The language of data protection

The Indian Express By Karishma Mehrotra
 July 30, 2018

On Friday, a committee in the Ministry of Information and Electronics Technology submitted the draft of a Bill on protection of personal and sensitive data, along with a report of analysis. Both introduce some key terms to the data protection debate:
DATA PRINCIPAL: It is the person, company, or entity whose information is being collected. “Data” means information that is represented in a form that is more appropriate for processing. “Processing” refers to the operations done to the data, often forms of organisation, searching, combining, and more to glean further information.
DATA FIDUCIARY: This can be a person, state, company, or any entity that decides why data should be processed and how it should be processed. Unlike the Ministry committee, others sometimes refer to this as the “data controller”.
SIGNIFICANT DATA FIDUCIARIES: This classification is based on the volume and sensitivity of the data as well as the fiduciary’s revenue, risk of “harm” (see below) to the principal, and type of technology use. Some regulations of the draft apply only to these significant fiduciaries, such as assessments, audits, record keeping, and hiring a data protection officer.
DATA PROCESSOR: While the fiduciary controls how and why data is processed, the processing itself may be conducted by a third-party, the “data processor”. This distinction is important to delineate responsibility as data moves from group to group. For example, in the United States, Facebook (the data controller) was hit by controversy over the actions of a third-party data processor, Cambridge Analytica.
HARM: The draft aims to protect against “harm” to the individual caused by data processing. It relates harm to mental injury, identity theft, finances, reputation, employment, discrimination, and service denial. Harm also includes any restrictions to individual action because of the fear of surveillance and any surveillance that is not “reasonably expected” by the individual.
AUTOMATED MEANS: Data processors work with data either manually or by automated means. While this definitional distinction may blur, in today’s technological landscape “automated means” colloquially connotes processes such as machine-learning algorithms. In these procedures, algorithms sift through vast amounts of data, find patterns, and apply those patterns on new information to get results.
PERSONAL, SENSITIVE DATA: “Personal data” can identify the person associated with the data while “sensitive personal data” covers a list of categories such as passwords, finances, health, biometrics, caste, and more. Personal data can be processed if there is consent, if it is for the functions of the state, if it is in compliance with the law, for prompt action such as medical and safety emergencies, for employment, or for reasonable purposes.
LIMITATIONS: Two key pillars of the Bill are “purpose limitation” and “collection limitation”. The draft limits the collection of data to what is needed for “clear, specific, and lawful” purposes or for reasons that the data principal would “reasonably expect.”
DATA PROTECTION AUTHORITY: The draft calls for the creation of an independent regulatory body, called the “data protection authority” (DPA). It has four groups of tasks. In adjudication, the DPA receives grievances and handles enforcement. In monitoring, it oversees internal assessments and external audits of the fiduciaries, as well as tracks data security breaches. In policy, the DPA defines sensitive personal data, “reasonable purposes” (see below) for processing, forms of consent, and the lawful transfer of data outside of India. Finally, the DPA conducts research and awareness building about data protection.
REASONABLE PURPOSES: The DPA can determine these by taking into account the interests of the fiduciary, public interest, individual rights, and the reasonable expectations of the individual.
DATA TRUST SCORE: The DPA can assign, register, and manage data auditors, who then may give fiduciaries a “data trust score” after a “data audit”.
ADJUDICATING OFFICERS: A wing in the DPA, they will have the power to call people forward for inquiry into fiduciaries, assess compliance, and determine penalties on the fiduciary or compensation to the principal. Adjudication decisions can be appealed against in the appellate tribunal.
RIGHT TO BE FORGOTTEN: Among the tasks of an adjudicating officer is to decide on cases of “the right to be forgotten”, a concept born out of the Internet’s so-called extended memory. With historical roots in European Union law, this right allows an individual to remove consent for data collection and disclosure. While in the EU the task for assessing requests for removal falls on the fiduciary, India’s draft asks the adjudicating officer to decide by balancing individual rights with the right to free speech and the right to information.
DATA PROTECTION OFFICER. The DPO will be appointed in “significant fiduciaries”, and the DPA will liaise with the officer to facilitate data protection and compliance. The officer is tasked with internal “data protection impact assessments”, grievance redress, record maintenance, and more. For foreign fiduciaries, the DPO must be based in India to represent the fiduciary.
DATA LOCALISATION: One of the highly debated topics in the draft, this relates to regulation about the transfer of data outside national borders. The draft Bill suggests mandating every fiduciary to store at least one copy of personal data in India, with exceptions determined by the central government. If the data is “critical personal data” (determined by the central government), then that data can only be stored and processed in India.
Personal data can be transferred out of the country in the case of contracts, with central government and DPA approval, based on adequate level of protection in destination country, or individual consent. Sensitive personal data can be transferred abroad in cases of health emergency and central government approval.
DE-IDENTIFICATION: Often the markers of data that make an individual identifiable can be removed, or masked, in a process of “de-identification.” The committee report admits a definitional grey area, weighing terms such as “anonymisation” and “pseudonymisation”. The draft deems “re-identification” — the reverse of the former — an offence.
PRIVACY BY DESIGN: This is a concept in which the de-identification process plays a role. The report conveys this to mean organisational practices that avoid harm to individuals and that process data in a transparent manner, including the assurance that business interests are achieved without harming privacy rights.
DATA PORTABILITY: The draft grants individuals this right, or the ability to access and transfer one’s own data. It specifies that the data should be received in a “structured, commonly used and machine readable format”. The committee report tempers this right with the issue of trade secrets and technical feasibility. Fiduciaries may charge fees for this process.
Reference:

