Data Protection Commissioner defends Digital ID rollout

May 15, 2026 News

---

…as concerns grow over citizens’ privacy

(Kaieteur News) – Data Protection Commissioner Aneal Giddings on Thursday defended the government’s rollout of digital identification cards, even as citizens’ concerns continue to grow over privacy.

In a letter published in today’s edition of the Kaieteur News, Giddings said that he has read with interest a letter carried by this newspaper on Tuesday titled ‘Protecting citizens from identity theft and unauthorised use of personal data in a digital Guyana’. The letter was authored by Rawle Small.

Giddings acknowledged Small’s concerns as “timely, well-articulated, and frankly representative of questions this office has been hearing from many quarters.” He made it clear that Guyana has a Data Protection Act that governs data protection. He explained that his mandate as the Data Protection Commissioner flows from this Act, while noting that there is active engagement to formally establish the Data Protection Office – tasked with enforcing the law and educating the public.

“Mr. Small raises several specific concerns that I want to speak to directly. He is right that when citizens register for digital services, a great deal of sensitive information medical records, financial data, family details, identification numbers can be collected, stored, and potentially shared. The Data Protection Act addresses precisely this,” Giddings said.

He spoke of principles that govern the lawful basis for collecting data, while placing the obligation on the controllers of data to ensure that information is securely stored. Additionally, he stated that there is also the limitation on the purposes for which the data can be used and it grants citizens the right over their own information. This includes the right to know what is being held about them, with the option to request corrections or deletions.

The Commissioner noted that Small’s concern about third party access is equally well founded, as whether it is a private contractor that is supporting a government health system or a vendor of technology managing the records of police, there is no permission given by the Act to organisations to side step their obligations simply because they are not entities attached to the government. Processors of data who are operating on behalf of public bodies, have legal responsibilities of their own.

Giddings agreed that in relation to encryption and cybersecurity, there should be technical safeguards accompanying the legal ones. He insists that no piece of legislation, however well-drafted, substitutes for properly secured systems.

“This is why the work of establishing the Data Protection Office includes developing guidance and standards that agencies must meet before deploying systems that handle personal information. We are not simply building a complaints desk — we are building a framework of accountability that begins before systems go live, not after breaches occur. I also want to address directly the concern that has been raised in various quarters about the Digital Identity Card Act of 2023 being in force while the Data Protection Act has not yet been fully operationalised,” the Commissioner said.

Giddings said that the observation is fair and one that he takes seriously. Notwithstanding, the Data Protection Commissioner wants the citizens to understand what the Digital Identity Card Act says.

He reminded that Act No.18 and Act No.19 of 2023 are the two pieces of legislation that were passed together and assented to by President Ali. This is not accidental as both Acts were designed to function as companion laws. The Digital Identity Card mandates several preconditions before the system itself can be launched and amongst them is the appointment of a Data Protection Commissioner.

“The Digital Identity Card Act did not sidestep data protection it required it. A Data Protection Commissioner had to be appointed before the Act could come into force. That was not optional, and that condition has been met.

Furthermore, the Act stipulates that the Digital Identity Card Registry shall be administered by the Data Protection Commissioner, who is exclusively authorised to issue the cards. As Commissioner, I am not a bystander to the Registry, I am its administrator. The protection of the data collected through that system is a responsibility that sits directly with this office, not in some other ministry or department,” Commissioner Giddings stated.

In relation to the type of data being collected at this stage, both the Attorney General and the Prime Minister have confirmed that only basic personal information, which is also available at the Guyana Elections Commission (GECOM), Guyana Revenue Authority (GRA), and the National Insurance Scheme (NIS), is being collected and held by the state agencies.

The Commissioner reminded that the government has been unambiguous on the point that more sensitive personal information will only be collected once the country’s data protection framework is fully in place. Furthermore, he said it was clarified publicly that there will be no storage on or within the card itself of citizen’s tax records, health data or financial information. Currently, the only thing the card carries at this stage is the necessary information to establish identity.  “It is important to note that on the technical side, the system is not built on good intentions alone,” he said noting that the cards meet the international ICAO biometric security standards, which are the very standards governing identity documents and passports globally. The cards are laser-engraved in polycarbonate material, which is a resistance to forgery or alteration, and PKI-enabled for secure digital signatures and authentication.

Further, Giddings said that there is structured coordination between the Registry and the public bodies responsible for issuing official documents. This includes the General Register Office, the Commissioner of Registration, and the Immigration Support Service for the purpose of authenticating documents and validating data in the central databases.

“Are these safeguards identical to the full framework of the Data Protection Act? No and I will not pretend otherwise. The DPA, once fully operational, will add a comprehensive layer of rights, enforcement powers, and oversight mechanisms that go significantly beyond what the DICA provides on its own.

That work is underway and it is my office’s primary mandate to see it through. The government has stated that it is working to establish the necessary mechanisms to bring the Data Protection Act into full effect. I can tell you that this is not a distant aspiration, it is an active operational effort,” he said.

Giddings is urging citizens who have hesitated to apply for the digital ID card due to data protection concerns to do so, as they will be interacting with a system built to international security standards, that is limited in its data collection; specifically, to what it already holds about you, when they go to the regional enrolment office.

He said that beyond the mechanics of the card itself, Small raised a broader concern that deserved a direct answer; the risk of data collected being used for political profiling, commercial targeting or surveillance. The Commissioner reasoned that these are not paranoid concerns, as the international record is clear and there has been instances where, “governments and corporations have misused data at enormous scale, and smaller nations are not immune.”

However, it must be also taken into consideration that protections against these abuses, are built into the Act and they include purpose limitation, data minimisation, restrictions on automated decision-making, and independent oversight.

“Where I must respectfully take issue is on the suggestion that legal protections are not yet part of this process. They are. What I acknowledge, honestly, is that public awareness of these protections remains limited and that is a gap we take seriously,” he added.

---

• Data Protection, Digital ID, digital identification cards, privacy

---