Introduction to the NDGFP
The progressing modernization and rapidly growing technological advances in India call for the need of digitalization. With this in consideration, the Government of India (“Government”) aims to soon achieve the vision of a “Digital India” [1] As a way forward towards a Digital India, the next focus of the Government is the governance of digitized data, especially in light of the circumstances followed by the COVID-19.
Today, there is inconsistency in the manner that distinct departments of the Government manage and store its data, [2] which is the rationale behind implementing a systematic approach towards organization of the Government data. With this approach in mind, the Ministry of Electronics and Information Technology, Government of India (“MeitY”) had issued the India Data Accessibility and Use Policy (“Data Use Policy”) in February, 2022.
However, it is pertinent to note that, pursuant to the backlash received by the Data Use Policy, the MeitY had introduced the Draft National Data Governance Framework Policy (“NDGFP” or “Policy”) in March, 2022. NDGFP, unlike its predecessor (the Date Use Policy), is not viewed by the general public as a means of monetization for the Government by selling its data to private parties.
Contrary to NDGFP, the Data Use Policy proposed licensing and selling of datasets that have undergone value addition/transformation. This notion, in the opinion of the general public, was contrary to the objective of creating an easy access to organised data. [3] Further, unlike the Data Use Policy, NDGFP doesn’t stipulate any provisions to place restrictions on access to certain classified datasets.
Focus and Applicability of NDGFP
The objective of NDGFP is to establish a systematic and organized manner of management of government data enabling transformation of governmental services provided to the public. [4] In other words, through NDGFP, the Government aims to bring uniformity and improvement in the data collection methods and techniques currently adopted by it.
From a perusal of NDGFP, it is understood that its focal point is to provide the citizens with access to anonymized non-personal data sets. In furtherance, we understand that doing so would contribute towards significant aspects, including without limitation, the healthcare industry, educational endeavours, economic growth, and law and justice. [5]
It is pertinent to note that NDGFP is applicable to all departments and entities of the Government. Moreover, the State Governments and private entities are encouraged to take on the same.
The India Data Management Office
NDGFP calls for establishing and entrusting the India Data Management Office (“IDMO”) with the duty to develop rules, standards, and guidelines in relation to the objective of the Policy. [6] The IDMO, set up under the Digital India Corporation of the MeitY, is also responsible for setting up protocols to share access of databases of the Government. As per the Policy, the IDMO shall be authority entrusted with the decision making right with regards to access to data sets. In addition to the aforesaid, the IDMO shall instil a mechanism for redressal of public grievances in relation to the subject-matter of this Policy.
As part of data governance, the IDMO is also required to design a platform under the India Datasets Program, whereby, the non-personal and anonymized databases created from the Government data collection can be accessed by the Indian public for research and other informational purposes. [7] Upon a perusal of the Policy, it is further understood that for the purpose of access of data on the government-to-government level, a different mechanism is to be developed by the IDMO.
Key Issues with the NDGFP and Suggestions
1.Usage of ambiguous terms
NDGFP has been issued with a view to bring uniformity in collection and storage of non-personal data and anonymised data. However, MeitY has not defined ‘non-personal data’ or ‘anonymised data’ anywhere in the Policy. In fact, the Policy doesn’t even define the term ‘personal data’ let alone non-personal data. The Policy also doesn’t provide for the manner of categorizing and classifying data as anonymised, the absence of which may lead to privacy-related breaches.
It is pertinent to note that, the Indian legislation as it is currently, doesn’t define non-personal data. The only reference to ‘non-personal data’ has been made under the Data Protection Bill, 2019, whereby, it means any data which cannot be used for personal identification of individuals. In order to make sense out of the term ‘non-personal data’ under the Policy, reliance can be placed only on certain “government reports” [8] and the Data Protection Bill, 2019 (“Bill”). [9]
Similarly, reference can be made to the term ‘anonymization’ under the Bill to comprehend “anonymised data” under the Policy. However, reliance on the Bill is not the most accurate way to understand the scope and intention behind the introduction of the Policy as the said Bill has not been enforced as a legislation till date.
In furtherance to the usage of ambiguous terms like ‘non-personal data’ and ‘anonymised data’, the Policy refers to ‘researchers and start-ups’, however, it fails to elaborate on the categorization and applicability of ‘start-ups’. It is unclear whether start-ups refer to those registered and/or those permitted operations in India. In this regard, it is suggested that defining start-ups as that defined by the Department for Promotion of Industry and Internal Trade would provide the clarity sought for. [10] Moreover, the usage of the term ‘start-ups’ excludes all other stakeholders including big Tech companies.
In light of the aforesaid, it is hereby stated that the major drawback of the usage of vague terminology under the Policy is that results in the lack of clarity on the scope of the Policy.
2.Scope of the Policy
The issuance of the Policy has also lead to public interactions and discussions regarding the scope and coverage of the Policy. Private corporate players of the country have expressed concern on whether ‘non-personal data’ shall also include the data collected by public entities from private entities. [11] The concern regarding sharing access to the non-personal data collected from private entities roots from the protection of sensitive and confidential information of commercial nature. It is important for private entities to protect their non-personal data in view of commercial rights of confidentiality and secrecy along with statutory rights like intellectual property rights.
