Latest update June 22nd, 2026 7:44 AM
Latest News
- Starmer quits as Labour leader and paves way for contest for new prime minister
- Ghanaian firm still to pay US$17M signing bonus for oil block – Minister Vickram Bharrat
- Canadian firm’s uranium project in Guyana named top pick at Bermuda investor event
- Mohamed questions Kwakwani $1.4 billion housing initiative amid fresh flooding
- Trump threatens Iran with fresh strikes as JD Vance leads peace talks in Switzerland
Data Protection Commissioner defends Digital ID rollout
…as concerns grow over citizens’ privacy
(Kaieteur News) – Data Protection Commissioner Aneal Giddings on Thursday defended the government’s rollout of digital identification cards, even as citizens’ concerns continue to grow over privacy.
In a letter published in today’s edition of the Kaieteur News, Giddings said that he has read with interest a letter carried by this newspaper on Tuesday titled ‘Protecting citizens from identity theft and unauthorised use of personal data in a digital Guyana’. The letter was authored by Rawle Small.
Data Protection Commissioner, Aneal Giddings
Giddings acknowledged Small’s concerns as “timely, well-articulated, and frankly representative of questions this office has been hearing from many quarters.” He made it clear that Guyana has a Data Protection Act that governs data protection. He explained that his mandate as the Data Protection Commissioner flows from this Act, while noting that there is active engagement to formally establish the Data Protection Office – tasked with enforcing the law and educating the public.
“Mr. Small raises several specific concerns that I want to speak to directly. He is right that when citizens register for digital services, a great deal of sensitive information medical records, financial data, family details, identification numbers can be collected, stored, and potentially shared. The Data Protection Act addresses precisely this,” Giddings said.
He spoke of principles that govern the lawful basis for collecting data, while placing the obligation on the controllers of data to ensure that information is securely stored. Additionally, he stated that there is also the limitation on the purposes for which the data can be used and it grants citizens the right over their own information. This includes the right to know what is being held about them, with the option to request corrections or deletions.
The Commissioner noted that Small’s concern about third party access is equally well founded, as whether it is a private contractor that is supporting a government health system or a vendor of technology managing the records of police, there is no permission given by the Act to organisations to side step their obligations simply because they are not entities attached to the government. Processors of data who are operating on behalf of public bodies, have legal responsibilities of their own.
Giddings agreed that in relation to encryption and cybersecurity, there should be technical safeguards accompanying the legal ones. He insists that no piece of legislation, however well-drafted, substitutes for properly secured systems.
“This is why the work of establishing the Data Protection Office includes developing guidance and standards that agencies must meet before deploying systems that handle personal information. We are not simply building a complaints desk — we are building a framework of accountability that begins before systems go live, not after breaches occur. I also want to address directly the concern that has been raised in various quarters about the Digital Identity Card Act of 2023 being in force while the Data Protection Act has not yet been fully operationalised,” the Commissioner said.
Giddings said that the observation is fair and one that he takes seriously. Notwithstanding, the Data Protection Commissioner wants the citizens to understand what the Digital Identity Card Act says.
He reminded that Act No.18 and Act No.19 of 2023 are the two pieces of legislation that were passed together and assented to by President Ali. This is not accidental as both Acts were designed to function as companion laws. The Digital Identity Card mandates several preconditions before the system itself can be launched and amongst them is the appointment of a Data Protection Commissioner.
“The Digital Identity Card Act did not sidestep data protection it required it. A Data Protection Commissioner had to be appointed before the Act could come into force. That was not optional, and that condition has been met.
Furthermore, the Act stipulates that the Digital Identity Card Registry shall be administered by the Data Protection Commissioner, who is exclusively authorised to issue the cards. As Commissioner, I am not a bystander to the Registry, I am its administrator. The protection of the data collected through that system is a responsibility that sits directly with this office, not in some other ministry or department,” Commissioner Giddings stated.
In relation to the type of data being collected at this stage, both the Attorney General and the Prime Minister have confirmed that only basic personal information, which is also available at the Guyana Elections Commission (GECOM), Guyana Revenue Authority (GRA), and the National Insurance Scheme (NIS), is being collected and held by the state agencies.
The Commissioner reminded that the government has been unambiguous on the point that more sensitive personal information will only be collected once the country’s data protection framework is fully in place. Furthermore, he said it was clarified publicly that there will be no storage on or within the card itself of citizen’s tax records, health data or financial information. Currently, the only thing the card carries at this stage is the necessary information to establish identity. “It is important to note that on the technical side, the system is not built on good intentions alone,” he said noting that the cards meet the international ICAO biometric security standards, which are the very standards governing identity documents and passports globally. The cards are laser-engraved in polycarbonate material, which is a resistance to forgery or alteration, and PKI-enabled for secure digital signatures and authentication.
Further, Giddings said that there is structured coordination between the Registry and the public bodies responsible for issuing official documents. This includes the General Register Office, the Commissioner of Registration, and the Immigration Support Service for the purpose of authenticating documents and validating data in the central databases.
