Data Protection Legislation Suitable For Indian Context
Data Protection was never an issue in India due to its culture, but ever since economic reforms initiated from 1991, Indian economy is becoming more market oriented and now catering to service industry and on verge of becoming manufacturing hub with increasing investments from foreign and local private players. Breakthroughs in technology and its commercial values have made Indian sentiments inclined towards data protection. Due to lack of stringent data protection laws and various loop holes, incidents of data theft, Banking fraud and many other such issues are increasing. To add to that Government of India has undertaken a mammoth project of assigning unique identity number to citizens under Aadhaar and collected vast amount of personal data. Concerns are rising on security of this personal data. Potential leaks to malicious 3rd parties, and lack of governance model to prevent and punish any data breach can lead to a disastrous result as Aadhaar details of the citizen can be leaked and misused. A separate Data Protection Legislation according to the Indian context is a need of an hour.
Data protection for BPOs so far has been an important issue but it is now getting equally important for various other Private Sector entities too. Private Sector entities such as Banks, Telecom Companies, Hospitals, Insurance Companies, etc. collects huge amount of data (i.e. personal and non-personal information) about individuals. An individual’s data is at risk for lucrative misuse without his consent/knowledge.
Under EU and US laws taking consent of the data subject is given prime importance. Every entity which collects, stores and processes data is mandated to take consent in written from data subjects. Data subject has a say in deciding whether he is interested in receiving any promotional material or in agreement to let entity process his data or to be shared with any 3rd party. It is Data controller’s duty to ensure this mandate is implemented and followed with vigour.
The absence of Data Protection Law in India is a heavy loss not only to the outsourcing industry but also to the other sectors which collects and process data. The customers in the US and European Union are protected by the comprehensive privacy directive which requires that the personal and non-personal data cannot be transferred to Countries which do not have adequate protection policy. Hence this may lead to compliance issues in the out-sourcing industry in India.
Data protection legislation VS other laws/ideologies in India :–
Many doubts are raised about the fact that the enactment of a data protection law might conflict with some already existing and necessary legislations, ideologies of the Government and some private business. Let’s have a look at the existing data protection laws.
Conflict of Data Protection with the Right to Information Act :–
According to Right to Information Act citizens have right to access public information, hence, the major issue that is raised here is whether the rights granted by Data Protection Legislation would cause any conflicts to the rights available under the RTI Act? A logical analysis would be helpful to discard the misconception. Rather being contrary, these Laws can operate side by side to each other and can give each other meaning in its true sense. Information under RTI Act provides citizens with right to access information which is available with public officials including work, documents, records, sample of information etc. Thus, under RTI Act an individual has the right to access public information, while under the Data Protection Act an individual will have the right to prevent unauthorized access to his personal and non-personal information. Hence, co-existence of a well-defined separate data protection regime along with the RTI Act is possible.
Conflict of Data Protection with National Security :–
Interest of nation can create probable conflict with data protection rights of an individual. Government for the purpose of safeguarding national interest needs to access data of an individual and sometimes even needs to share such information with other Governmental agencies. Hence, national security must be the foremost provision for exemption in any Data Protection Legislation.
Conflict of Data Protection with Transparency in Government Functioning :–
Government, in order to determine transparency in its functioning and to clamp down corruption has started publishing complete details of all the Government activities sometimes with full information about the recipients of Government service. However, this initiative needs a detailed assessment to validate the fact that Government Officers have followed due diligence and there are no unintended consequence of exposing vast quantities of data in public domain.
With the introduction of the UID number the practice of publishing complete details could result in greater harm, as the UID number will be present in each and every publication of this nature and will make it easy to link various public databases and help create an identifiable profile of potential target. The Government needs to balance the need for transparency with the social obligation to provide its citizens with personal privacy and data protection.1 A stringent separate legislation for data protection would complement the Aadhaar Act enacted by the Government for the protection of the details collected by various agencies.
Conflict of Data Protection with Credit Verification :–
Recent Banking systems perform credit verification of Bank member for various reasons. For this process, Banks/financial institutions needs to access personal information about approaching borrower in order to be able to determine whether or not their loan application should be granted. Data protection provisions would not restrict collection of data instead it just controls the way in which data is collected and processed. Most data protection legislations allow processing of the data strictly for the purpose for which it is collected.
