The Securities and Exchange Board of India (SEBI) has set up a standing committee to recommend a policy on access to non-personal data related to the financial securities markets, the regulator announced on Tuesday. Named the “Market Data Advisory Committee” (MDAC), it will recommend regulations on data privacy and data access.

SEBI’s move comes in the absence of legislation governing non-personal data (NPD) in the country — earlier this year, an expert committee had recommended a framework for the same.

The markets regulator has set up the standing committee as it believes that NPD — which it dubs “non-private data” — within the Indian securities market is a “public good”. SEBI hopes the initiative will help make data on the Indian securities market available to researchers, policy makers and the general public.

“Financial markets are traditionally data rich and data driven. With ever growing financial markets, the volume and variety of data have also increased many fold over the years and will continue to do so. With increasing size and complexity of financial markets, the importance of data for research, decision making, and innovations in financial markets cannot be overemphasized.”

SEBI Press Release October 19, 2020

The 20-member MDAC is chaired by Madhabi Puri Buch, whole-time member, SEBI, and includes the chief executive officers of stock exchanges and depositories, among others, as its members.

In July this year, SEBI had signed a memorandum of understanding (MoU) with the Central Board of Direct Taxes (CBDT) to exchange “any information in their respective databases” on an automatic and regular basis. It is unclear what framework the markets regulator follows when sharing data with the CBDT or other domestic authorities, or under the 22 bilateral MoUs it has signed with markets regulators abroad.

MediaNama has reached out to SEBI, and will update the story when they respond.

Differences between SEBI’s data sharing policy and NPD report

MDAC is the latest of SEBI’s initiatives on sharing non-personal data from the securities market. Until now, the most prominent of these initiatives was the data sharing policy it had released in October 2019. This policy, which is meant primarily for research and analytical purposes and will likely guide the MDAC, pre-dates the expert committee report on NPD, which was published in July this year.

‘Data Seeker’ defined in SEBI policy: The regulator defined entities such as educational and research institutions who request data from it as “data seekers”. However, the NPD report does not define these entities as a separate category. Instead, the report had said that everyone — both individuals and organisations — should have “controlled” access to NPD, specifically for sovereign, public-interest and economic purposes. The requests for data access would be processed by “Data Trusts”:

“Data trusts are the institutional structures, comprising specific rules and protocols for containing and sharing a given set of data […] Data trusts can contain data from multiple sources, custodians, etc. that is relevant to a particular sector, and required for providing a set of digital or data services.”

Committee of Experts on Non-Personal Data Governance Framework

In-house SEBI body to govern NPD: Per SEBI’s policy, an in-house Data Analytics Controller (DAC) is responsible for assessing requests made by data seekers, and for enforcing rules on how this data is used. In essence, the DAC functions as a “data trust”, as defined by the NPD expert committee report, since it assesses data requests.

Meanwhile, the NPD report had called for the setting up of a Non-Personal Data Authority (NPDA) to govern all matters NPD. The NPDA is supposed to formulate and enforce rules for the collection and processing of data, along with enabling data sharing between businesses, regulators and other stakeholders.

Policies agree on definition of ‘Data Custodian’: SEBI’s data sharing policy coincides with the NPD expert committee’s report on the matter of “Data Custodians”. Per SEBI’s policy, a data custodian is any internal department that collects, generates, processes and stores data. This is similar to the definition in the NPD expert committee report.

“The data custodian undertakes collection, storage, processing, use, etc. of data in a manner that is in the best interest of the data principal […] The data custodian may also be considered as data fiduciary, subject to certain directions and control and acting as per the interest of data principal/ group/community.”

Committee of Experts on Non-Personal Data Governance Framework

Examining SEBI’s rules on data sharing

Meanwhile, SEBI’s data sharing policy from October 2019 places certain safeguards and rules on the data seekers to whom it grants access to data. With respect to the NPD report, it is currently left to the hypothetical NPDA to decide what safeguards there should be for data access.

SEBI has announced that data seekers can ask for market data from 17 of its departments, including its Information Technology, Surveillance, Regulation, Investigations and Enforcement departments.

  • Confidentiality and non-disclosure agreements: Data seekers are mandated to sign a confidentiality and non-disclosure agreement for the data being requested from the data custodian. Data can only be requested for a maximum of one calendar month, after which the DAC would need to grant an extension to the data seeker.
  • Data must be expunged after project is completed: Per SEBI’s policy, once the data project has been completed, the data seeker must expunge the data that it has received. The data seeker will need to verify that they have expunged the data once the project is concluded.
  • DAC can inspect data seeker’s project: The DAC also has powers to inspect the data seeker’s project. This ensures that the DAC can ascertain whether the data is being misused or is being used for purposes other than those for which the approval is granted. If the DAC finds an irregularity in the use of the data, appropriate action will be taken against the data seeker under law.
