Enabling eLaws and Policies

Enabling Legal Environment

eLaws play a major role in use of ICT, as those should provide the necessary legal environment for using electronic data and documents for official as well as personnel purposes and carrying out electronic transactions. Moreover, the activities that are detrimental for the use of eGovernment should be controlled by Computer Crime laws. This page provides information and links related to eLaws which have been adopted in Sri Lanka.

Electronic Transactions Act

The most relevant legislation for use of ICT in government and establishment of e-government services is the Electronic Transactions Act No. 19 of 2006. The drafting of Electronic Transactions legislation was enabled through a joint Cabinet Memorandum of the Prime Minister, the Minister of Trade and Commerce and the Minister of Science and Technology. Consequently, on 22nd September 2004 the Cabinet of Ministers decided that legislation on Electronic Transactions should be prepared through the Legal Draftsman’s Department in conjunction with ICTA. The legislation was prepared by the Legal Draftsman with legal and policy inputs from ICTA and presented to Parliament on 7th March 2006. The Electronic Transactions Act was brought into operation with effect from 1st October 2007 (vide Gazette Extraordinary No. 1516/25 of 27th September 2007).

The Electronic Transactions Act No. 19 of 2006 is based on the standards established by United Nations Commission on International Trade Law (UNCITRAL) Model Law on Electronic Commerce (1996) and Model Law on Electronic Signatures (2001).

The objectives of the Act as are as follows

to facilitate domestic and international electronic commerce by eliminating legal barriers and establishing legal certainty;
to encourage the use of reliable forms of electronic commerce;
to facilitate electronic filing of documents with government and to promote efficient delivery of government services by means of reliable forms of electronic communications and
to promote public confidence in the authenticity, integrity and reliability of data messages and electronic communications. This has ensured that electronic communication is officially and legally accepted as a proper means of communication (emphasis added).

Based on this Act steps could now be taken by government organizations to provide services by electronic means as well as to retain data and information in electronic form.

As a follow-up to the enactment of the Electronic Transactions Act, Sri Lanka became one of the first three countries in the Asian Region (and first country in South Asia) to sign the United Nations Convention on the Use of Electronic Communications in International Contracts (commonly known as the e-Contracting convention). This was consequent to a Cabinet decision initiated by the Ministry of Science and Technology.

The Convention aims to enhance legal certainty and commercial predictability where electronic communications are used in relation to international contracts. It addresses the determination of a party’s location in an electronic environment; the time and place of dispatch and receipt of electronic communications; the use of automated message systems for contract formation; and the criteria to be used for establishing functional equivalence between electronic communications and paper documents – including “original” paper documents – as well as between electronic authentication methods and hand-written signatures.

As another necessary follow up action, ICTA is in the process of setting up a Certifying Authority for issuing digital signatures for Sri Lankan government organizations and citizens to ensure the authenticity and Non-repudiation.
Computer Crimes

The Computer Crimes Act No. 24 of 2007 provides for the identification of computer crimes and stipulates the procedure for the investigation and enforcement of such crimes. The Bill was presented in Parliament and debated on 23rd August 2005 and thereafter extensively revised by the Parliamentary Standing Committee “B”. It was enacted as legislation in May 2007 and certified by the Speaker of Parliament on 9th July 2007.

The basis of the Computer Crimes Act No. 24 of 2007 is to criminalize attempts at unauthorized access to a computer, computer programme, data or information. It also contains a provision to deal with unauthorized use of computers regardless of whether the offender had authority to access the computer.

The Act creates offences for unauthorized modification, alteration or deletion of information and denial of access, which makes it an offence for any person to program the computer in such a manner so as to prevent authorized persons from obtaining access. Other offences sought to be created under the proposed Act include causing damage or harm to the computer by the introduction of viruses and logic bombs etc, unauthorized copying of information, unauthorized use of computer service and interception of a computer programme, data or information while it is been transmitted from one computer to another.

The Act introduces a new regime for the investigation of offences. Provisions have been made in the Act to designate a panel of ‘Experts’ to assist the Police in the investigation of computer crime offences.
Data Protection

Data protection rules have become an increasingly important legal regime in an information age where personal data has become a significant asset of many companies, especially those operating over the Internet. However, in a connected global economy, national data protection rules can be easily circumvented and protections granted to the citizens lost as data is transferred out of the jurisdiction. In an attempt to prevent such circumvention, the EU data protection regime contains provisions controlling the transfer of personal data to non-EU countries, such as Sri Lanka.

