Data Governance Diagnostic Tool MENA Tech Initiative - Workbank

The document outlines a diagnostic tool for assessing data governance in the MENA region, focusing on enabling infrastructure, trust in data usage, and value creation through data. It emphasizes the importance of effective data governance frameworks to foster public trust and facilitate digital transformation. The tool aims to identify gaps and opportunities in data governance practices across countries, with case studies from Jordan and Morocco to inform future operational engagements and policy dialogue.


Draft 4.0
October 2020

Version Control

Version | Date | Comments
1.0 | February 2020 | Initial Draft
2.0 | April 2020 | Revised draft to reflect feedback from MNA team (Jordan and Morocco)
3.0 | August 2020 | Revised draft to reflect additional feedback from AFR (Nigeria) team
4.0 | September-October 2020 | Revised draft to reflect additional feedback from SEA (Vietnam) team and alignment with WDR2021

Table of Contents

I. Data Governance: definition and purpose
II. Structure and process
III. Planned outputs and findings
IV. Overview: data governance survey

1. Enablers: enabling data infrastructure
1.1. Data-driven National Digital Transformation Vision
1.2. Broadband Connectivity
1.3. Data Infrastructure
1.4. Whole of Government Framework
1.5. Institutional Capacity

2. Safeguards: trust in the use of data
2.1. Legal system and sources of law
2.2. E-Commerce and E-Transactions
2.3. Personal Data Protection
2.4. Cybersecurity / Cybercrime
2.5. Consumer Protections
2.6. Cross-Border Data Transfers

3. Outcomes: value through data
3.1. Data-Driven Government Services
3.2. Data-Driven Business Services
3.3. Data-Driven Industry
MNA Tech Initiative
Data Governance Activity
Diagnostic Tool (Phase I)

I. Data Governance: Definition and Purpose

What do we mean by Data Governance?

There is currently a proliferation of data typologies. A distinction can be drawn between “raw” data and
data as information [1]. The scope of data can be broadened to include both data and metadata. Data can be
differentiated according to its source, i.e. distinguishing between public and private sector data and
information. Data can also be classified in relation to its access, on a spectrum from closed to open. Finally,
personal data protection regimes are often based on the distinction between personal and non-personal data.
Within personal data, a distinction is sometimes made between volunteered, observed and inferred data [2].

Data Governance is a necessary process of managing the availability, usability, integrity, security and
responsible collection, processing and use of these types of data in public and private systems. This is
usually based on an identified set of data standards and policies that also guide data usage. The process also
includes strengthening the institutional, regulatory, capacity and technical foundations to better control and
manage data across its value cycle, i.e. collecting, generating, storing, securing, processing, sharing and
(re)using data in a trusted manner to deliver development value.

This activity considers several data typologies. A comprehensive approach embracing the various types
of data is adopted to better understand how each of these data types is to be treated. Both data and metadata
as well as public and private sector data are included in the scope of the assessment. The emphasis is also
on the degree of openness of public sector data, to distinguish between “open” and “closed” data. A separation
between personal and non-personal data is also included to provide the appropriate safeguards for the data
rights of individuals.

What is effective Data Governance?

This diagnostic also aims to promote effective data governance. There is a need to govern the use and
reuse of these types of data for value creation, in both the public and private sectors as well as by civil
society. In this vein, data “governance” includes elements structured around the following building blocks:
a) enabling and safeguarding policies, laws and regulation to create a framework for trusted data
transactions; b) hard and soft technical infrastructure (including broadband, platforms and protocols) to
enable data transfers, interoperability and portability for more effective usage; and c) institutions that enable
data-driven usage by supporting enforcement and implementation of data governance frameworks.

It remains critical for Governments to foster public trust in the responsible use of data by developing robust
and effectively enforced legal and regulatory mechanisms to protect the fundamental rights of data subjects
in their personal data, ensure the integrity and security of data, and create incentives for the
sharing/pooling of private sector data for public good.

[1] Where information is understood as “the meaning resulting from the interpretation of data” (OECD, 2015).
[2] Volunteered data is created and explicitly shared by individuals (e.g. social network profiles). Observed data is
captured by recording the actions of individuals (e.g. location data from mobile phones). Inferred data is data
about individuals based on an analysis of volunteered information (e.g. credit scores) (WEF, 2011).

What is the focus of this activity?

The premise of this activity is building trustworthy data governance systems that enable the
effective harnessing of data for development. By successfully implementing a robust data governance
framework on top of an adequate digital infrastructure, governments in the MENA region will create an
enabling environment to achieve an inclusive, safe, innovative and dynamic digital economy. They will
also be sending an important signal of accountability and transparency to incentivize individuals, civil
society organizations and businesses to trust the public and private platforms and services whose
development can respond to user needs and generate value from data.

The responsible implementation of data governance standards will also support MENA’s aspirations
to become a competitive actor in the digital economy. It also paves the way for the establishment of
common data environment principles and foundations of a digital single market in the region.

II. Structure and Process

The focus of this ASA’s first phase is on developing two case studies informed by in-country collection
of data and practices on data governance based on a modular diagnostic tool. This tool is adapted to
the MENA context and designed around the conceptual framework laid out below.

1. Enabling data infrastructure, which focuses on the policies and technical architecture enabling
the collection, storage, sharing, analysis, and management of data for value creation.

2. Trust in the use of data, which covers personal data protection, cybersecurity, cybercrime,
consumer protection and e-transactions [3] that enable the use and reuse of data while safeguarding
the fundamental rights of data subjects. Together, these “safeguards” are designed to promote trust
in data protection and security, incentivizing usage of data-driven platforms and services, and
potentially leading to improved trust in public sector institutions.

3. Value through data, which includes innovation, digital skills and capacity development, increased
usage of e-services, etc. that can be enabled by an effective governance framework (pillars I & II).

In Phase II, sectoral use-cases could also be presented to illustrate the data governance practice as
articulated in the three pillars above. The suggested focus is currently on digital financial payments but may
be expanded to other verticals downstream.

