In today’s digital era, where individuals of all ages and backgrounds rely on the internet, the transmission of personal information has become a daily occurrence. However, this convenience comes with significant risks and vulnerabilities. The commercialisation of information and the lack of robust digital governance often leave users with no choice but to disclose their personal data. To address this growing concern, it is crucial to establish stringent regulations that minimise or eliminate the breach of personal data beyond its intended purposes.

Article 7 of the Constitution not only guarantees the right to privacy for individuals but also extends this right to their family members. Unfortunately, safeguarding this right has become increasingly challenging. As concerns about privacy mount, users feel insecure and vulnerable when their personal details are not stored securely or are misused for purposes other than those initially intended.

For instance, the Royal Monetary Authority, which claims to offer seamless money transfers in the country, numerous shops and individuals continue to request the mobile numbers of individuals due to instances of failed money transfers. The vast amount of data collected in such cases can be subject to abuse by those who possess it. Similarly, during the Covid-19 pandemic, government authorities developed the Covid-19 Check Post Management System (CPMS), which continues to be utilised today for a great reason. This system has been instrumental in tracking and tracing Covid-19 cases, enabling the government to respond effectively respond to the possible spread of the disease. Thus, the primary purpose of this data collection was to prevent the further transmission of Covid-19.

However, it has recently come to light that several public servants discovered the Royal Audit Authority (RAA) had accessed the information stored in the CPMS without obtaining user consent. Consequently, audit memos based on this data have escalated. On one hand, it is positive that the government can identify instances where public servants have made false claims about their whereabouts. Nevertheless, the fundamental question remains: who should have access to such data when it pertains to public institutions and government agencies? Does the government possess the authority to utilise this data indiscriminately, deviating from its primary intentions, without seeking user consent? Can individual public servants sue the data holders for breaching the data under privacy, right? The Information and Communications Act (ICM) in 2018 specifically states that breach of confidentiality and privacy amounts to a criminal offence and failure to protect data or unlawful disclosure of data or information amounts to civil liability and liable to pay the compensation caused by such disclosure.

With the imminent implementation of the national digital identity programme in the country, the government will soon have access to the personal information of all Bhutanese citizens, regardless of their location. This will include biometric data, financial records, employment history, medical records, and more. Ultimately, the government will possess a vast amount of information on every individual, rendering them susceptible to arbitrary or unethical surveillance and information abuse. For instance, medical information should solely be employed for health-related purposes and not for any other reasons and should not be given to law enforcement for investigation.

The necessity of implementing regulations to safeguard privacy is twofold. First, it will help foster user confidence and trust in the state and its authorities. Second, it will protect the nation’s reputation as a democracy founded on democratic values, upholding the right to privacy from arbitrary disclosure.

Sonam Tshering

Lawyer, Thimphu

Disclaimer: The views expressed in this article are author’s own.