Security First
End-to-end encryption and multi-factor authentication protect your data
Transparency
Clear disclosure of data collection and usage practices
Your Control
Full rights to access, correct, and delete your personal information
Data Minimization
We collect only what's necessary following the Once Only Principle
Introduction
SevisWallet is a secure digital wallet application that allows users to access and manage their verified government digital identity (Sevis Pass) and related services. We are committed to protecting your privacy and ensuring your personal information is handled safely, transparently, and in compliance with Papua New Guinea laws, including:
- Constitution of Papua New Guinea (Section 49: Right to Privacy)
- Digital Government Act 2022
- National Data Governance & Data Protection Policy 2024
- International best practices such as the APEC Cross-Border Privacy Guidelines and OECD principles
Information We Collect
When you use SevisWallet, we may collect the following information in accordance with the principles of data minimization, necessity, and explicit consent, especially for sensitive personal data such as biometrics:
Personal Information
- Name, date of birth, national ID number, email, and phone number
- Biometric data for identity verification (e.g., face scan, fingerprints). This is classified as highly sensitive data and requires your informed, explicit, and voluntary consent
Technical Information
- Device type, operating system, app version, and usage analytics
- IP address and location data (if enabled for service functionality)
Transaction Data
- Digital credentials, wallet transactions, service usage history
Note: Data collection adheres to the Once Only Principle (OOP) under the National Data Governance & Data Protection Policy 2024, ensuring data is captured only once at the source to avoid duplication and is stored in compliance with the Central Electronic Data Repository (Section 28 of the Digital Government Act 2022).
How We Use Your Information
We use your information for legitimate and specified purposes, with transparency and accountability:
- Verify your identity and authenticate access to government services
- Enable secure wallet functions, including storing and presenting digital credentials
- Improve app performance, user experience, and service quality through data analytics, ensuring ethical and non-discriminatory practices
- Comply with legal obligations or government regulations, including reporting to authorized authorities
Processing of personal and biometric data is conducted fairly, lawfully, and transparently, with pseudonymization or anonymization applied where appropriate to protect privacy. For any automated processing (e.g., AI in biometric verification), we adhere to OECD AI principles for fairness, robustness, and respect for human rights.
Data Sharing and Disclosure
SevisWallet does not sell your personal information.
We may share data only with the following parties or in the following circumstances:
- Authorized government agencies delivering services through SevisWallet, via the Secure Data Exchange (SDE) Platform (Section 31 of the Digital Government Act 2022)
- Third-party service providers contracted to support secure app functionality, subject to strict data processing agreements
- Where required by law, to protect public safety, or in response to data breaches, with prompt notification to affected individuals as per the National Data Governance & Data Protection Policy 2024
All data sharing is strictly controlled, monitored under government security standards, and limited to authorized purposes. For cross-border data flows (e.g., cloud services), we ensure compliance with data sovereignty principles, using secure mechanisms aligned with APEC guidelines. Sensitive data like biometrics is shared only with explicit consent and necessary safeguards.
Data Security
We implement strong security measures in alignment with the National Cyber Security Centre (NCSC) and the forthcoming Cybersecurity and Critical Infrastructure Law, including:
- End-to-end encryption of personal and transactional data, both at rest and in transit
- Secure authentication, including PINs, biometrics, multi-factor authentication, and OTPs
- Storage on secure cloud infrastructure (AWS) in compliance with international security standards and PNG data localization requirements where feasible for sensitive data
- Regular security audits, vulnerability monitoring, threat intelligence, and incident response plans, including breach notification protocols
- Access based on the principle of least privilege, with continuous monitoring to prevent unauthorized access
User Rights
In line with the data subject rights under the National Data Governance & Data Protection Policy 2024, you have the right to:
- Access and review the personal data stored in your SevisWallet account
- Request updates or corrections to your personal data
- Request deletion of your account and associated data (right to be forgotten), where legally permitted
- Object to processing, withdraw consent at any time (especially for biometrics), and request data portability in a structured format
- Be informed of data breaches affecting your information
- Contact us with privacy-related questions or complaints, with responses provided promptly
These rights can be exercised through the app or by contacting the designated Data Protection Authority once it is established.
Children's Privacy
SevisWallet is intended for users aged 18 and above. We do not knowingly collect personal data from children under 18.
For any data involving minors, explicit parental or guardian consent is required, with enhanced safeguards as a special category of sensitive data under the National Data Governance & Data Protection Policy 2024.
Third-Party Development and Publication
The SevisWallet application is developed and temporarily published by TECH5 on behalf of SevisPNG, Department of Information and Communications Technology (DICT), Papua New Guinea.
SevisPNG remains the sole data controller for all personal information processed through the App. All data collected via the App is transmitted directly to and stored on systems operated and controlled by SevisPNG, located within Papua New Guinea.
TECH5 acts solely as a technical service provider and operates the App strictly in accordance with SevisPNG's written instructions. TECH5 does not determine the purposes or means of processing, and it does not use, share, or retain any personal data for its own purposes.
If App Store or Play Store publication is transferred to SevisPNG's developer account in the future, this Privacy Policy will continue to apply without changes.
Data Security and Compliance of Third Parties
Any third-party technical operators such as TECH5 must comply with SevisPNG's data protection and cybersecurity standards, including encryption, secure transmission, and controlled access mechanisms.
Periodic audits may be conducted by SevisPNG to ensure continued compliance.
Changes to this Privacy Policy
We may update this policy periodically to reflect changes in law, technology, or our services, in alignment with the review mechanisms in the National Data Governance & Data Protection Policy 2024.
Changes will be posted in the app and on the official SevisPNG website, with notice provided for material updates affecting your rights or data handling.
Contact Information
Data Controller
SevisPNG, Department of Information and Communications Technology (DICT)
Waigani, Port Moresby, Papua New Guinea
Email: support@sevis.gov.pg
Website: sevis.gov.pg
Technical Operator / Service Provider
TECH5 SA
c/o SYNERGIX S.A., succursale de Genève
Rue de Neuchâtel 8, 1201 Geneva, Switzerland
Email: info@tech5-sa.com
For data protection inquiries or complaints, you may also contact the Data Protection Authority once it is established; in the interim, contact DICT.