
Dear Contributor,

We would like to invite you to participate in the data collection effort of the World Bank’s Digital Development Practice. Inspired
by the World Development Report 2021: Data for Better Lives, the Global Data Regulation Diagnostic seeks to develop a set
of indicators to measure the enabling environment for the data-driven economy in more than 150 countries, with a particular
focus on the regulatory framework and practices for regulating the way in which data is collected, processed and used by
different stakeholders. The data will be made publicly available and will enable users to gain an understanding of current
practices across the globe and compare different approaches across income groups as well as to identify regional trends. This
exercise is closely related to the Global Data Regulation Survey that was developed as part of the World Development Report
2021, enabling comparisons across time.

The purpose of the questionnaire below is to collect data on the existence and implementation of the enabling legal and
regulatory framework that underpins the data economy. The survey includes questions about the existence and robustness of
laws “on the books” (de jure questions), as well as questions about how these laws and regulations are implemented and
enforced in practice, to determine whether they produce their intended impact or a different one. As such, the questionnaire
includes de facto questions on regulatory practices and the effectiveness of institutions and enforcement mechanisms. The de
facto questions also seek to measure the extent to which the data regulation ecosystem integrates different stakeholders to
shape and enforce data laws and regulations.

Recognizing that data regulation is a (fast) evolving area of law and governance, with countries at different stages of maturity
in the elaboration and implementation of regulatory frameworks and practices, and acknowledging that certain areas of law are still
lacking in consensus around what constitutes “good practice”, the Global Data Regulation Diagnostic seeks to address these
challenges in the way it measures and develops its indicators. Some of the questions below are designed to reflect
international good practice, whereas others are designed to collect baseline data on emerging data regulation practices across
the globe to enable the identification of new approaches and emerging trends across regions or income groups.

We ask that you kindly complete as much of the questionnaire as possible, based on your knowledge and area(s) of expertise.
If you are unable to answer a particular (set of) question(s) but know of an individual or entity that might have access to that
information, we kindly ask that you provide us with the name and contact information (phone or e-mail) of that person or
agency. Please make sure to complete the section on the contributor’s information so that we can acknowledge your
participation based on your publication preferences.

In responding to this questionnaire, please note the following:

• All your responses are held in strict confidentiality. The final report is based on an analysis of all received responses to the questionnaire.
• Ensure that answers provided are accurate as of June 30, 2022. If you are aware of any upcoming changes to laws or regulations (or, where applicable, policies) from now until December 31, 2022, please include this information in your response.
• When providing the legal basis of an answer, please include the complete reference (article or section, law or regulation and year).
• Please provide a copy of the relevant laws, regulations and fee schedules, or a link to the appropriate website(s).

If you have any questions or need assistance with the questionnaire, please do not hesitate to contact us using the details
provided below. We would be happy to schedule a phone call at your convenience. We thank you in advance for your valuable
contribution to the work of the World Bank Group.

We reiterate our sincere appreciation for your participation and invite you to contact us regarding any questions or comments
you may have.

We kindly request that, if possible, you complete and submit the survey by August 31, 2022.

Sincerely,

Rong Chen, Project Coordinator. Email: rchen5@worldbank.org
David Satola, Lead Counsel. Email: dsatola@worldbank.org
Adele Moukheibir Barzelay, Counsel. Email: abarzelay@worldbank.org
Data collection team, Data survey team. Email: datasurvey@worldbank.org

Primary Contributor Information: Please check the box next to information you do not want us to publish:
Name
Title (Mr., Ms., Dr.) [Dr.]
Do not publish First Name [Zandile]
Last Name [Ndebele]
Position [Associate]
(e.g. manager, associate, partner)
Never Published
Profession [Lawyer]
(e.g. judge, lawyer, architect)

Contact details
Firm name [Gill, Godlonton and Gerrans]
Do not publish
Website [     ]
Never Published E-mail address [     ]
Never Published Phone [     ]
Fax [     ]
Never Published
Mobile phone [     ]
Never Published Firm Address
Street [     ] P.O. Box [     ]
City [     ] State/ [     ]
Province
Zip/Postal code [     ] Country [     ]

Additional Contributor(s): If there are more people whom you would like us to acknowledge, kindly send us an e-mail.
Name Occupation Email Phone Address
[title] [firm] [     ] [phone] [street]
[first name] [position] [mobile] [state/province]
[last name] [profession] [city/country]
[title] [firm] [     ] [phone] [street]
[first name] [position] [mobile] [state/province]
[last name] [profession] [city/country]

Referrals: Please help us expand our list of contributors by referring us to other experts in the private or public sector (lawyers,
public officials or any expert on this field) who can respond to the questionnaire.
First name Last name Position Firm Address Phone E-mail
[      ] [      ] [      ] [      ] [      ] [      ] [      ]
[      ] [      ] [      ] [      ] [      ] [      ] [      ]

Please indicate the jurisdiction/country you are commenting on: Choose an item. We invite you with gratitude to complete
more than one questionnaire if you have expertise in more than one jurisdiction/country.

