A Commission of One ?

/in , /by

A Nation Left to Trust

BY: Hem Kumar                               

𝙏𝙝𝙚 592 𝙂𝙪𝙖𝙧𝙙𝙞𝙖𝙣

Commissioner Giddings answered a Letter to the Editor, with  a reassuring letter. We have seven unanswered questions. And Guyana deserves answers — not assurances.

WE READ Commissioner Aneal Giddings’ letter with the full attention it deserved — and then we read it again. It is well-written. It is confident. It cites legislation. It uses the word “trust” several times. But a letter that invokes trust, without producing the names, addresses, contact details and accountability mechanisms that would allow citizens to verify that trust, is not a safeguard. It is a press release.

The Commissioner told Guyanese that a Data Protection Act is in force, that a Data Protection Office is being established, that two companion laws work in harmony, that biometric cards meet ICAO standards, and that the system is safe. We do not dispute that these things may be true. What we dispute is that a letter — however eloquent — substitutes for institutional transparency.

So let us ask, plainly, what the letter did not answer.

The Commissioner spoke of a Commission being in place. Is he, alone, the entire Commission?

QUESTION 1: WHERE IS THE COMMISSION?

Commissioner Giddings signs his letter with a title. He does not provide the physical address of the Data Protection Office. He does not provide a phone number, an email address, or a complaints hotline. He does not direct the worried citizen — the very one whose letter prompted his response — to any website, portal or walk-in location where they can exercise the rights he says they have.

Citizens were told they have the right to know what data is held about them. They have the right to correct it. They have the right to request deletion. Fine. Then where, exactly, does a citizen go to exercise those rights? What is the address? What are the office hours? What is the name of the officer who receives such requests? These are not unreasonable questions. These are the basic institutional facts that separate a functioning regulatory body from a title on a letterhead.

QUESTION 2: WHO ELSE SITS ON THIS COMMISSION?

A “Commission” implies more than one person. The Data Protection Act envisions oversight. Oversight implies a body — not a solo operator, however capable. So the public deserves to know: who are the other members of the Data Protection Commission? Were they appointed? When? By whom? Do they have fixed terms? What are their professional qualifications? Have any of them ever worked for the entities they are now charged with regulating?

The Commissioner’s letter is written entirely in the first person. That is either a stylistic choice — or a structural admission. Which is it?

QUESTION 3: WHO IS THE GATEKEEPER OF THE DATA?

Commissioner Giddings confirms that the Digital Identity Card Registry falls “directly under the administration of his office.” That means the same office that promotes the digital ID system is also the office that polices it. This is a profound conflict of interest that deserves public scrutiny, not reassurance.

Who, specifically, has access to the biometric database? What government agencies? What private contractors? Under what authorisation framework does access occur? Is there a tiered access system? Is there a formal request process? Who approves access requests? And crucially — who watches the watchers?

An immutable public ledger of who accessed citizen data, when, and why — is not a radical idea. It is the minimum standard for a government serious about accountability.

QUESTION 4: IS THERE A PUBLIC AUDIT LEDGER?

In any credible data governance framework, access to sensitive citizen data is logged. Every query. Every download. Every transfer. The log is tamper-proof, time-stamped, and — in the most accountable systems — publicly auditable or subject to independent review.

Does such a ledger exist for Guyana’s Digital Identity Card Registry? If so, who audits it? How often? Are audit reports tabled in Parliament? Are they available to the public under the Right to Information Act? Or do access logs exist only as internal records, visible to the same agencies that are being overseen?

The Commissioner acknowledged that fears of political profiling, surveillance and commercial misuse are “not paranoid.” We agree. And the very acknowledgement makes the absence of a public audit trail more alarming, not less.

QUESTION 5: WHY NOT BLOCKCHAIN?

This is not a theoretical question. It is a structural one.
Blockchain-based identity systems — deployed in Estonia, the UAE, and elsewhere — use decentralised, cryptographically secured ledgers that make it technically impossible to alter access records retroactively.
Under such a system, if any official, agency or contractor accessed a citizen’s data, that access is permanently recorded on an immutable chain — visible to regulators, auditors and, in some architectures, citizens themselves.
Guyana chose a centralised PKI-enabled system. That may be adequate. But the public was never told why blockchain was considered and rejected — or whether it was considered at all.

