Nepal needs robust data protection legislation

- Harsha Man Maharjan | 2023-03-27

Data protection is a legal mechanism that regulates the collection and processing of personal data, requiring that both be carried out transparently and with the user’s consent. The General Data Protection Regulation passed by the European Union in 2016 establishes certain principles and rights for data subjects that must be respected by data processors. These include the right to access, correct, and delete collected data, and to receive compensation for any violation of their rights. Data protection is not just a matter of data security, but also of protecting the rights and interests of individuals and the state.

Legal lacuna

An ongoing investigation into the state of data protection shows the lack of adequate data protection laws in Nepal. It is crucial to understand how Nepali law regulates the collection, security and the use of personal information.

Fortunately, there is a policy system in Nepal that governs data collection. The Privacy Act, 2018 not only specifies how to collect personal information, but also classifies it. For example, this law defines caste, religion, education, telephone number, passport/citizen number, voter ID card details, biometric information, and criminal offense details as personal information. Article 10 of this law allows for collection of information by authorized personnel, with the consent of the person concerned. While collecting information this way, it is necessary to inform the person about the time, content, nature, purpose, method, process, confidentiality, and safety of the information.

There are also policy laws concerning data security. For instance, the Privacy Act, 2018 states that the agency collecting information must protect it. Section 25 of the law mandates that the public body shall make appropriate security arrangements against the risk of unauthorized access to personal information or the unauthorized use, manipulation, disclosure, publication or transmission of such information.

Different regulatory bodies have also paid attention to data security. After the online network was launched in banks around 2010, Nepal Rastra Bank introduced Information Technology Guidelines (in 2012). These guidelines and procedures require banks to establish strategies and policies related to information technology, provide information security education to employees, and conduct information technology audits or information system audits. During the IT audit, the security of the hardware and system is evaluated, and improvement measures are suggested where security is weak. In response to a series of hacking incidents, the Nepal Telecommunication Authority has required internet service providers to submit IT audit reports since 2020. Similarly, in 2020, Nepal Insurance Authority made it mandatory for its respective organizations to undergo such audits as well.

However, the policies and laws related to the use of data held by public bodies have not received enough attention. For example, Section 26 of the Privacy Act, 2018 states that information collected for open purpose, with consent for investigation and prosecution during criminal cases, or to solve certain questions can be used if the information officer makes a written request. The right to correct personal information in public institutions is mentioned in Section 28 of the Act. If the information is incorrect or not based on facts, it can be corrected, but if a benefit or advantage has been obtained based on the same information, an application for correction cannot be made. This law does not provide the data subject with the right to correct wrong information, which is provided for in data protection laws in other countries.

This law is silent on many aspects of the use of information held by public institutions. It does not address how long the information first collected should be kept, what punishment will be meted out if such information is used for other purposes, or what should be done with public organizations if the collected personal information is not kept secure and becomes public.

Way ahead

The digital landscape of Nepal is rapidly evolving, with people increasingly relying on digital media technologies to access services ranging from education to healthcare. However, as this transformation takes place, both state and private companies are collecting vast amounts of personal data and processing it for various purposes. But it’s often difficult for people to know what data is being collected and how it’s being used. To address this issue, the state must play a leading role in establishing governance mechanisms to protect personal data in Nepal.

Given the lack of clear policies, it is crucial to formulate a comprehensive data protection law in Nepal. There is growing concern that organizations processing data may also be collecting non-essential information. Furthermore, when personal data is used for purposes other than those for which it was given, such as for advertising, there is a question of whether such data is being bought and sold. If personal data in different sectors is exposed, it could violate individuals’ privacy and create difficulties in their lives. For instance, if sensitive patient data in the healthcare sector were made public, the consequences would be even more severe.

There are two ways to legislate data protection in Nepal. One approach is to amend the existing Personal Privacy Act by adding necessary provisions. The preamble of this Act mentions the “protection and safe use of information” as its purpose, indicating that data protection issues were already intended to be covered. However, when the law was passed, the inclusion of data protection issues was not addressed. Therefore, new provisions could be added to the Act, including responsibilities for data users and rights for data providers. Additionally, a separate body could be established to determine what data can be collected and used.

Alternatively, a separate data protection law can be formulated and implemented to ensure clear responsibilities and rights. This law could cover data protection issues across various sectors and establish guidelines for data collection, use, and storage. With such a law, individuals’ privacy rights would be better protected, and organizations would be held accountable for misuse of personal data.

The author is a senior researcher at Martin Chautari

Published: 27 March 2023
