• News
  • Columns
  • Interviews
  • BW Communities
  • Events
  • BW TV
  • Subscribe to Print
  • Editorial Calendar 19-20
BW Businessworld

Complications In The Non-Personal Data Report That Remain Unaddressed: Report

The policy does explain the concept of a “policy switch” that allows Trustees a platform to set access controls, but no mention of revocation of permission/data has been addressed in the document.

Photo Credit :

Aapti Institute, a public research institution working at the intersection of technology and society, believes that better technologies and better policy will come from understanding lived experiences on the ground, and will be submitting comments on the draft recommendations on the regulation of Personal Data, as invited by the NPD Committee.

The NPD committee came out with its report last weekend, that everyone from policy consultants, to civil society and the private sector are busy breaking down the proposed framework. But it remains to be seen how the policy will mesh with existing transactions in data as well as the regulatory mechanisms and institutions already in place.

Nominally, users have been understood to be data principals; similarly, as under the Personal Data Protection Bill, groups of users with common interests have been understood to be ‘communities’ which have their own joint common interest in data that pertains to the specific group. These communities are expected to articulate their interests and preferences over their data through ‘Data Trustees’ – and these Data Trustees are a representative body meant to represent this collective interest – however it is not entirely clear how it is ensured that the community interest is in fact expressed in the data trustee’s submissions, and how the trustee is protected from regulatory capture. What ensures that a Data Trustee does not go rogue or serve interests other than those of the Data Principal?

Commenting on Data Regulation, Siddharth Manohar, Sr. Research Associate, Aapti Institute said, “The Data Custodian is more straightforward in its scope, tasked with the actual implementation of the interests of the Data Principal, itself being a data fiduciary and therefore undertaking data processing and sharing, once again in the best interests of the Data Principal. The distinguishing factor here however is the presence of a legal duty of care –being a fiduciary, the Data Custodian can be held liable for failure to carry out its duty to protect the Data Principals’ interests”.

There are important aspects to take note of:
Lack of a clear decision-making process: This framework of Principal-Trustee-Custodian requires the presence of agile actors as part of the system to ensure smooth operation. The mechanism of data sharing itself also leaves further clarity to be desired – data requests may be made to Data Businesses (i.e. companies that work with large proprietary datasets), or alternately made to a Data Custodian. An important complication here is that the Data Custodian is also empowered to offer value-added services based on data at their disposal – this presents a direct conflict of interest if Data Custodians are in effect competing with Data Businesses. The report, while mentioning that there should be incentives and remunerations for Data Custodians, does not explicitly prohibit a for-profit operation, and nor does it indicate a mechanism to prevent third-party influence.

The report also presents the possibility of the Data Trustee setting up a Data Trust to enable easier management of the data to be shared – as per the report, the Data Trust is described merely as an institutional ‘data infrastructure’ that ensures the control of the Data Trustee of data usage. Although it has been stated that a Data Trustee would deploy Data Trusts for ‘public’ use of non-personal data, the conditions where Data Trusts may or may not be used have not been completely addressed in the policy

A lack of accountability, checks and balances:
The framework created by the policy is backed up with directions to prescribe incentives, remuneration, and rules for the operation of the Trusts, Trustees, Communities and Custodians. What is less clear however, is how Data Trusts will ensure that the purpose for which they are set up will actually be served.Another possible complication arises when a Data Principal community may disagree with the measures of the Data Trustee, or when there is a lack of consensus within the identified Data Principal community. The parameters for identification of the community itself contain some ambiguity within the policy. It is not clear how a conflict between the Data Principal Community and the Data Trustee would be resolved, or how the Data Custodian remains accountable to the Data Trustee.

Handling consent in Non-personal data:

Another instance that bears further elaboration is the issue of consent in processing of non-personal data. The policy specifies that consent should be collected for processing anonymized data at the point of collection of personal data, therefore providing consent for processing non-personal data that may pertain to a Data Principal. How this operates along with the framework of Data Trustees is an interesting question – it is not evident that Data Trustees may be able to revoke consent on behalf of their representative community. The policy does explain the concept of a “policy switch” that allows Trustees a platform to set access controls, but no mention of revocation of permission/data has been addressed in the document.

Tags assigned to this article: