The Privacy Act prohibits the processing of sensitive information. However, the sensitive information can also be processed in following circumstances:

• in the course of alleviation of disease, public health protection, disease identification, health treatment, management of health institution and providing health service by the health worker, without insulting or letting the concerned person feel inferior;
• if the concerned person has published the information himself or herself.

The revised Draft Information Technology and Cyber Security Bill, 2024 (“IT Bill”), which is yet to be passed and made into law by the Parliament, has also added provisions relating to privacy (Section 80). It states that personal details collected from an individual in an information technology system shall not be used, disseminated, or exchanged for any purposes other than the disclosed purpose without the consent of the data subject. It also stipulates that personal information collected and stored for a specific purpose shall be destroyed, with assurance to the data subject, within 30 days after fulfillment of that purpose. Violation of this provision will result in a fine of up to NPR 5,00,000, or three years of imprisonment, or both.