it occurs.

Together, these provisions make this one of Pakistan’s strongest technology policy drafts — moving beyond broad ambition to practical mechanism.

AI AND SURVEILLANCE

Yet the policy should not be mistaken for a complete privacy framework. To ensure proper implementation, the government also needs to address other critical concerns, including artificial intelligence (AI), surveillance technologies and broader data protection.

The draft requires government bodies to disclose their AI policies through a publicly maintained directory and explain how AI systems are used in operational or decision-making processes that affect the public. Transparency is an important first step, but it is not enough.

Governments elsewhere have already seen AI systems produce fabricated official material, biased decisions and wrongful arrests via facial recognition — evidence that transparency alone doesn’t fulfil oversight requirements.

The draft recognises this need for oversight by requiring government AI systems to be audited, but meaningful oversight requires clear standards against which those systems can be evaluated.

Pakistan’s National AI Policy 2025 promotes AI adoption but offers limited guidance on safeguards for citizen-affecting decisions. Before AI is embedded across public institutions, the government should set clearer rules on transparency, human oversight, accountability and redress.

The same need for greater clarity applies to surveillance technologies.

The policy refers to Internet of Things (IoT) devices, a category that could include the expanding networks of CCTV and Safe City cameras deployed across major cities in Pakistan. Yet it says little about how data collected through these systems should be governed or what safeguards should apply when it is accessed or analysed.

This omission is significant. Many cities are reportedly introducing or expanding AI-powered capabilities, such as facial recognition and automated number plate recognition. Such technologies can serve legitimate public safety purposes, but they also create unprecedented opportunities for mass surveillance and privacy violations if left unchecked.

The policy should, therefore, establish clear rules governing the collection, retention, sharing and deletion of surveillance data, while requiring public disclosure of the circumstances under which these technologies may be used.

Law enforcement agencies should also be transparent about the safeguards governing their use of AI-assisted evidence. Surveillance-based evidence — facial matches, footage — should be treated as circumstantial, not conclusive.

THE REAL TEST

Implementation will be equally important.

Pakistan’s experience shows that many data breaches are results of insider abuse. Investigations have repeatedly uncovered cases in which officials allegedly sold citizens’ personal information to criminal networks. This writer has seen Facebook groups openly selling Nadra records, with sellers sharing screenshots of government screens as proof of access.

Protecting sensitive information, therefore, requires more than secure servers. Government agencies handling large volumes of personal data should implement stronger insider-threat protections, including comprehensive logging audits, stricter access controls and systems that detect or prevent unauthorised copying of sensitive information.

Technology alone cannot eliminate insider abuse, but better monitoring can make it significantly harder to misuse government databases without detection.

The institutional architecture proposed by the policy draft also deserves strengthening.

The National Data Governance Council, as proposed in the draft, would benefit from a human rights expert in an advisory role, so efficiency gains extend to equity for marginalised and undocumented communities.

The proposed Pakistan Data Authority Council should also play a more proactive role in responding to leaks — working with the Pakistan Telecommunication Authority, the National Cyber Crime Investigation Agency and other agencies to get citizens’ leaked data removed from platforms, rather than only requiring breach reports. Dedicated expertise in engaging technology companies would improve takedown requests and reduce delays that have hampered past cybercrime investigations.

Finally, the policy should be seen for what it is: a framework governing how the state handles data. It does not — and is not intended to — regulate the private sector’s collection and processing of personal information.

THE PRIVATE-SECTOR GAP

Pakistan still needs a comprehensive data protection law covering businesses, financial institutions and telecom operators that process personal data.

Such legislation should protect individuals’ privacy while providing regulatory certainty for businesses, following the balanced approaches adopted in many other jurisdictions.

Rather than relying on confrontational or impractical legislation aimed at global technology companies, the government should build structured channels of engagement with digital platforms and civil society organisations that already possess expertise in areas such as online harassment, child protection, trafficking and other technology-facilitated harms.

The draft Data Governance Policy is an important milestone — its emphasis on data minimisation, transparency and citizen control reflects principles long missing from Pakistan’s public sector.

However, without stronger AI safeguards, clearer surveillance limits and a data protection law covering the private sector, real gaps remain.

The writer is a freelance journalist and researcher. A former computer engineer, she reports on cybercrime, tech policy and internet infrastructure

Published in Dawn, EOS, July 19th, 2026