“While the Draft [Data Access] Policy is a step in the right direction, it needs to be more robust and privacy-preserving, and must not be implemented until there is a Data Protection Act in place. This would ensure that minimum levels of protection are there for the citizens,” the Software Freedom Law Center (SFLC.in) said in its feedback on the Draft India Data Accessibility and Use Policy 2022.
“Moreover, the government should do away with the data ownership model and replace it with the data stewardship model, so as to ensure that the government does not monetize citizens’ data with low-security standards in place, and without any checks and balances,” SFLC said.
The draft data access policy, which was published by the Ministry of Electronics and Information Technology (MeitY) on February 21, looks to introduce measures that allow for greater data-sharing amongst government bodies and other private stakeholders. It was open for feedback until March 18, 2022.
Ownership and pricing of data
- Pricing data in conflict with Open Government Data principles: The draft data access policy claims to promote Open Government Data (OGD), but its proposal to price data conflicts with OGD principles because OGD refers to data collected and processed by the government that is free to use, reuse, and redistribute, SFLC submitted. Pricing this data goes against the principles of open data followed by most governments across the world, SFLC added.
- The data ownership model should be replaced by data stewardship: According to the draft policy, the datasets and databases formed by government data collection and processing are owned by the government. This should be replaced by the “stewardship” model proposed in the non-personal data (NPD) framework, which treats the data principal as the owner of the data and the government as the data trustee responsible for the management of the data, SFLC suggested. The citizens should own the data, SFLC said.
- Databases should not be copyrighted: SFLC submitted that the databases created by the government must be in the public domain as they are made by state employees using taxpayers’ money, and must not be copyrighted. Besides, copyrighting is not strong protection because modification of the original database which results in a new and better arrangement of the database is not considered copyright infringement, SFLC explained.
Lack of a data protection regime
- The Data Protection Act is yet to be passed: SFLC objected that the draft data access policy has been proposed without any statutory backing and without the Data Protection Act being passed and implemented, which could eventually result in low privacy and security safeguards for data shared under the policy. “In the absence of the enactment of a Data Protection Bill which governs data-sharing and access protocols, the Government has an absolute overreach and discretion on the sharing of data with private entities,” SFLC said.
- No security measures in place for anonymization of data: “In such a climate, the selling of data seems like a dubious thing to do – since there are no security safeguards put in place for anonymization, and the task has been delegated to the respective ministries. This would leave room for states to decide the standards for themselves,” SFLC added. Since high-security standards demand better infrastructure, government departments will not have the incentive to have proper security standards in place for the protection of data. There is also a chance that the Government will exempt itself from the provisions of the Data Protection Act when passed, further resulting in no checks and balances on government-to-government (or G2G) sharing of data. Given this, MeitY should have secure anonymization standards in the policy itself, SFLC recommended.
Grievance redressal mechanism
- Lacks a grievance redressal mechanism: The draft policy lacks a grievance redressal mechanism. While issues with the Government Open Data License and copyrights may be referred to the redressal mechanisms set up under the license and the Copyrights Act respectively, other disputes such as data protection do not have an arbitrator. “For instance, individuals might have their identity known by re-identification if the anonymization is not secure enough, and in such cases, the aggrieved party needs to have a nodal person to contact and lodge their grievance,” SFLC submitted.
The framework of the India Data Office (IDO)
- Government has excessive power in the appointment of IDO members: The draft policy proposes setting up an India Data Office (IDO) to consolidate data access and sharing of public data repositories across the government and other stakeholders, but since the members of the IDO body shall be appointed solely by MeitY, the government has excessive powers without any oversight, SFLC submitted. Furthermore, the manner of appointment will be arbitrary in the absence of transparent and reasoned guidelines and protocols, SFLC added.
- Data will be sold to the highest bidder without any say of the user: According to clause 6.6 of the draft policy, access to non-personal datasets will be provided by the IDO to interested parties such as researchers, start-ups, enterprises, individuals, and government departments. This effectively means that data can be sold to the highest bidder, with no say of the user, SFLC submitted. “For instance, under the Bulk Data Sharing Policy and Procedure, the Government effectively admitted to selling bulk data of vehicle owners to private parties from its Vahan and Sarathi databases, earning Rs. 65 Crores in the process. A similar exercise is bound to be carried out under the Draft Policy as well, involving exponentially greater amounts,” SFLC said.
- IDO’s role is not clearly defined, could overlap with DPA: SFLC submitted that the roles and responsibilities of the IDO have not been clearly defined under the draft policy and it is still unclear if the IDO will perform any grievance redressal mechanisms or simply act as an oversight body. “The precise nature of the IDO must be clarified in order to have a streamlined process of grievance redressal, and it remains to be seen whether its functions would overlap with those of the DPA,” SFLC said.
Labelling of datasets
- Classification of data into open, restricted, and non-shareable needs more safeguards: According to the draft policy, every government department will identify non-personal datasets as Open, Restricted or Non-Shareable, which implies that each of such organizations will be analyzing and identifying the non-personal datasets in order to characterize them into one of the three categories. “This raises several concerns on security measures, risk-mitigation and risk-analysis measures to safeguard such non-personal datasets from data breaches,” SFLC submitted.
- Exceptions must be clearly defined: The government must clearly identify which datasets would be non-shareable and explain the rationale behind the same in order to avoid ambiguity, SFLC submitted.
- Non-personal data can be linked to individuals using advanced techniques: SFLC explained that anonymized non-personal data can be linked back to people using advanced techniques and so it remains to be seen whether pseudonymization techniques, which involve subjecting data to technical and organizational measures, are required to ensure data cannot be linked back to identifiable natural persons.
Data retention timeline
- No data retention time period provided: The draft policy does not provide any time period for data retention and leaves it to the ministries and departments to decide for themselves. “Therefore, data retention periods can be 30 days or 3 years, or even 30 years; it shall be the sole prerogative of the Ministry to decide,” SFLC submitted. This will allow departments to store and share such data for excessively long periods of time. SFLC suggested that MeitY must specify the data retention timelines within the draft policy itself for specific categories of data.