Iran Taking Legal Steps toward Management of Public Data & Information

National Data and Information Management Act (NDIMA).

On Monday, 31st October 2022, the President of the Islamic Republic of Iran circulated to the Ministry of Communication and the High Council of Cyberspace the National Data and Information Management Act, a new law of its kind awaiting ratification for a while. The Parliament has approved the NDIMA to equip the Government with the additional tools it needs for a more digitalised governance.

The NDIMA, regardless of certain ambiguities yet to be addressed, consists of 12 Articles and 9 Notes and was approved by the Parliament on 21st September 2022 and was confirmed by the Guardians Council on October 12th.

The NDIMA deals with the management of Information and Data that is possessed and comes to the possession of any Government body and considers those data and information as “public” assets that the Government can only manage.

It is no secret that for the past two decades and since o, online processing of data became widespread across government entities, entities’ information has been obtained, processed and kept by the respective government entities. This aside, people have been left with no clear answer regarding what happens with their information. The NDIMA aims to respond to those questions and move towards integrated data and information management within the Government bodies. The responsibility to coordinate such a process lies with the Ministry of Communication.

A more technical look at the NDIMA:

What is data and information under the new law?

According to Article one of the Law, any data and information belonging to the institutions subject to this law, or otherwise any data and information transferred to the organisations and bodies subject to this law following the relevant laws and regulations, are considered national data and information.

The three primary arms of the Islamic Republic of Iran, i.e., the Judiciary, the Parliament, and the Government Administration, including all the ministries, organisations, institutions and universities, government offices, profit and non-profit institutions owned by state organisations, banks and credit institutions, governmental insurance companies, the Guardians Council, State Radio and Television, research institutions and science and technology parks are all amongst the institutions that the NDIMA governs.

Facilitation of Access to information related to businesses

According to Article 2 of the NDIMA, policy-making and approving high-level strategies for production, maintenance, processing, access, integration, and ensuring the security of national information and data rest with the High Council of Cyberspace; and this is, as the law states, for increasing governing power, organisation and unification of access to data and information and to expand the exchange of information between the government entities.

According to Article 3 of the Law, a workgroup titled  “Coordination of Digital Governance” is responsible for supervising how the information and data are stored, processed, accessed, integrated, secured, exchanged and shared. The High Council of Cyberspace will determine the workgroup’s members and organisation.

Each organisation/sector receiving and processing data under this Law will be responsible for securing the data and information and their confidentiality, as stated under Article 6 of the Law.

One of the most important provisions of the Law could be Article 4, which sets the ownership of the Government over the data and information. According to Article 4 of the Law, under authorisation by the Workgroup on Coordination of Digital Governance, the Government can store the information and data that come into its possession. However, the Workgroup must determine the level of access to the databases.

The Law also provides sanctions in case of wrongdoing [by the government bodies] in processing the data and information, which can result in dismissal from service from 6 months to five years or imprisonment from 81 days to 6 months.

A careful review of the provisions of NDIMA also reveals that little has been reflected in the law concerning the rights of individuals (i.e. public) who opt to provide their data and information to the Government. For instance, in comparison with the Data Privacy regulations in Europe (GDPR), which set very robust mechanisms for handling personal data, there is still a long way to go to bridge the gap between the emerging regulations in the Iranian legal system and standards being practiced globally.