In its response to the government’s report on non-personal data governance, Bangalore-based private think tank iSPIRT Foundation said that the report is “sound in premise but murky in detail” and that “more work must be done to detail compliance requirements and standardize the mechanisms of sharing such data” before the report is finalised. iSPIRT said that among its fundamental beliefs regarding data is that the “user must be in charge” and that Indian companies should be in a level-playing field, for which “some ring-fencing must exist to protect against global data monopolies”.
The MEITY Committee of Experts on governance of Non-Personal Data had recommended that a separate legislation be formulated to govern non-personal data, and that a new regulatory body should be formed for its governance. The committee, headed by former Infosys head Kris Gopalakrishnan, released its report in July and is accepting comments to it until September 13.
iSPIRT Foundation has been instrumental in the development of UPI, and is now playing a key role in the development of the Health Stack and Open Credit Enablement Network, which is modelled on the Unified Payments Interface (UPI) for retail digital transactions.
More than making recommendations, iSPIRT questioned the implications of the report, and sought clarity with regard to foreign investments and interaction with the Personal Data Protection Bill, 2019.
For instance, the report states that one of its key objectives “to promote and encourage the development of domestic industry and startups that can scale”. iSPIRT asked what the implications of this would be:
- If a foreign company invests in an Indian start-up built on non-personal data, will the startup be allowed to access community data?
- What will be the implications of a foreign firm acquiring or owing a majority stake on such a start-up?
To arrive at its recommendations, iSPIRT took the example of a fictional health start-up that seeks to generate radiology summaries from anonymised lung X-rays, which as per the NPD report and iSPIRT would qualify as community data, that the start-up obtains via a data trust. Here is a summary of the recommendations, issues, and suggestions made by iSPIRT:
iSPIRT’S recommendations and issues raised
1. E-commerce, delivery data, etc, can be considered community data: The report suggests that data generated during the course of a business’s activities may be considered private business data, which may not be mandated to be shared, iSPIRT wrote. This, the think tank said, would mean that “e-commerce, delivery and employee data fall under private business data – although an argument could be made for classifying this as community data”.
2. Raw data needs to be clearly differentiated from processed data: “The lines between raw and (various levels of) processed data should be clearly demarcated,” per iSPIRT. A fictional health start-up, as mentioned above, would need to obtain lung X-rays from laboratories. But even labs obtain such data “from anonymizing raw personal data, so presumably it is now processed and need not be shared without remuneration”.
3. It is not clear how a data principal’s rights are guaranteed: iSPIRT wrote that there is no guarantee for the data principal (user) that their interests are protected and that their data “is impervious to de-anonymization”.
4. Questions around consent need to be addressed: iSPIRT pointed out that the report says that consent must be taken from the community actors before anonymisation and use. The think tank asked how such consent would be taken, how its purpose be determined, and how its collection be enforced. iSPIRT asked, “How will its purpose be determined and collection be enforced before any data is anonymized and utilized?”
5. Report is in conflict with the Personal Data Protection Bill regarding search engines and consent: The Personal Data Protection Bill, 2019, exempts search engines from having to take consent for processing personal data, iSPIRT pointed out. At the same time, the Non-Personal Data Report mandates sharing of all raw non-personal data. As a result, search engines will “actually disincentivized from anonymizing its personal search data” and by keeping this data personally identifiable, they will be “prevented from having to share it with competing search engines and startups”. “Can misaligned incentives such as these hinder progress towards the report’s stated goals?” iSPIRT asked.
6. Data trustees are not clearly defined: iSPIRT first questioned why labs and hospitals would hand over control of their data to data trustees, which intend to share with others, such as the fictional health start-up. Further, it asked who the data trusts would be in this case — the Ministry of Health and Family Welfare, the National Health Authority, or an NGO for cancer patients? “If there are multiple data trustees that have an interest in the same underlying data, how is it ensured that every decision that each of them takes is in the best interests of the user?” it asked.
7. It is not clear how “beneficial ownership” benefits the data principal: The report says that all sharing of community data should be based on the concept of “beneficial ownership” where the benefits of this data sharing also accrue to the data principal, iSPIRT pointed out. Considering their own hypothetical example of rad.ai, iSPIRT asked, “How is the patient directly benefiting from such a data-sharing mechanism? What mechanisms are in place to enable such benefits?”
8. Responsibilities of government as a data custodian are not established, nor rights of data principal over data collected by government: iSPIRT pointed out that the report recommends that all data generated through government and government-funded activities should be classified as public non-personal data, which is in turn called a national resource. However, the report provides no guidance on compliance burden on government agency that controls such public data, iSPIRT said. “Will government hospitals still be required to make it available? More importantly, does the community (i.e. patients) have no claim to their data in this case merely because it was collected by the government instead of a private entity?” the think tank asked.
It’s worth noting that MEITY’s Non-Personal Data report says that non-personal data born from sensitive personal data — which includes health data — will yield sensitive non-personal data. At the same time, the Non-Personal Data Report says that “large anonymised data sets of health data could lend community level insights into diseases, epidemics, and community genetics – leading to better tailored health solutions for the community”. It said that if large health data sets relate to a define community of natural persons, it would constitute community non-personal data. It is thus unclear how such sharing health data, as both the NPD report and iSPIRT propose, would be allowed under the PDP Bill.
- Summary: Report on Non-Personal Data Framework released by MEITY’s Committee of Experts
- Five key concerns with India’s Non-Personal Data Report