Comments

Post a Comment

Popular posts from this blog

India Joins Russia in Voting Against West-Backed Move to Expand Powers of OPCW

The Wire: June 28, 2018 New Delhi: India voted against a UK-backed move that will allow the global chemical weapons watchdog to apportion blame for illegal attacks, criticising the decision to grant “unchecked powers” to the head of the group which could be used for “partisan” purposes. On Wednesday, more than two-thirds of the member states of the Organisation for the Prohibition of Chemical Weapons (OPCW) voted to authorise the international body to identify the perpetrators and sponsors of a chemical weapons attack. It also specifically called on the OPCW’s technical secretariat to begin work on identifying the perpetrators behind the use of chemical weapons in Syria. The draft decision, sponsored by 30 countries, was adopted at the fourth special session of the conference of the states parties to the Chemical Weapons Convention at the Hague, with 82 in favour and 24 negative votes. While Europe, the United States and their allies voted ‘yes’, there was strong oppo...
Read more

As financial insecurity rises in urban India, so does investment in insurance

Image
Scroll.in March 13, 2020 Urban Indians are becoming less confident about their financial security. Up to 58% of them fret over financial independence post retirement, which is a 4% increase from last year. An equal share of urban Indians worry about meeting their daily medical expenses and sustaining their current lifestyle once they stop working. The findings are part of a survey published by Delhi-based Max Life Insurance in association with London-based consultancy Kantar. The firms surveyed 7,014 respondents in 25 cities, including six metros, nine tier-1 cities, and 10 tier-2 cities, between December 2019 and January 2020. Source: Max Life Insurance via Quartz The trends Source: Max Life Insurance via Quartz Source: Max Life Insurance via Quartz Source: Max Life Insurance via Quartz A significant share of urban Indians also say their families will have no financial support in the event of the breadwinner’s death. In such a scenario, around 57% believe the family sav...
Read more

ED tracks Swiss Bank A/Cs of Agusta scamster

The Poineer February 10,2019 Rakesh K Singh The Enforcement Directorate (ED) has tracked a dozen Swiss bank accounts in the name of Rajiv Saxena, who is key accused in the Rs 3,600 crore AgustaWestland VVIP chopper scam. The ED has also found out accounts held by  his family members and associates where the kickbacks in the now scrapped deal were allegedly parked. Two bank accounts are in the name of Rajiv Saxena’s  associates Pankaj Jain and Sumita Jain who are also the authorised signatories. The  third is in the name of another associate Ajit Singh Bubber, but Rajiv and his family members are authorised signatories. The remaining nine accounts are largely owned and operated by Rajiv, his family members and associates. Rajiv Saxena was deported by the UAE authorities on January 30 and the ED formally arrested him the next day and a court later granted his remand to the agency. He is currently undergoing custodial interrogation by the ED. The agency had in 2017...
Read more