Protecting privacy

The Government is moving forward with efforts to gather public data under one centre as a way to increase efficiency of the public sector with a progress review meeting presided over by the President this week. However without data protection laws there is fear such a centralised population information system can invade people’s privacy, infringe on their rights, and be abused in multiple ways.  

Data protection refers to the practices, safeguards, and binding rules put in place to protect personal information and ensure that a person can remain in control of it, even to the extent of demanding it be erased. In short, the citizen should be able to decide whether or not they want to share some information, who has access to it, for how long, for what reason, and be able to modify some of this information, and more.

Centralising data without legal means to protect personal information is deeply problematic, especially since it can include personal information, financial position and even details such as sexual orientation. Precise delivery of pensions and subsidies is important but it does not have to exclude proper protections for the information that is gathered about citizens.  

The move towards a centralised data centre was not one that appeared recently but it certainly gained more traction after the horrific Easter attacks. To fight terrorism, and more broadly in the name of security, many laws that attack freedom of expression and the right to a private life have been adopted, and given extraordinary surveillance rights to the State. The Government has already started this process by introducing electronic ID cards that were rolled out in 2017. 

Sri Lanka has no privacy/data protection laws, but hitherto privacy has been protected by the fact that most data is held in either manual form, or on isolated computer systems. Information was never shared, and if needed for investigative or other purposes, would have been provided only with a court order.  

No longer; wide powers have been granted to the Commissioner-General, his officials and other authorities to collect and record any personal details from all public – and potentially private – databases in the case of the e-ID cards. 

There is no question that people want to feel safe, and want services to be efficient but there are many steps that can be taken to make the public sector competent without taking away the people’s right to privacy. The public sector needs to be depoliticised, trimmed where unproductive, given a technological infusion and independence. An empowered public sector will not just provide better services but also be a solution to many other challenges the Government is facing including creating fiscal space, increasing profitability of State Owned Enterprises (SOEs), delivering higher quality of education, housing and other services as well as attracting investment. These efforts deserve public funds more than digital platforms that have questionable outcomes, and reduce the rights of law-abiding citizens. 

Data protection laws can also assist the IT industry and help draw better investment to Sri Lanka. There is also an existing data protection law that was drafted by the former administration, which could be evaluated and taken forward so there will not be any significant delays to Government plans. But there can be no doubt of the necessity and the need for data protection before data centralisation.