Professional Documents
Culture Documents
World Bank Global Data Regulation Survey
World Bank Global Data Regulation Survey
We would like to invite you to participate in the data collection effort of the World Bank’s Digital Development Practice. Inspired
by the World Development Report 2021: Data for Better Lives, the Global Data Regulation Diagnostic seeks to develop a set
of indicators to measure the enabling environment for the data-driven economy in more than 150 countries, with a particular
focus on the regulatory framework and practices for regulating the way in which data is collected, processed and used by
different stakeholders. The data will be made publicly available and will enable users to gain an understanding of current
practices across the globe and compare different approaches across income groups as well as to identify regional trends. This
exercise is closely related to the Global Data Regulation Survey that was developed as part of the World Development Report
2021, enabling comparisons across time.
The purpose of the questionnaire below is to collect data on the existence and implementation of the enabling legal and
regulatory framework that underpins the data economy. The survey includes questions about the existence and robustness of
laws “on the books” (de jure questions), as well as questions about how these laws and regulations are implemented and
enforced in practice, to determine whether they produce their intended impact or a different one. As such, the questionnaire
includes de facto questions on regulatory practices and the effectiveness of institutions and enforcement mechanisms. The de
facto questions also seek to measure the extent to which the data regulation ecosystem integrates different stakeholders to
shape and enforce data laws and regulations.
Recognizing that data regulation is a (fast) evolving area of law and governance, with countries at different stages of maturity
in the elaboration and implementation of regulatory frameworks and practices, and acknowledging that certain areas of law still
lacking in consensus around what constitutes “good practice”, the Global Data Regulation Diagnostic seeks to address these
challenges in the way it measures and develops its indicators. Some of the questions below are designed to reflect
international good practice, whereas others are designed to collect baseline data on emerging data regulation practices across
the globe to enable the identification of new approaches and emerging trends across regions or income groups.
We ask that you kindly complete as much of the questionnaire as possible, based on your knowledge and area(s) of expertise.
If you are unable to answer a particular (set of) question(s) but know of an individual or entity that might have access to that
information, we kindly ask that you provide us with the name and contact information (phone or e-mail) of that person or
agency. Please make sure to complete the section on the contributor’s information so that we can acknowledge your
participation based on your publication preferences.
All your responses are held in strict confidentiality. The final report is based on an analysis of all received responses
to the questionnaire.
Ensure that answers provided are accurate as of June 30, 2022. If you are aware of any upcoming changes to laws
or regulations (or, where applicable, policies) from now until December 31, 2022, please include this information in
your response.
When providing the legal basis of an answer, please include the complete reference (article or section, law or
regulation and year).
Please provide a copy of the relevant laws, regulations and fee schedules, or a link to the appropriate website(s).
If you have any questions or need assistance with the questionnaire, please do not hesitate to contact us using the details
provided below. We would be happy to schedule a phone call at your convenience. We thank you in advance for your valuable
contribution to the work of the World Bank Group.
We reiterate our sincere appreciation for your participation and invite you to contact us regarding any questions or comments
you may have.
We kindly request that, if possible, you complete and submit the survey by August 31, 2022.
Sincerely,
Rong Chen David Satola Adele Moukheibir Barzelay Data collection team
Project Coordinator Lead Counsel Counsel Data survey team
Email: Email: Email: Email:
rchen5@worldbank.org dsatola@worldbank.org abarzelay@worldbank.org datasurvey@worldbank.org
Primary Contributor Information: Please check the box next to information you do not want us to publish:
1
Name
Title (Mr., Ms., Dr.) [Dr.]
Do not publish First Name [Zandile]
Last Name [Ndebele]
Position [Associate]
(e.g. manager, associate, partner)
Never Published
Profession [Lawyer]
(e.g. judge, lawyer, architect)
Contact details
Firm name [Gill, Godlonton and Gerrans]
Do not publish
Website [ ]
Never Published E-mail address [ ]
Never Published Phone [ ]
Fax [ ]
Never Published
Mobile phone [ ]
Never Published Firm Address
Street [ ] P.O. Box [ ]
City [ ] State/ [ ]
Province
Zip/Postal code [ ] Country [ ]
Additional Contributor(s): If there are more people whom you would like us to acknowledge, kindly send us an e-mail.
Name Occupation Email Phone Address
[title] [firm] [ ] [phone] [street]
[first name] [position] [mobile] [state/province]
[last name] [profession] [city/country]
[title] [firm] [ ] [phone] [street]
[first name] [position] [mobile] [state/province]
[last name] [profession] [city/country]
Referrals: Please help us expand our list of contributors by referring us to other experts in the private or public sector (lawyers,
public officials or any expert on this field) who can respond to the questionnaire.
First name Last name Position Firm Address Phone E-mail
[ ] [ ] [ ] [ ] [ ] [ ] [ ]
[ ] [ ] [ ] [ ] [ ] [ ] [ ]
2
Please indicate the jurisdiction/country you are commenting on: Choose an item. We invite you with gratitude to complete
more than one questionnaire if you have expertise in more than one jurisdiction/country.
