Kathmandu
Sunday, July 19, 2026

Nepalis’ data are insecure; personal information is at high risk

March 3, 2026
12 MIN READ

There is no data protection law, nor is there any reliable preparedness

A
A+
A-

KATHMANDU: Former Deputy Inspector General of Nepal Police, Rajib Subba, was stopped by police while walking along the Dhobikhola Corridor in Kathmandu and asked to provide his name, address, and phone number. However, he refused to share his personal data. He says, “I know that such data are noted down in registers and the papers are discarded carelessly. If the wrong person finds them, they can be misused.”

Traffic police also collect personal data by stopping people on the road. Police stationed at Tribhuvan International Airport publicly posted on social media the details of a recovered lost passport. As soon as he found out, Subba himself called and had it removed. Having worked in the information technology (IT) sector for three decades, Subba has had dozens of such experiences. He says, “I have repeatedly advised against collecting and publicly sharing personal data indiscriminately, but I still see police stopping people on the road and asking for their names and numbers.”

If even the police are not sensitive about data protection, what must be the condition of ordinary citizens? It is easy to imagine. Opening accounts on social media platforms like Facebook and TikTok or using other apps requires filling in various personal details. When opening a bank account or obtaining documents such as citizenship certificates, national identity cards, driver’s licenses, or passports, details including photographs, names of parents and grandparents, addresses, and phone numbers are recorded.

However, the data provided in this way and collected by the government are vulnerable to theft at any time. If misused, such data could affect individuals’ property, lives, and even national security. Various incidents have already shown that our sensitive data—whether on social media or held by state institutions—are not secure.

On March 8, 2020, the website of food delivery company Foodmandu exposed the names, addresses, emails, and phone numbers of 50,000 customers. A hacker group had stolen the personal data the previous day and made them public the next day.

A press release issued by the police after arresting the person who hacked the government office website, and a statement issued by Foodmandu after the data was stolen.

Exactly one month later, on April 7, 2020, a hacker group infiltrated the system of internet service provider Vianet and publicly released details including the names, addresses, emails, and phone numbers of 170,500 customers.

These two incidents six years ago demonstrated how easily data can be stolen in Nepal—that is, how insecure our data are. Not only that, they served as a warning about the need for data security. However, the government did not take these signals seriously.

Since then, similar incidents of data theft have continued. Even as private data of individuals and institutional data of businesses were stolen and scattered, the authorities failed to control the situation. Encouraged, hackers began challenging government bodies themselves. Nepal Police also became a target.

On April 23, 2025, a hacker group named “Kaju” claimed to have hacked the Nepal Police website and put the data up for sale. Photos, citizenship certificates, passports, and other details of Nepali citizens were listed for sale at USD7,000. The group claimed to possess data of more than 2 million citizens obtained from the Nepal Police website.

After that, hackers began attacking the data of provincial governments and various other government agencies. Still, the government did not treat the matter seriously or implement policy reforms.

The Cyber Bureau of Nepal Police registers complaints of cybercrimes including data theft, website hacking, and email misuse.

On October 12, 2025, the website of the Nepal Medical Council was hacked. When the government failed to bring those involved within the legal framework, attacks began targeting sensitive data centers. On November 16, 2025, the Election Commission’s website was hacked, and in December, hackers accessed data of the Department of National ID and Civil Registration.

After the sensitive data of the Council, Commission, and Department became insecure, police investigated and arrested 20-year-old Santosh Chimoriya of Mechinagar Municipality-9, Jhapa, and 19-year-old Bikash Poudel of Damak Municipality-9. Police investigations revealed that they had hacked many websites, including those of the Nepal Electricity Authority, Civil Aviation Authority of Nepal, and the Department of Roads.

Taking advantage of the government’s neglect of data protection, incidents of data attacks are increasing one after another. However, clear statistics on such incidents are hard to find. The Cyber Bureau of Nepal Police registers complaints of cybercrimes including data theft, website hacking, and email misuse. According to bureau data, two complaints related to data theft were registered in fiscal year 2022/23, three in 2023/24, and six in 2024/25.

