• Govt data declared a strategic national asset held in trust for citizens
• Public bodies defined as custodians, not owners of government data
• Citizens to have the right to know who accessed their personal data, when, and why
The Ministry of Information Technology and Telecommunication has released the draft Data Governance Policy 2026 for public consultation, declaring government data a strategic national asset to be held in trust for the people and governed to ensure sovereignty, public value, citizen empowerment and lawful use.
The draft policy, placed on the ministry’s website for public comments until July 10, states that while it serves as the primary national framework for data governance, it does not cover personal data held outside the public sector, primary legislation, judicial proceedings, or matters falling within specific national security, defence, parliamentary or judicial domains.
Responding to a query about the policy, Minister for IT and Telecommunication Shaza Fatima said data protection and usage regulations had become essential with the rapid growth of digitisation.
She said the draft policy would remain open for public feedback until July 10 and would be notified after incorporating relevant suggestions.
The policy declares that government data is not the property of the agency that holds it, adding that public bodies are custodians rather than proprietors of such data.
It grants citizens the right to know who within the government has accessed their personal data, when it was accessed and for what purpose.
“This right shall not be denied except on narrow grounds expressly provided by law, with reasons recorded,” the draft policy states.
Under the proposed framework, public bodies processing personal data will be required to adopt Privacy-Enhancing Technologies appropriate to their purpose, in accordance with the Data Security Standards Instrument and the Privacy by Design and Impact Assessment Instrument.
Citizens will also have the right to obtain personal data held about them in a structured, commonly used and machine-readable format, and to have such data transmitted directly between public bodies where technically feasible and legally permissible.
According to the draft, the Pakistan Digital Authority (PDA) will serve as the national authority responsible for the issuance, oversight and implementation of the policy and its supporting instruments under the Digital Nation Pakistan Act, 2025.
The policy further states that government data will remain under the lawful authority and effective control of Pakistan, while cross-border transfers will be permitted only under specific governance mechanisms, justified circumstances and adequate safeguards.
The proposed framework will apply to all federal ministries, divisions, departments, attached departments, subordinate offices, statutory corporations, regulators, authorities, commissions, autonomous bodies and public-sector companies under federal jurisdiction. It will also cover entities receiving public funds to manage government data, as well as contractors, processors, concessionaires, grantees and partners performing public functions or processing government data on behalf of the federal government.
The draft encourages provincial governments to adopt the policy or develop equivalent frameworks.
It proposes that public-sector data should be open by default and made available through the National Open Data Portal in machine-readable formats with appropriate metadata, except where classification or statutory restrictions apply.
The policy also requires all processing of personal data by public bodies to be lawful, fair and transparent, while respecting the constitutional right to privacy guaranteed under Article 14 of the Constitution.
Personal data may be processed only on lawful grounds recognised under applicable laws, including consent, contractual obligations, legal requirements, vital interests or the performance of public functions.
The draft states that once a comprehensive Personal Data Protection law is enacted, the policy will be updated to align with the new statutory framework.
Sensitive personal data will be subject to enhanced safeguards, including stricter access controls, mandatory encryption, shorter retention periods, explicit lawful basis and enhanced audit requirements.
Similarly, children’s data will receive additional protection through age-appropriate notices, restrictions on profiling and behavioural advertising, and parental or guardian involvement where required.
Public bodies will also be required to notify the Pakistan Digital Authority without undue delay in the event of a personal data breach. Where a breach poses a high risk to the rights and freedoms of individuals, affected citizens must also be informed.
The policy permits cross-border transfer of government data only through approved pathways based on data classification, sensitivity, intended use and the legal jurisdiction of the recipient.
Reference Link:- https://www.dawn.com/news/2011804