National News

Nepal to Introduce Data Protection Board to Curb Data Misuse

July 1, 2025
Nepal to Introduce Data Protection Board to Curb Data Misuse

For the first time in Nepal’s history, a comprehensive policy focused on personal data protection—Personal Data Protection Policy 2082—is being unveiled. The draft policy is scheduled for public release on Tuesday, June 25, 2025, by the e-Governance Board under the Office of the Prime Minister and Council of Ministers.

This landmark draft aims to bring Nepal’s entire digital data ecosystem under a legal and policy-driven framework. According to the board, several provisions in the policy are not only new in the Nepali context but also crucial for institutional data governance.

Join Us For Instant News

Key Provisions of the Policy

One of the primary principles outlined in the draft is “minimum data collection”—only the essential amount of personal data should be collected. Arbitrary or excessive data collection will be prohibited.

The policy mandates explicit consent from individuals before any modification, transfer, or exchange of their personal data. Any such action without consent will be treated as a legal offense. Notably, for the first time, the policy proposes the creation of a Data Protection Board to regulate all aspects of personal data protection.

According to Clause 11.34, the Data Protection Board will oversee implementation and monitor risks related to data security. While Nepal had previously enacted the Privacy Act 2075, it lacked a regulatory authority, leading to confusion about whom to contact in cases of data breaches or hacking incidents.

Roles of the Proposed Data Protection Board

The proposed board will:

  • Monitor policy implementation.
  • Investigate complaints related to data breaches.
  • Recommend legal actions.
  • Ensure compliance with data security standards.

It will also verify whether all technical processes, from data collection to disposal, follow prescribed protocols. The board will have the authority to recommend penalties against individuals or institutions found in violation.

The policy also includes a provision for appointing “Data Protection Officers” within both government and private entities. These officers will oversee compliance for institutions involved in data collection, processing, or usage.

New Classifications and Access Rights

The draft introduces new classifications such as Highly Confidential, Confidential, and Biometric Data. Separate frameworks will be developed for managing each category.

Citizens will be legally entitled to access, modify, process, and dispose of their personal data without restriction—except in cases concerning national security or public interest.

Security mechanisms like multi-factor authentication, encryption, real-time notifications, replication systems, and physical safeguards will be adopted. Clause 10 of the strategy emphasizes compliance with both national and international data security standards, ensuring accountability from collection to deletion.

Legal Compliance and Enforcement

Organizations—government or private—must:

  • Clearly state the purpose of data collection.
  • Use data only for that specified purpose.
  • Refrain from collecting more data than necessary.

As per Clause 11.16, collecting excessive data poses risks of leaks, hacks, or misuse. Limiting data collection is the first step in risk mitigation.

The policy contains five main frameworks:

  1. Full data lifecycle management
  2. Security standards
  3. Legal mechanisms
  4. Institutional oversight
  5. Legal accountability for breaches

To enforce these, the policy lays out 15 strategic approaches and 35 operational directives.

Institutional Structure and Budgeting

The institutional framework includes a Directive Committee chaired by the Chief Secretary. Members will include secretaries from the ministries of Communications, Home Affairs, Law, Finance, and the Central Bureau of Statistics.

Every government agency must allocate a portion of its annual budget for data protection programs. The policy also emphasizes inter-agency coordination and periodic reviews.

Impact and Significance

Nepal previously lacked an integrated data protection policy. Experts believe this initiative will strengthen legal discipline in data handling and enhance the protection of citizens’ personal information.

According to officials at the Prime Minister’s Office, the policy will play a crucial role in asserting citizens’ ownership, rights, and control over their personal data, effectively curbing data misuse.

The background section of the policy stresses the necessity for citizens to be aware of how their personal data—including health records, property, documents, and relationships—is handled. It also highlights the need for policy-driven protection to prevent unwarranted disclosure and ensure responsible data consumption.

Related posts:

Ramechhap landslide: four people missing and six killed A ten-passenger vehicle in Dhankuta crashes off a cliff Fake notes in Gaushala have been identified of Rs 500 and Rs 1,000 School principal is killed in Salyan Nepalese student fatally murdered in Houston, USA International travel impacted as three NAC planes remain grounded The Spanish couple that went missing visited the Annapurna region without a guide Default ThumbnailShree Kesh Oil Company is fined by KMC 58 nations send FDI to Nepal, with the industrial sector accounting for the majority of the investment PM Oli congratulates Palesha Govardhan, the bronze medallist Flooding blocks the Madi-Thori road Eight people, two of whom are Indian nationals, were detained on suspicion of creating fake currency

Leave a Reply

Your email address will not be published. Required fields are marked *