Protecting personal data in Digital Guyana

Dear Editor,

I thank the Data Protection Commissioner for engaging publicly with the concerns raised in my earlier letter. His response confirms that the Data Protection Act is already law, that the Commissioner’s mandate flows directly from it, and that work is underway to establish the Data Protection Office. It also confirms that the Digital Identity Card Act and the Data Protection Act were intended to function together.

Now let us return to the substantive and narrow issue, that is protecting citizens from identity theft and unauthorized use of personal data. Let us acknowledge that there are companies with a lot more sophisticated network security, data protection measures operating in complex jurisdictions whose legal and regulatory frameworks are highly complex and more rigorous than Guyana’s. Yet, still Equifax, Capital One, National Public Data, the 2025 Credentials Crisis and the Persirai botnet are a few examples of data and IP breaches that happened within the last 5-10 years.

Therefore, the existence of a law, a Commission, or a technically sophisticated card does not by minimally addresses the real concerns, neither does this answer the question – how will personal information actually be protected across the full life cycle of collection, storage, sharing, use, correction, retention, portability, and deletion? Privacy is also about WHO and WHAT sit behind the full life cycle, the databases, agencies, contractors, data governance, authentication processes, internal permissions, cross-agency sharing arrangements, and the rules governing access, accountability, and redress.

Even “basic” information can become highly sensitive when linked across systems, especially where adequate technical, operational and procedural safeguards are lacking, and with no measure to alert citizens if, when, or how their personal data has been leaked, unlawfully accessed, or otherwise misused. Names, addresses, dates of birth, telephone numbers, identification numbers, and agency held records can become powerful tools for identity theft, fraud, profiling, exclusion, or surveillance when aggregated and improperly accessed.

For example, the Data Protection Act may provide for access, correction, erasure, portability, lawful processing, registration, and security obligations. But how will those rights be exercised across linked public databases? What exceptions will limit them in practice? If data is already copied across agencies or accessed by third parties, what does correction or deletion actually mean? If processing is based not on consent, but on legal or public-interest grounds, what exactly are citizens agreeing to when they register for and access services? What rights, if any, are people waiving, limiting, or permitting the state to encroach upon? What legal authority arises from that registration or agreement, and what are the limits on any subsequent use, restriction, or repurposing of their personal data?

Assurances acknowledged and welcomed; however several grey areas, concerns and questions remain as to whether digitization in Guyana will be rights-respecting, lawful, and trustworthy. Public confidence and trust will be secured by operational transparency, enforceable rights, visible institutional capacity, and genuine accountability.

I am therefore hopeful that further public guidance will be provided on the following:

1. How will the law, commission and government agencies ensure that internal staff access to personal data is limited, monitored, and recorded so that misuse can be detected and addressed?
2. What penalties or enforcement mechanisms will apply where personal data is wrongfully accessed, negligently exposed, or used beyond lawful authority?
3. What mechanisms are in place to prevent government held personal information from being used for profiling, unauthorized surveillance, or secondary purposes unrelated to the original reason for collection?
4. If identity theft occurs as a result of a breach or wrongful disclosure, what immediate support, remedy, or compensation will be available to affected persons? Will people receive a real-time notification that their personal data has been or may be compromised? Will they also receive steps and support to prevent or reduce harm?
5. What exactly is the government legally accepting responsibility for in relation to the collection, storage, sharing, protection, and misuse of citizens’ personal data, and for what is the Commission, and the government more broadly, prepared to be held legally accountable?
6. What safeguards exist to protect citizens from identity theft where personal information is aggregated across multiple government systems?
7. What technical and operational measures are in place to identify threats, prevent unauthorized intrusion, and respond to cyber attacks against systems holding personal data?
8. What exactly are citizens consenting to when they register for services and digital ID cards?
9. How will unauthorized access, misuse, or suspicious activity involving personal data be detected, logged, and investigated?
10. What rules govern third-party access, storage, use, sharing, retention, and deletion?
11. What limits will exist on function creep, that is, the expansion of data use beyond the original reason it was collected?
12. What national data governance framework does the Commission envision for guiding how personal information is managed across public institutions, and how would that framework ensure consistent standards for access, sharing, retention, correction, deletion, and accountability?
13. Who monitors government compliance in practice, and how will that process remain transparent and credible?
14. Will breach notification rules, privacy impact assessments, and regular audits be required before and after systems go live?

I hope the Commission’s response marks the beginning of a wider and more sustained public conversation, as well as renewed efforts to place the privacy rights of Guyanese at the centre of digitization, with the ultimate objective of protecting citizens from identity theft and the unauthorized use of personal data.