Laws & Responsibilities

This is a guest post by Jabran Rafique, who is student of MSC Web Development at Staffordshire University, UK and one of the top mapping contributors and Pakistan’s ambassador at Google Map Maker.

Title is enough to bring smile on faces of my people! and why not? Because we don’t care about law and authorities don’t know what responsibilities are!

Let’s take a moment and think that do all departments work efficiently? We can count on finger tips those who are working efficiently as compared to the rest, e.g. USF, Highway & Motorway Police, NADRA, Traffic Wardens perhaps etc.

Do we, as public, help them to work efficiently? Unfortunately the answer “NO” for most of the organizations. It is usually observed that we follow the system (of certain organizations), as long as we are sure that these particular organizations are working perfectly. For instance, almost everyone tries to keep up with the regulations of motorway!

We don’t throw wrappers on street of Islamabad, where roads are clean and one can easily find the dust bins on the footpaths.

June 2005, I visited High Commission of Pakistan in London for my passport renewal.

On my turn to data entry, (apparently the) friend of the data entry guy came and sat next to him – this made by CNIC and other personal information exposed to him. I had no idea whether he was an employee or no but it made me concerned about my data privacy!

If such non-serious and non-professional attitude takes place in front of visitors then after hours, what less could be expected.

My recent visit in March 2010 didn’t make me please at all again when I saw the similar attitude. You can also see in Google Street View snapshot that majority of citizens are being served outside of the building in a tent for over 10 years because of lack of interest in developing an organisational structure.

In November 2007, The Election Commission of Pakistan provided an online facility (http://search.ecp.gov.pk) for confirmation of registration on electoral list. The facility as of now is temporary suspended. However, for a while when it had been live for few years, the sensitive and personal data for over 8 Crore people was on stake.

Website’s privacy policy even doesn’t comply with the service; evidently department was not following their own policy they claim to work on.

In fact there is no privacy policy at all even though the website had been handling the most sensitive data for its citizens. There had also been a big hoo-ha in media over their hosting on Canada servers for such a sensitive database which was at that time excused with electricity problem.

Worst privacy breach award must go to Federal Board of Revenue. For years, FBR (ex-CBR) has an online service for National Tax Number (NTN) confirmation. Typing any name will result in not only showing a list of all likely names throughout the country but also link to their most sensitive and critical details.

All three examples raise a question if our own government departments are abiding by laws and keeping any organizational structure?

The answer is a simple No! It is indeed not a rocket science to manage departments even having qualified people among them but it obviously demonstrates the lack of interest in building any infrastructure.

Law

With enhancement in IT throughout the country, there had been definitely a need to set out rules & regulation as well as strong enforcement for a better control over. In 2004, Electronic Data Protection & Safety Act was brought into force to tackle down the security issues concerned with electronic data handling.

The EDPS Act was then revised in 2005 and final draft was issued to be enforced immediately with changes. According to that an individual carrying out a mishandling in sensitive electronic data is subject to imprisonment up to 3 years or a penalty up to of Rs. 3 millions or both. A business/corporate/enterprise is subject to a fine not exceeding Rs. 10 millions.

Complete information on filing a complaint and offences can be found in the Chapter VIII of this Act. Whereas few other law enforcement documents also states various other punishments as described in Electronic Transaction Ordinance 2002 (Chapter 8 – Offences) and in Prevention of Electronic Crimes Ordinance 2007 (Chapter III).

Responsibilities

Long ago people used to say “Well, who will listen to you”? Now, thanks to media, people listen to you, but now voices arise: “Well, what can you do”?

That’s where we abandon our responsibilities with a negative approach for ourselves and for others. Why don’t we protest over responsibility breaches? such as violating the law, keeping an unserious attitude towards something; like reading your CNIC to anyone not authorized, develops a system based on unorganized infrastructure.

However, citizens are not much to blame in such a situation because of two strong reasons.

  • Very poor law enforcement by agencies
  • Lack of awareness about the law and offences

We have rarely seen any enforcement by Police or FIA Cyber crime wing in such matters. In fact, we don’t see any action taken in this aspect at all ever.

One significant achievement was perhaps the hackers arrested a while ago from Karachi who hacked the Interior Minister website which truly represent as a personal reaction rather than being a part of any official enforcement.

The carelessness of FBR regarding sensitive data handling describes how government’s own departments are not following their own policies and so the law enforcement agencies.

For a matter of fact, to enhance the security and lessen the concerns requires a very good awareness about laws and their offences to public.

With such a low literacy rate in the country, it actually makes more powerful demand to stretch all information to more and more people by various mediums.

Today we witness various departments and businesses where necessarily handling is not being carried out at all for personnel sensitive data. Apart from above examples, the most recent one is the facility provided by PTCL to get a duplicate bill. Recent technology acquisition by Police for GSM caller location identification raises concerns in due aspects at higher level as well.

An enhancement in policy could come along with law enforcement agencies playing their role powerfully because currently personal data is being used by various end users in very unethical, unlawful manners. Where mostly the end users don’t know the terms of usage or sometimes don’t care to handle the data sensitively. Other part of our own unserious attitude as citizens doesn’t help at all our governess organisational structure to grow well.

It’s a call for both, departments and public, to mull over the responsibilities, their level of awareness and duties to respect the certain rules & regulations and their enforcements, which are set for life enhancements and a civilized society; a civilized Pakistan.


  • Nighat Dad

    Thanks Jabran for such a well researched article on Privacy issue in Pakistan, very true that we are lagging behind in privacy laws and awareness in relation to personal data, I wonder why are sensitive govt offices are unaware of how to secure super sensitive data, not only our Interior minister’s website was hecked but few days back a sweeper caught red handed while grabing highly secret files from his office in Islamabad Secretariate…