In Pakistan, the right to privacy is guaranteed under Article 14(1) of the Constitution that says, “The dignity of man and, subject to law, the privacy of home, shall be inviolable.” This article vests in its citizens the fundamental right to privacy and it has been interpreted to extend to digital communications as well.
Data protection is about safeguarding our fundamental right to privacy by regulating the processing of personal data: providing individuals with rights over their data, and setting up systems of accountability and clear obligations for those who control or undertake the processing of the data. However, Pakistan’s constitution includes a wide-ranging exception to the primacy of fundamental rights. For example, the provisions of Article 8 do not apply to any law relating to the ‘proper discharge’ of the duties of the Armed Forces or the police.
As in workplaces, data law experts define that there is no (yet) related employee monitoring law. As there is no law, there is also no legislative requirement to obtain consent. Yet, consent is generally built-in within the employment contract. Moreover. Pakistan data privacy law does not cite any requirement for work councils, trade unions, employee representatives that need to be consulted.
Data controllers, employers and employees, under the Personal Data Protection Bill, are responsible for taking practical steps to protect personal data from any loss, misuse, modification, unauthorised or accidental access or disclosure, alteration or destruction.
Furthermore, the Bill requires data controllers to report a data breach to the Personal Data Protection Authority of Pakistan within 72 hours. There is an exception where personal data breach is unlikely to result in a risk to the rights and freedoms of the data subject. In case the notification is made beyond 72 hours, those who report should state reasons for the delay.
The notification must contain the following information:
Depending on the case and type of breach, the maximum fine is up to PKR 30 million and the minimum fine is up to PKR 5 million. For further assistance on the breach or data protection, you may refer to DPO experts at ICLG.