Privacy International defends the right to privacy across the world, and fights surveillance and other intrusions into private life by governments and corporations. Read more »


Chapter: 

II. Privacy issues

Data protection framework

The government has not introduced any specific legislation that protects individual privacy or collection of personal information. The only legislation that refers to this area is the Telecommunication Act No. 27 of 1996,1 which regulates the interception of communications. According to Sections 53 and 54 (1) of this Act, the interception of telecommunication transmissions and the disclosure of their contents is an offense subject to penalties, including imprisonment.

The rapid developments in information and communications technologies in Sri Lanka have significantly affected the current legal system. Many privacy experts in Sri Lanka state that there is a need for new laws that adequately regulate new technologies. Recently, the Law Commission of Sri Lanka has identified "freedom of information and data protection" as one of the priority issues to be dealt with in their declared "program of work" for the year 2005-2006.2

The absence of a data protection law and a data protection authority in Sri Lanka is a real threat to the recently introduced e-Sri Lanka program.3 The e-Sri Lanka program aims to computerize all government departments in the country and facilitate electronic documentary service, as opposed to the traditional government service that still processes everything manually.

The government is currently in the preliminary stages of introducing a new data protection law. Recently, the Sri Lankan government has launched a comprehensive "Re-engineering Government" project with an ambitious goal to "provide citizen services in the most efficient manner by improving the way government works, by re-engineering and technologically empowering government business processes" with targeted government sectors like "eMotoring, ePension, eCitizen ID, eForeign Employment, Ministry of Public Administration and Home Affairs."4

The Re-engineering project identifies the necessity of security programs "to ensure the privacy of individuals and information, and the confidentiality, availability and integrity of information and the integrity of transactions."5 The two documents, Privacy Related Issues for Outside Entities and Privacy and Citizen Information Protection, outline the details of the personal information protection. The first document, Privacy Related Issues for Outside Entities, recognizes that information is both a valuable asset and an organizational risk management issue. "It is necessary to ensure that government organization information, which is generally accessible (in hard or soft copy), is protected from inappropriate access, disclosure or modification," according to the policy statement. Section 3.2.3.1.1 of the Policy, "Privacy of Information," requires that all employees with access to personal or confidential information respect the confidentiality and security of that information.6 The second document, Privacy and Citizen Information Protection, recognizes that government organizations must protect, safe-keep and use citizen information in a responsible way. The document declares that "This policy is intended to communicate the extent of the government organization's commitment to Privacy and Citizens Information Protection."7

In its Proposed National Communications Policy of 2002, Sri Lanka’s Ministry of Mass Communication mandated the Communications Regulatory Commission (CRC) to take serious note of the issue of consumers’ privacy protection. The proposed policy provides that the CRC "shall establish formal complaint review procedures, and shall require all licensed and authorized telecommunications operators and service providers to establish their own procedures for responding to customer complaints concerning inappropriate behavior and violations of privacy." It further stressed the responsibility of the CRC to "ensure that it takes all steps to prevent intrusion to individual privacy in communication..."8

Despite the clear mandate enunciated in the National Communications Policy to ensure the protection of consumer privacy rights by telecommunication service providers, the Telecommunication Regulatory Commission of Sri Lanka (TRCSL) failed to mention privacy rights in their declared "consumer protection" rights; moreover, the declaration uses vague language and leaves consumers to determine what rights they have concerning telecommunications service providers.9

In 2003, the Parliament passed the Information and Communication Technology Act No. 2710 to provide for the establishment of a national policy on information and communication technology and for the preparation of an action plan. Under this act, the Information and Communication Technology Agency (ICTA) is in charge of the implementation of the national policy in both the public and the private sectors. The agency functions as the single highest body involved in information and communications technology policy to the nation. It also assumes the role of implementing the e-Sri Lanka initiative.

