Introduction
The Ministry of Electronics and Information Technology (MEITY) on 25th May, 2022, released a revised Draft National Data Governance Framework Policy (“NDGFP”) for public consultation.
The Draft NDGFP has been released with the purpose of modernizing the processes and systems of the Government of India for data collection and management. The aim is to encourage data-driven governance, support the growth of an AI ecosystem, and fuel the research and start-up ecosystems of India.
NDGFP shall govern the non-personal data of all central Government departments and entities. The State Governments shall also be encouraged to adopt NDGFP. As part of the framework, a platform, the India Datasets Program, will be designed consisting of anonymized non-personal datasets from across Government entities collected from Indian citizens or those in India. This platform shall process requests and provide access to the non-personal anonymized datasets to Indian researchers and start-ups. For Government-to-Government data access, a separate standard mechanism shall be developed under NDGFP. Although NDGFP does not apply to private players per se, they can voluntarily contribute their datasets to the data repository made under NDGFP. For implementation of NDGFP, an Indian Data Management Office shall be set up under the MEITY. The new draft does not envisage provisions for data monetisation as proposed in the precursor Draft India Data Accessibility and Use Policy, 2022, which was released for consultation in February 2022 and permitted the licensing and sale of public data by the Government to the private sector.
Applicability of National Data Governance Framework Policy
NDGFP is proposed to cover:
- all non-personal datasets and data and platform, rules, standards governing its access and use by researchers and start-ups.
- all data collected and being managed by any government entity.
NDGFP will be applicable to:
- all government departments and entities.
- state governments shall be encouraged to adopt the provisions of the Policy and rules, standards, and protocols as applicable.
Comments and Concerns
The term “non-personal data” (“NPD”) is not defined in the NDGFP or in any other law or policy that is currently in force. It is only defined in government reports[1] or draft legislation.[2] Notably, that definition is itself predicated upon a well-defined conception of “personal data”, which is not defined in the NDGFP.
The terms “researchers and start-ups” are not defined in the draft policy. It would be helpful to clarify whether “start-ups” will carry the definition used by the Department for Promotion of Industry and Internal Trade.
NDGFP allows stakeholders including “researchers and start-ups” to access non-personal data and anonymised data and evidently, by virtue of this clause, all can access the non-personal data available with the Government. While such data may be used to promote innovation, it is imperative to have clear guidelines as to what is acceptable and unacceptable, including ethical guidelines to inform those uses.
There is limited discussion on whether the NDGFP will also lead to covered public entities sharing NPD collected from private entities that contains commercially confidential or business sensitive information or in which such private entities hold intellectual property rights. There is a risk, therefore, that information provided to public entities by private entities during joint collaborations could get categorised as NPD to which the NDGFP applies.
Suggestions
- Within the overall scope, the NDGFP should apply to non-personal data collected from private entities or individuals after adequate technical and organisational measures are implemented to ensure that any data containing information that is commercially confidential, business sensitive, or protected by intellectual property law is not shared. In this regard, we also suggest that these exclusions be specifically stated in the NDGFP.
- We recommend adding definitions of the terms “non-personal data”, “researchers” and “start-ups” in order to ensure clarity on the scope of the policy and the entities concerned.
Data Privacy & Security
The NDGFP directs that all standards and rules made under the Policy shall ensure data security and informational privacy.
Institutional Framework – Who will be responsible for the National Data Governance Framework?
