MoIT Finalizes Draft for Personal Data Protection Bill 2020

[Morpheus]

MoIT Finalizes Draft for Personal Data Protection Bill 2020

Posted 16 seconds ago by ProPK Staff

The Ministry of Information Technology and Telecommunication has finalized the ‘Personal Data Protection Bill 2020’ aimed at realizing the goal of the full-scale adoption of e-government, increase users’ confidence, and protect users’ data from unauthorized access or usage.

This was confirmed by the Secretary Ministry of Information information and Telecommunications, Shoaib Ahmad Siddiqui.

He said that the draft bill is almost finalized and will be presented for the approval of the Cabinet very soon, adding that the legislation will facilitate users through the protection of their data.

The government has also proposed the constitution of a ‘Data Protection Authority’ to curb the misuse of data and to protect citizens’ personal information. However, the Secretary said that the Data Protection Authority has not been finalized yet.
The Ministry of Information Technology and Telecommunication had drafted the ‘Personal Data Protection Bill 2020’ and sought feedback from all its stakeholders while proposing a fine of up to Rs. 25 million for those who process or cause to be processed, disseminate, or discloses personal and sensitive data in violation of any of the provisions of the proposed legislation. The proposed legislation had been drafted in 2018 but was delayed numerous times.

The proposed legislation will govern the collection, processing, use, and disclosure of personal data; and will establish and make provisions for offenses related to the violation of individuals’ right to the privacy of data by collecting, obtaining, or processing personal data by any means.

It is also expedient to provide for the processing, obtaining, holding, usage, and disclosure of data while respecting the rights, freedom, and dignity of natural persons with special regard for their right to privacy, secrecy, and personal identities, and for matters connected therewith and ancillary thereto.

Furthermore, a data controller will not process personal data including the sensitive personal data of a data subject unless the subject has consented to the processing of the personal data.

If personal data is required to be transferred to any system beyond the territories of Pakistan or to a system that is not under the direct control of any of the governments of Pakistan, it will be ensured that the country where the data is being transferred offers personal data protection that is at least equivalent to the protections provided under this Act; and that the transferred data will be processed in accordance with this Act; and where applicable, consent to it is given by the data subject. Additionally, critical personal data will only be processed in a server or data center within Pakistan.

The proposed legislation states that the digitization of businesses and various public services employing modern computing technologies involves the processing of personal data. The growth of technological advancements has made the collection of personal data easier and has also enabled the processing of personal data in numerous ways that were not possible in the past.
Personal data is often being collected, processed, and even sold without the knowledge of the person in question. In some cases, such personal information is used for relatively less troublesome commercial purposes like targeted advertising. However, the data thus captured or generated can be misused in many ways like blackmail, behavior modification, phishing scams, etc.

To realize the goal of the full-scale adoption of e-government and the delivery of services to the people at their doorsteps, and to increase users’ confidence in the confidentiality and integrity of government databases, it is essential for users’ data to be fully protected from any unauthorized access or usage, and that they are provided remedies against the misuse of their personal data.

With the advent of 3G/4G in Pakistan, an accelerated increase in the use of broadband has led to an increasingly enhanced reliance on technology, calling for the protection of people’s data against misuse, and thus maintaining their fearless confidence in the use of new technologies.

Although Pakistan has sectoral arrangements/frameworks exist for the protection of data in addition to the Prevention of Electronic Crimes Act 2016 that deals with the crimes relating to unauthorized access to data, it is necessary to arrange for a comprehensive legal framework in line with the constitution and international best practices for personal data protection.

Protecting personal data is also crucial to the provision of legal certainty to businesses and public functionaries regarding the processing of personal data in their activities.

The desired legal framework will clarify the responsibilities of the data collectors and processors, and the rights and privileges of the data subjects along with institutional provisions for the regulation of activities related to the collections, storing, processing, and usage of personal data.

Within six months of the enforcement of this Act, the federal government will, by notification in the Official Gazette, establish the Personal Data Protection Authority of Pakistan to perform its functions.

This Authority will be a statutory corporate body having perpetual succession and a common seal; and may sue and be sued in its own name and; subject to and for the purposes of this Act, may enter into contracts and may acquire, purchase, take and hold moveable and immovable property of every description; and may convey, assign, surrender, charge, mortgage, reassign, transfer, or otherwise dispose of or deal with any moveable or immovable property or any interest vested in it; and will enjoy operational and administrative autonomy except as specifically provided for under this Act.

It will be responsible to protect the interest of the data subject and enforce the protection of personal data, prevent any misuse of personal data, promote awareness of data protection, and will entertain complaints under the Act.
Moreover, the Authority will be an autonomous body under the administrative control of the federal government, with its headquarters in Islamabad.

