Sri Lanka building data minimization into digital ID to protect privacy

Purpose limitation and data minimization will be key safeguards for data protection in Sri Lanka as the island nation rolls out its first digital ID later this year. Officials highlight that these principles dictate that only the data essential for specific services and lawful identity functions should be collected and used.
Controlled access and the principle of least privilege are implemented in the national digital ID (SL-UDI) through role-based access controls, separation of duties, and strong administrative measures to ensure that only authorized personnel can access sensitive information, Deputy Minister of Digital Economy Eranga Weeraratne told Biometric Update.
“Encryption and secure key management are vital, necessitating data to be encrypted both in transit and at rest, besides secure storage and strict life cycle control. Auditability and traceability are ensured through immutable audit logs maintenance that tracks access and transactions, with regular reviews to identify illegal access or unusual activities.”
He maintained that strong, integrated governance is crucial in this regard because it prevents external systems from gaining unrestricted access. “Instead, integrations are conducted via a secure Application Programming Interface (API) that compels scoped permissions, logging, and clear authorization rules for each service. Retention and disposal rules are formed to align data retention with legal obligations and operational needs, including secure deletion and archival policies.”
Weeraratne added that mechanisms for citizen rights and redress are in place, letting individuals seek corrections, file complaints, and obtain remedies in line with the Data Protection Act. “Periodic security testing provided by independent assurance vulnerability assessments, and audits, which include independent evaluations of high-risk components and processes,” he added, noting that incident preparedness is addressed with defined response procedures, breach containment and notification protocols, and ongoing monitoring to ensure readiness for potential incidents.
The country is also in the midst of setting up a Cybersecurity Regulatory Authority.
Sri Lanka is preparing a phased rollout of the SL-UDI, Weeraratne previously told Biometric Update.