Please provide answers based on national laws/regulations/policies unless indicated differently in the questions (specifying
sub-national or sectoral laws/regulations in the comments section). Please make sure to include the relevant applicable article
or section.

A. Safeguards: select mechanisms that can enable trust in the collection, processing and the (re)use of data

Personal data protection


A. Legal framework for data protection
1. Is there any law (including data protection/privacy law) of general application explicitly governing the use, collection, and processing of personal data (including sensitive data)?
*If you answered “no” to this question, please skip to section F.
If you answered “yes” to this question, please answer all questions below until the end of Section D, based on the law identified here.
Yes, there is a data protection law of general application governing personal data and sensitive data; please specify Data Protection Act [Chapter 11:22].
No, there are only sector-specific personal data protection and/or privacy laws; please specify
No, there are privacy and/or data protection rights protected in the country's constitution
No, no laws exist but there have been significant court or administrative decisions that form the basis of or clarify privacy or data protection rights
If there is no law of general application, please skip to section D
2. If yes, does the law identified in question 1 require that the collection and processing of personal data be made for a stated lawful purpose (or adopts a similar standard)?
Yes No
If yes, please mark below as appropriate and specify the relevant legal basis (law/regulation, article etc.): law
collection undertaken with consent
due to contractual necessity
in compliance with legal obligation
for the protection of vital interests
the public interest and/or
other legitimate interest (or similar standards) [1] (please specify):

3. Does the law provide any exceptions to the above requirement?
Yes No (If No, please skip to section B)
If yes, by:
Public sector entities/government
Small Medium Enterprises (SMEs)
Other (please specify):
If yes, please specify the relevant legal basis (law/regulation, article etc.):
     

4. If yes, are these exceptions subject to determination of whether they are legitimately applied?
Yes, subject to a necessity and proportionality test
Yes, subject to review by an independent body (e.g., a court)
No
If yes, please explain and specify the relevant legal basis (law/regulation, article etc.): Data Protection Act [Chapter 11:22] establishes a Data Protection Authority which oversees enforces

B. Limits on processing and use of data


5. Does the law identified in question 1 require that the collection and processing of personal data is proportionate, relevant, adequate, limited to what is necessary (or similar standard)?
Yes No
If yes, please mark below as appropriate and specify the relevant legal basis (law/regulation, article etc.): Data Protection Act [Chapter 11:22]

6. Does the law identified in question 1 require that personal data not be kept longer than it is necessary for the purposes for which it is processed (or which has another similar standard)?
Yes No
If yes, please specify the relevant legal basis (law/regulation, article etc.): Section 13 of the Data Protection Act

[1] Includes case of mixed data/re-use as part of algorithms or for purposes other than the original collection.

7. Does the law identified in question 1 authorize, restrict or otherwise address sharing with or transfer of personal data to third parties?
Yes No
If yes, does such law, regulation or policy require that the individual whose data is being transferred be notified of or give consent to such sharing/transfer?
Yes No
If yes, please specify the relevant legal basis (law/regulation, article etc.): section 28 and 29 of the Data Protection Act

C. Obligations on those who control and/or process data


8. Where consent is a legal basis for data collection and processing (see question 2 above), are there conditions that must be met before consent can be relied on as a lawful basis for data collection and processing?
Yes No
If yes, please mark below as appropriate and specify the relevant legal basis (law/regulation, article etc.):
Consent must be freely given [2]
Consent must be informed [3]
Consent must be non-ambiguous
Consent must be specific
Other (please specify):

9. Does the law identified in question 1 above require additional protections for collection and processing of sensitive personal data (e.g., information relating to race, ethnicity, religion, political beliefs, sexual orientation, health, etc.)?
Yes No
If yes, please mark below as appropriate and specify the relevant legal basis (law/regulation, article etc.) and specify which types of data are considered “sensitive” according to the law:
If yes, is the following information considered “sensitive”?
Biometric information
Information relating to children
Other (please specify):

10. Does the law identified in question 1 above require those who collect or process data to incorporate technical and organizational privacy-by-design or privacy-by-default principles or use privacy-enhancing technologies (PETs) in the design and implementation of processing systems for safeguarding personal data?
Yes No
If yes, please specify the relevant legal basis (law/regulation, article etc.):