In this regard, it is suggested that prior to collection and providing access to non-personal data related to private entities or individuals, the Government shall conduct a detailed analysis of the impact of applicability of the Policy on such non-personal data. Thereafter, collective measures should be taken by the Government and the respective private entities to protect the legitimate concerns of the stakeholders involved.
3.Concerns of Data Privacy Protection
NDGFP states that the Policy aims to set standards and rules for data protection with respect to privacy concerns that may arise. [12] Nonetheless, the Policy fails to explain the manner of achieving privacy and security of datasets in the absence of any enforceable data protection laws in the country. In other words, the extent and standards of privacy and protection provided to the databases is, firstly, unclear and, secondly, unrealistic in consideration of the currently available legislation in India. Moreover, the lack of the MeitY to lay back on data protection laws is seen as a hindrance in the voluntary implementation of the Policy by private entities.
In addition to the aforementioned, it is pertinent to note that the information technology laws of the country are not equipped to tackle the violations brought by advancing technologies.
In light of the above, it is suggested that while establishing rules and guidelines for data privacy and protection, the extent of protection granted under the Policy is also clearly highlighted. At the same time, in consideration of the objectives of the Policy, the demand for data protection laws in the country has multiplied.
4.Constitution and Legal Status of IDMO
It is pertinent to note that the Policy is extremely elaborate in relation to the wide range of responsibilities laid on the IDMO, however, the Policy has failed to provide details on the appointment and composition of the IDMO. The Policy lacks crucial information with regards to the constitution of IDMO and this may be to arbitrariness.
In this regard, the provision of information on the composition of the IDMO and consideration of appointment of experts from the fields of information technology, data analysis, and legal background, to name a few, is suggested.
In addition, it is to be noted that the status of the IDMO is not that of a statutory authority. It is merely a division under the Digital India Corporation, a not-for-profit company established by MeitY. However, the Policy fails to address the legal status of the IDMO. It is unclear whether the IDMO is an office of the Government, autonomous body or a statutory authority with independent powers.
5.Overlap with National Data Sharing and Accessibility Policy
Upon the implementation of NDGFP, it is likely to overlap with National Data Sharing and Accessibility Policy (“NDSAP”) currently in force. The NDSAP is applicable to all non-sensitive data of the Government.[14] The purpose of NDSAP is to encourage sharing of data owned by the Government with the aim of achieving national development. It is observed that, although the scope of NDSAP is wider than NDGFP, an overlap between the two is possible.
In this regard, it is not clear whether NDGFP will complement, replace or prevail NDSAP. It is suggested that the impact of NDGFP on NDSAP and any other similar policies, guidelines or projects is addressed by MeitY under the Policy.
Conclusion
Although NDGFP is quite vague and loosely drafted, it is a step forward from the Data Use Policy. The same can be inferred from the stakeholder interaction held on June 14, 2022 with regards to NDGFP, whereby, more than 250 stakeholders from distinct fields including without limited information technology, educational industries and governmental authorities have participated in the discussion.[14] This being said, the Policy is far from being ready for implementation. For a successful implementation of the Policy, MeitY is required to address its key issues as highlighted above.
Author: Megha Sugandhi, Associate.
Disclaimer: The content of this article is intended to provide a general guide to the subject matter and that the same shall not be treated as legal advice. For any queries, the author can be reached at megha@samistilegal.in.
END-NOTES:
[1] It refers to the objective of transforming India into a digitally empowered country.
[2] Ministry of Electronics and Information Technology, Draft National Data Governance Framework Policy (May 27, 2022), https://www.meity.gov.in/writereaddata/files/National%20Data%20Governance%20Framework%20Policy_26%20May%202022.pdf.
[3] Lexology, The Draft National Data Governance Framework Policy (June 8, 2022), https://www.lexology.com/library/detail.aspx?g=2cd332c0-9223-4237-b03a-d238a4bced77.
[4] Supra at [2].
[5] Id.
[6] Id.
[7] Id.
[8] Ministry of Electronics Information Technology, Report by the Committee of Experts on Non-Personal Data Governance Framework (Dec. 16, 2020), https://static.mygov.in/rest/s3fs-public/mygov_160922880751553221.pdf.
[9] Mason Associates Advocates, The Draft National Data Governance Framework Policy (June 27, 2022), https://mason.co.in/the-draft-national-data-governance-framework-policy/?utm_source=rssutm_medium=rssutm_campaign=the-draft-national-data-governance-framework-policy.
[10] Id.
[11] Id.
[12] Supra at [2].
[13] Ministry of Science and Technology, Government of India, National Data Sharing Accessibility Policy – 2012 (NDSAP – 2012), https://geoportal.mp.gov.in/geoportal/Content/Policies/NDSAP_2012.pdf.
[14] Ministry of Eletronics and Information Technology, Public Consultant on Draft National Data Governance Framework Policy (Jun. 16, 2022, 3:25 PM), https://pib.gov.in/PressReleasePage.aspx?PRID=1834520.