“Are these safeguards identical to the full framework of the Data Protection Act? No and I will not pretend otherwise. The DPA, once fully operational, will add a comprehensive layer of rights, enforcement powers, and oversight mechanisms that go significantly beyond what the DICA provides on its own.
That work is underway and it is my office’s primary mandate to see it through. The government has stated that it is working to establish the necessary mechanisms to bring the Data Protection Act into full effect. I can tell you that this is not a distant aspiration, it is an active operational effort,” he said.
Giddings is urging citizens who have hesitated to apply for the digital ID card due to data protection concerns to do so, as they will be interacting with a system built to international security standards, that is limited in its data collection; specifically, to what it already holds about you, when they go to the regional enrolment office.
He said that beyond the mechanics of the card itself, Small raised a broader concern that deserved a direct answer; the risk of data collected being used for political profiling, commercial targeting or surveillance. The Commissioner reasoned that these are not paranoid concerns, as the international record is clear and there has been instances where, “governments and corporations have misused data at enormous scale, and smaller nations are not immune.”
However, it must be also taken into consideration that protections against these abuses, are built into the Act and they include purpose limitation, data minimisation, restrictions on automated decision-making, and independent oversight.
“Where I must respectfully take issue is on the suggestion that legal protections are not yet part of this process. They are. What I acknowledge, honestly, is that public awareness of these protections remains limited and that is a gap we take seriously,” he added.
Share this:
Discover more from Kaieteur News
Subscribe to get the latest posts sent to your email.
Similar Articles
One thought on “Data Protection Commissioner defends Digital ID rollout”
THE BLUNT OF THE DAY
Sports
Features/Columnists
Sir. Ronald Sanders
The GHK Lall Column
Weekend Cartoon
“be honest and do no sugar coat your answer….why does governments collect personal sensitive data for citizens and do they share these information with foreign countries as much as they say they wouldn’t”
Governments collect personal and sensitive data mainly because modern states run on identification, taxation, security, public services, and regulation. Some of the reasons are legitimate and necessary; some are about control, efficiency, intelligence gathering, or political power. The reality is mixed.
Here’s the straightforward version:
Why governments collect sensitive data
Common reasons include:
Identity verification — passports, national IDs, birth records, immigration.
Taxes and financial oversight — income, bank reporting, business ownership.
Law enforcement and national security — criminal databases, border control, counterterrorism.
Healthcare and social services — medical systems, pensions, welfare.
Elections and civic administration — voter registration, census data.
Economic planning — employment statistics, demographics, education levels.
Some of this is unavoidable in a functioning country. A government cannot issue passports, prevent fraud, or administer taxes without collecting data.
But governments also tend to collect more data than strictly necessary because:
data improves surveillance capability,
agencies want future access “just in case,”
technology makes mass collection easier,
political systems reward risk avoidance (“collect everything now”).
That’s where privacy concerns become real.
Do governments share data with foreign countries?
Yes — more than many people realize.
The important distinction is:
they usually do not openly hand over everything to everyone, but
they do share specific categories of information routinely under agreements, treaties, intelligence cooperation, banking rules, immigration systems, and law enforcement requests.
Examples include:
passport and immigration information,
tax information,
banking compliance data,
criminal investigations,
airline passenger data,
sanctions and anti-money-laundering reporting,
intelligence sharing between allied countries.
Countries in alliances often cooperate heavily. For example, intelligence-sharing networks like the Five Eyes are publicly known.
Financial information sharing has also expanded globally through systems like:
FATCA (U.S. tax compliance law),
CRS/Common Reporting Standard (international bank reporting).
So when governments say:
“We do not share your data casually,”
that can be technically true while still leaving room for:
treaty-based sharing,
intelligence cooperation,
court orders,
multinational investigations,
private contractors handling government systems.
Are there limits and protections?
Usually yes — at least on paper.
Many countries have:
privacy laws,
constitutional protections,
warrants/court oversight,
data protection agencies,
restrictions on unauthorized disclosure.
But enforcement quality varies enormously.
In practice:
democratic governments usually have more oversight,
authoritarian governments usually have broader unchecked access,
even democratic governments sometimes expand surveillance during crises.
History shows that governments often push surveillance boundaries when:
terrorism,
war,
pandemics,
cyber threats,
civil unrest,
are involved.
The uncomfortable truth
A lot of people assume governments either:
protect all privacy faithfully, or
secretly monitor absolutely everything.
Reality is somewhere in between.
Most governments:
genuinely need some data to function,
genuinely do share some information internationally,
genuinely try to protect certain categories,
but also sometimes overreach, expand surveillance, or keep systems less transparent than the public expects.
And large databases create risk even without malicious intent:
hacking,
insider leaks,
political misuse,
accidental exposure,
mission creep (“we collected it for one reason, now we use it for another”).
That skepticism people have about mass data collection is not irrational. History provides plenty of examples where surveillance powers expanded beyond their original purpose.