How can Nepalese companies protect user data? How should they handle data breaches?

Data protection is a major concern for firms that are responsible for handling their users’ data. However, a firm should be aware that Nepal still does not have unified data protection legislation.

This does not mean that Nepal has no policy or regulation against data breaches, though. Several laws exist to protect user data held by Nepalese companies.

What is data protection?

Data protection refers to the set of strategies and processes through which you can protect the availability and privacy of personal information or data. If your company collects, stores or uses data, it is vital for you to know about data protection and make use of it.

The most crucial steps in data protection are Authentication, Authorization, and Access Auditing and Analysis.

How can Nepalese companies protect user data?

Many Nepalese companies store, work with, and use their users’ data. Whatever the case, it is important that they are aware of their users’ right to privacy and try to protect them from any kind of invasion.

If you are one of those companies, you should know about the legislation in Nepal for data protection. The Individual Privacy Act 2075 declares that a right to one’s personal information is an individual’s fundamental right. In the same way, Individual Privacy Regulation 2077 serves as data protection legislation.

National Civil Code 2074 and National Penal (Code) Act contain provisions for the protection of data and privacy as well.

Despite the absence of proper unified data protection legislation, these are the laws that will do all the work for data protection in Nepal.

What is the scope of the act?

These acts, especially the National Civil Code 2074, exist to protect the data that users entrust to companies. This covers data relating to one’s family, body, character, property, residence, correspondence, and other personal and extremely private data and information.

Are the acts for data protection applicable to non-resident Nepalese?

It is not yet clear whether a non-resident Nepali individual can benefit from this act. You either have to be living in Nepal or have been recognized as a Nepali to get your hands on data protection rights in Nepal.

What types of data are liable for protection in Nepal?

There are a few things to keep in mind in order to use the data. You should know that the protection of this legislation is available only under certain circumstances.

Here are some kinds of data and information about an individual that a company is liable to protect:

  • Detailed information about one’s demographic identity (including ethnicity, birth, origin, caste, color, creed, marital status, etc.).
  • Access information (phone number, email address, etc.)
  • A letter containing personal information (sent only to the company)
  • Biometric information (thumbprint, blood group, finger impressions, etc.)
  • Criminal records from the past
  • Identity cards (Passport, citizenship card, PAN card, etc.)
  • Information on Academic Qualification

Things to remember before collecting data from users

A company cannot haphazardly collect data and information from a user. If you are the company collecting data and information about an individual, you should give them detailed information about the following:

  • The motive for collecting the information
  • Time of data collection
  • Content of data and information you will be requiring
  • Clear methods for data collection
  • Matters related to the protection of the collected data.

Your primary purpose as a company during the process is to make sure that the individual whose data you are collecting consents to and is aware of the purpose of the data collection.

How can a company collect data?

The process of data collection really isn’t all that complicated once you are familiar with its methods and rules. You have to make sure that you avoid disclosing the user’s personal information and data to any external or unauthorized source.

Likewise, a company only has the right to collect data without the user’s consent if it follows the conditions set out by the country’s data protection acts. If the data is collected in order to maintain peace and order in the country, collected during the investigation of a criminal offense, or sought by an authorized body under the legislation, there may not be a need for consent from the data owner.

Furthermore, if you are to collect data from a minor or a person of unsound mind, you have to make sure that you take consent or permission from a close family member or a guardian.

What can a company do in case of necessity for transmission of data?

If your company needs to transmit an individual’s data to a third party, you need the consent of the person who owns the data and information. This data is most likely to include one’s health examination reports, information on political affiliation, biometric details, source of income, signature, family details, etc.

How should Nepali Companies handle data breaches?

As a company, you should ensure that your employees are prepared for such a situation. Likewise, you must make sure that you keep the information about the data breach (as in who did it and how they did it), and do not delete the data breach history. Deleting it might get you in a lot of trouble.

You can also investigate breaches and change credentials. Immediately cutting off the internet connection and access to any data can help in handling data breaches to some extent. Lastly, make sure that you have enough data protection in the system.

The offense of data breaching is punishable in Nepal as per the aforementioned Acts. The culprit will be liable to pay an amount of up to Rs. 30,000 or get sentenced to imprisonment for 3 years. In some cases, both can be applicable. Moreover, in either case, the culprit will have to pay an additional amount of compensation if the court approves the victim’s demand.


For a company that wants a good reputation, taking care of its clients’ data and personal information should be a primary concern. There should be a well-formed privacy policy as well as an initiative for data and information protection.
