By Soujanya Sridharan and Shefali Girish
In May 2022, the Ministry of Electronics and Information Technology (MEITY) introduced the National Data Governance Framework Policy (NDGFP) to propel India’s development through data-driven research and innovation. More specifically, the Policy seeks to build a vast repository of anonymised, non-personal data obtained from government ministries, departments and organisations, alongside anonymised data voluntarily disclosed by private entities. Such a non-personal data repository, termed the ‘India Datasets Platform’, will be available for research purposes and innovation by start-ups operating in India.
This revision – one which removes licensing requirements for data access in favour of a repository maintained by the government – is significant as the Policy attempts to overcome critique directed at its now-scrapped predecessor, the Draft India Data Accessibility and Use Policy (IDAUP). While the IDAUP alarmingly called for monetisation of anonymised public datasets, the current Policy remedies this through the introduction of the India Datasets Platform that is to be managed under the auspices of the proposed ‘India Data Management Office’. (IDMO). And herein lies the conundrum.
Never miss out on important developments in tech policy, whether in India or across the world. Sign up for our morning newsletter, with a “Free Read of the Day”, to experience MediaNama in a whole new way.
IDMO and the mechanics of data sharing
The IDMO, to be set up under the Digital India Corporation, is tasked with developing the necessary rules, standards and policies for sharing of anonymised data, as envisaged by the Policy. Notably, however, the Policy remains glaringly silent on the specifics of the composition and the processes by which the IDMO would go about performing its role of standard-setting and policymaking for the India Datasets Platform, opening doors for arbitrary executive action.
Beyond framing policies, rules and setting standards, the IDMO must also ensure continuous monitoring of data sharing activities and set up oversight mechanisms for conducting risk assessments and external data audits.The IDMO could be structured as an independent body, such as the Financial Data Management Centre (FDMC) which was set up under the aegis of the Reserve Bank of India’s Financial Stability and Development Council (FSDC) to facilitate integrated data aggregation and analytics in the financial sector.
More fundamentally, the IDMO’s functions should include establishing standards for data storage, interoperability and appropriate controls for data use such that data quality, usability and privacy are upheld through the lifecycle of a dataset. For tasks such as standard formulation, different expert committees need to be set up. To this end, the IDMO could borrow from the US Federal Data Strategy that has expert working groups such as the Data Sharing Working Group which focuses on data sharing between federal agencies and supports the Chief Data Officer Council on communicating use cases, challenges and various data sharing needs.
Further, Section 5.2 of the Policy provides for the IDMO to hold at least 2 semi-annual consultations with representation of government and industry. However, the extent of participation of stakeholders and the manner in which consultations will be structured is yet to be determined. Embedding a robust consultation process with active involvement of all relevant stakeholders including academia, civil society, government bodies that would work alongside start-ups is required to develop the required flexibility in guidelines for data management. The Telecom Regulatory Authority of India (TRAI) provides a useful rubric for the IDMO to contemplate participatory consultation processes. TRAI has constituted advisory committees with representation from consumer groups and industry stakeholders, with a common charter to promote consumer participation in the process.
Additionally, the Policy governs access of non-personal datasets to researchers and startups. It therefore becomes imperative to assess the gaps in the technical capacities of start-ups pertaining to data management before suggesting a framework that encourages businesses to share data. The IDMO should also focus on building capacity and supporting government departments in development and implementation of data sharing mechanisms. This can be achieved by building digital public infrastructure which enables basic functions essential for public and private service delivery, i.e. collaboration, commerce, and governance. DPIs comprise a foundational layer upon which the government can collaborate with the private sector and enable sharing of data for social benefit.
An encouraging precedent for DPIs exists in the form of UPI, which is an interoperable real-time payment platform connecting users and merchants to raise simultaneous payment requests, with an essential infrastructure which is scalable and powered by a set of open APIs. While this illustrates how a unified public technological ecosystem with multi-layered platforms can significantly improve access to financial services, its governance suffers from shortcomings. This is because the NPCI, the governing authority for all digital transactions that occur on the UPI, remains opaque and is a private body which is not subject to mandatory disclosure under the Right to Information Act. The lack of any accountability framework coupled with the absence of an overarching data protection law creates possible vulnerabilities for UPI users and avenues for misuse of data – two drawbacks that the IDMO must be alive to while setting up technical infrastructure for the India Datasets Platform.
Way forward for data sharing
What is needed to make the Policy a meaningful and implementable regulatory instrument is an enabling ecosystem which creates mechanisms for sharing of non-personal data such as data exchange platforms and data collaboratives. Much can be gleaned from Estonia’s X road which enables the exchange of data amongst different government departments, citizens, and other private sector stakeholders. X-road follows an open digital ecosystem approach by making decentralised public and private databases interoperable, building on reusable and shareable components, ensuring privacy and secure data exchange and having accountable institutions (the Estonian Information Systems Authority) to monitor and regulate the ecosystem.
Lastly, the IDMO’s actions to unlock non-personal data for research and innovation would be meaningless without appropriate protections afforded to a variety of potential harms arising from data sharing. This includes breach of individual and group privacy due to re-identification of people through combinations of datasets available on the India Datasets Platform. Therefore, it is essential that the current Policy be placed on hold until a data protection legislation is passed. Such a regulation is indispensable to secure the data rights of Indians, paving the way to hold data requesters accountable if they fail to comply with the provisions of the NDGFP.
Soujanya Sridharan and Shefali Girish are researchers working with Aapti Institute, a think tank studying the impact of technology on society.
This post is released under a CC-BY-SA 4.0 license. Please feel free to republish on your site, with attribution and a link. Adaptation and rewriting, though allowed, should be true to the original.
- What Are The Concerns Plaguing Industry On The National Data Governance Framework?
- New Data Governance Framework Ditches Monetisation, Encourages Businesses To Share Non-Personal Data
- Summary: A Data Governance Framework Based On Granular Consent
- #NAMA: Anja Kovacs On The Problems With India’s Report On Non-Personal Data Governance Framework
- Why ‘Group Privacy’ Should Be Recognised, And How ‘Non-Personal’ Data Becomes A Regulatory Blindspot
- Deep Dive: What Will Be The Impact Of A Non-Personal Data Framework On M2M Communication?