In its current format, the diagnostic tool has been designed to provide a high-level landscape analysis
(a snapshot) of current data governance practices in MNA countries. It is designed as a modular,
outcome-oriented tool that is structured around key building blocks to enable an initial identification of
opportunities and gaps in the policy, legal, technical and institutional foundations of a robust data
governance ecosystem. These foundational elements are required for enabling an effective and trusted use
of data. The diagnostic tool also takes into account the emerging guiding principles of data for
development illustrated in Box 1.

[3] The emphasis is on e-transactions as safeguards for enabling data protection rather than enabling the process of
data transactions (i.e., part of enablers).

The tool is designed so that non-specialist operational teams can undertake it to identify entry
points for client dialogue, with a view to analytically preparing future operational engagements and
technical assistance. As such, it is intended to help identify key issues, based on urgency or government
priorities, that may require more granular assessment. To address such recognized limitations, the use of
additional specialized diagnostic tools developed by the World Bank can prove beneficial, for
example in the case of project preparation. These additional tools cover areas such as broadband, cloud,
cybersecurity, government platforms, digital identification, and open data assessments.

• Broadband Strategies Toolkit (BST)
• Cloud Readiness Assessment Toolkit (CRAT)
• Cybersecurity Maturity Assessment (CMA)
• Digital Government Readiness Assessment (DGRA)
• ID Enabling Environment Assessment (IDEEA)
• Open Data Readiness Assessment (ODRA)

III. Planned outputs and findings

In phase I, Jordan and Morocco are two countries in MENA that were selected to provide diverse
contexts and practices of data governance. Technical missions to Jordan and Morocco were planned for
March 2020 during which the draft diagnostic tool would be disseminated in the two countries to elaborate
a “snapshot” overview of existing data governance practices.

However, the COVID-19 pandemic affected this plan, requiring an agile revision of the sequencing
and methodology of the activity components. While the Jordan mission took place in early March, the
subsequent mission to Morocco was conducted virtually due to travel restrictions. The team relied on local
capacity in the CMU to lead the various engagements with Moroccan stakeholders. Logistical
complications aside, the shift in priorities by most governments towards the emergency COVID response
led to an understandable deprioritizing of data collection efforts and of responses to the survey. These
conditions were particularly challenging without the assistance of dedicated localized technical support
within public sector entities, despite effective preparation and engagement with counterparts at the high
level. There were also limitations in terms of the data and information the team was able to access, and the
comprehensiveness and comparability of the information from one country to another, as data governance
remains a nascent topic in the region.

Gaps in the findings of the preliminary missions were supplemented with desk research by the team,
using externally published secondary material, existing ASAs conducted as part of project
preparation for other activities, and support from local consultants. These have been distilled into two
deep dive case studies that seek to highlight emerging good practices and challenges that could be addressed
in downstream operational work and technical assistance in MENA and inform policy dialogue.

The data collection exercise and the findings in the two case studies were used to refine the survey
questionnaire in this diagnostic tool. Inputs and comments were also provided by World Bank teams in
Nigeria and Vietnam where the MNA questionnaire is being leveraged. Once disseminated, the refined
diagnostic tool could enable the collection of information on data governance practices across all countries
in the MNA region, to enable a country-by-country analysis of practices and identify both regional gaps
and emerging best practices. Moreover, the modular diagnostic tool will be provided as a public good
available for adaptation by operational teams seeking to undertake country assessments in other regions.

Finally, while the COVID crisis required a shifting of priorities for the development of this activity,
it has also created opportunities for downstream engagement. Indeed, the crisis has propelled digital
transformation in the region, with more Governments open to enabling responsible data governance practice
as part of enhancing their resilience and accelerating their recovery. This context provides an opportunity
for consultation and policy dialogue on data governance through a series of outreach events to take place
following the launch of WDR21 on Data for Development and as part of events organized around and
during the Marrakesh 2021 Annual Meetings. The findings of the case studies will also continue to be
leveraged to support ongoing and new operations in the region, including as inputs to the technical
preparation of two P4Rs in Jordan and Morocco in FY21.

Box 1: Emerging Guiding Principles of the Data Revolution

The UN Secretary General’s Data Revolution Independent Experts’ Advisory Group has advanced
10 principles. A preliminary digest is provided below as guiding principles:

Data quality and integrity
Poor quality data can mislead.

Data disaggregation
To the extent possible and with due safeguards for individual privacy and data quality,
disaggregated data can provide a better comparative picture of what works and help inform and
promote evidence-based policymaking.

Data timeliness
Data delayed is data denied. The data cycle must match the decision cycle.

Data transparency
Publicly funded datasets, as well as data on public spending, should be available to other public
ministries or the general public. Underlying data design and sampling, methods, tools and datasets
should be explained and published alongside findings to enable greater scrutiny, understanding and
independent analysis.

Data openness
Data should be made public in ways that encourage greater use and be complete, machine-readable,
freely available for reuse without restrictions, and transparent about underlying assumptions.

Data usability and curation
Data architecture should place great emphasis on user-centered design and user-friendly interfaces.
Communities should be fostered to develop new tools that can translate raw data into something
meaningful to a broader constituency of non-technical potential users.

Data protection and privacy
Clear international norms and robust national policy and legal frameworks must be developed.

Data governance and independence
Data quality and NSOs should be protected and improved, to ensure they are functionally
autonomous, and independent of political influence.

Data resources and capacity
National statistical systems should be established that can produce high quality statistics in line
with global standards and expectations.

Data rights
Rights include (but are not limited to) the right to be counted, the right to an identity, the right to
privacy and shared control, the right to due process, the right to freedom of expression, the right to
participation, the right to non-discrimination and equality, and the right to principles of consent.

Source: WEF. 2015. Data-Driven Development: Pathways for Progress. Advisory Group on a Data Revolution for
Sustainable Development.