- A core component of NDGFP is the formation of an India Data Management Office (“IDMO”) under Digital India Corporation (“DIC”) under MEITY.[3]
- IDMO shall be staffed at DIC by a dedicated government data management and analytics unit.[4]
- Every Ministry/Department shall have Data Management Units (“DMUs”) headed by a designated CDO who shall work closely with the IDMO for ensuring implementation of the Policy.[5]
- State Governments would be encouraged to designate/appoint State-Level Data Officers.[6]
IDMO responsibilities
- Rulemaking: IDMO shall be responsible for –
  - Framing, managing and periodically reviewing and revising the [7]
  - Developing rules, standards, and guidelines under the [8]
  - Formulating all data/datasets/metadata rules, standards, and guidelines in consultation with ministries, state governments, and industry.[9]
  - Conducting at least two semi-annual consultations and report carding for this purpose with representation from state governments and industry.[10]
- Rules on data storage & retention: A comprehensive and evolving set of standards and rules would be developed and provided by IDMO, including on the cloud – to help Ministries/Departments define their data storage and retention framework.[11]
- Rules on Datasets access and availability: Notify protocols for sharing non-personal datasets while ensuring privacy, security and trust. IDMO will notify rules to provide data on priority/ exclusively to Indian/ India based requesting entities. IDMO will also judge the genuineness and validity of data usage requests, for datasets other than those already made available on Open Data portal.[12]
- Identification of Datasets: Prescribe rules and standards including anonymization standards for all entities (Government and private) that deal with data that will cause every Government Ministry / Department / Organisation to identify and classify available datasets and build a vibrant, diverse and large base of datasets for research and innovation. Private companies can also create Datasets and contribute to India Datasets Program.[13]
- Data Anonymisation: Set and publish data anonymization standards and rules to ensure informational privacy is maintained.[14]
- Creation of India Datasets Program: IDMO shall –
  - Enable and build the India Datasets Program, which will consist of non-personal and anonymized datasets from the Government entities that have collected data from Indian citizens or those in India.[15]
  - Encourage private entities to share such data.[16]
  - Design and manage the India Datasets platform that will process requests and provide access to the non-personal and/or anonymized datasets to Indian researchers and start-ups.[17]
  - Accelerate inclusion of non-personal datasets housed with ministries and private companies into the India Datasets Program.[18]
- Data Quality & Meta-Data Standards: Finalise meta-data and data standards that cut across sectors and oversee the publishing of and compliance to domain-specific meta-data and data quality standards by line Ministries/Departments. These standards will be finalized in consultation with ministries and CDOs.[19]
- Datasets access platforms: Design, operate and manage the Datasets access platform for “whole of Government”. All datasets in the India Datasets Program can only be accessed through this and/or any other IDMO designated and authorized platforms.[20]
- Limits to Data Requests: Retain the rights to decide whether requesting entities may be allowed access to full databases/ datasets or combinations thereof, for their use cases.[21]
- Capacity building: IDMO shall –
  - Coordinate closely with line Ministries, State Governments, and other schematic programs to standardize data management by building up capacity and capabilities in each Ministry.[22]
  - Encourage and foster the data and AI-based research, start-up eco-systems by working with the Digital India Start-up Hub (the erstwhile MSH).[23]
  - State Governments also would be encouraged to designate/appoint State-Level Data Officers and IDMO shall provide all assistance including training in this regard.[24]
- Government-to-Government Data Access: IDMO shall –
Inclusion of private companies
- The NDGFP has launched non-personal data based India Datasets Program under which IDMO will address the methods and rules to ensure that non-personal data and anonymized data from both Government and private entities are safely accessible by research and innovation eco-system.[27]
- The NDGFP aims to accelerate inclusion of non-personal datasets housed with ministries and private companies into the India Datasets program.[28]
- IDMO shall enable and build the India Datasets Program, which will consist of non-personal and anonymized datasets from the Government entities that have collected data from Indian citizens or those in India.[29] Private entities are encouraged to share such data.[30]
- IDMO can prescribe rules and standards including anonymization standards for all Government and private entities that deal with data to identify and classify available datasets and build a vibrant, diverse and large base of datasets for research and innovation. [31]
- Private companies can also create datasets and contribute to India Datasets Program.[32]
We believe that the Policy’s success will depend upon how the balance is struck between improving data access, enhancing data quality, facilitating data reuse, and mitigating risks to privacy or security. With the aim of striking this balance, we offer below certain suggestions. Our submission covers the following:
Comments and Concerns
Composition of IDMO
There is no clarity in the NDGFP on the composition of the IDMO, which shall frame the guidelines/standards/rules for use and processing of data by Government entities and ensure implementation. We suggest incorporation of a guiding directive on the composition of this organisation within the Policy.