D. Individual rights
11. Do individuals have the right to withdraw his or her consent at any time?
Yes No
If yes, please specify the relevant legal basis (law/regulation, article etc.): Consent in writing is required from the data subject before genetic data, biometric sensitive data and health data is processed. This consent can be withdrawn by the data subject at any time and without any explanation and free of charge.
If yes, please specify whether the right applies vis-à-vis any actor or whether there are exceptions (e.g., the right does not exist or is circumscribed vis-à-vis government authorities) the right applies vis-à-vis any actor

12. Do individuals have the right to be notified in a timely manner, when the security of their data or their data rights have been breached during processing?
Yes No
If yes, please specify the relevant legal basis (law/regulation, article etc.):
If yes, within which time period? Please specify
If yes, please specify whether the right applies vis-à-vis any actor or whether there are exceptions (e.g., the right does not exist or is circumscribed vis-à-vis government authorities)

13. Do individuals have the right to access and review use of personal data about them held by those who collect and process their data?
Yes No
If yes, please mark below as appropriate and specify under which conditions and the relevant legal basis (law/regulation, article etc.):
Unconditional full data access (i.e., ability to see and download all data generated by the individual as well as any data inferred about them, without any limitations or conditions)
Unconditional access to limited categories of data (e.g. categories of personal data, information on the purposes of data processing, etc.)
Conditional limited data access
Other (please specify): In terms of section 14 of the Data Protection Act, the data subject has a right to access their personal information in custody of the data controller or data processor. The extent of the right to access is not specified in the Act.
If yes, please specify whether the right applies vis-à-vis any actor or whether there are exceptions (e.g., the right does not exist or is circumscribed vis-à-vis government authorities) The right applies against the data controller and data processor thus the right applies to any actor

[2] Consent cannot be considered as freely given if the data holder (subject) has no genuine or free choice or is unable to refuse or withdraw consent without detriment.
[3] Informed Consent requires, at a minimum, that the identity of the data controller/processor and the purpose of the processing for which the data are intended are known by the data holder (subject)

14. Do individuals have the right to challenge the accuracy of information, and have it rectified, completed, amended and/or deleted?
Yes No
If yes, please specify the relevant legal basis (law/regulation, article etc.) and the specific right mentioned in the law: The data subject has a right to object to the processing of all or part of their personal information, the right to the correction of false or misleading personal information and the right to the deletion of false or misleading data about them. This is in terms of section 14 of the Data Protection Act
If yes, please specify whether the right applies vis-à-vis any actor or whether there are exceptions (e.g., the right does not exist or is circumscribed vis-à-vis government authorities) this right applies to any person who is a data controller or data processor

15. Do individuals have the right to have personal data about them (including data trails) deleted?
Yes No
If yes, please mark below as appropriate and specify under which conditions and the relevant legal basis (law/regulation, article etc.):
All personal data, unconditionally
All personal data, under certain conditions
Depends on the type of data (please specify):
Other (please specify):
If yes, please specify whether the right applies vis-à-vis any actor or whether there are exceptions (e.g., the right does not exist or is circumscribed vis-à-vis government authorities) As stated above, the data subject has a right to the deletion of false or misleading data about them and this right applies against any data controller or data processor.

16. Do individuals have the right to request that their personal data be transferred to another service or product provider (direct data portability)?
Yes No
If yes, please specify the relevant legal basis (law/regulation, article etc.):
If yes, please specify whether the right applies vis-à-vis any actor or whether there are exceptions (e.g., the right does not exist or is limited vis-à-vis government authorities)

17. Do individuals have the right to request their data to be received in a structured, commonly used and machine-readable format?
Yes No
If yes, please specify the relevant legal basis (law/regulation, article etc.):
If yes, please specify whether the right applies vis-à-vis any actor or whether there are exceptions (e.g., the right does not exist or is circumscribed vis-à-vis government authorities)

18. Do individuals have a right to object to the use of personal data about them?
Yes No
If yes, please specify the relevant legal basis (law/regulation, article etc.): This is in terms of section 14 of the Data Protection Act
If yes, please specify whether the right applies vis-à-vis any actor or whether there are exceptions (e.g., the right does not exist or is circumscribed vis-à-vis government authorities) This right applies against any person who is the data controller or data processor

19. Do individuals have a right not to be subject to decision-making based solely on automated processing of personal data (i.e., without any human intervention)?
Yes No
If yes, please specify the relevant legal basis (law/regulation, article etc.):
If yes, please specify whether the right only applies to certain actor or sector:
If yes, what does the law or regulation require the disclosure of when a decision based on automated processing/AI is challenged?
The algorithm only
The algorithm and the underlying data that was used to arrive at the decision
Other (please specify):