MoIT Finalizes Draft for Personal Data Protection Bill 2020

The Ministry of Information Technology and Telecommunication has finalized the ‘Personal Data Protection Bill 2020’ aimed at realizing the goal

propakistani.pk

+++++++++++++++++

 

[Samlee]

Good Step

 

[Morpheus]

PTA Introduces Critical Telecom Data and Infrastructure Security Regulations

Posted 1 hour ago by ProPK Staff

The Pakistan Telecommunication Authority (PTA) has notified the ‘Critical Telecom Data and Infrastructure Security Regulations, 2020’ aimed at ensuring the security of critical data and infrastructure related to the telecom sector.

Critical data and infrastructure will be identified and designated by the PTA’s licensee to ensure cybersecurity. Automated network monitoring systems will be installed by the licensee to detect unauthorized or malicious users, connections, devices, and software with preventive actions.

​

The PTA may also issue guidelines or specifications for deployment, operations, management, and access to information and logs of the monitoring systems.

The Critical Telecom Infrastructure (CTI) will be monitored to identify and prevent eavesdropping, unauthorized access, and cyber threats.

The PTA has devised the regulations to exercise its powers conferred via Clause (o) of sub-section (2) of Section 5 of the Pakistan Telecommunication (Reorganization) Act, 1996 (XVII of 1996).

Regulations will apply to all the PTA licensees for the security of critical telecom data and critical telecom infrastructure in accordance with the procedures specified in these regulations.
According to the regulations, the licensees will constitute a steering committee comprising high-level representation from key operational areas to govern and ensure the implementation of cybersecurity initiatives.
Keeping in view the requirements of these regulations, necessary policies will be defined, approved, and communicated by the licensee to its employees and other stakeholders like partners, contractors, and any other entities that have an interface with its telecom data or infrastructure to ensure compliance with these regulations.

The policies mentioned will be regularly reviewed by the licensee at planned intervals or upon any significant change or event. The roles and responsibilities for cybersecurity will be clearly defined and allocated by the licensee who will also maintain appropriate contact with relevant stakeholders to ensure cybersecurity.

Employees and contractors will be contractually bound by the licensee to relevant cybersecurity requirements with a formal and communicated disciplinary process for compliance. To ensure the proper implementation of security measures, employees and relevant contractors or partners will be informed by the licensee of the security policies and requirements through awareness sessions, education, and trainings.

Where applicable, the licensee will also inform its customers or subscribers of cybersecurity to safeguard them against security threats and incidents. Furthermore, physical security for secure areas should be designed and implemented by the licensee, including the definition of the security perimeters for secure areas.

The physical access to assets at secure areas will be managed and protected by the licensee, and only authorized personnel will be provided access to secure areas. The licensee will ensure that access points where unauthorized persons can enter a secure area are be controlled, and if possible, isolated from the CTI.

A physical log book or electronic audit trail will be maintained and monitored by the licensee for the personnel accessing the secure areas. The physical environment of the secure areas will be monitored or surveilled by the licensee to prevent and respond to a cybersecurity incident.

Procedures for working in secure areas will be designed and implemented to safeguard against cybersecurity incidents. Physical protection against natural disasters, hazards, malicious attacks, or accidents will be designed and applied by the licensee for the secure areas.

The secure areas should be protected from power failures and other disruptions caused by failures in the supporting utilities. Power and telecommunication cabling for the CTI should be protected from interception, interference, and damage.

The maintenance of the equipment at the secure areas will be properly carried out by the licensee for its availability and integrity. Appropriate protection will be provided by the licensee at the secure areas for unattended equipment to safeguard it against unauthorized access.

Assets pertaining to the CTI should not be taken off-site without proper authorization, and appropriate security measures will be provided by the licensee to off-site CTI assets while taking into account the risks outside the licensee’s premises. A clear desk policy for papers and removable storage media and a clear screen policy for critical data processing facilities will be adopted by the licensee.

The licensee will ensure that the event logs for users’ activities, exceptions, faults, and cybersecurity incidents are produced, stored, and regularly reviewed to identify and mitigate security threats and incidents. The CTI will also be protected against malware by the licensee.

Automated malware protection will be provided by the licensee to identify and eliminate malicious software activity. A policy will be formulated and enforced by the licensee to prohibit the use of unlicensed and unauthorized software, along with the development and implementation of a vulnerability management plan.

For the systems and software being used by the licensee, the exploitation of related technical vulnerabilities will be avoided by obtaining their information on time and by taking appropriate measures to address the associated risks.

