Privacy Policy

1. Introduction

The Department of Information & Communications Technology (DICT) of Papua New Guinea operates the Digital Transformation Officers (DTO) Portal. This Privacy Policy explains how we collect, use, store, and protect the personal information of users who access and use the DTO Portal.

By registering for or using the DTO Portal, you agree to the collection and use of information in accordance with this policy.

2. Information We Collect

We collect the following categories of personal information:

• Identity Information: Full name, gender, date of birth, government employee number.
• Contact Information: Government email address, phone number.
• Employment Information: Department, position, agency name, appointment type.
• Registration Documents: Nomination letters and supporting documents uploaded during DTO registration.
• Usage Data: Login timestamps, actions performed within the portal, audit logs.
• Device Information: Browser type, IP address, session data collected automatically.

3. How We Use Your Information

Your information is used solely for the following purposes:

• To verify your identity and eligibility as a Digital Transformation Officer.
• To process and manage your DTO Portal registration and account.
• To process service requests, Certificate of Compliance applications, and enquiries.
• To send official communications including account invitations, status updates, and notifications.
• To maintain audit logs for government accountability and compliance purposes.
• To improve portal services and generate anonymised usage reports.

4. Legal Basis for Processing

DICT processes your personal data under the following legal bases:

• Consent: You voluntarily provide your information when registering for the portal.
• Public Task: Processing is necessary for the performance of a government task carried out in the public interest under Papua New Guinea's digital transformation mandate.
• Legal Obligation: Certain data retention and audit requirements are mandated by law.

5. Data Storage & Security

Your data is stored on Amazon Web Services (AWS) infrastructure hosted in the Asia Pacific (Sydney) region. We implement the following security measures:

• All data is encrypted in transit (TLS 1.2+) and at rest (AES-256).
• Access to personal data is restricted by role-based access controls.
• All administrative actions are logged in an immutable audit trail.
• Authentication is managed via Amazon Cognito with secure temporary passwords for new accounts.

6. Data Sharing

We do not sell, trade, or rent your personal information to third parties. Your data may be shared only in the following circumstances:

• Within DICT: Between authorised officers and administrators for operational purposes.
• Government Agencies: Where required for inter-agency digital transformation coordination.
• Cloud Service Providers: AWS processes data on our behalf under strict data processing agreements.
• Legal Requirements: Where disclosure is required by Papua New Guinea law or court order.

7. Data Retention

We retain your personal data for as long as your account is active and for a minimum of seven (7) years after account closure, in accordance with Papua New Guinea government record-keeping requirements. Registration documents and audit logs are retained for the same period.

8. Your Rights

As a user of the DTO Portal, you have the following rights regarding your personal data:

• Access: Request a copy of the personal data we hold about you.
• Correction: Request correction of inaccurate or incomplete data.
• Deletion: Request deletion of your data where it is no longer necessary (subject to legal obligations).
• Objection: Object to certain processing activities.

To exercise any of these rights, contact us at the address below.

9. Cookies & Session Data

The DTO Portal uses session cookies strictly necessary for authentication and security. We do not use tracking or advertising cookies. Session cookies expire when you close your browser or after a period of inactivity.

10. Changes to This Policy

DICT reserves the right to update this Privacy Policy at any time. Changes will be posted on this page with an updated effective date. Continued use of the portal after changes constitutes acceptance of the revised policy.

11. Contact

For privacy-related enquiries, contact: