WHAT do we want? Data protection laws. When do we want them? Immediately. Without delay, if we are to prevent another disaster. A JIT formed last year to probe a Nadra data breach, affecting approximately 2.7m citizens between 2019 and 2023, has shared its findings with the interior ministry. The findings reveal that data was compromised in Nadra’s Karachi, Multan, and Peshawar offices. The incident — not the first of its kind — has exposed the vulnerability of our personal data and the crucial need for stringent laws that mandate safeguarding against such breaches. The JIT’s recommendations, including technological upgrades and disciplinary actions against responsible officials, are necessary steps towards addressing the immediate aftermath of this breach. However, piecemeal responses alone are inadequate to prevent future incidents. The root of the problem lies not only in technological shortcomings but also in the absence of comprehensive legislation to hold accountable those entrusted with safeguarding citizens’ data.

While upgrading the technology employed by Nadra, the government must consider the use of stronger encryption and limiting unnecessary access to data. Moreover, restricting database access solely to the office premises can mitigate risks associated with remote breaches. However, these technical solutions must be complemented by legislation that treats the citizens’ private data as sacred and entails severe consequences for negligence. That Pakistanis’ data had surfaced in countries like Argentina and Romania is particularly alarming. Considering the state of identity theft globally, it is imperative that data protection laws are implemented forthwith and encompass both public and private entities, recognising that public bodies often hold the most extensive troves of personal data. Moreover, given the extensive centralisation of data within Nadra, many services such as telephony, transportation, courier, banking and hospitality rely on its database for biometric verification. This centralised approach, seemingly aimed at surveillance, introduces significant vulnerabilities with multiple parties accessing and utilising this database. This data leak must serve as a wake-up call for policymakers to enact and enforce the relevant laws. Bills have been drafted, but there have been no earnest efforts to advance them. A digitised world leaves no room for such massive security gaps. Pakistan must prioritise the protection of its citizens’ privacy and ensure that their data remains secure. Failure to do so would not only undermine individual rights but also hinder socioeconomic progress and security.

Published in Dawn, March 28th, 2024