April 12, 2023 - NADRA launches ‘Ijazat Ap Ki’ Service
Author: Zainab Durrani
One of the latest developments shared by the National Database and Registration Authority (NADRA) is a new data protection service it has rolled out, called ‘Ijazat Ap Ki’ (‘With Your Consent’). Though limited information is available online regarding the initiative, we have gleaned the following from various sources:
How it works: Since March 2nd 2023, as per news reports covering NADRA’s public release, all national identity-related data acquisition of citizens will be accompanied by a 6-digit code authentication process to verify their consent in all service transactions.
It is important to note that the NADRA database encompasses the biometric data of ‘125 million unique identities’ as per its own admission, labeling it as the ‘world’s largest singular citizen database,’ holding sensitive data including biometric personal information. The accompanying onus thus falls much more heavily on the Authority to provide safe systems to curtail data breaches, especially in the absence of data protection regulations in the country.
Although the details are not available on NADRA’s website, the news coverage states that the service has been put into motion and will be accompanied by the use of a one-time password (OTP) to collect the authorization of the individual before verification of their Computerized National Identity Card (CNIC).
This development safeguarding the rights of Pakistani citizens in digital spaces, especially through data privacy, is a positive first step and one that must be accompanied by the principles of transparency and accountability. NADRA’s previous record as a data retainer and processor is unfortunately rife with several instances of data breaches.
When we at DRF attempted to register for the service by sending a 13-digit CNIC number to 8009, a confirmation message was received almost instantaneously stating that the phone number was indeed linked to the CNIC in question; however, no more details were provided regarding the ‘Ijazat Ap Ki’ service itself.
Since the publicly available information was limited, we shared our queries with NADRA and, encouragingly, received responses. The exchange is shared verbatim for our readers:
Question: How many citizens (and what percentage of the total citizens on the database) have signed up for the ‘Ijazat Ap Ki’ service so far? What efforts are being made to ensure all citizens sign up?
Response: ‘Ijazat Ap Ki’ service is a backend dynamic service. It doesn’t require any pre-registration. Instead at the time of verification, it generates a verification pass and sends it to the citizen on his/her recently reported mobile number. At the same time this service allows citizens to pair their default number to receive verification code. So far over a million citizens have paired their number to receive the code.’
Question: What checks are in place to ensure that NADRA will be sending the OTP for every CNIC-related transaction?
Response: ‘Data privacy and consent management is a fairly new idea in Pakistan therefore it needs to be rolled out gradually for its acceptance and minimize resistance. Therefore, it is planned to be rolled out in phases. The first phase was rolled out earlier this year and over 250 entities were moved to ‘Ijazat Ap Ki’ service. We receive feedback and adjust the service so that the verifying agencies are involved and made part of the system. After gradual rollout, eventually the plan is to ensure that every CNIC related transaction has the consent of the citizen. It may be a verification code, biometric verification or any other means that the organization may find appropriate in coming times.’
Question: What efforts, if any, are in place to ensure transparency in this process? Has NADRA considered instituting a live counter or roster hosted on the NADRA’s website, which can boost confidence in the Authority’s claim to added privacy protection?
Response: ‘As mentioned above, it is a gradual process. First challenge is to get the [sic] acceptance and introduce the consent management regime. As the whole system is automated and there are strict control measures and audit trails available to trace back any irregularity. NADRA takes data misuse [as] a very serious crime and take[s] strict action against the offenders.’
Question: Which transactions will be covered under this service, financial, retail, e-commerce?
Response: ‘Consent management is a universal phenomenon and all CNIC related transactions will be covered. Its rollout is gradual but eventually the whole industry will adopt this regime.’
While the answers provided by NADRA helped clarify some of the broader details of the service, they left a few of our concerns unaddressed. We believe it would be prudent for NADRA to lay out a step-by-step guide to clarify the registration process, to increase accessibility. NADRA shared a video they developed with us that accomplishes just that; sharing this video widely through social media and TV channels would help bolster registration. The link to NADRA’s video on ‘Ijazat Ap Ki’ service is available here.
We are also concerned by the lack of specificity around the ‘strict control measures and audit trails’ and whether these audits will be available to the public. Additionally, more information on which entities have been moved to the ‘Ijazat Ap Ki’ service roster and generally applying a more forthcoming approach would be a welcome step in progressing towards a nation more in line with open governance principles.
Another move that could bolster confidence in the Authority’s progress with regards to a citizen-centric vision would be the development of SOPs or perhaps a policy that quantifies and operationalises the ‘consent management regime’ that NADRA referred to in their responses.
We would like to reiterate that the need for a data protection instrument to oversee the regulation of data subject privacy is greater now than ever. Such a law would also be beneficial in institutionalizing changes that require public and private data processors, such as NADRA and the telecom and ISP sector, to implement coherent privacy policies across the board. An overhaul of the existing perspective and strategy is required for Pakistan to keep up with the pace at which its citizens are adapting to digital lives.
Regardless, as a digital rights organization, we appreciate the commendable move to institute safeguards to further protect the vulnerable data of citizens and will continue to monitor the developments under this new service and the overall state of privacy in the country.
https://www.geo.tv/latest/473813-nadra-rolls-out-pakistans-first-data-protection-service
https://www.nadra.gov.pk/wp-content/uploads/2016/02/Corporate-Brochure-11.4.16.pdf
https://www.dawn.com/news/1660199
Published by: Digital Rights Foundation in Blog