In October 2004, pursuant to a decision of the Cabinet of Ministers, the ICTA has been specifically mandated and authorized to implement the e-Sri Lanka Project and to recommend to the Cabinet the appropriate regulatory and policy framework required for the development of Information and Communication Technologies (ICTs) in Sri Lanka. The Cabinet's decision is consistent with the ICT Act of 2003, which requires the ICTA to provide consultation and formulate policies for ICTs before the government adopts them.11 In November 2004, the ICTA set up a working committee to write the first draft of the ICT policy for the government.12 The document was circulated amongst members of the ICTA working and focus groups, and to academic members, to obtain their views. ICTA has now made the document public and available for comments.13 The emphasis is now on adopting legislation to facilitate electronic transactions and to prepare a Code of Practice for Data Protection, in consultation with the private sector. A committee has been set up for this task with the association of the Ceylon Chamber of Commerce. Likewise, an e-Security Working Group has been established, with the participation of state agencies and other stakeholders, to review legal and technical aspects of e-commerce.14

The Draft ICT Policy would require each government agency to appoint a Chief Innovation Officer (CIO). This CIO would be responsible for the promotion and development of ICTs within the agency, and would be the interface between a government agency and other organizations. The implementation of the ICT policy is likely to promote Sri Lanka's objective of being an information society for all. The policy will not be a static document, as the ICTA will frequently update it as required, taking into account changing trends in the environment, the technology and business processes.15

The Draft Policy requires data protection issues to be addressed in accordance with the government's Information Security Policy. Citizens' e-mail addresses gathered from government web sites16 will not be divulged, made available or sold to third parties. Also, personally identifiable information obtained through government web sites shall not be kept for longer than is necessary and only for the purpose for which it was obtained.17

The Telecommunication Regulatory Commission, part of the Ministry of Mass Communications, has set up basic guidelines that should be complied with by individuals who want to set up call centers in Sri Lanka.18 According to a recent workplace privacy survey, the majority of employees and executive managers are seriously worried about the privacy of their communications in the workplace.19

The Prevention of Computer Crime Bill of 200320 was approved by the Cabinet of Ministers and presented to the Sri Lanka Parliament, where is it still waiting approval.21.This act aims at combating computer crime in Sri Lanka.22 This act shall apply where: (a) a person commits an offence under this act while being present in Sri Lanka; (b) the computer program, data or information affected or which was to be affected, by the act which constituted an offence under this act, was at the material time within Sri Lanka; (c) the facility or service, including any computer storage or processing or communication facility, used in the commission of an offence under this act was based in Sri Lanka; or (d) loss or damage is caused by the commission of an offence under this act in Sri Lanka to a person resident in Sri Lanka.23 The act also addresses computer misuse;24 unlawful obtention of data;25 child pornography;26 cyber-stalking;27 strict liability for offences against national security;28 national economy and public safety;29 and unauthorized disclosure of confidential information and illegal interception of data.30 Part 11 of the act creates a panel of experts from police departments and other persons who possess expertise in the field of information technology for the purposes of investigations under the act.

In March 2006, the Sri Lankan government enacted the Electronic Transactions Act No. 19 of 2006 (Act).31 The Act is described as an "important development in the legal jurisprudence in Sri Lanka" and it is in conformity with international standards & practices and the requirements of IT industry. It also facilitates electronic filing of documents with Government so as to promote efficient delivery of services. The Act provides the legal recognition of electronic transactions and other transactions carried out by means of electronic communications commonly referred to as "electronic commerce."32 The legislation promotes public confidence in the authenticity, integrity and reliability of electronic communications The act is based on the UNCITRAL Model Law on E-Commerce 199633 and the 2001 UNCITRAL Model Law on Electronic signatures.

As regards the protection of intellectual property rights, the Intellectual Property (IP) Act No. 36 of 2003 replaced the Code of Intellectual Property Act No. 52 of 1979. The new IP Act34 contains several new provisions that pertain to the protection of software, trade secrets and integrated circuits.

Footnotes