E. Redress mechanisms (administrative bodies and courts) and institutional enforcement


20. Do individuals have a right to complain about a violation of their rights or obligations of those who control their data according to the data protection law identified in question 1?
Yes No
If yes, please specify the relevant legal basis (law/regulation, article etc.): section 6 of the Data Protection Act
If yes, are the collective data rights of indigenous communities recognized?
Yes No
If yes, please specify the relevant legal basis (law/regulation, article etc.):
If yes, can data protection complaints be brought:
Directly by individual complainants
On behalf of individual complainants by a representative organization
On behalf of a group of complainants (collective right of action or class action claim)
Other (please specify):

21. Does the data protection law identified in question 1 or any other law provide for the creation of a data protection authority (DPA)?
Yes No (If No, please skip to section F)
If yes, please specify the relevant legal basis (law/regulation, article etc.): section 5 and 6 establishes a data protection authority

22. Does the law identified in question 21 Yes No


require DPA’s mandate include the following If yes, please mark below as appropriate and specify the relevant legal basis
roles and responsibilities? (law/regulation, article etc.):      
Promote awareness of the risks, rules and safeguards of rights pertaining
to personal data
Provide guidance on the interpretation of the law or regulation
Encourage the creation of codes of conduct and review certifications
Enforce national data protection rights and obligations enshrined under
the law or regulation
Keep records of sanctions and enforcement actions
Regularly publish activity reports
Provide redress mechanism
Other (please specify):      

23. Is there a law or regulation obligating members Yes No


of the DPA to avoid and disclose ethical, legal, If yes, please specify the relevant legal basis (law/regulation, article etc.):
financial or other conflicts of interest involving      
the DPA, and removing themselves from a
position of decision-making authority if so?

24. Has the data protection authority (DPA) or Yes No


equivalent institution been created within the If no, please specify the length of time provided for by the data protection
time specified in the data protection law or law/regulation (if the DPA still has not been created, please write N/A):      
regulation?

25. Is the DPA in control over its own budget? Yes No


If yes, please specify the following criteria:
What is the annual budget of the DPA/enforcement entity?      
On what basis is funding allocated to the DPA/enforcement entity? E.g.,
based on demand (number of investigations conducted annually), or on
population:      

26. Does the DPA have dedicated permanent staff Yes No


to discharge its functions?
If yes:
What is the number of full-time staff hired to undertake investigations and
issue decisions?      
What is the proportion of staff holding degrees in:
Law:      
Technology/Engineering:      
Economics:      
27. Have any cases or investigations been brought, Yes No
and, if so, has the DPA issued any decisions in If yes, please specify the number of decision(s):      
the past year?
If yes:
What is the percentage of decisions issued relative to the number of
complaints brought?      
On average, what is the length of time the DPA takes to issue decisions?
     
Are these decisions published on the DPA’s website or another public facing
portal?
Yes No
If yes, please specify which portal if not the DPA website:      
Non-personal data safeguards
Intermediary liability and platform regulation
F. Net Neutrality
28. Is there a law or regulation that prohibits Yes No
network service providers from restricting data If yes, please specify the relevant legal basis (law/regulation, article etc.):
traffic on their network?      

Cybercrime and cybersecurity


G. Legal basis
29. Does any law or regulation prohibit security Yes No
breaches and/or prohibits unauthorized access If yes, please mark below as appropriate and specify the relevant legal basis
to and use of databases, information systems, (law, regulation, article, etc.):      
and the related hardware? National Cybercrime Law
Criminal/penal code
Sectoral regulations
Other (please specify):      

H. Cybercrime: criminalized activities


30. Does any law or regulation criminalize the Yes No
following activities? If yes, please mark below as appropriate and specify the relevant legal basis
(law/regulation, article etc.):      
Unauthorized access to systems or other databases holding personal data
Unauthorized interception of data from systems or other databases
holding personal data
Unauthorized damaging deletion, deterioration, alteration or suppression
of data collected or stored as part of databases holding personal data
Unauthorized interference with databases holding personal data
Misuse of devices or data for the purpose of committing any of the above
criminal behavior
Unauthorized input, alteration, deletion or interference with a computer
system or platform to procure an economic benefit which would apply to
databases holding personal data
Fraudulent use or alteration of data or interference with a computer
system to procure an economic benefit which would apply to databases
holding personal data
Other (please specify):      

