The governance of data has become central to modern policymaking, economic planning, and digital transformation. In Pakistan, as elsewhere, vast amounts of data, ranging from personal and financial records to environmental and demographic datasets, are collected and processed to inform public policy and service delivery. However, the country’s data governance ecosystem remains fragmented, with overlapping legal frameworks, institutional silos, and weak enforcement mechanisms. Despite significant developments such as the Digital Nation Act 2025 and the draft Data Protection Bill 2023, Pakistan continues to struggle with regulatory gaps, inconsistent implementation, and growing concerns over data security, privacy, and accessibility. The fragmented nature of Pakistan’s data governance has also created tensions between desired openness and required protection, where open data initiatives can clash with privacy laws, or innovation is held back by outdated compliance requirements.
In this context, the Sustainable Development Policy Institute (SDPI) convened a Public-Private Dialogue titled “Data Governance in Pakistan: Policy Reforms and Opportunities for Digital Transformation,” drawing on findings from the “Harnessing data for democratic development in South and Southeast Asia” study by LIRNEasia. This dialogue brought together stakeholders from government, industry, and academia to assess the current landscape, identify institutional and regulatory bottlenecks, and suggest pathways toward a more coherent, secure, and citizen-centric data governance framework.
Data Governance in Pakistan: The Contours of Change
Pakistan’s digital landscape is evolving; however, despite the recent improvements, the system faces institutional fragmentation, legal contradictions, and operational inefficiencies. Government data is siloed across federal, provincial, and local levels due to the absence of standardized protocols, common platforms, and interoperable systems. Legal contradictions have also undermined transparency and accountability. Cybersecurity remains challenging, with poor oversight of sensitive data, fragmented regulatory authority, and weak enforcement, especially in the private sector. At the same time, public institutions rely on outdated data formats and inconsistent classification practices, further limiting digital service delivery and integration. Meanwhile, opacity around major decisions—such as the national firewall—continues to erode citizen trust and disrupt digital innovation. Further, the public awareness of digital rights remains low, and legal frameworks are often developed without inclusive consultation or local adaptation. The absence of open systems, PPP models, and standardized data protocols hampers innovation, interoperability, and the delivery of citizen-centric digital services. The figure below below further summarizes these challenges that need immediate attention.
Without proactive disclosure, high-quality public data, and robust protections around personal information, Pakistan’s data governance ecosystem cannot meet the needs of a modern digital society. These challenges must be systematically addressed to build a sustainable governance system that is transparent, secure, inclusive, and capable of supporting long-term digital transformation. Given this backdrop of discussion, this brief recommends the following key actions for a more efficient data governance system.
Policy Recommendations
• Establish a national data governance council: Pakistan should urgently establish a National Data Governance Council that brings together key stakeholders, regulators, civil society, the private sector, and technical experts to coordinate national-level data governance strategies. This council must oversee the development of enforceable standards on data privacy, informed consent, and security protocols across both public and private sectors.
• Data Standardization: A data standardization policy should be enacted to mandate structured formats, metadata protocols, and interoperability standards across ministries. This will ensure that public data is machine-readable, shareable, and actionable.
• Legal and Institutional Framework: Pakistan must develop a binding legal and institutional framework to streamline data sharing among public entities. This framework should clearly define permissible use cases, roles, access rights, and duration of data retention, ensuring consistency across provinces and sectors.
• Personal Data Protection Law: Pass a Personal Data Protection Law, with clear provisions on cross-border data flows, individual rights, lawful processing, and regulatory oversight. Simultaneously, a comprehensive Open Data Law should be enacted to institutionalize open government practices, define the legal limits of openness, and ensure consistency with emerging frameworks like the Digital Nation Act and draft AI policy.
• Open Data Policy: Adopt a dual approach to transparency that combines constitutional guarantees with a proactive open data policy. Updating Pakistan’s transparency regime to include machine-readable open data, alongside Right to Information protections, would unlock new avenues for public accountability, service delivery, and civic innovation.
• Open Standards and APIs: Mandate and enforce the use of open standards and open APIs across all layers of the government. Establishing a national catalogue of digital standards, covering government-to-government, government-to-business, and government-to-citizen interactions, will enhance software interoperability, reduce vendor lock-in, and foster a resilient digital ecosystem.
• Open-Source Software Adoption: Institutionalize open-source software adoption at the federal and provincial levels. Drawing from India’s dual-level policy and the EU’s institutional frameworks, Pakistan can reduce procurement costs, increase software adaptability, and enhance long-term technological self-reliance.
• Unified Cybersecurity Governance: Accelerate the implementation of a unified cybersecurity governance framework that addresses the full threat landscape, includes continuous audits, adversarial testing, and is supported by clear provisions in the Personal Data Protection Act for consent, data minimization, time-bound usage, and rights over personal data.
• Surveillance powers: Introduce judicially supervised interception mechanisms, clearly defining authorization thresholds, procedures, and oversight bodies. Surveillance should only be permitted under transparent legal grounds with strong accountability safeguards.
• Capacity Building Programs: Launch capacity-building programs for public- and private-sector staff handling personal data. These programs should include training on data protection laws, information security, and ethical handling of sensitive records.
• Inclusive Decision Making: Formalize public justification and stakeholder engagement in all data governance lawmaking. Adopting a green paper/white paper process will ensure transparency, articulate trade-offs, and encourage contextual policymaking tailored to Pakistan’s institutional maturity and socio-economic realities.
Conclusion
Pakistan has the opportunity to transition from a fragmented data governance system to one that is rights-based, transparent, and innovation-oriented. Addressing challenges ranging from regulatory overlaps and institutional silos to limited enforcement capacity and cybersecurity vulnerabilities will require steady progress on multiple fronts; enacting harmonized legislation, investing in secure infrastructure, enhancing institutional coordination, and promoting responsible and equitable data use are critical next steps. Learning from regional examples and committing to practical, evidence-informed reforms can help Pakistan develop a governance framework that serves its people and supports a more inclusive digital transformation. In short, Pakistan needs to harness data for building robust, transparent data systems to enhance digital integrity, inform policy decisions, and empower citizen participation in governance.
