Employee Data Privacy & Protection Law in Pakistan

August 25, 2020, 1:20 pm

In Pakistan, the right to privacy is guaranteed under Article 14(1) of the Constitution, which states, “The dignity of man and, subject to law, the privacy of home, shall be inviolable.” This article vests in citizens the fundamental right to privacy, and it has been interpreted to extend to digital communications as well.

Data protection is about safeguarding our fundamental right to privacy by regulating the processing of personal data: providing individuals with rights over their data, and setting up systems of accountability and clear obligations for those who control or undertake the processing of the data. However, Pakistan’s constitution includes a wide-ranging exception to the primacy of fundamental rights. For example, the provisions of Article 8 do not apply to any law relating to the ‘proper discharge’ of the duties of the Armed Forces or the police. 

Employee monitoring  

As for workplaces, data law experts note that there is not yet any law on employee monitoring. As there is no law, there is also no legislative requirement to obtain consent. Yet consent is generally built into the employment contract. Moreover, Pakistan's data privacy law does not cite any requirement to consult works councils, trade unions or employee representatives.


Data security and data breach 

Under the Personal Data Protection Bill, data controllers, employers and employees are responsible for taking practical steps to protect personal data from any loss, misuse, modification, unauthorised or accidental access or disclosure, alteration or destruction.

Furthermore, the Bill requires data controllers to report a data breach to the Personal Data Protection Authority of Pakistan within 72 hours. There is an exception where the personal data breach is unlikely to result in a risk to the rights and freedoms of the data subject. If the notification is made after 72 hours, the reporting party should state the reasons for the delay.

The notification must contain the following information: 

  • Description of the nature of the personal data breach including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned.
  • Name and contact details of the data protection officer or other contact point where information can be obtained. 
  • Further assistance on how controllers will address the breach, including measures to mitigate its possible adverse effects. 

Depending on the case and type of breach, the maximum fine is up to PKR 30 million and the minimum fine is up to PKR 5 million. For further assistance on the breach or data protection, you may refer to DPO experts at ICLG. 