I. Cybersecurity
31. Is there a law or regulation setting out Yes No
cybersecurity requirements for public and
private sector entities?
32. Do data processors/controllers have to comply Yes No
with the following cybersecurity requirements? If yes, please mark below as appropriate and specify the relevant legal
basis (law/regulation, article etc.)      
Adoption of an internal policy establishing procedures for preventing and
detecting violations
Ensuring the confidentiality of data and systems that use or generate data
Appointment of a personal data processing office/manager
Performance of internal controls
Assessment of the harm that might be caused by a data breach
Awareness program among employees
Other (please specify):      

33. Do organizations collecting or processing Yes No


personal data have to comply with the following If yes, please mark below as appropriate and specify the relevant legal
security requirements? basis (law/regulation, article etc.):      
Encryption of personal data
Anonymization/ pseudonymization of personal data
Implementation of standards or processes to ensure integrity of data and
systems that use or generate personal data
Ability to restore data and systems that use or generate personal data
after a physical or technical incident
Ongoing tests, assessments and evaluation of security of systems that
use or generate personal data
Other (please specify):      

J. Institutional enforcement
34. Does any law, regulation or policy provide for Yes No
the creation of a cyber-security strategy, If yes, please mark below as appropriate and specify the relevant legal basis
infrastructure and institutions to identify, (law/regulation, article etc.):      
investigate, and address cyber-security threats? A cyber-security plan to protect key national infrastructure
A national CERT
Other (please specify):      

35. Is the national CERT/CSIRT institutionalized Yes No


(formally set up, mandated, staffed and
resourced) and operational?
36. Is there a network of local/sectoral CERTs / Yes No
cybersecurity focal points across public sector
entities that monitor and report threats to the
national CERT/CSIRT?
Cross-border data flows
K. Legal basis and limits on cross-border data transfers
37. Do any laws, regulations or policies place Yes No
conditions on, or otherwise restrict, the transfer If yes, please mark below as appropriate and specify the relevant legal basis
of data outside the country? (law/regulation, article etc.):      
Yes, A copy of the data must be kept within the country’s borders but can
be processed abroad
A copy of the data must be kept within the country’s borders but can be
processed abroad
The data must be stored, processed and retrieved from data centers
located within the country’s borders (local storage and processing)
The data cannot be transferred outside the country for any purpose. (if
checking this answer, please indicate if exceptions are provided for transfers
between members of the same corporate group).
For restrictions on transferring personal data, the data can be transferred
to and processed in third countries that meet “equivalent” or “adequate” data
protection standards
An approval from relevant public authority must be obtained before the
transfer

Other (please specify):      
No

If yes, to which kinds of data do these restrictions apply?


Non-personal data
Personal data
All personal and non-personal data
Specific categories of personal data (e.g., health records)
All government data
Specific categories of data (e.g., geospatial and map data, data from
payment systems, “critical data” for national security, “important data” in
relation to economic or social development, etc.) – please specify      
Other (please specify):      

L. Questions specific to cross-border transfers of personal data


38. Does the country have arrangements with Yes No
foreign countries or multinational entities, or are If yes, please check all that apply and specify the relevant legal basis
there decisions of domestic and foreign bodies (law/regulation, article, etc.):      
or agencies, to require, permit or limit transfers Adequacy decisions/ whitelists
of personal data across borders? Binding corporate rules
Mutual recognition arrangements
Required information sharing through the Advance Passenger Information
System
Treaties
Self-certification/self-assessment under a specific agreement
standard contractual clauses
Other (please specify):      

39. If determination of adequacy is one of the Please specify      


conditions for permitting transfers of personal
data across borders, how many adequacy
decisions have been approved?
40. Has the DPA published any Binding Corporate Yes No
Rules (BCRs) or model data transfer Please specify type of agreement:      
agreements to help facilitate compliance for
cross-border data transfers?
41. Is your country a member of any regional Yes No
enforcement or coordination bodies that support If yes, please specify which entity:      
regulatory interoperability for data regulation
(e.g., ECOWAS, APEC CPBR, etc.)?

B. Enablers: Enabling data transactions/flows and the (re)use of data


The following section focuses on legal frameworks and practices related to e-commerce/e-transactions and mechanisms that can
facilitate the use, reuse and sharing of public and private sector data between different stakeholders.