IV. OVERVIEW

PILLAR / COMPONENT / ELEMENT

1. Enablers: Enabling Data Infrastructure
   1.1. Data-driven National Digital Transformation Vision
      • National Digital Transformation Leadership
      • National Data Management Strategy
   1.2. Broadband Connectivity
      • Access to Broadband Connectivity
      • 5G Deployment
      • Speed Quality
   1.3. Data Infrastructure
      • Cloud Infrastructure and Services
      • National Data Infrastructure Security
   1.4. Whole of Government Framework
      • National Interoperability Framework
      • Government Secured Network LAN
      • Data Sharing Framework
      • Open Datasets
      • Access to Information
   1.5. Institutional Capacity
      • Data Stewardship
      • National Capabilities
      • Access to Talent
      • Data Culture and Mindset

2. Safeguards: Trust in Data
   2.1. Legal system and sources of law
      • Description of the Legal System
      • International Conventions and Treaties
   2.2. E-Commerce and E-Transactions
      • E-Commerce Law Adoption
      • Robustness of the Law
      • Effective Enforcement
   2.3. Personal Data Protection
      • Data Protection Law adoption
      • Robustness of the Law
      • Obligations on Data Processors
      • Rights of Data Subjects
   2.4. Cybersecurity / Cybercrime
      • Cybercrime Law adoption
      • Robustness of the Law
      • Substantive Protections
      • Effective Enforcement
   2.5. Consumer Protections
      • Consumer Protection Law adoption
      • Robustness of the Law
      • Effective Enforcement
   2.6. Cross-Border Data Transfers
      • International Standards
      • Local Processing of Data
      • Adequacy and Mutual Recognition Arrangements
      • Regional Integration and Harmonization
      • Data Localization

3. Outcomes: Value through Data
   3.1. Data-Driven Government Services
      • Government e-Services
      • Big Data Analytics
   3.2. Data-Driven Business Services
      • Business e-Services
      • Private Digital Platforms
   3.3. Data-Driven Industry
      • Start-Up Ecosystem
      • Priority Sectors

Pillar 1 – Enablers
ENABLING DATA INFRASTRUCTURE

1.1. Data-driven National Digital Transformation Vision

1.1.1. National Digital Transformation Leadership

Questions | Y/N | Comments (Add Links / Attachments)
• Does the Government have a shared vision for digital
transformation? is it linked to the national development
agenda? is there a digital transformation act/law?
• If Yes, is there reference to data policy, management or
principles? governance?
• Is there a clear implementation road map? What are the key
performance indicators for measuring implementation of
strategy?
• Does the organizational and governance structure enable the
co-ordination of data exchange among various government
departments and ministries?

1.1.2. National Data Management Strategy

Questions | Y/N | Comments (Add Links / Attachments)
• Does the government have a data management strategy
(collection, storage, sharing and re-use strategy)?
• If Yes, what laws and regulations enable its implementation?
• If Yes, which government body or bodies are responsible for
implementing the strategy?

1.2. Broadband Connectivity

1.2.1. Access to Broadband Connectivity

Questions | Y/N | Comments (Add Links / Attachments)
• Are 3G and 4G deployed? If so, what is the penetration of
mobile broadband? Population covered by 3G and 4G
mobile broadband network (per 100 individuals)

• Is there a national Broadband network? If so, what is the
penetration of fixed-based Broadband (i.e., fiber)? # of
active fixed broadband subscribers (per 100 households)
• Are there incentives in place to expand and accelerate
broadband deployment? such as accelerated depreciation for
connectivity infrastructure investments, tax credits for
research and development, loans or subsidies for connectivity,
and/or PPP for Infrastructure sharing.

1.2.2. 5G Deployment

Questions | Y/N | Comments (Add Links / Attachments)
• Did the Country start deploying 5G networks?
• If Yes, which operators are offering 5G services? What is the
current and forecasted penetration / number of subscriptions?
are there any on-going applications in use?
• If No, does the country plan to test 5G deployment (i.e.,
sandbox)? Did the national Telecommunications Regulator
develop a plan for 5G deployment?

1.2.3. Speed Quality

Questions | Y/N | Comments (Add Links / Attachments)
• What is the Broadband download speed available in the
country (Mbps)?
• Does more than 50% of the population have access to
broadband download speed of equal or above of 20 Mbps?
• If it is less (access% and/or speed), what is the plan for
expanding access and enhancing the speed quality?
• Who is the main provider of Broadband: public or private
sector? If there is a public-private partnership, is the public or
private sector responsible for investments in speed quality?

1.3. Data Infrastructure

1.3.1. Cloud Infrastructure and Services

Questions | Y/N | Comments (Add Links / Attachments)
• Does the country have access to Cloud Infrastructure?
• If Yes, does the accessibility include international
(Commercial) data centers (e.g., Microsoft, Amazon, etc.)?

• If Yes, does the accessibility include local government data
centers?
• If Yes, does the accessibility include local commercial data
centers?
• If No, is there a plan to build a local data center, a virtual
network operations center (NOC)? What is the expected
launch date?
• Does the Government use Cloud services?
• If Yes, what share of government data are stored on the
cloud?
• If Yes, are data stored on the cloud easily accessible across
departments and different levels of government
(national/local) for analysis?
• What share of cloud services are provided by international
(commercial) versus local government vs. local commercial
providers?
• What services are most used on cloud services? (e.g., AI-
enabled applications such as chatbots and machine learning
analytics tools; data storage; online services; …etc.)
• If No, is the Government planning for Cloud migration?

1.3.2. National Data Infrastructure Security **

Questions | Y/N | Comments (Add Links / Attachments)
• Does the Government have a National Critical
Infrastructure Plan?
• If Yes, does the plan include National cloud infrastructure,
platforms, and services?
• Does the plan refer to Data Center Security (physical
practices and virtual technologies used to protect data centers
from cyber threats and attacks)?
• Are existing data centers built with advanced security
measures including redundant and dual-powered servers,
storage, network links and other IT components (i.e., Tier 3;
Tier 4)?
• Are international security standards (e.g., ISO 27000)
adopted and practiced?
• Does the Government collaborate with domestic and
international organizations to mitigate cyber risks?

