Pakistan has introduced stricter controls on the cross border transfer of government data under its National Data Governance Policy, strengthening safeguards to prevent unauthorised foreign access to sensitive public sector information. The policy establishes a framework that governs where government data can be stored, processed, and transferred, placing strong emphasis on protecting national sovereignty, security, and control over official information held by the state.
Under the new framework, public sector institutions must classify government data based on its level of sensitivity before deciding whether it can be hosted or transferred outside Pakistan. Sensitive and critical government data will be subject to data residency requirements and may only be transferred overseas under prescribed conditions and after obtaining the required approvals, while open government data will generally face no such residency restrictions. The policy also introduces a Sovereignty, Residency and Cross Border Controls Profile that will define data residency tiers, hosting requirements, jurisdictional safeguards, and approval mechanisms for any cross border data transfers going forward.
The framework forms part of the broader National Data Governance Policy 2026, prepared by the Ministry of Information Technology and Telecommunication, which declares government data a strategic national asset held under the state’s lawful authority and effective control. The policy states that public bodies are custodians rather than proprietors of the data they hold, establishing a duty of stewardship that includes protecting data quality, making information discoverable, and disclosing it proportionately. To reduce duplication across government departments, the framework proposes creating a governed National Data Exchange known as WASL, through which public agencies would securely share information instead of maintaining separate copies of the same records, along with designating single authoritative sources for major national datasets such as identity records, land, and vehicle information.
The policy also grants citizens meaningful new rights over their personal data, including the right to know who within the government has accessed their information, when it was accessed, and for what purpose, with this right only deniable on narrow grounds expressly provided by law. Public bodies processing personal data will be required to adopt privacy enhancing technologies, and citizens will have the right to obtain their personal data in a structured, machine readable format. Government organisations will also be required to notify the Pakistan Digital Authority without undue delay in the event of a data breach, with affected citizens informed directly where a breach poses high risk to their rights.
Implementation of the policy will be overseen by the Pakistan Digital Authority, which will designate a National Chief Data Officer, require every federal public body to appoint its own Chief Data Officer, and establish a National Data Governance Council comprising representatives from federal ministries, provincial governments, and regulatory bodies. Compliance will be measured through annual audits and a National Data Maturity Index ranking institutions on governance, security, and citizen empowerment, with the authority also working alongside international counterparts and multilateral organisations to promote responsible cross border data governance without weakening protections for government held information. The policy will take effect following federal cabinet approval and notification in the official Gazette, with existing contracts involving government data required to be updated within twelve months of the policy becoming effective.
Follow the SPIN IDG WhatsApp Channel for updates across the Smart Pakistan Insights Network covering all of Pakistan’s technology ecosystem.