E-Transactions
Electronic Communications and Authentication
M. Legal basis
42. Is there a law or regulation that explicitly governs Yes, a law of general application
electronic transactions? Yes, a sector specific law or regulation
Yes, a sub-national law or regulation
No
If yes, please specify the relevant legal basis (law/regulation, article etc.):
     

N. Legal/functional equivalence between paper-based and electronic transactions


43. Does the law referred to in question 42 include Yes No
provisions that grant legal (functional) If yes, please mark below as appropriate and specify the relevant legal
equivalence between paper-based and basis (law/regulation, article etc.):      
electronic communications, contracts, signatures Electronic communications/ messages
and records? Electronic contracts
Electronic signatures
E-evidence
E-seal
Other (please specify):      

O. E-signatures
44. Does the law identified in question 42 recognize Yes No
electronic signatures as legal in your country? If yes, please mark below as appropriate which types of signatures are
recognized as legal and specify the relevant legal basis (law/regulation,
article etc.):      
All legal signatures
Only digital signatures (e.g. PKI)
Other (please specify):      

45. Are there any documents that cannot be legally Yes No


accepted in electronic format and cannot be If yes, please mark below as appropriate and specify the relevant legal
signed electronically? basis (law/regulation, article etc.):      
Property deeds and other contracts for the lease or sale of immoveable
property
Wills or codicils
Documents pertaining to family law
Other (please specify):      
46. Are there entities authorized to issue digital Yes No
certificates? If yes, please mark below as appropriate and specify the relevant legal
basis (law/regulation, article etc.):      
Only public entities, please specify name      
Both Public and private entities
Other (please specify):      

47. Have any licenses been issued for private Yes No


Certification Authorities (CAs)? If yes, please provide examples of private certification authorities:

48. Have any certificates been issued for digital Yes No


signatures (PKI)? If yes, please specify the relevant legal basis (law/regulation, article etc.):
     

P. Technological neutrality
49. Does the law or regulations prescribe a specific Yes No
form or condition for any of the following: If yes, please mark below as appropriate and specify the relevant legal
basis (law/regulation, article etc.):      
Electronic communications/ messages
Electronic contracts
Electronic signatures
Other (please specify):      

Q. Digital authentication and verification


50. Is there a law or regulation that governs the creation and management of a government-recognized foundational digital ID system (ID enabling law)?
Yes No
If yes, please specify the legal basis (law/regulation, article etc.)
If yes, is this credential:
Issued as a permanent identity number (unique identifier)
Randomly structured (or are there numbers or letters that could identify the individual’s legal status)
Used across multiple government databases to link records to an individual
Other (please specify):

51. Is there a data sharing protocol for the ID system that sets out standards to manage data sharing with third parties?
Yes No
If yes, please specify:
Public sector data
R. Data classification and public sector data reuse
52. Is there a national data classification policy or directive issued by the government?
Yes No
If yes, please specify the relevant legal basis and include relevant web site/URL (law/regulation, article etc.):
If yes, does the policy or directive prescribe the categories by which data is to be classified (e.g., public, restricted, strictly confidential)?
Yes No
If yes, please specify the relevant categories:

53. Is it mandatory to use the common data classification categories across all government database applications or document management systems?
Yes No
If yes, please specify the relevant legal basis (law/regulation, article etc.):
S. Public sector data reuse
54. Is there a law/regulation that governs the (re)use of public sector data?
Yes No
If yes, please specify the relevant legal basis (law/regulation, article etc.):

55. Does this law or regulation require the private sector to share data with the public sector when the data has been collected or generated using public sector funding?
Yes No
If yes, please specify the relevant legal basis (law/regulation, article etc.):
56. Are there specified arrangements for administrative data sharing within the public sector (between NSO/institutions in the National Statistical System and other ministries)?
Yes No
If yes, please mark below as appropriate and specify the type of sharing agreement:
In the statistics law (or other law – please specify)
Through technical committees
Through data sharing agreements (e.g., Memoranda of Understanding) for partnerships with other data providers (public and private sector, between NSO and other ministries, departments, or agencies)
Other (please specify):

T. Access to Information
57. Is there a law or regulation that grants individuals the right to request access to government records or data (Access to Information/Right to Information/Freedom of Information Laws)?
Yes No
If yes, please specify the relevant legal basis (law/regulation, article etc.):

58. Does the law provide for limitations or exceptions to this right of requesting access to government records or data?
Yes No
If yes, please specify the relevant legal basis (law/regulation, article etc.) including list of exceptions (if applicable):

59. Does the law provide for the creation of a centralized body to process Access to Information (ATI) requests?
Yes No
If yes, please specify the relevant legal basis (law/regulation, article etc.):
If no, please explain how ATI requests received are responded to (e.g., by individual ministries, departments, and agencies, following a decentralized model)

60. Is the number of requests received published and publicly available on a citizen-facing government website?
Yes No
If yes, please provide the name or link, and the date it became operational