**See also Pillar 2 – Cybersecurity and Cybercrime

1.4. Whole-of-Government Framework

1.4.1. National Interoperability Framework

Questions | Y/N | Comments (Add Links / Attachments)
• Does the Government have an established Enterprise
Architecture(s) for data related standards?
• Does the government have an e-Government
Interoperability Framework with mandatory standards for
each agency’s systems?
• Is there a government operated data interoperability/data
sharing platform?
• What are the features of the interoperability platform?
o Based on an open source solution
o Based on a proprietary solution
o All government agencies are connected to the
platform
o The platform is accessible to/by private sector
entities
• Is there a body responsible for setting (or reviewing) technical
standards that government entities abide by to make their
systems interoperable?
• Are government entities mandated to use common
technical standards (e.g. FAIR) that enable the
interoperability of systems, databases and registries?
• Does the government have established standards for
Application Programming Interfaces (APIs) to develop
applications or online services?
• Has the Government deployed and scaled digital
identification (e-ID)?
• Has the Government defined, digitized and shared a set of
basic data registers?
• If Yes, please identify what data registers:
o National population database;
o National land database;
o National business registration database;
o National demographic statistics database;
o National address database;
o National financial database; and,
o National insurance database.
• For each basic register, has the government defined
institutional responsibilities for the operation, update, and
sharing of the register’s data?
• Are all government agencies legally required to use basic
registers rather than collect and hold their own data?
• Is there a government data classification policy/directive?

• Does the policy or directive prescribe the categories of
common data classification?
• Is it mandatory to use the common data classification
categories across government database applications or
document management systems?

1.4.2. Government Secured Network LAN

Questions | Y/N | Comments (Add Links / Attachments)
• Are there established secure Government network(s) for the
sharing of data and services among agencies?
• If Yes, are local government and local agencies also
connected?
• If No, what is the government plan to ensure inter-
connectivity across government agencies?

1.4.3. Data Sharing Framework

Questions | Y/N | Comments (Add Links / Attachments)
• Has the government adopted international data standards
(including metadata standards)?
• Does the government promote mainstreaming of APIs?
o For what kind of data are APIs enabled?
o Is there a platform for sharing data via APIs? Does it
facilitate G2G, G2B, and/or G2C transactions?
• Does the Government have common Data Sharing
Agreements or Data Exchange Protocols with any third party?
o What type of data analyses are conducted?

1.4.4. Open Datasets

Questions | Y/N | Comments (Add Links / Attachments)
• Has the government adopted an Open Data policy or an Open
Data Act applicable across the public sector?
• If Yes, at what level of government is this policy applicable
(the entire public sector; central government; local
government, …)?
• If Yes, is the government proactively releasing open data
sets and encouraging the use of these data sets? Which
datasets are open?

• Re. usage, is data collected from various sources / devices
(mobile, reactors, sensors, etc.) used within the government
for economic and/or social development purposes? Are these
datasets open to Businesses and/or third parties?
• Is government data available and used by policy makers and
service providers?
• Are government datasets accessible by businesses and
academic institutions? Are these open datasets earmarked
(e.g., for public good; for commercial services; ... etc.)?
• Has the government adopted an open licensing regime (such
as a Creative Common License by Attribution) to enable the
reuse of public sector data?
• Does the Open License apply to all government data?

1.4.5 Access to Information

Questions | Y/N | Comments (Add Links / Attachments)
• Has Right to Information/Access to Information (ATI)
legislation been passed that grants individuals the right to
request government records or data?
• Does the law provide for limitations or exceptions to this
right of requesting access to government records or data?
Please check all that apply:
o Sensitive information on national security, defense
or foreign policy grounds
o Trade secrets or other commercial interests
o Personal data
o Law enforcement
o Privileged information
o Public investigations and audits
o Other
• Does the law provide for the creation of a centralized body to
process ATI requests?
• Does the law include a provision requiring the collection of
data on ATI requests?

If yes, please mark as appropriate:


• Number of requests submitted
• Number of requests accepted/rejected
• Reasons for successful/unsuccessful request
• Is this information published and publicly available on a
citizen-facing government website?

1.5. Institutional Capacity

1.5.1. Data Stewardship

Questions | Y/N | Comments (Add Links / Attachments)
• Is there a formal government policy on data stewardship /
ownership and licensing of government data?
• If Yes, what are the obligations / rights that are set for various
actors/stakeholders:
o Government
o Individuals
o Businesses

1.5.2. National Capabilities

Questions | Y/N | Comments (Add Links / Attachments)
• Does the government have a national Capacity Development
Plan?
• If Yes, what are the targets among the public servants:
leadership, middle to Senior, and/ or entry level?
• Does the Government Plan include specific training to develop
intermediate and advanced digital skills related to Data (data
management, data security, data sharing, data structure, data
privacy and protection, Machine Learning, etc.)? Is this
training provided directly by the Government or in partnership
with existing training providers (e.g. universities)?
• Is there a data-focused Center of Excellence or Academic
institutions nationally? Which other channels of delivery for
training (academia, specialized networks, …etc.) are available
and used?
• Is there a national Talent Development Plan to address the
supply and demand of data-driven job opportunities within
private sector? What are the KPIs for this plan?
• If Yes, does the plan also include a program for re-skilling
existing employees? Is the re-skilling initiated by the
government directly or through incentives to private
employers?
• Is there a coordination with the national education strategy?
Does this strategy prioritize STEM education?
• Is there University-Industry collaboration in Research &
Development with access to Data Lakes?

1.5.3. Access to Talent

Questions | Y/N | Comments (Add Links / Attachments)
• Are data-related talents with advanced and specialized skills
(e.g. machine learning, data science, cybersecurity) available
in the country?
• If Yes, are there any recent statistics on the size of this
talent pool? Are these data structured by gender; location; sector?
• Do agencies conduct skills and talent assessments of their
existing workforce? If so, how often?
• Does the government have enough skilled, qualified staff with
technical and institutional knowledge on data related matters?
• If Yes, is there enough talent in central government? In local
government?
• Are there clear, structured career paths and incentives for
civil servants and youth to pursue data-centered functions?
o What is the average retention of employees?
o What is the average number of career steps and
promotions pursued by employees?
• If yes, are these incentives supported officially by decree or
government act?

