India - Data Governance Framework: Regulating The Use Of Non-Personal Data
16 October 2020
Data, for the purposes of regulation, can be classified into personal data and non-personal data. Currently, in India, data protection and privacy are governed by Section 43A and Section 72A of the Information Technology Act, 2000 (“IT Act”), which provide for a right to compensation for improper disclosure of personal information. The corresponding Information Technology (Reasonable Security Practices and Procedure and Sensitive Personal Data or Information) Rules, 2011 (“Rules”) impose additional requirements relating to the collection and disclosure of sensitive personal data or information. As per Section 2(v) of the IT Act, data is included in the definition of “Information”.
Section 2(o) of the IT Act defines “Data” as a representation of information, knowledge, facts, concepts or instructions which are being prepared or have been prepared in a formalised manner, and is intended to be processed, is being processed or has been processed in a computer system or computer network, and may be in any form (including computer printouts magnetic or optical storage media, punched cards, punched tapes) or stored internally in the memory of the computer. Thus, the definition of “Data” is very broad and can include both personal data and non-personal data within its ambit.
Currently, the Rules under the IT Act govern the use of “information”. Further, in order to have a robust and comprehensive data protection law, the Ministry of Electronics and Information Technology has introduced the Personal Data Protection Bill 2019 (“PDP Bill”), which proposes primarily to protect the personal data of individuals. However, with evolving data market trends in various categories and sectors, such as health data and e-commerce data, there is an increase in the collection of non-personal data, resulting in a dire need to regulate such non-personal data. Since there is no comprehensive regulation governing the use and processing of non-personal data, the legislators are now considering regulating the use and processing of non-personal data in a manner similar to the PDP Bill. Such proposed regulations are similar to regulations in the European Union governing non-personal data.
Accordingly, the Ministry constituted a Committee of Experts to deliberate on a Data Governance Framework. On July 12, 2020, the Committee released its report for public consultation, seeking feedback from the public on a proposed statute, the Non-Personal Data Law (“NPDL”), for regulating the use of Non-Personal Data (“NPD”). The shared NPD may be useful for Indian entrepreneurs to develop new and innovative services and products from which citizens may benefit. The NPD may also be used by researchers, academicians, and governments for creating public goods and services.
It is in this context that the Committee has sought to set out the regulation of NPD.
I. Definition of Non-Personal Data
The Report defines NPD as “data which is not ‘Personal Data’ (as defined under the PDP Bill), or which does not have any personally identifiable information”. Therefore, NPD could be: (i) data that is not related to an identified or identifiable natural person, such as data on weather conditions, data from sensors installed on industrial machines, data from public infrastructures, etc., or (ii) data that was initially personal data but was later made anonymous. Anonymous data is data which has been aggregated and to which certain data transformation techniques have been applied, so that individual specific events are no longer identifiable.
The report categorizes NPD into three categories: (i) public non-personal data; (ii) community non-personal data; and (iii) private non-personal data.
(i) Public Non-Personal Data: The Committee defines Public NPD as “Non-Personal Data which is collected or generated by the government, or by any agency of the government, and includes data collected or generated in the course of execution of all publicly funded works”. NPD which is collected or generated by the government, where such data is explicitly considered confidential under law, would not constitute public NPD. Examples of Public NPD are anonymised data of land records, public health information, vehicle registration details, details of pollution levels in a city collected for a publicly funded project, etc.
(ii) Community Non-Personal Data: The Committee defines Community NPD as “Non-Personal Data which includes anonymised personal data, Non Personal Data about inanimate and animate things or phenomena, whether natural, social or artefactual, whose source or subject pertains to a community of natural persons”. For example, ‘raw / factual data’, without any processing / derived insights, collected by the municipal corporations and public electric utilities, telecom, e-commerce, ride-hailing companies etc. Community NPD excludes private NPD.
(iii) Private Non-Personal Data: The Committee defines Private NPD as “Non-Personal Data collected or produced by persons or entities other than the governments, the source or subject of which relates to assets and processes that are privately-owned by such person or entity, and includes those aspects of derived and observed data that result from private effort”. For example, inferred or derived data and insights involving application of algorithms, proprietary knowledge. It may also include such data in a global dataset that pertains to non-Indians and which is collected in a foreign jurisdiction.
Concept of Sensitivity of Non-Personal Data: The Committee has also defined a new concept of ‘Sensitivity of Non-Personal Data’. The Committee has recognised that NPD could be sensitive data if: (i) it relates to national security or strategic interests; (ii) it contains business sensitive or confidential information; or (iii) it is anonymised data, that bears a risk of re-identification.
