Vanuatu’s national data protection and privacy policy (2023)
August 2023
Strategies and Action Plans
Vanuatu’s National Data Protection and Privacy Policy (2023) sets out a comprehensive framework aimed at safeguarding the personal data of individuals in line with the Constitution and international obligations. It complements the National Cyber Security Strategy 2030 and serves as a precursor to the development of a national Data Protection Act (DPA).
The policy acknowledges the increasing volume and sensitivity of personal data processed by both the public and private sectors, and seeks to establish clear principles and governance structures to ensure transparency, fairness, and accountability. Its objectives include the protection of fundamental rights, especially the right to privacy, the establishment of an independent Digital Safety Authority (DSA), alignment with international standards (notably Convention 108+ and the EU GDPR), and the implementation of strong safeguards for sensitive data and vulnerable groups, including children.
The scope of the policy extends to all forms of personal data processing, whether automated or manual, within or outside Vanuatu, when the data relates to individuals in Vanuatu or is generated or collected within its territory. Exceptions are provided for purely personal or household activities.
Key principles include lawful and fair processing, purpose limitation, data minimisation, accuracy, storage limitation, and data security. The policy mandates the use of data protection by design and by default, data protection impact assessments for high-risk processing, and breach notification obligations.
A central aspect of the policy is the enforcement mechanism through the creation of the DSA, tasked with oversight, investigations, handling complaints, issuing penalties, and ensuring public awareness. The policy also outlines the rights of individuals, including access to information, rectification, objection to processing, and access to remedies.
Special emphasis is placed on ensuring data sovereignty: data generated or collected in Vanuatu must remain subject to Vanuatu’s legal framework and cannot be transferred across borders without proper authorisation.
Monitoring and evaluation mechanisms are foreseen through periodic reporting and an implementation matrix. The policy was developed with support from the Council of Europe and the European Union under the GLACY+ initiative.