1.5.4. Data Culture / Mindset

Questions | Y/N | Comments (Add Links / Attachments)
• Do government entities and businesses adopt data
governance principles? (e.g., The UN Secretary General’s
Data Revolution Independent Experts’ Advisory Group has
advanced 10 principles: data openness, transparency, usability,
… etc.)
• If Yes, is there an operationalization / implementation of
these principles?
• Does the national budget include allocations for data-related
projects with high-impact on digital transformation?
• Is there a data protection watchdog agency / commission
within the country?
• If Yes, is it empowered with appropriate resources (e.g.,
budget, capabilities, …etc.) and mandate?

Pillar 2 – Safeguards

TRUST IN THE USE OF DATA

2.1. Legal system and sources of law

2.1.1. Description of the legal system

Questions | Y/N | Comments (Add Links / Attachments)
• Which legal tradition does the government follow?
o Common law
o Civil Law
o Religious law
o Other (Please state)

2.1.2. International conventions/treaties

Questions Y/N Comments


Add Links / Attachments
• Is the government a party to any of the below data-related
international conventions and agreements?
• If Yes, what is the date of accession or ratification?
o International Covenant on Civil and Political Rights, 1966
(Article 17 on the right to privacy)
o Council of Europe Convention for the Protection of
Individuals regarding Automatic Processing of Personal
Data, 1980; revised 2016 (open to all countries in the
world)
o Convention on Cybercrime (Budapest Convention), 2001
o African Union Convention on Cybersecurity and Personal
Data, 2014
• If No, has the government indicated an intent to join any of the
above?
• If yes, please specify which

2.2. E-commerce and E-transaction

2.2.1 E-commerce law adoption

Questions Y/N Comments


Add Links / Attachments
• Is there a national e-commerce/e-transactions law?
• If Yes, what is the status? (Enacted? Draft?)
• Have relevant implementing regulations been passed?

2.2.2 E-commerce law robustness

Questions Y/N Comments


Add Links / Attachments
• Does the e-commerce/e-transactions law include provisions
that grant legal equivalence between paper-based and
electronic communications, contracts, signatures and records?
• If Yes, for which types of records:
o Electronic communications/messages
o Electronic contracts
o Electronic signatures
o E-evidence
o E-seals
• What types of electronic signatures are legally recognized in
your country? Please mark as appropriate
o All legal signatures
o All legal signatures, but advanced/qualified signatures are
associated with legal presumptions, while simple
signatures are not ("two-tier approach")
o Only advanced/qualified signatures
o Only digital signatures (e.g. PKI)
• Are there any documents that cannot be legally accepted in
electronic format and cannot be signed electronically?
If yes, please mark below as appropriate and specify the legal
basis (law/regulation, article, etc.):
o Property deeds and other contracts for the lease or sale of
immoveable property
o Wills or codicils
o Documents pertaining to family law
o Other (please specify)
• Technological neutrality
Does the law or regulation prescribe a specific form or condition
for any of the following?
If yes, please mark below as appropriate and specify the legal
basis (law/regulation, article, etc.)
o Electronic communications/messages
o Electronic contracts
o Electronic signatures

2.2.3 Effective enforcement

Questions Y/N Comments


Add Links / Attachments
• Have any certificates been issued for digital signatures (e.g.
PKI)?
If yes, please specify the relevant legal basis
• Which entities are authorized to issue digital certificates?
o Only public entities (please specify name)

o Both public and private entities
Please specify the relevant legal basis (law/regulation)
• Do the law/implementing regulations provide for the creation
of a Certification Authority (CA)?
• If Yes, does the Certification Authority’s mandate include
the following roles and responsibilities?
o Issuing digital certificates
o Authenticating and validating e-transactions
o Managing or regulating PKI infrastructure
• Have any licenses been issued for private CAs?
If yes, how many?

2.3. Personal Data Protection

2.3.1 Personal Data Protection law adoption

Questions Y/N Comments


Add Links / Attachments
• Is there a data protection/privacy law of general application
explicitly governing the collection, processing and use of
personal data (including sensitive data) and personally
identifiable information (“personal data”)?
• If Yes, what is the status?
o Enacted
o Draft
• If No, are there sector-specific personal data protection and/or
privacy laws?
• If No, are privacy and/or data protection rights protected in the
country's constitution?
• If no laws exist, have there been any significant court or
administrative decisions that form the basis of or clarify
privacy or data protection rights?
• Have relevant implementing regulations been passed?

2.3.2 Robustness of personal data protection legislation

Questions Y/N Comments


Add Links / Attachments
• Were any of the below international/regional models or
guidelines used as the basis for developing the data protection
legislation? Please mark all as appropriate
o OECD Privacy Guidelines (2013)
o EU General Data Protection Regulation (EU GDPR)
o Commonwealth model law on privacy
o APEC Privacy Framework (2015)
o AU Convention on Cybersecurity and Personal Data
Protection

o Council of Europe Convention 108+
o EU Police and Criminal Justice Data Protection Directive
2016/680
o Other (please specify)
Scope
• Does the scope of application of the law extend to
o Natural persons
o Legal persons
• Does the law or regulation apply to anyone (citizen or not)
residing within the country?
• Does the law specify any exceptions to its application?
If yes, to which?
o Public sector entities/government
o SMEs
o Other categories of natural or legal persons
• If yes, are these exceptions subject to due process limitations,
such as a “necessary and proportionate” test to determine
whether the exception is legitimately applied?
Obligations
• Does the law or regulation require that the collection and
use of personal data be done on any of the following lawful
bases? (please mark all as appropriate):
o collection undertaken with consent,
o due to contractual necessity,
o in compliance with legal obligation,
o for the protection of vital interests,
o for the public interest
o other legitimate interest (please specify)
• What are the legal grounds under which “consent” is deemed
“legitimate”?
o Consent must be freely given
o Consent must be informed
o Consent must be unambiguous
o Consent must be specific
• Does the law or regulation require that the collection and use
of personal data be done fairly and transparently (or similar
standard)?
Examples of a “fair and transparent” standard include requiring the
data subject to be informed of the purpose of data collection
and the intended use and sharing of the data
• Does the law or regulation require that the collection and use
of personal data be made for a stated purpose (or similar
standard)? (Purpose limitation)
• Does the law or regulation require that the data collected be
proportionate, adequate, relevant and limited to what is
necessary in relation to the purposes for which they are
processed (Data minimization)
• Does the law or regulation require that the collection and use
of personal data be accurate, complete and up to date (or
similar standard)? (Data integrity)