Similarly, one complaint each related to website hacking was registered in fiscal years 2022/23 and 2023/24, two in 2024/25, and three in the first six months of the current fiscal year 2025/26. Complaints regarding unauthorized access to data numbered six in 2022/23, seven in 2023/24, and four in 2024/25. Deepak Raj Awasthi, spokesperson for the Cyber Bureau and Superintendent of Police (SP), says, “Incidents of personal, institutional, and government data being hacked or stolen, and email accounts being misused, are increasing. It has become essential to secure our important data.”

Meanwhile, Nepalis’ health-related data are also reaching India. Various clinics, hospitals, and laboratories in Nepal send collected blood samples to Indian laboratories for certain tests. As a result, Nepalis’ genetic material is reaching laboratories in India. As early as January 24, 2016, the Nepal Health Research Council decided that no health-related samples, including genetic samples, should be taken abroad for testing. However, agents are still collecting blood samples and sending them to India.

Although discussions take place about Nepali data reaching various countries under different pretexts, little has been done to protect them.

Even though those involved in data theft are occasionally arrested, there is no clear law to bring them fully under legal accountability. The government has yet to enact a separate data protection law. Those arrested are prosecuted under the Electronic Transactions Act, 2006 (2063 BS), which addresses data protection to some extent but does not comprehensively cover the issue.

Without a dedicated data protection law, not only citizens’ personal data but also business, governmental, and national security-related data remain insecure. Although there is increasing talk of making Nepal an IT hub, the absence of data protection legislation discourages foreign investment in the IT sector. Nepalis’ personal details remain at risk, yet the government has not taken credible steps toward data protection.

Although discussions take place about Nepali data reaching various countries under different pretexts, little has been done to protect them.

Major political parties participating in the upcoming House of Representatives elections have proposed plans such as “Digital Nepal” and making Nepal an “IT hub” in their manifestos. The government has also been promoting a campaign to make government offices paperless through the use of information technology, shifting from paper-based processes to software systems. However, in a paperless system, data security becomes even more sensitive, making it essential to enact data protection legislation first. According to IT expert Rajib Subba, the government has not been serious in this regard. He says, “Data theft is not like being struck by a knife and bleeding. Data are collected gradually to study your behavior and conduct social engineering. Without us even realizing it, our data are being collected.”

When Nepalis’ data reach other countries through various channels, it can also affect Nepal’s sovereignty. After the enactment of the US CLOUD Act, 2018, the challenge has increased for countries like Nepal that lack a separate data protection law. Under that Act, the US government can access the data of citizens of any country if the data are stored on American platforms. In such a situation, even if Nepal’s data are with the United States, Nepal itself may not be able to access them.

IT expert Subba says that a separate data protection law is necessary to ensure that data produced in Nepal are stored within Nepal’s borders and remain under Nepal’s sovereignty. He says, “We are moving toward digitization everywhere in the country. We are leaving footprints everywhere. In such a situation, a separate data protection law is absolutely essential.”

Relying on other laws

In the absence of a separate data protection law in Nepal, other existing laws are being relied upon. The Right to Information Act, 2007, the National Statistics Act, 2022, and others contain some provisions related to data protection. Similarly, the Privacy Act, 2018 provides for the protection and secure use of information. This Act defines personal information as details related to caste/ethnicity, religion, education, telephone number, passport, citizenship number, voter ID details, biometric information, and criminal records.

It also defines sensitive information as data relating to caste/ethnicity, political affiliation, religious belief, physical or mental condition, sexual life, and property details. The Act prohibits the processing of such sensitive information. It states that authorized persons may primarily collect personal information, and for research purposes such data may be collected with the consent of the concerned individual. However, this alone is insufficient to ensure data protection.

In 2012 (2069 BS), the Nepal Rastra Bank implemented an Information Technology Directive that included provisions on banks’ data security. Although it was supposed to be strictly enforced, it has not been effectively implemented.

