Dear Editor,
I READ with interest the letter published in the May 13, 2026 edition of Kaieteur News authored by Mr Rawle A Small. His concerns are timely, well-articulated, and frankly, are representative of questions this office has been hearing from many quarters. I therefore take this opportunity to respond to Mr Small directly, while also addressing the broader public concerns that his letter so clearly reflects.
Guyana does, in fact, have a Data Protection Act. This legislation is not a proposal or a future ambition — it is the law of the land. My mandate as Data Protection Commissioner flows directly from that Act, and at this very moment, we are actively engaged in the process of formally establishing the Data Protection Office, the institutional body responsible for enforcing its provisions, educating the public, and holding both government agencies and private entities accountable for how they handle personal information.
Mr Small raises several specific concerns that I want to speak to directly. He is right that when citizens register for digital services, a great deal of sensitive information — medical records, financial data, family details, identification numbers — can be collected, stored, and potentially shared.
The Data Protection Act addresses precisely this. It establishes principles governing the lawful basis for collecting data, places obligations on data controllers to ensure information is stored securely, limits the purposes for which data can be used, and grants citizens rights over their own information — including the right to know what is being held about them and to request corrections or deletions.
His concern about third-party access is equally well founded. Whether it is a private contractor supporting a government health system or a technology vendor managing police records, the Act does not permit organisations to sidestep their obligations simply because they are not government entities. Data processors operating on behalf of public bodies carry legal responsibilities of their own.
On the question of cybersecurity and encryption, I agree entirely that technical safeguards must accompany legal ones. No piece of legislation, however well-drafted, substitutes for properly secured systems. This is why the work of establishing the Data Protection Office includes developing guidance and standards that agencies must meet before deploying systems that handle personal information.
We are not simply building a complaints desk — we are building a framework of accountability that begins before systems go live, not after breaches occur.
I also want to address directly the concern that has been raised in various quarters about the Digital Identity Card Act of 2023 being in force while the Data Protection Act has not yet been fully operationalised. This is a fair observation and one I take seriously.
But I want Guyanese citizens to understand what the Digital Identity Card Act actually says — and what is built in from the outset.
The two pieces of legislation — Act No. 18 and Act No. 19 of 2023 — were passed together by the National Assembly on the same day and assented to by His Excellency the President on the same date. They were always designed to function as companion laws.
This is not accidental. The Digital Identity Card Act itself mandates several preconditions before the system could be launched, and among those preconditions is the appointment of a Data Protection Commissioner.
The Digital Identity Card Act did not sidestep data protection — it required it. A Data Protection Commissioner had to be appointed before the Act could come into force. That was not optional, and that condition has been met.
Furthermore, the Act stipulates that the Digital Identity Card Registry shall be administered by the Data Protection Commissioner, who is exclusively authorised to issue the cards. As Commissioner, I am not a bystander to the Registry — I am its administrator. The protection of the data collected through that system is a responsibility that sits directly with this office, not in some other ministry or department.
That is a meaningful structural safeguard, and it is written into the law itself.
Regarding what data is actually being collected at this stage: both the Prime Minister and Attorney General have confirmed that only basic personal information already held by state agencies is being collected — the same type of data currently held by GECOM, the Guyana Revenue Authority, and the National Insurance Scheme.
The government has been unambiguous on this point: more sensitive personal information will only be collected once the country’s data-protection framework is fully in place. I have further clarified publicly that no tax records, health data, or financial information is stored on or within the card itself. The card carries what is necessary to establish identity — nothing more at this stage.
On the technical side, the system is not built on good intentions alone. The cards meet international ICAO biometric security standards — the same standards governing passports and identity documents worldwide. They are laser-engraved in polycarbonate material to resist forgery or alteration, and PKI-enabled for secure digital signatures and authentication. There is structured coordination between the Registry and the public bodies responsible for issuing official documents — including the General Register Office, the Commissioner of Registration, and the Immigration Support Service — for the purpose of authenticating documents and validating data in the central databases.
Are these safeguards identical to the full framework of the Data Protection Act? No — and I will not pretend otherwise. The DPA, once fully operational, will add a comprehensive layer of rights, enforcement powers, and oversight mechanisms that go significantly beyond what the DICA provides on its own. That work is underway and it is my office’s primary mandate to see it through.
The government has stated that it is working to establish the necessary mechanisms to bring the Data Protection Act into full effect. I can tell you that this is not a distant aspiration — it is an active operational effort.
What I would say to any citizen who has hesitated to apply for their digital ID card because of concerns about data protection: the system you are interacting with when you go to a regional enrolment office is one administered by this office, built to international security standards, limited in its current data collection to what the state already holds about you, and structured by two laws that Parliament passed with broad support precisely because they were designed to work together.
Beyond the mechanics of the card itself, Mr Small raises a broader concern that deserves a direct answer — the risk of data being used for political profiling, commercial targeting, or surveillance. These are not paranoid concerns. The international record is clear: governments and corporations have misused data at enormous scale, and smaller nations are not immune. The protections against these abuses are built into the architecture of the Act — purpose limitation, data minimisation, restrictions on automated decision-making, and independent oversight.
Where I must respectfully take issue is on the suggestion that legal protections are not yet part of this process. They are. What I acknowledge, honestly, is that public awareness of these protections remains limited — and that is a gap we take seriously. A law that citizens do not know about cannot protect them the way it should. Public education is very much a part of what the Data Protection Office is being built to deliver.
Guyana’s digital future should be built on trust, and trust has to be earned through transparency, accountability, and genuine institutional capacity. That is exactly what we are working towards.