Policy overlap
It is likely that the NDGFP will impact the operation of existing laws on government records and existing open data policies currently in force, most notably the National Data Sharing and Accessibility Policy (NDSAP).[33] It is likely that the NDGFP will impact the operation of existing laws on government records, such as the Public Records Act of 1993. It will also overlap with several existing open data policies currently in force at the Central and State level, most notably the NDSAP, which is similar in both objectives and scope. The scope of the NDSAP is currently larger, covering “all data or information” held within government bodies, not just non-personal data.
There is no clarity on whether the NDGFP will replace the NDSAP or complement it as a parallel effort. If the NDGFP will replace the NDSAP, then the NDGFP should discuss how it addresses the gaps identified with the latter and the future goals set out as a replacement policy. However, if the NDGFP will coexist with the NDSAP, then definitional or procedural overlaps should be avoided.
Beyond this, there are also existing projects at the Central Government level that may overlap with those set up under the NDGFP, such as the India Urban Data Exchange (IUDX) under the Smart Cities Mission.
Suggestions
In this context, we suggest that the interplay between the NDGFP and the NDSAP/other similar data policies/guidelines should be clarified in terms of scope and implementation. Any overlaps and duplication of effort should be minimised.
Enforceability
The experience with the NDSAP has demonstrated the difficulties with not having clarity on how to incentivise compliance or penalise non-compliance. Researchers have noted that the lack of any clear method to enforce the NDSAP has meant that it has not been implemented consistently or to its fullest potential.[34] The issues with NDSAP may be repeated with the NDGFP if the question of enforceability is not sufficiently discussed. There is a need for clarity on how the IDMO will deal with practices that do not adhere to the policy. This may require bestowing the IDMO with the power to take corrective measures, including punitive action and directions to covered public entities, and to explore novel strategies to incentivise compliance.
Suggestions
IDMO should be given powers to take corrective measures, including punitive action and directions to covered public entities, and other strategies may be devised and incorporated to incentivise compliance.
Legal status of IDMO
The NDGFP does not clarify the legal status of the IDMO. It is not clear whether it will be an attached office, autonomous body, or an independent statutory authority. The hierarchy between the IDMO and the DMU is not clearly laid out. The NDGFP also does not clearly allocate responsibilities between such entities. Though there are general directions, it is unclear how disagreements will be resolved or how accountability and responsibility for policy monitoring and enforcement will be distributed between them.
Furthermore, it is difficult to achieve a satisfactory outcome without any backing legislative framework. At present, the NDGFP does not clearly indicate whether such a legislative framework will be developed. Though it is not touched upon, it may be worth considering a dedicated “open data” legislation, such as the Open Data Directive in the European Union.
Suggestions
- The legal character of the IDMO should be expressly clarified in the NDGFP.
- The NDGFP should clarify the division of responsibilities and functions and the hierarchies across the envisaged institutional framework.
- The NDGFP should examine new legislative solutions that can incentivise compliance by covered public entities with the NDGFP’s obligations.
Complementary measures and safeguards
There is very limited discussion in the NDGFP on how different privacy and digital security risks will be addressed during data sharing beyond the use of anonymisation. This may not be sufficient. While we do not discuss the various safeguards and frameworks that may be needed from a digital security perspective, it is worth noting that, from a privacy perspective, anonymisation as a means of protection may not be sufficient as a standalone solution. Anonymisation should be complemented with other technical and organisational measures, such as contractual agreements that bind data recipients to data security and disclosure practices, the use of reidentification risk assessments, or the use of newer privacy-preserving technologies such as distributed machine learning, differential privacy, and homomorphic encryption (that is, encryption that allows processing of encrypted data without revealing its embedded information). Further, as a general principle, “release-and-forget” models of data sharing should be avoided.[35] This should be reflected in policy monitoring and enforcement efforts through subsequent audits and review processes.