• Does the law or regulation require that persons or entities
collecting and using personal data take responsibility for and
be capable of demonstrating compliance with applicable data
protection requirements? (Accountability)
• Does the law or regulation require additional protections for
collection and use of sensitive personal data (e.g., information
relating to race, ethnicity, religion, political beliefs, sexual
orientation, health, etc.)?
• Does the law or regulation require that personal data not be
kept longer than is necessary for the purposes for which it is
processed (or similar standard)? (Storage limitations)
• Does the law or regulation require data processors to
incorporate privacy-by-design or data
protection-by-default principles or use privacy-enhancing
technologies (PETs) in the design and implementation of data
processing systems? For example, de-
identification/pseudonymization requirements.
• Do any policies, laws or regulations restrict the sharing of
personal data with third parties?
• Are there exceptions to limitations on the sharing of personal
data for national security or law enforcement (or other
reasons)?
• Are these exceptions subject to review by an independent
body?
Individual rights
• Do individuals have the right to be notified in a timely manner
when the security of their data or their data rights have been
breached during processing? (notification of breach)
• Do data subjects have the right to access and review use of
personal data about them held by data controllers/processors?
If YES, under which conditions?
o Unconditional full data access
o Unconditional access to limited categories of data (e.g.
categories of personal data, purposes of data processing,
etc.)
o Conditional limited data access
• Do data subjects have the right to challenge the accuracy of
information and have it rectified, completed, and amended?
• Do data subjects have the right to have personal data about
them (including data trails) deleted?
• If YES, under which conditions?
o All personal data/PII, unconditionally
o All personal data/PII, under certain conditions
o Depends on the type of data (please specify)
• Do individuals have the right to withdraw their consent to data
processing at any time?
• Do data subjects have the right to move, copy, or transfer
personal data from one system to another electronic
environment? (data portability)

• Does the law include mandatory breach notification?
o If yes, within which time period? and
o What is the fine (if any) for breach of regulations?
• Are there rights to limit the making of decisions about
individuals solely as a result of automated processing of
personal data (i.e. without any human intervention)?
• Do individuals have a right to object to the use of personal
data about them, file complaints and seek redress?

2.3.3 Effective enforcement of personal data protection law

Questions Y/N Comments


Add Links / Attachments
Institutional arrangements to enforce personal data protection
• What entities are responsible for receiving objections and
complaints?
• What entities are responsible for conducting investigations and
applying remedies?
• Do the law/implementing regulations provide for the creation
of a Data Protection Authority (DPA)?
• If Yes, does the DPA’s mandate include the following roles
and responsibilities?
o Enforce national data protection rights and obligations
enshrined under the law or regulation
o Keep records of sanctions and enforcement actions
o Provide guidance on the interpretation of the law or
regulation
o Promote awareness of the risks, rules and safeguards of
rights pertaining to personal data
o Encourage the creation of codes of conduct and review
certifications
o Regularly publish activity reports
o Provide redress mechanism
• Is there a right of judicial review/external appeal for decisions
issued by the DPA?
• Are redress mechanisms available through Alternative Dispute
Resolution as an alternative to judicial review?
• Can the DPA be considered effectively independent, based on
the following criteria?
o Legal independence: Is the institution a separate legal
entity?
o Functional independence: does the entity report to a
political overseer who can effectively reverse decisions?
o Physical independence: Does the entity sit within the
ministry, department or agency that oversees it?
o Financial independence: Does the entity set its own
budget?

• Can the institution be considered effectively accountable and
transparent, based on the following criteria?
o Are appointment criteria objective and transparent?
o Are removal criteria objective and transparent?
o Is there a policy obligating members to avoid and disclose
ethical, legal, financial or other conflicts of interest
involving the agency, and to remove themselves from a
position of decision-making authority?
• Is the entity sufficiently resourced to undertake its functions
effectively, based on the following criteria?
o What sources of revenue does the authority rely on to
cover its costs? (Fees, public funds, penalties,
international aid, private investment, other)
o Please provide number and structure of entity staff
o Is there a formal methodology to collect business
requirements?
o Is there a methodology for project management?
o Do staff have current certification in their area of
expertise?
o Are there incentives to mitigate the risks of staff attrition?

2.4. Cybersecurity and Cybercrime

2.4.1 Cybersecurity and cybercrime law adoption

Questions Y/N Comments


Add Links / Attachments
• Is there a national cybercrime law?
• If Yes, what is the status?
o Enacted
o Draft
• Have relevant implementing regulations been passed?
• If no, do provisions criminalizing security breaches,
unauthorized access to and use of databases and information
systems exist in the country’s domestic law (e.g. penal code)?

2.4.2 Cybersecurity and cybercrime law robustness

Questions Y/N Comments


Add Links / Attachments
Cybersecurity
• Do data processors/controllers have to comply with the
following security requirements for the automated processing
of personal data? Please check all that apply:
o Encryption of personal data
o Anonymization/pseudonymization of personal data

o Confidentiality of data and systems that use or generate
personal data
o Integrity of data and systems that use or generate personal
data
o Availability of data and systems that use or generate
personal data
o Ability to restore data and systems that use or generate
personal data after a physical or technical incident
o Ongoing tests, assessments and evaluation of security of
systems that use or generate personal data
o Other (please specify)
• Do data processors/controllers have to comply with the
following cybersecurity requirements?
o Adoption of an internal policy establishing procedures for
preventing and detecting violations
o Confidentiality of data and systems that use or generate
personal data
o Appointment of a personal data processing office/manager
o Performance of internal controls
o Assessment of the harm that might be caused by a data
breach
o Awareness program among employees
Cybercrime: criminalized activities
• Does the country have any laws or regulations that criminalize the
following activities? Please check all that are applicable:
• Criminalize unauthorized access to systems or other databases
holding personal data?
• Criminalize unauthorized interception of data from systems or
other databases holding personal data?
• Criminalize unauthorized damaging deletion, deterioration,
alteration or suppression of data collected or stored as part of
databases holding personal data?
• Criminalize unauthorized interference with databases holding
personal data?
• Criminalize the misuse of devices or data for the purpose of
committing any of the above criminal behavior?
• Criminalize unauthorized input, alteration, deletion or
interference with a computer system or platform to procure an
economic benefit which would apply to databases holding
personal data?
• Criminalize fraudulent use or alteration of data or interference
with a computer system to procure an economic benefit which
would apply to databases holding personal data?
• Were any of the below international/regional models or
guidelines used as the basis for developing the cybercrime
legislation? Please mark all as appropriate
o Council of Europe Convention on Cybercrime (Budapest
Convention) 2001
o ECOWAS Directive (01/08/11)