A formal policy will be formulated and enforced by the licensee to protect against risks that are associated with the data and software obtained from external networks or other media.

The licensee should also prepare an appropriate business continuity plan for recovery from malware attacks, including necessary data or software backup and recovery arrangements. Privacy will be ensured for the critical telecom data stored by the licensee, and it will only be used for the purpose for which it was obtained from customers.

Data will be protected from unauthorized disclosure, modification, loss, and destruction. Licensed data retention timeframes will be observed, and where required, clarity will be sought from the authority for the retention timeframe of any data for which a retention timeframe is not mentioned in the license.
The licensee should only use vendor-supported software versions for systems and applications that store critical data. A Computer Emergency Response Team (CERT) will be established by the licensee to ensure a quick, effective, and orderly response to cybersecurity incidents.

The CERT should be capable of planning, detection, initiation, response, recovery, and post-incident analysis while having well-defined functions and communicated processes in place that should be tested periodically.

The licensee will establish processes for collecting, analyzing, and responding to cyber threat intelligence information collected from internal and external sources, and will share the threat feeds with the PTA.

PTA Introduces Critical Telecom Data and Infrastructure Security Regulations

The Pakistan Telecommunication Authority (PTA) has notified the ‘Critical Telecom Data and Infrastructure Security Regulations, 2020’ aimed at ensuring the

propakistani.pk

++++++++++++++++++++++++++++

 

[Morpheus]

New Data Protection Bill to Prevent Social Media Platforms from Using Data Without Consent

Posted 2 hours ago by ProPK Staff

The ‘Data Protection Bill’ which will prohibit social media platforms like Facebook and Twitter from using consumers’ data without prior consent and will allow for the imposition of high fines for violations is in its final stages.

​

This was revealed by the officials of the Ministry of Information Technology & Telecommunication (MoIT&T) during a briefing of the National Assembly Standing Committee which was convened with Member National Assembly (MNA) Ali Khan Jadoon in the chair here on Wednesday.
The committee expressed serious concerns over the rising number of cybercrimes in the country while highlighting that even parliamentarians and judges of the Supreme Court have been victims of hacking.

“Even parliamentarians who are being considered as powerful are not safe from fake hacking, fake accounts, etc., imagine what issues to be faced by the general public”, said MNA Romina Khurshid Alam.

The MoIT&T officials informed the Standing Committee that the Data Protection Bill will be introduced soon and that it will help to reduce fake accounts and other such elements.
Although Facebook and other entities had expressed reservations regarding the proposed legislation, they have now agreed to either establish their offices in Pakistan or appoint their representatives in the country, said an official, adding that social media platforms will not be allowed to use consumers’ data without their prior consent. In case of violation, the social media companies responsible will be fined heavily as in other countries.

While expressing disappointment over the Cyber Crimes Wing performance, MNA Alam said that even the provision of her complete details and IDs had not aided her request in any way and that she had suffered greatly.

MNA Naz Baloch reiterated that even judges’ accounts are being hacked.
MNA Kanwal Shauzab said that money is being withdrawn from banks by the theft of data from the National Database & Registration Authority (NADRA), and that consumer data is not secure in the country.
After a thorough discussion, the Standing Committee recommended the Public Sector Development Program (PSDP) proposals of the Information Technology & Telecommunication and Special Communication Organization (SCO) for the year 2021-22 for ongoing and new projects.


It also decided to scrutinize the remaining proposals of the Organizations under Information Technology & Telecommunication in the next meeting.

While taking serious note of the non-compliance of its recommendation made in its previous meeting regarding the provision of fiber optics in District Malir of Karachi, the Standing Committee directed for the provision of the same within 30 days. It directed the MOIT&T to pursue the provision of quality telecommunication and internet services to the remote areas of the country and in Balochistan in particular. It also agreed to hold a briefing on the projects funded by the Universal Service Fund for the provision of telecommunication services to remote and underserved areas.

The meeting was attended by Sahibzada Sibghatullah, Muhammad Abdul Ghafar Wattoo, Muhammad Aslam Khan, Kanwal Shauzab, Nusrat Wahid, Muhammad Hashim, Ali Gohar Khan, Aysha Rajab Ali, Romina Khurshid Alam, Maiza Hameed, Shamim Ara Panhwar, Mahesh Kumar Malani, Naz Baloch, Syed Mehmood Shah, the Additional Secretary MOIT&T, and other officers from the concerned departments.

New Data Protection Bill to Prevent Social Media Platforms from Using Data Without Consent

The ‘Data Protection Bill’ which will prohibit social media platforms like Facebook and Twitter from using consumers’ data without prior

propakistani.pk

++++++++++++++