The draft of 'Personal Data Protection Policy-2082' is being made public for the first time on Tuesday, with provisions to bring the entire digital data system of Nepal under the scope of legal and policy management.

The draft policy prepared by the e-Governance Board under the Office of the Prime Minister and the Council of Ministers is about to be published for opinions and suggestions.  The board claims that some of the provisions included in the

draft are new in the Nepali context and necessary from an institutional point of view. It has provisions including that the principle of 'minimum necessary only' should be followed in data collection and random data collection should not be allowed.

The proposed policy mentions that the prior consent of the concerned person is mandatory when modifying, transferring or exchanging personal data. There is also a provision in the policy that if such acts are done without consent, they will be considered as 'crimes' and brought under the law. For the first time, it is proposed in the policy that a Data Protection Board will be formed to regulate all aspects of personal data protection. 

"The Data Protection Board will monitor data security risks and mitigations as necessary," policy 11.34 states. Earlier, although the 'Personal Privacy Act 2075' was made for the protection of personal data, no regulatory body or authority was specified in it. Due to this, even in the case of data misuse or hacking, there was confusion about who to complain about. 

The proposed Data Protection Board will be responsible for monitoring policy implementation, investigating data breach complaints, recommending legal action and enforcing data protection standards. The board will also ensure that the technical procedures as mentioned have been adopted or not in all activities from personal data collection to disposal. The Board shall have the authority to recommend action against any person or organization found to be in violation of the policy. The Board will conduct a detailed investigation of the data breach incident upon receipt of a complaint or information.

Provisions for appointing 'Data Protection Officers' in various agencies are also included in the draft policy. "In organizations that act as data collectors, custodians, processors and users, arrangements will be made to appoint a data protection officer," the policy section says, "Personal data protection law will be formulated and implemented." Provisions relating to personal data in existing laws will be updated to be consistent with provisions in this policy.' 

The draft proposed policy includes another new provision on personal data classification. "Separate frameworks will be created and implemented for data such as top secret, secret, and biometrics," strategy 11.1 to 11.15 states, "except in cases of sensitive and public interest, including national security, the right of individuals to access, collect, process, modify, use, and dispose of their data at any time without restriction will be provided in the law." The concept of adoption of other methods/technologies such as encryption, multiple and replication systems, physical security and other methods/technologies has been introduced. "To protect personal data, personal data will be made correct, accessible and safe by following the security standards used at the national and international level," says Strategy 10, "Individuals and organizations will be held accountable and responsible from the collection and disposal of personal data." According to the proposed provisions of the

policy, the purpose of use must be clearly stated when collecting data by government or private entities. They will only be able to use that data for that purpose. It is clearly mentioned that the government and private bodies cannot even collect more data than is required for work. Policy 11.16 states that ``when collecting personal data based on the purpose, only the minimum necessary data will be collected.'' If more data is collected, it is at risk of being hacked, leaked or misused. Therefore, not taking more data than necessary is also the first step in risk reduction.

The proposed policy includes 5 policies such as the process from data collection to disposal, standards for data protection, legal and institutional arrangements, and legalization of data breaches. 15 strategies have been identified to implement these policies. Based on the strategies, 35 strategies have been decided.  In the proposed institutional arrangement for the implementation of the

policy, a directorate committee and a data protection board have been envisioned. It is mentioned that the directorate committee which will be chaired by the chief secretary will include the chief statistics officer of the National Statistics Office along with the secretaries of the Ministry of Communication, Ministry of Home Affairs, Law and Finance.

Under the resource-resources arrangement, every agency is said to include a data protection program in its annual budget. The proposed policy has emphasized the issue of ensuring coordination, annual review and review among related agencies. 

Nepal did not have a unified data protection policy before. If this policy is implemented, it is believed that legal discipline will be strengthened in the country's data system and the use of private information of citizens. Officials of the Prime Minister's Office claim that this policy plays an important role in controlling the abuse of data and ensuring citizens' ownership, rights and access to data.