Legal Framework of Data Governance in Nepal:

In Nepal, There is no general data protection authority. The legal framework regarding data governance can be described below:

The Individual Privacy Act, 2075 (2018)

The Individual Privacy Act 2075 (2018) of Nepal is a legal framework that regulates data governance by protecting the privacy of individuals and managing the use of personal information. The Individual Privacy Act 2075 (2018), often known as "the Privacy Act," was passed in order to uphold and protect the basic right to privacy which involves data privacy that is protected by Constitution of Nepal, 2072 (2015). The provisions related to data privacy are explicitly described in Chapter 6 (Section 12) of the Individual Privacy Act, 2075 (2018) “Privacy Relating to Data”. Section 12 (1) of the Act mentions that every person shall have the right to keep personal data or details related to the individual confidential. Moreover, Section 11 mentions the document data privacy, and Section 19 mentions the electronic data privacy. The punishment regarding the violation of data privacy is mentioned in Section 29 with punishment of imprisonment not exceeding three years of term and fine not exceeding thirty thousand rupees or both of the punishment. The victim of the data privacy breach would be given compensation under Section 31 of the Act for which a complaint is to be filed in the Concerned District Court.

Statistics Act, 2079 (2022)

On September 13, 2022, Statistics Act, 2079 (2022) or (तथ्याङ्क सम्बन्धी कानून २०७९) was enacted, which came into force on October 13, 2022, with the intention of bringing together the laws that makes the production, processing, storage, publication, and distribution of data more systematic and reliable. It does, however, primarily concentrate on data collected by public and governmental bodies. The outcome of the Act was to set out clear guidelines for how data must be collected, utilized, and shared within Nepal.  It sets out guidelines for how data must be collected, utilized, and shared within Nepal, aiming to strengthen data management practices and ensure the protection and security of personal information. The Act works in conjunction with other laws such as the Individual Privacy Act 2075 (2018) and the National Civil Code and National Criminal Code, which contain general provisions relating to privacy and data protection.

Constitution of Nepal, 2072 (2015)

The Constitution of Nepal lays the foundational framework for data governance in Nepal under Article 28 “Right to privacy” under the fundamental rights. It governs data protection and privacy matters. It mentions that every person has the right to keep their personal data private and the data privacy should not be violated, except in accordance with law.

Muluki Civil Code, 2074 (2017)

The general provisions regarding privacy and data protection are prescribed in Muluki Civil Code, 2074 (2017) under Section 20 and 21.

Muluki Criminal Code, 2074 (2017)

The general provisions regarding privacy and data protection are prescribed in Muluki Criminal Code, 2074 (2017). It follows that individuals can’t secretly record conversations, take pictures without permission, or steal data. A significant punishment or jail time could result from breaking these restrictions.

New IT Bill:

The new IT Bill which is yet to be passed also includes the provisions regarding the data protection, data privacy, data security, data verification, reliability of data, data storage and use of data under certain criterias. Data storage safety is given priority by this Bill under Section 10, 39, 93, and 102. The provisions regarding data center and cloud are also prescribed by the Bill. The punishment regarding the offence relating to data governance are also prescribed by the Bill.

Procedure of Data Governance in Nepal:

The procedures regarding data governance can be given below in brief:

Data Protection Procedure:

The legal framework of data governance is provided by Individual Privacy Act 2075 (2018) and Statistics Act 2079 (2022). The data should be ensured that it is processed in a timely and systematic manner using automated and modern methodologies as stipulated by the Statistics Act. Before collecting and processing an individual’s personal data, consent ought to be obtained of the individual. DPO (Data Protection Officer) is appointed in order to oversee the compliance with data protection laws. If there occurs any data breach, relevant authorities and individuals are notified under certain protocols.

Data Storage Process:

The data is stored using secure storage solutions in order to protect data from unauthorized access and breaches. Statistics Act;s guidelines on data retention periods are followed so as to ensure that data is not kept longer than the necessary time. The access of the data should be limited to authorized personnel only and the logs are to be maintained for the access of data.

Case Laws:

The case laws regarding data governance in Nepal from the Supreme Court of Nepal can be given below:

Baburam Aryal v. Government of Nepal [NKP 2074, 25] (D.N. 9740)

The writ petition was filed by Adv. Baburam Aryal under Article 32 “Right to Privacy” of Interim Constitution 2063. In the petition, he claimed that the Data Bank wasn’t protected where confidential information of individuals and organizations existed. Call detail reports and SMS were easily accessed by police officers and many other individuals and organizations without properly authorizing the access. The Supreme Court established that neither the state nor outside parties may infringe upon the fundamental right to privacy, which is protected by the Constitution. The Supreme Court also decided that, unless otherwise allowed by law, information about an individual's body, residence, property, documentation, data, communications, and character is inviolable when it comes to their right to privacy. Information that is gathered and for which a department or organization has assumed responsibility for data security cannot be used arbitrarily. Rather, such an entity or division needs to take all necessary precautions to safeguard such a "data bank" of information. 

Sapana Pradhan Malla v. Office of the Prime Minister and Council of Ministers et. al. [N.K.P. 2064, 1208]:

The Supreme Court ruled that the Constitution's guarantee of privacy must be upheld. Information on an individual may only be shared with third parties with the prior consent of the person in question, which is an exception to the general rule.

Bhagya Narayan Baitha v. Nepal Government:

In the case that the finding obtained from the polygraph test method is supported by the evidence collected during the investigation, the conclusion and opinion obtained from the polygraph test method can be considered as evidence. If the poll of the co-accused is evaluated from different angles, it is found to be reliable and reveals the truth, it should be accepted as evidence.

Devi Gurung on behalf of Rajiv Gurung v. Nita Gurung:

Intimate Sample must be taken as evidence in case it is undisputed that it was taken from the cause. DNA is important in patterning disputes, crime investigations, etc. However, to take the DNA report as evidence, only the expert and the relevant expert should enter the laboratory room to extract the sample.

Conclusion:

It can be concluded that data governance covers many aspects such as data protection, data storage, data privacy, use of data, and data reliability. The provisions regarding data governance are majorly established by Individual Data Protection Act 2075 (2018) and Statistics Act 2079 (2022). Data governance will become even more crucial as Nepal's economy and government services continue to be digitized. The nation's dedication to these values is a reflection of its understanding of the vital role that data plays in today's world and the necessity of handling it carefully and diligently in order to promote growth, trust, and innovation in the digital era. Ensuring that Nepal can optimize the advantages of the data-driven future while mitigating the associated risks will hinge on the continuous enhancement and improvement of data governance policies and procedures.