Pakistan’s New Data Protection Law Aims to Secure Patient Records in the Age of AI and Cloud Computing

In an era where emerging technologies such as artificial intelligence (AI), machine learning (ML), and cloud computing are reshaping healthcare delivery, the protection of patient information has emerged as a key issue in Pakistan’s digital transformation. The increasing digitization of health services has driven hospitals, clinics, and insurance providers to leverage cloud-based systems and AI-driven platforms for managing patient data, diagnostics, and telemedicine. Yet, this rapid adoption of technology has exposed gaps in Pakistan’s legal and cybersecurity frameworks, raising concerns over how sensitive patient information is handled. In response to these developments, the government introduced the Personal Data Protection Bill (PDPB) 2023, a draft law designed to provide a formal structure for safeguarding personal data, including health records. Experts agree that the bill is long overdue as Pakistan aims to modernize its healthcare infrastructure amid growing cyber threats and data breaches.

Pakistan’s approach to data privacy has historically relied on general laws such as the Prevention of Electronic Crimes Act (PECA) 2016, which criminalizes unauthorized access to data but does not provide sector-specific protections for healthcare or personal data. This regulatory gap has left institutions vulnerable, particularly amid high-profile breaches, such as the compromise of biometric information within the National Database and Registration Authority (NADRA). Tariq Pervez, additional director of the FIA’s cybercrime wing, commented that “the breach of NADRA’s biometric system during SIM card verification raised alarms about the weaknesses in protecting critical personal information.” Such incidents have amplified the urgency for specialized legislation targeting the collection, storage, and processing of sensitive data. As Pakistan increasingly integrates its healthcare sector with national digital identity systems, these vulnerabilities have direct implications for the security of patient data.

The PDPB 2023 intends to address these risks by establishing a clear regulatory framework that mandates secure practices for data controllers and processors handling personal data. The bill introduces several key requirements, including robust encryption standards, strict access controls, and limitations on cross-border data transfers unless protections are equivalent to Pakistan’s. Additionally, the law imposes a mandatory 72-hour window to notify the National Commission for Personal Data Protection of Pakistan in the event of a data breach, aligning the country with data protection norms observed under the European Union’s GDPR and similar global regulations. The bill also introduces the principle of data minimization, compelling organizations to only collect data necessary for specific purposes and to limit retention periods. These measures, if enforced properly, could significantly reduce the risk of patient data being exposed or misused. Dr. Sania Nishtar, a prominent Pakistani healthcare expert and former federal minister, emphasized the importance of such regulations, stating, “In the digital age, safeguarding patient data is paramount to maintaining trust in healthcare systems. The PDPB 2023 is a critical step towards ensuring that personal health information is protected against misuse and unauthorized access.” Dr. Nishtar’s extensive experience in public health and policy development lends significant weight to her endorsement of the bill.

Healthcare providers, in particular, will face a heightened responsibility to comply with the PDPB due to the sensitive nature of medical records and patient information. As public and private hospitals expand the use of cloud-hosted electronic health records and deploy AI-based decision support tools, the bill’s mandates will force them to implement wide-ranging technical and organizational safeguards. Compliance will require investments in next-generation cybersecurity technologies, employee awareness programs, and the appointment of dedicated Data Protection Officers to monitor adherence to the law. Providers must also review and update their contracts with third-party vendors, especially those offering cloud storage or AI solutions, to ensure all partners in the data supply chain meet the bill’s regulatory requirements. This additional burden will impact operational costs but is seen by many as necessary to preserve patient trust in an increasingly digitized healthcare environment.

While many experts support the bill’s intent, concerns have emerged around potential loopholes and enforcement. Privacy International has flagged provisions that could allow certain government agencies to bypass accountability mechanisms, raising fears about unchecked data collection and surveillance. Meanwhile, industry voices such as Jeff Paine, managing director of the Asia Internet Coalition, have warned about the unintended consequences of Pakistan’s proposed data localization requirement. Paine stated, “Data localization will limit Pakistanis’ access to many global digital services and create unnecessary complexities that will increase the cost of doing business and dampen foreign investment.” Critics argue that localization could isolate Pakistan from international cloud service providers, forcing businesses to rely on domestic data centers with potentially lower resilience and security capabilities, ultimately limiting technological innovation and healthcare modernization efforts.

Adding a technical voice to the conversation, Muhammad Saqib, an industry expert and a researcher for scalable cloud solutions across AI/ML and cybersecurity, weighed in. He emphasized the critical intersection between cloud security and regulatory frameworks. “As healthcare systems in Pakistan move more patient data into cloud environments, securing these assets according to global standards becomes critical,” Saqib said. “The proposed bill is a welcome development, but its success will depend on how well organizations implement secure cloud architecture and governance frameworks while balancing innovation with compliance.” Saqib further explained that as healthcare organizations adopt AI/ML-powered systems, it is vital to embed privacy and security into the infrastructure from the outset. “With AI-powered analytics and decision support tools now common in healthcare, there is a real need to ensure data privacy is baked into the system design, not treated as an afterthought,” he added. Saqib has worked with multinational clients as a consultant, helping to modernize healthcare systems through cloud-native solutions while ensuring adherence to frameworks such as HIPAA and GDPR. Saqib was also the youngest and first Pakistani to achieve a prominent Cloud Computing Certification, for which he received recognition. The healthcare single sign-on application used in prominent Karachi hospitals was developed by Saqib and his team.

The Personal Data Protection Bill 2023 marks a pivotal step in Pakistan’s broader push to modernize its healthcare sector while upholding patient rights. If implemented effectively, the legislation could create a more secure and compliant environment that supports the safe adoption of emerging technologies. However, enforcement will be key. The National Commission for Personal Data Protection, once established, will need to work closely with healthcare providers, technology vendors, and cloud providers to ensure consistent application of the law. Ultimately, the bill offers an opportunity for Pakistan to strike a balance between fostering innovation in digital healthcare services and protecting the fundamental privacy rights of its citizens in an increasingly interconnected world.

 
