Govt seeks feedback on draft Data Governance Policy 2026

The Ministry of Information Technology and Telecommunication has released the draft Data Governance Policy 2026 for public consultation, proposing a national framework for the use, protection and sharing of government data.

The draft policy has been placed on the ministry’s website for public comments until July 10.

Minister for IT and Telecommunication Shaza Fatima said data protection and usage regulations had become necessary due to rapid digitisation. She said the policy would be notified after relevant public feedback is reviewed and incorporated.

The draft declares government data a strategic national asset held in trust for citizens. It says public bodies are custodians of government data and not its owners.

The proposed policy gives citizens the right to know who within the government accessed their personal data, when it was accessed and for what purpose. This right may only be restricted on legal grounds with recorded reasons.

It also gives citizens the right to obtain their personal data held by public bodies in a structured, commonly used and machine-readable format. Where technically feasible and legally allowed, citizens may also have their data transferred directly between public bodies.

Under the policy, public bodies processing personal data will be required to adopt Privacy-Enhancing Technologies in line with the Data Security Standards Instrument and the Privacy by Design and Impact Assessment Instrument.

The Pakistan Digital Authority (PDA) will serve as the national authority responsible for issuing, overseeing and implementing the policy and its supporting instruments under the Digital Nation Pakistan Act, 2025.

The framework will apply to federal ministries, divisions, departments, attached departments, subordinate offices, statutory corporations, regulators, authorities, commissions, autonomous bodies and public-sector companies under federal jurisdiction.

It will also apply to entities receiving public funds to manage government data, as well as contractors, processors, concessionaires, grantees and partners performing public functions or processing government data on behalf of the federal government.

The draft encourages provincial governments to adopt the policy or develop equivalent data governance frameworks.

The policy says public-sector data should be open by default and made available through the National Open Data Portal in machine-readable formats with appropriate metadata, except where classification or legal restrictions apply.

It states that all processing of personal data by public bodies must be lawful, fair and transparent, while respecting the constitutional right to privacy under Article 14 of the Constitution.

Personal data may be processed only on lawful grounds recognised under applicable laws, including consent, contractual obligations, legal requirements, vital interests or performance of public functions.

Sensitive personal data will be subject to stricter safeguards, including tighter access controls, mandatory encryption, shorter retention periods, explicit lawful basis and enhanced audit requirements.

Children’s data will receive additional protection through age-appropriate notices, restrictions on profiling and behavioural advertising, and parental or guardian involvement where required.

Public bodies will be required to notify the Pakistan Digital Authority without undue delay in case of a personal data breach. If a breach poses a high risk to individuals’ rights and freedoms, affected citizens must also be informed.

The policy permits cross-border transfer of government data only through approved pathways based on data classification, sensitivity, intended use and the legal jurisdiction of the recipient.

It says government data will remain under Pakistan’s lawful authority and effective control, while cross-border transfers will be allowed only under specific governance mechanisms, justified circumstances and adequate safeguards.

The draft policy does not apply to personal data held outside the public sector, primary legislation, judicial proceedings, or matters falling within specific national security, defence, parliamentary or judicial domains.

The policy will be updated once a comprehensive Personal Data Protection law is enacted.