With the story out that some officials had accessed the National Data Base Registration Authority’s database to seek personal information of the family of the Chief of Army Staff General Asim Munir Shah, questions are being raised about other institutions that have access to the same data, and what have they done to flush out elements that were involved in data breach in these organizations.
Further investigation into this matter revealed that NADRA provides identity verification services to multiple financial institutions, the Telecommunication industry, Government institutions and Law Enforcement Agencies for their legitimate usage under legally signed contracts. The investigation points out that multiple users of different organizations had accessed the data of Chief of Army Staff General Asim Munir before his appointment as Chief of Army Staff, which seemingly was done with illegitimate motives. Other than NADRA, nine institutions including law enforcement agencies (including some intelligence agencies), Banks and a Housing Authority accessed COAS’s family data during the period in question.
When approached, sources in NADRA said that a thorough internal inquiry was initiated when NADRA’s indigenous data analytics system had raised alarm when the data of some prominent public figures was accessed a few months back. This led to a startling revelation that various institutions including law enforcement agencies, Banks and Housing Authority accessed unauthorizedly the personal data of leading politicians and government functionaries.
Chairman NADRA Tariq Malik immediately instituted an inquiry to ascertain the facts and find the responsible for the data breaches within NADRA, and as soon as the responsible people were identified they were asked to leave.
It is Interesting however that no other organization has come up with an inquiry so far and no responsible individuals have been identified.
Meanwhile inside NADRA after these revelations, on an urgent basis a zero-tolerance policy protocol was implemented and further tightening of access to personal data was introduced.
Chairman NADRA had forewarned all the employees of the authority with respect to the data protection regime through official communication respectively on 18th November 2022, 19th December 2022 and 3rd February 2023. The employees were duly informed that an Artificial Intelligence-based system had been implemented to protect citizens’ data by monitoring the behavior and working of all employees at workplace. Unauthorized access to citizens’ data is a non-bailable offense under Section 28 of NADRA Ordinance 2000 punishable with imprisonment of 5 years, a fine of 1 million, or both.
The auditing software resultantly held to identify more than three thousand employees’ user access which had been reviewed and withdrawn. This helped to initiate inquiries against 377 employees terminating 131 employees who unauthorizedly accessed the citizens’ data. Stern action as per Government Servants (Efficiency & Discipline) Rules 1973 will also be taken against all in this regard.
In another significant development to protect the privacy of citizens’ data in the wake of March 2023, NADRA launched the ‘Ijazat Aap ki’ service, an initiative that puts citizens in charge of their own personal data. The cutting-edge service empowered citizens to give their consent before verification of the CNIC, ensuring that their sensitive data is always protected and secure.