Please provide answers based on national laws/regulations/policies unless indicated differently in the questions (specifying
sub-national or sectoral laws/regulations in the comments section). Please make sure to include the relevant applicable article
or section.
A. Safeguards: select mechanisms that can enable trust in the collection, processing and the (re)use of data
3. Does the law provide any exceptions to the Yes No (If No, please skip to section B)
above requirement? If yes, by:
Public sector entities/government
Small Medium Enterprises (SMEs)
Other (please specify):
If yes, please specify the relevant legal basis (law/regulation, article etc.):
4. If yes, are these exceptions subject to Yes, subject to a necessity and proportionality test
determination of whether they are legitimately Yes, subject to review by an independent body (e.g., a court)
applied? No
If yes, please explain and specify the relevant legal basis (law/regulation,
article etc.): Data Protection Act [Chapter 11:22] establishes a Data
Protection Authority which oversees enforces
1
Includes case of mixed data/re-use as part of algorithms or for purposes other than the original collection.
3
processed (or which has another similar
standard)?
7. Does the law identified in question 1 authorize, Yes No
restrict or otherwise address sharing with or If yes, does such law, regulation or policy require that the individual whose
transfer of personal data to third parties? data is being transferred be notified of or give consent to such
sharing/transfer?
Yes No
If yes, please specify the relevant legal basis (law/regulation, article etc.):
section 28 and 29 of the Data Protection Act
D. Individual rights
11. Do individuals have the right to withdraw his or Yes No
her consent at any time? If yes, please specify the relevant legal basis (law/regulation, article etc.):
Consent in writing is required from the data subject before genetic data,
biometric sensitive data and health data is processed. This consent can be
withdrawn by the data subject at any time and without any explanation and
free of charge.
If yes, please specify whether the right applies vis-à-vis any actor or whether
there are exceptions (e.g., the right does not exist or is circumscribed vis-à-
vis government authorities) the right applies vis-à-vis any actor
If yes, please specify whether the right applies vis-à-vis any actor or whether
there are exceptions (e.g., the right does not exist or is circumscribed vis-à-
vis government authorities) This right applies against any person who is the
5
data controller or data processor
If yes, what does the law or regulation require the disclosure of when a
decision based on automated processing/AI is challenged?
The algorithm only
The algorithm and the underlying data that was used to arrive at the
decision
Other (please specify):
21. Does the data protection law identified in Yes No (If No, please skip to section F)
question 1 or any other law provide for the If yes, please specify the relevant legal basis (law/regulation, article etc.):
creation of a data protection authority (DPA)? section 5 and 6 establishes a data protection authority
7
I. Cybersecurity
31. Is there a law or regulation setting out Yes No
cybersecurity requirements for public and
private sector entities?
32. Do data processors/controllers have to comply Yes No
with the following cybersecurity requirements? If yes, please mark below as appropriate below and specify the relevant legal
basis (law/regulation, article etc.)
Adoption of an internal policy establishing procedures for preventing and
detecting violations
Ensuring the confidentiality of data and systems that use or generate data
Appointment of a personal data processing office/manager
Performance of internal controls
Assessment of the harm that might be caused by a data breach
Awareness program among employees
Other (please specify):
J. Institutional enforcement
34. Does any law, regulation or policy provide for Yes No
the creation of a cyber-security strategy, If yes, please mark below as appropriate and specify the relevant legal basis
infrastructure and institutions to identify, (law/regulation, article etc.):
investigate, and address cyber-security threats? A cyber-security plan to protect key national infrastructure
A national CERT
Other (please specify):
8
Other (please specify):
No
E-Transactions
Electronic Communications and Authentication
M. Legal basis
42. Is there a law or regulation that explicitly governs Yes, a law of general application
electronic transactions? Yes, a sector specific law or regulation
Yes, a sub-national law or regulation
No
If yes, please specify the relevant legal basis (law/regulation, article etc.):
O. E-signatures
44. Does the law identified in question 42 recognize Yes No
electronic signatures as legal in your country? If yes, please mark below as appropriate which types of signatures are
recognized as legal and specify the relevant legal basis (law/regulation,
article etc.):
All legal signatures
Only digital signatures (e.g. PKI)
Other (please specify):
P. Technological neutrality
49. Does the law or regulations prescribe a specific Yes No
form or condition for any of the following: If yes, please mark below as appropriate and specify the relevant legal
basis (law/regulation, article etc.):
Electronic communications/ messages
Electronic contracts
Electronic signatures
Other (please specify):
10
If yes, does the policy or directive prescribe the categories by which data is
to be classified (e.g., public, restricted, strictly confidential)?
Yes No
If yes, please specify the relevant categories:
T. Access to Information
57. Is there a law or regulation that grants individuals Yes No
the right to request access to government If yes, please specify the relevant legal basis (law/regulation, article etc.):
records or data (Access to Information/Right to
Information/Freedom of Information Laws)?