II. Consent for Anonymised Data
The Committee recommends that the data principal’s consent should be obtained for anonymisation and usage of anonymised data. Collections of anonymised data can be de-anonymised, and if any subsequent harm arises from re-identification, or from processing of such NPD, the data principal shall be able to take suitable recourse.
III. Key Non-Personal Data roles/stakeholders
The key stakeholders in respect of NPD are: (i) Data Principal, (ii) Data Custodian, (iii) Data Trustees, (iv) Data Trusts.
Data Principal: Data Principal is the natural person with respect to whom such NPD relates. In case of community NPD, the community, that is the source and/or subject of community data, may be treated as the data principal for such data.
Data Custodian: The Committee recommends that the data custodian undertake collection, storage, processing and use of NPD. Data custodians may be public entities such as government ministries, telecom companies or private sector entities such as e-commerce entities. The Committee requires data custodians to adopt anonymisation standards and use NPD in a manner that is in the ‘best interest’ of the data principal. Data custodians will have a ‘duty of care’ to the individual or community from which NPD has been collected.
Data Trustees: Each data principal community would need to exercise its data rights through an appropriate community data trustee. Principles and guidelines about who can become a trustee of community data are expected to be laid out in the NPDL. The Committee has hinted that for a majority of community data, the relevant government entity or community body may act as the data trustee.
Data Trusts: The Committee recommends creating institutional structures in the form of trusts, for containing and sharing a given set of data. It is expected that the forthcoming NPD rules and regulations will lay down guidelines on how data trusts may be constituted and how they should function. The Committee has not mandated that the data trustee needs to be located in India or that the trusts should be established in India.
IV. Data Business
The Committee recommends a new category of business called ‘Data Business’, as most organizations (commercial, government and non-government) have the scope of deriving new or additional economic value from data by collecting, storing, processing, and managing data. For example, a hospital derives economic value not only from providing medical services; it may derive additional value by harnessing the medical data and offering value-added services (such as personalized treatment plans, medicines etc). Many existing businesses in various sectors that collect NPD beyond a threshold level will get categorized as a Data Business, and registration of the Data Business would be required. Every Data Business must declare and disclose what it does and what data it collects, processes and uses, in which manner, and for what purposes.
V. Purpose of Data Sharing
The Committee has identified the following three purposes for which Private, Community and Public NPD may be shared: (i) sovereign purposes such as security, legal, law enforcement and regulatory purposes for mapping security, crime mapping, pandemic mapping vulnerabilities and challenges, including people’s security, physical infrastructure security and cyber security; (ii) core public interest purposes such as for benefits or public goods, research and innovation, for better delivery of public services, policy development; (iii) economic purposes such as encouraging competition and providing a level playing field in any sector, and enabling domestic start-up activities.
VI. The role of Non-Personal Data Authority
The Committee recommends setting up the NPD Authority for the purpose of: (i) enabling NPD sharing for sovereign, social welfare, economic welfare and regulatory and competition purposes, thus spurring innovation, economic growth and social well-being in the country; (ii) enforcing the law relating to NPD, ensuring that all stakeholders follow the rules and regulations laid down and provide data appropriately when legitimate data requests are made.
VII. Guiding Principles for Technology Architecture
The Committee has encapsulated some guiding principles that can be used for creating technology architecture for implementing the rules and regulations relating to NPD:
(i) All sharable NPD and data sets created or maintained by government agencies, companies, start-ups, universities, research labs, non-government organisations, etc. should have a Representational State Transfer (REST) application programming interface (“API”) for accessing the data;
(ii) Data sandboxes can be created where experiments can be run, algorithms can be deployed and only the output is shared, without sharing the data;
(iii) Data storage should be in a distributed format so that there is no single point of leakage. Data sharing should be undertaken using APIs only, such that all requests can be tracked and logged;
(iv) The data exchange approach must be standardised, regardless of data type, exchange method or platform;
(v) Prevent de-anonymization of anonymised data. Best of breed differential privacy algorithms may be created to prevent de-anonymization.
It is imperative for data protection to be applied to all forms of data, whether it be personal or non-personal data. Since data is vast and there are various categories of NPD, it is expected that a regulation on NPD is likely to lead to increased transparency, better quality services, improved efficiencies, more innovation and public welfare. The report sets out the context and proposal for the forthcoming regulations on NPD. Based on consultation, public comments and feedback, a comprehensive data framework governing NPD in India may be introduced in the near future.
Article first published in Mondaq.
For further information, please contact:
Mini Raman, LexOrbis