o Commonwealth Model Law on Computer and Computer
Related Crime
o AU Convention on Cybersecurity and Personal Data
Protection
o Other (please specify)

2.4.3 Effective enforcement of cybersecurity and cybercrime law

Questions Y/N Comments


Add Links / Attachments
• What laws, implementing regulations or policies provide
for the creation of a cyber-security strategy,
infrastructure and institutions to identify, investigate, and
address cyber-security threats as described in Pillar I?
• Do the law(s) provide for the creation of:
o A cyber-security plan to protect key national infrastructure
o A CERT that is capable and ready to prevent, respond and
recover from cyber incidents
• Is the entity sufficiently resourced to undertake its functions
effectively, based on the following criteria?
o What sources of revenue does the authority rely on to
cover its costs? (Fees, public funds, penalties,
international aid, private investment, other)
o Please provide number and structure of entity staff
o Is there a formal methodology to collect business
requirements?
o Is there a methodology for project management?
o Do staff have current certification in their area of
expertise?
o Are there incentives to mitigate the risks of staff attrition?

2.5. Consumer Protection

2.5.1 Consumer protection law adoption

Questions Y/N Comments


Add Links / Attachments
• Is there a general consumer protection law?
• If Yes, what is the status?
o Enacted
o Draft
• If No, are there sector-specific consumer protection
laws/regulations? Please specify
• Have relevant implementing regulations been passed?

2.5.2 Consumer protection law robustness

Questions Y/N Comments


Add Links / Attachments
• Were any of the below international/regional models or
guidelines used as the basis for developing the consumer
protection legislation? Please mark all as appropriate
o OECD Guidelines for consumer protection in the context
of electronic commerce (1999)
o UN Guidelines on consumer protection
o Other
• Are consumers participating in e-commerce afforded
equivalent protection to those provided for in other forms of
commerce?
• Does the law prohibit businesses from making representations,
omissions or engaging in deceptive, misleading, fraudulent or
unfair practices?
• Are unfair contract terms prohibited?
• Are remedies for consumer's breach of contract proportionate
to the damage caused?
• Does the law provide that consumers can readily access and
monitor their personal data to ensure its accuracy?
• Does the law stipulate that consumers should be informed of
all commercial uses of their personal data, including by any
third parties their data has been shared with?
• If YES, does this provision apply to all forms of data,
including anonymized data?
• Does the law oblige commercial data processors to comply
with online information disclosure rules?
• If YES, what is the basis for these rules?
o Law/regulation
o Industry specific best practice
o Discretionary initiative
• What information are commercial data processors legally
mandated to disclose to consumers prior to online purchases?
o Legal and trading name
o Principal address
o Email
o Telephone number
o Domain name registration
o Relevant government registration or license information
• Does the law mandate that the business provide consumers
with clear information about the following?
o The initial price and variable/optional charges during the
transaction
o T&Cs and methods of payment including contract
duration, recurrent charges, and ways to opt out
o Terms of delivery or performance
o Conditions related to withdrawal, termination or
cancellation, exchanges, refunds, warranties

o Privacy policy
o Dispute resolution and redress options
• Does the law mandate that businesses provide enough
information to enable consumers to make informed decisions
regarding transactions?
o Functionality and interoperability features
o Technical or contractual requirements
o Age restrictions
• Does the e-payment system include limitations on consumer
liability for unauthorized or fraudulent charges?
• Does the law provide consumers with access to fair, easy-to
use, transparent and effective dispute resolution mechanisms?
• If YES, do these protections apply to resolve domestic and
cross-border disputes?

2.5.3 Effective enforcement of consumer protection law

Questions Y/N Comments


Add Links / Attachments
• Do the law/implementing regulations provide for the creation
of a consumer protection enforcement authority?
• Can the institution be considered effectively independent,
based on the following criteria?
o Legal independence: Is the institution a separate legal
entity?
o Functional independence: does the entity report to a
political overseer who can effectively reverse decisions?
o Physical independence: Does the entity sit within the
ministry, department or agency that oversees it?
o Financial independence: Does the entity set its own
budget?
• Can the institution be considered effectively accountable and
transparent, based on the following criteria?
o Are appointment criteria objective and transparent?
o Are removal criteria objective and transparent?
o Is there a policy obligating members to avoid and
disclose ethical, legal, financial or other conflicts of
interest involving the agency, and to remove themselves
from a position of decision-making authority?
• Is the entity sufficiently resourced to undertake its functions
effectively, based on the following criteria?
o What sources of revenue does the authority rely on to
cover its costs? (Fees, public funds, penalties,
international aid, private investment, other)
o Please provide number and structure of entity staff
o Is there a formal methodology to collect business
requirements?
o Is there a methodology for project management?

o Do staff have current certification in their area of
expertise?
o Are there incentives to mitigate the risks of staff attrition?