In 2019 (2076 BS), the central bank issued another directive. The Nepal Telecommunications Authority also introduced a “Cyber Security Bylaw” in 2020 (2077 BS), which states that IT service providers cannot share personal data without an individual’s consent and must secure data stored in the cloud. However, a 2023 (2080 BS) study by researcher Harshaman Maharjan for Martin Chautari concluded that existing laws fail to address various aspects of data protection. The study notes that, in the absence of a separate data protection law, there is confusion about what data collectors are permitted or not permitted to do.

On August 9, 2023, the Cabinet approved the National Cyber Security Policy. Its objectives include establishing legal and institutional arrangements for a secure cyberspace, reducing the risk of cyberattacks while protecting sensitive national infrastructure, and strengthening cyberspace through research, human resource development, and capacity building in cybersecurity.

In 2024 (2081 BS), the government presented the “Bill to Regulate the Operation, Use, and Regulation of Social Media” in the House of Representatives, but it failed to move forward after widespread opposition. The bill was viewed as more of a mechanism to control social media than to regulate it.

In 2012 (2069 BS), the Nepal Rastra Bank implemented an Information Technology Directive that included provisions on banks’ data security. Although it was supposed to be strictly enforced, it has not been effectively implemented.

In fact, even Nepal’s government bodies are not sensitive about data protection. On May 19, 2020, the National Information Commission issued a directive ordering the government to disclose the place of residence and permanent address of individuals infected with or deceased from COVID-19 when publishing such details. Arguing that this directive seriously affected individuals’ constitutional and legal right to privacy, Advocate Roshni Poudel filed a writ petition in the Supreme Court against the government. A joint bench of Justices Sapana Pradhan Malla and Prakash Kumar Dhungana ruled in favor of protecting the right to privacy.

In a writ petition filed by Advocate Baburam Aryal against the Government of Nepal concerning the confidentiality of call detail records and SMS messages, the Supreme Court in 2015 (2072 BS) directed the government to enact necessary legislation. The order issued by then Chief Justice Kalyan Shrestha and Justice Devendra Gopal Shrestha stated: “In the absence of clear legal provisions, no unauthorized or unlawful access to an individual’s confidential information should be permitted and necessary measures must be taken to prevent such violations.” Nearly a decade after receiving that directive, the government has still not enacted a separate data protection law.

The e-Governance Board under the Office of the Prime Minister has initiated positive steps by introducing the “Personal Data Protection Policy, 2082 BS (2025).” The policy itself acknowledges the need for a separate law on data protection. However, there is no certainty about when such legislation will be enacted. Advocate Baburam Aryal, who has long advocated for data protection policy, says, “In today’s world, data are a person’s lifeline, so protecting them is crucial. But the government has not yet fully understood this. Until a separate law is enacted, concepts like e-governance or Digital Nepal will remain mere slogans.”

Zero preparedness in data protection

Today, every activity we perform is considered data. It is impossible to imagine anything without data. Therefore, data are regarded as a person’s “lifeline,” as communication, education, work, health, and economic life are all connected to data. When someone’s important data are stolen or made public, it not only violates privacy but can disrupt their entire life.

Individuals themselves upload data on social media and other platforms, while the state collects other data. The data collected by the state must be securely stored. Nepal’s Constitution guarantees citizens the right to privacy. Researcher Kailash Rai notes that because data in Nepal are scattered and unorganized, they are vulnerable to misuse, posing risks to society. She says, “Citizens themselves must also be aware about data protection, but most importantly, the state must enact laws and regulate it systematically.”

Personal Data Protection Policy developed by the e-Governance Board.

International practice shows that countries enact dedicated data protection laws to regulate this area. Advocate Aryal says that Nepal’s Ministry of Communications and Information Technology or the Ministry of Home Affairs should take the initiative to draft such legislation. According to him, a separate law should address limits on data collection, standards for storage, and legal remedies in cases of violations. He says, “Without data security legislation, we cannot be trusted in the international market; we cannot be considered reliable.”

Data protection is both sensitive and crucial. Yet due to the state’s indifference, citizens’ personal details remain at high risk. Ensuring data security and protection is a prerequisite for citizen safety. Without safeguarding personal information, protecting citizens’ lives and property is impossible. Advocate Aryal says, “The state must prioritize data security and take effective measures. Because if data are insecure, citizens cannot be secure.”