If yes, does this published data include statistics on how many requests the government has accepted and rejected?
Yes No
If yes, please specify in what format this information is presented

U. Open data
61. Is there an Open Data Act or open data policy applicable across the entire public sector?
Yes, an Open Data Act
Yes, an Open Data policy
No
If yes, please specify the relevant legal basis (law/regulation, article etc.):

62. Does the government publish datasets on a publicly available data portal/platform?
Yes No
If yes, where?
National/centralized (one stop shop)
National portal linked to a ministry or a sector-specific portal
Sector portal (e.g. managed by the NSO)
Other (please specify):

63. If yes, are the data published on the platform in an open and reusable format?
Yes No
If yes, are the data published:
Regularly maintained and updated? How frequently?
In a disaggregated format?
With accompanying metadata
With appropriate non-revocable open data license
In a standard, machine readable format (e.g. .csv)?
Available for bulk download?
Available for download via APIs?
Other (please specify):       

64. What are the features of the government operated data sharing platform?
Please mark below as appropriate:
Based on an open source
Based on a proprietary solution
All government agencies are connected to the platform
Accessible to/by private sector entities
Other (please specify):

65. For the data that the government has decided to make open to the public, has the government adopted an open licensing regime (such as a Creative Commons License by Attribution or Open Database License) to enable unrestricted reuse of public sector data?
Yes No
If yes, does the Open License apply to all government data?
Yes No
If no, please specify exemptions (e.g., derogations for historical data, etc.).
Are these exceptions codified in the licensing regime?

If No, has the government adopted a differentiated access-to-data approach (e.g., offering free access to not-for-profit entities but a fee-based access to commercial actors, restricting re-use of data in certain cases, etc.)?
Yes No
If Yes, please specify the different conditions

V. Data Interoperability
66. Is there a National Interoperability Framework for the public sector?
Yes No
If yes, please specify the relevant legal basis (law/regulation, article etc.):
If yes, does the Interoperability Framework include mandatory provisions for:
Legal interoperability
Semantic interoperability (semantic vocabularies and syntactic formats)
Technical interoperability (systems and protocols)
Organizational interoperability
Other (please specify):

67. Are governmental/official entities mandated to use common technical standards (e.g. “FAIR” - Findable, Accessible, Interoperable, Re-usable) that enable interoperability of systems, registries, data bases?
Yes No
If yes, please mark below as appropriate and specify the relevant legal basis (law/regulation, article etc.):
Established standards for open APIs for G2G/G2B/G2C services
Mandated “ask once” principle
Standardized communications protocol for accessing metadata
Semantic catalogues for data and metadata
Other (please specify):

68. Are there technical standards that certain types of data (such as “high value datasets” or “public good” datasets) are required to follow to promote re-use?
Yes No
If yes, please mark below as appropriate and specify the relevant legal basis (law/regulation, article etc.):
Available free of charge
In machine readable formats
Provided via APIs
Where relevant (as bulk download)
Other (please specify):

Private sector data


Data Portability of non-personal data
W. Legal basis for data portability
69. Does any law or regulation mandate the portability of non-personal data?
Yes No
If yes, please specify the relevant legal basis (law/regulation, article etc.):

X. Effectiveness of implementation of data portability requirements


70. Does the law or regulation identified in question 69 also require entities (service providers) to adopt common technical standards to ensure that data being transferred or ported is interoperable?
Yes No
If yes, what do these standards regulate?
Standardized data formats
API specifications (to enable direct and instantaneous portability)
Cybersecurity requirements
Use of open standards
Frequency with which data can be requested, please specify:
How quickly it must be provided by the authorized entity, please specify:
Other (please specify):

Y. Data partnerships and data sharing agreements


71. Have regulatory or public sector entities developed model data sharing agreements or standard contractual terms to facilitate B2B or B2G data sharing?
Yes No
72. Have any data partnerships[4] been agreed in the last 12 months?
Yes No
If yes, between whom?
Public sector entities and State-owned Enterprises
Public and private sector entities (PPP basis)
Large private sector data producers
Large and small and medium enterprises (SMEs)
Other (please specify):
If yes, please specify the names of partners to known data partnerships:

Z. Data intermediaries and enabling data governance arrangements for reuse and sharing
73. Do any data intermediaries[5] operate in your country?
Yes No
If yes, please mark below as appropriate and specify the names of the intermediaries:
Data pools
Data collaboratives
Data cooperatives
Data brokers
Data trusts
Other (please specify):

