Consumer Rights

Published on March 12th, 2007 | by Babar Bhatti


Privacy and Identity Protection in Pakistan

What is digital identity and why do we need to protect it, in Pakistan of all places? With globalization and outsourcing on the rise, privacy violations and identity theft are fast becoming a global problem. Here are a few reasons for concern regarding privacy and data protection in Pakistan: the rise of the banking and consumer credit industry, the surging number of telecom subscribers, outsourced data processing and the growth of e-commerce transactions. I’ll provide some background, discuss the existing rules and provide recommendations for business organizations.

The question is: do we have adequate identity and privacy protection in Pakistan? Are banks and telecom companies doing enough to keep your personal information safe? As one example, I was sent phone bills of someone else via e-mail and even after reporting the issue there was no follow-up. Probably similar incidents have happened with others in Pakistan as well, though statistics are not readily available.

My prediction is that gradually Asian societies (Pakistan, China, India etc) will become more sensitive to data protection and privacy issues. Now is a good time to demand good security practices to safeguard our data.

As a related item I’ll mention the ITU Internet Report entitled “” (in pdf), which was prepared for ITU TELECOM World 2006. The report examines how innovation in digital technology is radically changing individual and societal lifestyles.

Chapter four,, explores the changing nature of the digital individual and the need for greater emphasis on the creation and management of digital identity. Individuals today spend more and more time using digital means to communicate and transact, be that sending and receiving e-mail, talking on a mobile phone, participating in a social networking site, buying music, booking vacations over the internet, or playing an online game. The complexity of the interaction between technology, personal consumption and the construction of identity in the virtual space is a growing area of research. Users of digital technologies have a wide scope for constructing their virtual identity.

What are the laws for data and privacy protection in Pakistan? I found a final draft of the Electronic Data Protection Act 2005 on the Pakistan Software Export Board [PSEB] website. It is a relatively short and simple document which provides very basic rules for data collection, processing and handling. The Act tries to solve two problems: a) provide guidelines for outsourced data processing and b) regulate data collection in Pakistan. To give you a flavour of this Act, here are 2 definitions from it:

“Sensitive Data” means data revealing racial or ethnic origin, religious, philosophical or other beliefs, political opinions, membership in political parties, trade unions, organizations and associations with a religious, philosophical, political or trade-union, or provide information as to the health or sexual life of an individual and financial, or proprietary confidential corporate data.

Electronic data security. Electronic data that is subject to data processing shall be kept under custody, controlled or processed in such a way as to minimize the risks of its destruction or loss, even accidental, unauthorized access, unlawful processing or processing for purposes other than those for which the electronic data were collected, by means of appropriate precautionary security measures.

I would like to hear more from those who are involved in data processing in Pakistan and get some stats about security breaches and their resolution. A few years ago there was some uproar in the US about a data processing company in Pakistan but that issue was settled. Perhaps that incident also contributed to the implementation of Electronic Data Protection Act 2005.

What is the situation in the developed (or G7) world? The European Union has stricter standards than the US, where laws vary from state to state. The privacy legislation in California is worth mentioning here. The State of California is considered by many to be the strictest regarding privacy and identity issues. California has set up a privacy office for this purpose and you can find the legislative details here.

Based on California’s laws Forrester Research recommends the following practices for Business organizations – these recommendations can be applied to any organization:

Pick a framework. The establishment of reasonable security is best built on a foundation that is recognized and accepted. ISO17799 is currently the leading and most accepted framework to build an information security program around. The framework provides a standard architecture to document controls and make sure that everything is covered.

Identify and classify information. The focus of reasonable security is around personal California resident data. Security is first established by classifying this data — define it, assign information owners, establish controls —and identifying where in the organization this information resides. Personal data may be classified into subcategories such as employee data and customer/client data.

Determine business partners that touch your data. Identify which business partner relationships touch and store personal data; this is a critical element that is directly addressed in the legislation. Your organization’s liability does not stop with organizational boundaries — you are required to see adequate security is established in third-party relationships.

Document controls. Utilizing the framework as a structure, the next step is to document the detailed controls in place to line up with the framework. This gets into the depth of defining your policy, operational, contractual, and technical controls in place to protect personal information.

Validate controls. Establishing reasonable security does not stop with documenting controls. In fact, documenting controls that you do not have in place may only open the doors of liability wider. It is necessary to demonstrate that controls are implemented and working as defined in your security control architecture.

A few words about outsourcing and data security. As more firms enter into outsourcing agreements, liability coverage especially for data security and protection becomes more critical. While outsourcers are unlikely to accept unlimited liability, customer organizations can insert limits of liability into their contracts and receive cost reimbursement for any incidents that the outsourcer is responsible for, if they are willing to aggressively negotiate. However, customers must be aware of the real consequences and costs associated with enforcing these clauses or they may find that these clauses have very little real impact. Customers need to protect themselves in outsourcing agreements, but they must balance those needs with realistic expectations from their vendor.

About the Author

Founder and Editor of

9 Responses to Privacy and Identity Protection in Pakistan

  1. Asad Durrani says:

    What about monitoring of your employees using IP cameras? Does that breach privacy? And especially when cameras are not installed at the entrance and exit of the work premises (where they may be used for security) but are installed in such places that you can monitor your employees during the whole hours of work?
    Does anyone know anything on this? Because I recently joined an organization which is kind of a government department and the managing director has installed IP cameras all around the premises so that he can view all males and females working around even if he is not in the office.

    Any expert opinion on this?

    • Salman says:

      As far as my knowledge is concerned, there are no privacy laws in Pakistan. In Europe it’s illegal to install cameras and store data of employees without their prior consent.

  2. Zafar Ali Mahar says:

    Thanks Babar,

    For voicing against unauthorised use of personal information by FIs and telecom companies, I really feel that the law-making body should address this issue.

  3. SANA UL HAQ says:


    I am Sanaulhaq, doing an MS leading to PhD thesis in mechanisms of protection of personal healthcare information captured by sensors and wirelessly transmitted to have an integrated system of patient monitoring in hospitals or in homes etc. without the trouble of patients to have visits to healthcare professionals.

    Basically I belong to Pakistan, studying at NUST Pakistan, and I have to defend the said research from the perspective of my own country. As I know, an act of HIPAA in the USA has been passed to protect the personal healthcare information of a patient.

    Is there any law in Pakistan to protect personal healthcare information of a patient? Or in the near future will such a law be enacted to ensure protection of healthcare information?

    Kindly refer me to the said information, so that I may positively defend my research in front of my committee. I will be greatly thankful to you for that.
    NUST Pakistan

  4. Pingback: Your Privacy is an Illusion - Sohaib Athar

  5. Shoaib Ghauri says:

    Nowadays it’s the right time to promote these kinds of products in Pakistan.
    It’s really good.
    Best of luck.


  6. firdos alam says:

    Very good service

  8. Pingback: State of Telecom Industry in Pakistan » Unsolicited Calls: Marketing Without Permission