2.6. Cross-Border Data Transfers

Questions Y/N Comments


Add Links / Attachments
• Do any laws, regulations or policies require non-personal
data to be stored, processed, managed and analyzed
within the country? (data localization)
• What are the conditions or restrictions on data processing
abroad (non-personal)?
• Do any laws, regulations or policies require personal data to
be stored within the country?
• Do any laws, regulations or policies restrict the transfer of
personal data outside the country?
If yes, does such law require that controllers file a security
assessment with the authority prior to transferring personal data
abroad?
• Under what conditions can local personal data be transferred
to non-domestic third parties?
o Adequacy approach (where the country in which a non-
domestic third party is based has an “adequate level of
protection”, “an equivalent protection”, “a sufficient level
of protection”, or any provision entailing an adequacy
approach)
o Accountability approach (where the original data
controller remains accountable for compliance with the
original privacy framework that applied when and where
the data was collected.)
• Does the country have arrangements with foreign countries or
multinational entities or schemes, including decisions of
domestic and foreign bodies or agencies, to require, permit or
limit transfers of personal data between countries? Please
check all that apply:
o Adequacy decisions/whitelists
o Binding corporate rules
o Mutual recognition arrangements
o Required information sharing through the Advance
Passenger Information System
o Treaties
o Self-certification/self-assessment under a specific
agreement
o Standard contractual clauses

Please specify the relevant legal basis

• If the regime requires an “adequacy” or similar mechanism,
what circumstances constitute an “adequate level of
protection” when transferring personal data internationally?
Please check all that apply:
o The nature of the personal data
o The country of origin of the information contained in the
data
o The country of destination
o The purposes for which and period during which the
data are intended to be processed
o The domestic law in force in the host country
(general application and sectoral, including defense
and access of public authorities to personal data)
o The existence and effective functioning of one or more
independent supervisory authorities in the third country to
enforce compliance
o Presence of effective rule of law and judicial redress for
data subjects (individuals)
o The international treaties the host country is a party
to
o Relevant codes of conduct or other rules enforceable
in the host country (SCCs; BCRs)
o Other (please specify)
• Is there a regional "One Stop Shop" Agency (e.g. European
Data Protection Bureau equivalent in the case of personal data
protection) to harmonize processing of decisions and
regulatory enforcement?

Pillar 3 – Outcomes

VALUE THROUGH DATA: OUTCOME

3.2. Data-Driven Government Services

3.2.1. E-Gov Services

Questions Y/N Comments


Add Links / Attachments
• Does the government offer its services to Citizens and
Businesses digitally?
• If Yes, what specific data-enabled government services
(services catalogue) are currently being offered by the
government digitally?
o Government (G2G)
o Citizens (G2C)
o Businesses (G2B)
• Are these e-services delivered through multiple channels (i.e.,
Web, Mobile, Chatbots, etc.)?
• Are these e-services user-centered and inclusive by design,
such that they are used regularly? Please specify the
level of usage.

3.2.2. Big Data Analytics

Questions Y/N Comments


Add Links / Attachments
• Does the government have an adopted framework to use Big
Data?
• Does the government use digital analytics to regularly analyze
Big Data for development purposes?
• If Yes, to which use purposes: policymaking, governance,
and/or private sector? Please specify.
• Does the government have a national strategy for artificial
intelligence (AI)?
• If Yes, in which areas is AI used: operations (e.g., fraud
detection; tax); services delivery; productivity augmentation;
predictions; judicial/crime issues; health?
• If No, is there an intention to prepare a national AI strategy?
o What is the biggest obstacle to the creation of this
strategy?

3.3. Data-Driven Business Services

3.3.1. Business e-Services

Questions Y/N Comments


Add Links / Attachments
• Does the private sector offer its services or products to
Citizens, Businesses and Government digitally?
• If Yes, what specific data-enabled services are currently being
offered by the private sector digitally?
o Government (B2G)
o Citizens (B2C)
o Businesses (B2B)
• Please specify the size / number of e-transactions related to
B2G; B2C; and B2B

3.3.2. Private Digital Platforms

Questions Y/N Comments


Add Links / Attachments
• Are there any private digital platforms used in the country?
• If Yes, how many platforms are currently in operation in the
country?
o local vs. foreign-owned platforms?
o Breakdown by sector (transportation; tourism; e-
commerce; entertainment)
• Does the platform ecosystem in the country have an overall
impact or effect in terms of creation of new market
activities? The emphasis is on the extent to which
companies can benefit from the data they acquire based on
data regulations.
• If Yes, are the main private digital platforms monetizing
platform data by sharing, selling and/or using it for other
platform operations?
• If No, are there any policy and/or regulatory obstacles to the
launch and operation of private platforms?

3.4. Data-Driven Industry


3.4.1. Start-Up Ecosystem

Questions Y/N Comments


Add Links / Attachments

• Does the policy and regulatory framework in the country
support the creation / existence of a single data-driven digital
market?
• If Yes, are there facilities (i.e., incubators, labs, tech parks,
sandboxes) to enhance the start-up ecosystem? What kind of
data-driven services or products do they provide?
• Specifically, what technology corporate accelerators (e.g.,
by AWS, Google, Microsoft, etc.) are established to support
data-driven startups in country? What services are provided
(e.g., accessing cloud infrastructure)?
• If No, are there any plans to strengthen a data-driven digital
market?
• Are there female entrepreneurs in the country?
• If Yes, what is the extent of female participation in the founder
team and contractor team of data-driven start-up businesses in
the country?
• What is the top source(s) of funding for startups (e.g.
government grants, venture capital, angel investment,
strategic investors)?
• How many startups were contracted directly for digital
government contracts in the last year?
• Does the government crowdsource solutions from
startups (e.g., via open source platforms like GitHub or
others like InnoCentive4)?

3.4.2. Priority Sectors**

Questions Y/N Comments


Add Links / Attachments
• Are there priority sectors in which data-driven digital
transformation had significant impact in terms of usage and
market size?
• If Yes, what are the top three of these sectors?
• Are there key enabling policies, regulations and/or practices
that accelerated the transformation of these sectors? (e.g., e-
Identity credentials; access to Data Vaults; …etc.)
• If No, what policy and/or regulatory obstacles have
hindered such transformation? (e.g., lack of e-documentation,
e-payments, e-signature, cross-border consumer protection,
intellectual property protection, cybersecurity, etc.)

** Specific sectors can include: Digital Financial Services; e-Commerce; e-Health; etc.

4 InnoCentive is an open platform for crowdsourcing data-driven solutions. https://www.innocentive.com/