[4] Data partnerships are formal data sharing agreements that can be entered into between different types of stakeholders and for different purposes. For example, data partnerships entered into on a Public-Private-Partnership basis between private sector entities and governments can enable private sector data to be used by the public sector to improve policymaking (e.g., the use of traffic data). Data partnerships can be designed for profit, or for “public good” or “social good” purposes, where businesses provide their data and digital tools at no cost to governments, academia, and non-governmental organizations.
[5] Data intermediaries are emerging institutional or governance structures that play an important role in the data ecosystem by helping to “broker” (facilitate) data transactions from where it is produced to data users. Such intermediaries include data aggregators, data brokers, rating services, pollsters, etc. whose role is to facilitate data and information sharing. Other types of intermediaries are “accountability-oriented” that help individuals pool and enforce their legal rights by assigning them to trustees with explicit fiduciary duties or equivalent legal responsibility. For more information, see section on “intermediation and collaboration” in WDR2021.
AA. Intellectual Property Rights (IPRs)
74. Is there a legal regime that protects intellectual property rights (IPRs) for data-driven products and services?
Yes No
If yes, please specify the legal basis (law/regulation, article etc.):
If yes, what does the law or regulation provide can be protected?
Databases of raw data (“sui generis” databases)
Creative expressions only (e.g., not the raw data but the data visualizations or analysis that is derived from it)
APIs
Other (please specify):

75. Is there a law or regulation that gives government or industry bodies (e.g., national Standard Setting Organizations, or SSOs) the power to compel IPR holders to provide access to “essential” data or applications on FRAND[6] [or similar standard] terms (e.g., data essential to competition)?
Yes No
If yes, please specify sector and type of data:
If yes, does any law or regulation require this data to be shared in a standard, machine-readable format?
Yes No
BB. Promoting data sharing through competition in data markets
76. Have antitrust authorities initiated investigations relating to data access, e.g., under abuse of dominance infringements or market inquiries?
Yes No
If yes, please indicate in which sectors and specify the relevant legal basis (law/regulation, article etc.):

77. Has the competition authority issued any decisions on anticompetitive practices or mergers involving data control (e.g., including remedies related to data access)?
Yes No
If yes, please indicate the parties, market, and status of the investigation(s)/decision(s):

C. Technology – Specific questions

Artificial Intelligence/Automated decision-making


CC. Legal basis for AI regulation
78. Is there a law or regulation of general application for the development and use of Artificial Intelligence (AI) or Automated Decision-Making Systems (ADMS)?
Yes No
If yes, specify how “AI” and/or “ADMS” are defined.
If no, does another legal framework apply to regulate AI?
Yes No
If yes, specify which law/regulation (e.g., data protection) and provision(s)

79. Does the law or regulation identified in question 78 prohibit certain uses of AI systems/ADMS?
Yes No
If yes, are any of the following prohibited?
Biometric surveillance and categorization of individuals
Social scoring
Emotion recognition
Unrestricted uses for law enforcement (policing, migration, asylum, and border management)
Other (please specify):

80. If AI systems/ADMS are required to be published on a database/register prior to deployment, what information about the AI system/ADMS is included on the public database/register?
Information about the AI system/ADMS
Information about the sectors/markets/use cases in which the AI system/ADMS is being deployed
Information about the source code
Sample training datasets for AI systems/ADMS trained on learning data (e.g., ML-based)
Other (please specify):

DD. Enforcement mechanisms

[6] Fair, reasonable and non-discriminatory licensing.
81. Have non-regulatory/voluntary mechanisms been developed to help ensure AI systems/ADMS used in the public and private sector are designed in compliance with “trustworthy”, “responsible” or “ethical” AI principles and practices at the national or sub-national level?
Yes No
If yes, please mark below as appropriate:
Adoption of Principles (e.g., OECD AI Principles, G20 AI Principles, NIST AI Risk Management Framework, etc.) Please specify:
Adoption of a national AI strategy
Codes of practice/conduct
Certification mechanisms
Industry standards
Guidelines produced by non-government entities (e.g., standard setting organizations, civil society organizations, academia)
Other (please specify):

82. Have regulatory sandboxes (or other agile regulatory instruments – please specify) been established to create controlled testing environments for new AI systems/ADMS?
Yes No
If yes, please specify which entity manages the sandbox (or agile regulatory instrument)
If yes, are regulatory sandboxes required to provide publicly available information regarding:
Requests to make use of the sandbox
Accepted and rejected applications
Projects currently in development in the sandbox
Follow-up information on impact of the project
Other (please specify):

Thank you very much for completing the questionnaire!

We sincerely appreciate your contribution to the Global Data Regulation Diagnostic project and the World Development
Report 2021 operationalization. Your contribution will be gratefully acknowledged upon your consent.
