The National Digital Identity (NDI) Programme is a personal initiative and vision of His Majesty aimed at revolutionizing public service efficiency, adapting to rapid global changes in technology, and ensuring strong accountability among state agencies responsible for public services. The law should provide the broadest possible protection against state agencies from unauthorized use of digital information and build public’s trust in the government’s ability to safeguard their personal information. 

NDI means “a secured centralized system that allows individuals to digitally represent their identity information, including personal details and biometric data with consent. It enables identity verification without physical documents and promotes minimal information sharing by disclosing only essential data during interactions and transactions.”

Estonia serves as a successful model of digitalization.  Estonia’s Personal Data Protection Act of 2019 establishes six data quality principles, ensuring fair, lawful, and transparent processing of personal data. It emphasizes specific purposes, data adequacy, accuracy, limited retention, and security.  Only the parents grant consent for online services involving children, and additional requirements safeguard sensitive data such as criminal records and biometrics. The law outlines the duties and accountabilities of public officers, imposing severe penalties for privacy breaches and unauthorized data disclosure. In contrast, our NDI Bill lacks adequate provisions on data protection. It appears to focus more on protecting state agencies rather than empowering citizens. Further, the Bill provides wide discretion in governance framework for the state agencies making vulnerable to abuse. 

Singapore has successfully implemented National Digital Identity (NDI) with a focus on openness, trust, and connectivity. The country benefits from uninterrupted internet speeds ranging from 80 Mbps to 100 Mbps. Singapore’s NDI system enjoys high public confidence due to strong protection measures. The Personal Data Protection Act of 2012 in Singapore imposes significant penalties for privacy breaches and unauthorized disclosure of data. Organizations can face fines of up to 10 percent of their annual turnover (if exceeding SGD 10 million) or up to SGD 1 million, as well as imprisonment for two years or more. Recent cases, such as Sing Health Services Pte Ltd and Integrated Health Information Systems Pte Ltd, faced penalties of SGD 250,000 and SGD 750,000, respectively, for breaching data protection obligations.

The United Kingdom is actively exploring National Digital Identity (NDI) implementation with an emphasis on voluntary participation, establishing robust standards, and implementing strong regulatory mechanisms. The EU Guidelines on NDI 2023 acknowledge the potential benefits of NDI but also highlight the associated risks, including human rights concerns such as discrimination, exclusion, profiling, surveillance, and loss of identity control or identity theft.

The World Bank Group’s ID4D program states that the developing countries, especially during digital transitions, face hurdles due to limited resources, infrastructure gaps, and socio-economic complexities, weak civil registration, limited connectivity, lower literacy and government capacity, and cybersecurity insufficiencies.

Bhutan currently ranks 148th in terms of average fixed-network broadband internet download speed, with only 11.26 mbps. This highlights the immediate need for reform to establish robust and accessible internet connectivity, crucial for the successful realization of the objectives outlined in the NDI bill. The legislation should incorporate provisions that ensure accountability and impose penalties for the unauthorized disclosure of personal information. For example, the recent incident involving the unauthorized disclosure of CPMS data to auditors without consent or knowledge underscores the necessity for safeguards against such occurrences in the future. The NDI must manifest the right to privacy guaranteed by the Constitution.

Sonam Tshering

Disclaimer: The views expressed in this article are author’s own.