Important factors in framing the data protection legislation :–
The framework for the data protection legislation should highlight the basic principles that any data controlling Authority will need to subscribe and how the data as well as privacy rights of an individual would be protected. The specified features of the framework are discussed below in detail :–
1 Approach paper for a legislation on privacy, published by Government of India, Ministry of Personnel, PG & Pensions Department of Personnel Training on 25th October 2010.
a. Principles on Which the Legislation Must Be Based
1. Data must be processed lawfully.
2. Data must be gained only for one or more specified and lawful purposes, and must not be further processed in any manner inappropriate with that purpose.
3. Data must be adequate, relevant and moderate in relation to the purpose for which they are processed.
4. Data must be accurate and kept up to date.
5. Data processed for any purpose must not be kept for longer than is necessary.
6. Personal data must not be transferred to a Country outside India unless that Country ensures an satisfactory level of protection for the rights and freedoms of data subjects.2
b. Applicability :–
With “Digital India” initiative, many entities both public as well as private, have collected and are currently holding vast amounts of personal as well as non-personal data of citizen of India. With the introduction of UID project it might not be wrong to say that public or Governmental agencies directly hold much more data about a larger Section of society and even the private entities holds such data indirectly as contracts of collecting data was given to them. Hence, the data protection legislation to be enacted must apply equally to private as well as public entities.
c. Data :–
Data Protection Legislation for Indian should ensure that all forms of identifiable data are protected under the general right to privacy but a greater responsibility is imposed on entities processing, collecting and storing certain categories of information which if disclosed could result in significant financial, reputational or other associated loss to the person concerned.
d. Personal Data :–
2 Principles set down in accordance with the guidelines given by OECD.
Appropriate definition for personal data can be “information that is capable of identifying a person, either directly or indirectly (and thereby causing risk to his identity)”. It is possible that a person could be identified directly by name or indirectly by his vehicle registration number or passport number. It is important to include both types of data within the definition.
e. Sensitive Personal Data :–
Definition of Sensitive personal data unlike personal data is more specific and includes various types of information, which, if disclosed inappropriately, could result in financial and reputational loss to the person concerned. Developing and appropriate list of items that would constitute sensitive personalinformation is much needed. Such list can include following category of information :–
• racial or ethnic origin;
• religious affiliations and beliefs or other beliefs of a similar nature;
• financial and credit information;
• physical or mental health or condition;
• Criminal record;
• Biometric data.
f. Data Collection:–
Data collection must include following features :–
• Data subject should be informed about the purpose for the collection of data.
• The explicit or written consent of the data subject must be obtained for the collection of data.
• The data that is collected must only be for specific, explicitly defined and legitimate purposes.
• Collection of sensitive personal data is generally subject to more control. Explicit consent or even approval from a regulatory Authority may be obtained to collect sensitive personal data.
• Data collected must be proportional to the purpose for which it was collected.
Data subjects should also be allowed to withdraw consent for data collection even after the data has been collected. The right to withdraw consent must be the primary right to a person. Data should be collected only for a specific stated purpose. If the data is to be re-used for a different purpose the data subject should have a justiciable right against the data controller for allowing the data so collected to be re-used. This provision implies that the data controller is duty bound to collect appropriate amount of data that is required for the stated purpose.
g. Data Processing :–
It is important to put adequate measures in place to ensure fair processing of data as most data leakage takes place during processing. Data protections legislations must include the following provisions for data processing :–
• The data controller has to ensure that the data processor processes the information/data for the purpose for which it was collected.
• Data processing must be for legitimate purposes and must be with the consideration of interests of the individual.
• Data subject must have the knowledge of the purpose for which the data is being processed.
Since the data controller has obtained consent from the data subject for the collection of data it should be the responsibility of the data controller to ensure that any processing that takes place by a third party processor is done with the same standards of data protection required of the data controller. The data controller must be responsible for the faults of the data processor and should be primarily responsible for compliance by the data processor.
h. Data Storage :–
Once the data is collected it needs to be stored and larger volumes of data enters into public and private databases, the need to legislate on appropriate storage regulations becomes important. The factors to be taken care for drafting provisions for storage are such as :–
• The data once collected must be deleted after achieving the purpose for which it was collected.
• Data must not be stored in a form that allows data subject to be identified after achieving the purpose of collection.
• Aadhaar numbers must not be used for identification of data subjects.
• Some of the exceptions for deletion of data include keeping data for historical, scientific and statistical or research purposes.
• Access to the data must be blocked if the data cannot be deleted.
• Data subjects must be provided with a mechanism to withdraw the consent at any time, without undue delay, cost or gain to the data controller.