We are not blockchain evangelists. Technology is never a silver bullet. But the question deserves a substantive technical answer, not silence. If ICAO standards were cited as justification for the current architecture, then an explanation of why those standards preclude a distributed ledger — if they do — should accompany any public defence of the system.

Citizens whose biometric data is permanently enrolled in a national registry are entitled to know why the most tamper-resistant available architecture was or was not chosen for their protection.

QUESTION 6: WHAT HAPPENS WHEN THERE IS A BREACH?

The Commissioner’s letter does not mention data breaches. It does not outline the notification protocol if citizen data is compromised. It does not specify timelines for breach disclosure — to the affected individuals, to Parliament, or to the public. It does not describe what remedies are available to citizens whose data is leaked, stolen or misused.

These are not hypothetical scenarios. They are the central questions of any serious data protection framework. The European Union’s GDPR mandates breach notification within 72 hours. What does Guyana’s Act mandate? And has the Commissioner’s office established the technical capacity to detect a breach in the first place?

QUESTION 7: WHAT ARE THE PRIVATE CONTRACTORS’ OBLIGATIONS?

Commissioner Giddings asserts that private contractors handling public data are “legally bound” by the Act’s provisions. But legal obligation and operational accountability are different things. Which contractors currently have access to the registry? What are their names? Where are they incorporated? What contractual data protection clauses govern their engagement? What happens if they breach those clauses? Have any contractors been audited? Have any been found non-compliant?

The public has a right to know who, beyond government agencies, holds their fingerprints, their facial images and their personal identification data — and what remedies exist if that third party misuses it.

A letter that invokes trust without producing the facts that would allow citizens to verify that trust is not a safeguard. It is a press release.

WHAT WE ARE NOT SAYING

We are not saying the digital ID system is corrupt. We are not saying Commissioner Giddings is acting in bad faith. We are not opposing the modernisation of Guyana’s identity infrastructure, which is long overdue.

What we are saying is this: institutional trust is not declared. It is built. It is built through transparency, through publicly accessible information, through independent oversight with real teeth, and through accountability mechanisms that citizens can actually use — not just invoke in a letter to a newspaper.

The Commissioner said the system is “built on trust, transparency, accountability and genuine institutional capacity.” We hold him to those words. And we note, with respect, that trust is not demonstrated by writing about it. It is demonstrated by showing your work.

OUR CALL TO THE COMMISSIONER

We call on Commissioner Giddings to publish, within thirty days, the following:

  1. The full physical address, telephone number, email address and operating hours of the Data Protection Office.
  2. The names and qualifications of all members of the Data Protection Commission, their appointing authority, and their terms of tenure.
  3. A complete list of government agencies and private contractors with current access to the Digital Identity Card Registry, and the legal basis for each grant of access.
  4. The data access audit log framework: who logs access, how logs are stored, who audits them, and how citizens can request a review of access to their personal records.
  5. A technical explanation of why a blockchain or distributed ledger architecture was or was not considered for the registry.
  6. The breach notification protocol: timelines, responsible parties, and citizen remedies in the event of a data compromise.
  7. The names and contractual data protection obligations of all private contractors currently engaged by the registry.
  8. A step-by-step guide for citizens wishing to exercise their rights under the Act, including the right of access, correction and deletion.

Guyana’s digital future is indeed being built. Let it be built in the light.

𝙏𝙝𝙚 592 𝙂𝙪𝙖𝙧𝙙𝙞𝙖𝙣-𝙏𝙧𝙪𝙩𝙝 , 𝘼𝙘𝙘𝙤𝙪𝙣𝙩𝙖𝙗𝙞𝙡𝙞𝙩𝙮, 𝙄𝙣𝙩𝙚𝙜𝙧𝙞𝙩𝙮 𝙄𝙣 𝙂𝙪𝙮𝙖𝙣𝙖 𝘼𝙣𝙙 𝘾𝙖𝙧𝙞𝙗𝙗𝙚𝙖𝙣 𝙋𝙚𝙧𝙨𝙥𝙚𝙘𝙩𝙞𝙫𝙚𝙨.— ✦—

Discover more from 592guardian.com

Subscribe to get the latest posts sent to your email.

0 replies

Leave a Reply

Want to join the discussion?
Feel free to contribute!

Leave a Reply

Your email address will not be published. Required fields are marked *