If yes, does this published data include statistics on how many requests the
government has accepted and rejected?
Yes No
If yes, please specify in what format this information is presented
U. Open data
61. Is there an Open Data Act or open data policy Yes, an Open Data Act
applicable across the entire public sector? Yes, an Open Data policy
No
If yes, please specify the relevant legal basis (law/regulation, article etc.):
11
62. Does the government publish datasets on a Yes No
publicly available data portal/platform? If yes, where?
National/centralized (one stop shop)
National portal linked to a ministry or a sector-specific portal
Sector portal (e.g. managed by the NSO)
Other (please specify):
64. What are the features of the government Please mark below as appropriate:
operated data sharing platform? Based on an open source
Based on a proprietary solution
All government agencies are connected to the platform
Accessible to/by private sector entities
Other (please specify):
65. For the data that the government has decided to Yes No
make open to the public, has the government If yes, does the Open License apply to all government data?
adopted an open licensing regime (such as a Yes No
Creative Common License by Attribution or
Open Database License) to enable unrestricted If no, please specify exemptions (e.g., derogations for historical data, etc.).
reuse of public sector data?
Are these exceptions codified in the licensing regime?
V. Data Interoperability
66. Is there a National Interoperability Framework for Yes No
the public sector? If yes, please specify the relevant legal basis /law/regulation, article etc.):
If yes, does the Interoperability Framework include mandatory provisions
for:
Legal interoperability
Semantic interoperability (semantic vocabularies and syntactic formats)
Technical interoperability (systems and protocols)
Organizational interoperability
Other (please specify):
12
68. Are there technical standards that certain types Yes No
of data (such as “high value datasets” or “public If yes, please mark below as appropriate and specify the relevant legal
good” datasets) are required to follow to promote basis (law/regulation, article etc.):
re-use? Available free of charge
In machine readable formats
Provided via APIs
Where relevant (as bulk download)
Other (please specify):
Z. Data intermediaries and enabling data governance arrangements for reuse and sharing
73. Do any data intermediaries5 operate in your Yes No
country? If yes, please mark below as appropriate and specify the names of the
intermediaries:
Data pools
Data collaboratives
Data cooperatives
Data brokers
Data trusts
Other (please specify):
4
Data partnerships are formal data sharing agreements that can be entered into between different types of stakeholders and for different
purposes. For example, data partnerships entered into on a Public-Private-Partnership basis between private sector entities and governments
can enable private sector data to be used by the public sector to improve policymaking (e.g., the use of traffic data). Data partnerships can be
designed for profit, or for “public good” or “social good” purposes, where businesses provide their data and digital tools at no cost to
governments, academia, and non-governmental organizations.
5
Data intermediaries are emerging institutional or governance structures that play an important role in the data ecosystem by helping to
“broker” (facilitate) data transactions from where it is produced to data users. Such intermediaries include data aggregators, data brokers,
rating services, pollsters, etc. whose role is to facilitate data and information sharing. Other types of intermediaries are “accountability-
oriented” that help individuals pool and enforce their legal rights by assigning them to trustees with explicit fiduciary duties or equivalent legal
responsibility. For more information, see section on “intermediation and collaboration” in WDR2021.
13
AA. Intellectual Property Rights (IPRs)
74. Is there a legal regime that protects intellectual Yes No
property rights (IPRs) for data-driven products If yes, please specify the legal basis (law/regulation, article etc.):
and services?
If yes, what does the law or regulation provide can be protected?
Databases of raw data (“sui generis” databases)
Creative expressions only (e.g., not the raw data but the data
visualizations or analysis that is derived from it)
APIs
Other (please specify):
80. If AI systems/ADMS are required to be published Information about the AI system/ ADMS
on a database/register prior to deployment, what Information about the sectors/markets/use cases in which the AI
information about the AI system/ADMs is system/ADMS is being deployed
included on the public database/register? Information about the source code
Sample training datasets for AI systems/ADMS trained on learning data
(e.g., ML-based)
Other (please specify):
6
Fair, reasonable and non-discriminatory licensing.
14
81. Have non-regulatory/voluntary mechanisms Yes No
been developed to help ensure AI If yes, please mark below as appropriate:
systems/ADMS used in the public and private Adoption of Principles (e.g., OECD AI Principles, G20 AI Principles, NIST
sector are designed in compliance with AI Risk Management Framework, etc.) Please specify:
“trustworthy”, “responsible” or “ethical” AI Adoption of a national AI strategy
principles and practices at the national or sub- Codes of practice/conduct
national level? Certification mechanisms
Industry standards
Guidelines produced by non-government entities (e.g., standard setting
organizations, civil society organizations, academia)
Other (please specify):
We sincerely appreciate your contribution to the Global Data Regulation Diagnostic project and the World Development
Report 2021 operationalization. Your contribution will be gratefully acknowledged upon your consent.
15