It is important to ensure that the data is stored only till the time the purpose is achieved, unless the purpose is for archiving, national security etc. Once the purpose has been achieved, the legislation should prescribe that the data so collected should be deleted permanently.
I. Data Security :–
It is important that the data protection legislation should impose adequate data security obligations on the data controller for the duration of data storage. Data protection legislations must have provisions such as :–
• The data controller must ensure that the data is protected, by such security safeguards as it is reasonable in the circumstances to take, against loss, against unauthorised access, use, modification or disclosure, and against other misuse.
• The integrity of personal information to be secured by taking appropriate technical and organisational measures.
• Steps should be taken to prevent unauthorised access to personal data, including the right of physical access to the premises, data, and programs and to operate equipment of the data controller or processor.
• The identity of persons who have access to information network should be logged.
• Privacy impact assessments to be conducted by independent Authorities in the form of transparent audits, for the protection of data.
• A response plan to be formulated by organisations which will set out the appropriate action to be taken for breach of data protection laws.
• When processing is carried out by service providers, the controlling Authority must enter into a contract that provides the scope, content, obligations and guarantee of compliance of data protection principles.
• At the time of encountering a security breach during processing, the data subjects must be informed about the potential pecuniary and non-pecuniary effects of such a breach.
Care should be taken to ensure that the measures prescribed should be technology neutral as it is likely that data security measures will only improve in the future.
j. Data Access :–
Once data has been collected it remains under the control of the data controller. If the data changes (such as in the event the data subject moves to a different address) it is important that this data be rectified and made current. Similarly, if the data subject finds, after his data has been collected, that the database entries are incorrect, it should be open to the data subject to rectify the database in order to rectify his own data. The data protection legislations studied here include provisions such as :–
• Data subject must have access to the data, subject to applicable laws. The subjects are also granted the right to rectify.
• It is mandatory for the data controller to provide an individual with information with respect to the purpose, collection, process, recipients and storage of data.
• Clear information must be provided to the data subject.
k. Cross Border Applicability and Transfer :–
It may be advisable to ensure appropriate measures to protect the data of Indian citizens that are processed outside the Country. The legislation could include provisions that allow the regulator to proceed against data controllers not just for data protection violations committed within the Country but also outside the Country if the data concerned relates to an Indian citizen, or was collected by the data controller in India.
l. Exemptions :–
When analysed, various data protection enactments around the world have common exemptions on the grounds of national security. There could be several specific exemptions that are particular to the Indian Social and Economic Environment. In the Indian context, it will be important to include exemptions on grounds of national security, discharge of statutory functions, protection of health and safety of citizens and such other circumstances as appropriate. However, in articulating exceptions care must be taken to ensure that the purpose for framing of the legislation is not diluted so much as to make it meaningless.
M. Regulatory set up :–
Talking about Indian context, the role of data regulator would be dependent on the legislation. It is intended that the law should operate as umbrella legislation under the terms of which various sector specific legislations would spell out the more detailed sector oriented issues, then a regulator would be required to harmonise the provisions of the data protection law with the sector specific legislations. Where the legislation spells out the broad principles for data protection, it will be left to the data regulator to articulate the specific regulations.
If it was not for this rapidly increasing off-shoring business and the Unique Identification Number programme, India would perhaps never have worried much about data protection, as there are already existing provisions in the Indian legal framework for protection of data, though not at the scale at which protection is warranted under the current circumstances. The personal data of an individual is at risk, as their Aadhaar number which can identify the particular individual is available with both the public and the private domains. In an Aadhaar like setup, the biggest threat to data comes from potential insider leaks. The Aadhaar programme does not have a clear design which can strongly restrict such insider leaks. We believe that effective protection against insider leaks necessarily requires a data controller at UID headquarters as well as at the companies hired for the collection of data on behalf of the Government. UID programme has started and various complaints also have been registered against the Company hired for collection of data by the Government at several places. Thus, though there are serious privacy concerns at present, we believe that Aadhaar can be made safe from the legal perspective by enacting a legal framework for data protection for more specific significant strengthening. Perhaps the single most important specific question that begs answering is who should have the right to verify the identity of an individual, and under what circumstances? Though Aadhaar Act has been enacted but a stringent single codified law is needed for the better protection of data in India.
* Author - Nirma University Institute of Law. Shivani Bharatbhai Joshi, Ph.D. student. Published in GLH Journal Soponsored by Bar Council of Gujarat - Regent is Authorised Publisher of E-Journal GLHEL THE-LAWS