At present the Government is pursuing a policy based on the adoption of a Data Protection Code of Practice, encompassing the private sector, with the possibility of the code being placed on a statutory footing through regulations issued under the Information and Communication Technology Act of 2003. As such, this approach can be seen as self- or co-regulatory approach. (Refer section 0103)
Intellectual Property Rights (IPR)

As regards the protection of intellectual property rights (IPR), the Intellectual Property Act no. 36 of 2003 replaced the Code of Intellectual Property Act no. 52 of 1979. The IP Act of 2003 contains several new features in relation to the protection of software, trade secrets and integrated circuits. (Refer Sections 0204 and 0205 of this document for detail)

Below acts, regulations, circulars, guidelines are related to eLaws and policies of Sri Lanka government

The key objective of eGovernment is to provide better citizen services while improving the efficiency and effectiveness of government. In order to implement eGovernment in an orderly and unitary manner. eGovernment policy was formulated and approved by the Cabinet of Ministers, 2009. According to the decision made by the Cabinet of Ministers, all government organizations should implement and comply with eGovernment policy. This page also provides an introduction to eGovernment. Documents related to eGovernment policy and Information Security policy are also available for downloading.

Introduction to eGovernment

Detailed eGovernment Policy Compliance Check List

Presidential circular issued on implementation of eGovernment Policy

Condense Information Security policy

Detail Information Security policy

For more eGovernment policy related resources, visit eGovernment Policy Project page of ICTA web site

eGovernment Policy

The first eGovernment policy of Sri Lanka was approved by the Cabinet of Ministers in December 2009 to be adopted and implemented by all government organizations during the period of 2010-2012. ICTA which was given the mandate by the Cabinet of Ministers to monitor the implementation, review the policy and revise as necessary, conducted a series of conferences and workshops around the country involving government managers to create awareness on the content of the policy and approaches for implementation and review. The progress of the implementation of eGovernment policy has been described in the ICTA website.

ICTA carried out annual reviews of implementation of eGovernment policy in 2010, 2011, 2012 and 2013. Regrettably the rate of successful implementation of eGovernment policy by government organisations has been extremely low, despite the efforts made by ICTA as well as participating organisations.

Having analyzed the reasons for low implementation, the following decisions were made by ICTA with the involvement of key stakeholders.

o The eGovernment policy contained very complex policy requirements
o The policy was too extensive. It had 29 policy statements and 177 policy guidelines which should be implemented by all government organisations regardless of different eGovernment maturity levels that they are at.
o There was no clear identification of responsibilities with regard to the implementation of the policy.
o Chief Innovation Officers (CIOs) who are generally responsible for implementation of the policy had no clear idea on how to do that. Moreover, CIOs had no authority to implement those.
o It was also not clear to government why they should implement the policy. (Policy objectives were not clear)

The eGovernment Policy Review Committee

In order to draft the revised version of the policy the Chairman of ICTA appointed an eGovernment Policy Review Committee members.

The policy review committee embarked on a journey to address the above issues while revising and updating the policy as and when necessary. In order to compile the policy statements and guidelines the committees studied such requirements documented in other countries and the requirements included in the first version of the policy.

The committee agreed for a new theme for the policy and drafted 10 policy objectives under which the 32 policy statements were identified.

The committee appointed a Working Committee in order to draft the policy guidelines. The eGovernment Policy Working Committee drafted policy guidelines, identifies the responsibilities of implementation of policy by using the RACI (Responsible, Accountable, Consulted, Informed) matrix.
The Working committee also identified a convenient approach for government organisations to implement the policy requirements and identify the eGovernment maturity stage of their organisations.

The consultative process

Once the policy was drafted it is presented to government CIOs, Senior Managers of the government, ICT based and non ICT based private sector managers, academia and civil society members for receiving a wider consultation. Moreover the public consultation was requested and received for improving the policy by using public media.

How the policy should be implemented by using the checklist

The working committee prepared a policy implementation checklist for facilitating the implementation and reporting its success to ICTA.

The working committee also identified and documented an easy approach for implementing the policy by using the eGovernment maturity levels.

Once the identified approach is followed, the government organisations will be able to look at the policy requirements based on their eGovernment maturity levels. For example every government organisation should start implementation of eGovernment policy requirements which are related to the “Information” stage which is the lowest eGovernment maturity stage. Once they have implemented the policy requirements related to the “information” stage. They could start implementation of policy requirements related to next stage which is the “Interactive” stage. If any organisation has not implemented at least 70% of the requirements related to one stage they should not proceed to next level. If any government organisation is unable to proceed beyond the “interactive” stage, we identify them to be at the “Interactive” stage.

However, they are free to check whether they have implemented the requirements related to higher stages and mark the implementation check list accordingly.

Assessment of Policy implementation

The “Policy Implementation Check List” will be used in order to assess and verify the eGovernment Policy implementation by government organisations. The implementation check list has identified a set of documents which should be submitted by the government organisations as a proof of policy implementation. The policy team produced all such forms and templates required for verification process.
It is expected to assess the Policy compliance rate of each organisation based on the implementation check lists submitted by each organisation. The results of the assessment of compliance rate will be published and given some publicity for the citizens to be aware of the compliance rate of each organisation.

eGovernment Policy approved by the cabinet of ministers in 2009-12-15

Top