India does not yet have a comprehensive personal data protection law, and existing data privacy obligations in law are only applicable to bodies corporate. Given these legal lacunae, an analysis of why the proposals in the NDGFP will be sufficient to protect privacy and security is wanting.
Suggestions
The NDGFP would benefit from a more detailed discussion of additional privacy-preserving technologies, as well as other technical and organisational measures that may be employed to avoid “release-and-forget” models of data sharing and to further reassure citizens that privacy and digital security risks are being minimised.
Setting of anonymisation standards, tools and frameworks
The NDGFP intends for the proposed IDMO to prescribe anonymisation standards, a task that is entrusted to the proposed Data Protection Authority of India to be set up by the Data Protection Bill 2021. Given the importance of anonymisation to both frameworks and the need for harmonisation and certainty, there should be a singular authority setting out such standards. We submit that this function should be entrusted to the Data Protection Authority as the primary authority intended to ensure the protection of personal data across sectors and data categories.
Suggestions
The function of setting anonymisation standards should be entrusted to the Data Protection Authority.
Government-to-Government Data Access
The creation of federated and integrated government-to-government data sharing infrastructures can create apprehensions of significant profiling of citizens, leading to a loss of their privacy, if sufficient care is not taken to ensure that such infrastructures do not involve the sharing of identifying information and measures are put in place to reduce the risks of identification of persons through linking and triangulation.
Suggestions
In Government-to-Government Data Access, measures should be put in place to reduce the risks of identification and profiling of persons through linking and triangulation.
Identification and classification of data
The NDGFP covers public entities identifying and classifying non-personal and/or anonymised datasets available to them. IDMO is mandated to prescribe rules and standards including anonymization standards for all Government and private entities.
However, the NDGFP does not provide any criteria or procedure that can ensure standardisation in classification of datasets across different covered public entities. There is no identification or classification of categories of data such as open, restricted, or non-shareable. Due to this lack of classification criteria or procedure, there is a possibility that the classification of datasets will follow existing frameworks that are designed for different ends, such as those to ensure security, for example the classification frameworks contained in the National Information Security Policy and Guidelines, which requires Ministries and Departments to classify documents into “secret”, “top secret” and “confidential” documents.[36] More specificity would be necessary to ensure that the ends of the NDGFP are met. For instance, the Open Data Directive in the European Union lays down criteria on the detailed applicability and on the datasets that are outside its scope.[37]
Suggestions
The objective of ensuring standardisation should be operationalised by setting out criteria and procedures to guide identification and classification exercises.
Recourse for classification decisions
The NDGFP does not discuss the possibility of any recourse mechanism for stakeholders or citizens to challenge decisions to classify NPD into any restricted/non-shareable/shareable categories of dataset and to deny access to such categories of NPD. A requirement may be incorporated to obligate covered public entities to provide adequate grounds for refusal that are in line with the rest of the guidelines laid down by the IDMO.
Suggestions
An appeals process may be introduced to address disputes over denials of requests to release certain datasets on grounds that they are restricted or non-shareable.
Release of real-time dynamic data
There is no mention of whether the NDGFP will also lead to the release of real-time dynamic data.
Real-time data (such as sensor or machine generated data) can be particularly useful for research and innovation. For instance, sharing of real-time data of air quality index (AQI) over the years has led to the Graded Response Action Plan (GRAP) to combat deteriorating air quality in Delhi-NCR. There are cases where data could be released within stipulated time-periods as well. In this regard, we note that a process stipulating a timeline for release of such data needs to be formulated. These stipulated timelines may be reviewed periodically and improved upon. However, the release of real-time data should not come at the cost of removing confidential or personal information. Further, we suggest that standards also be laid down for the quality of data shared, covering, amongst others, the expected error rate of such data, how it can be improved, which metadata fields are required, whether audit mechanisms are required, and the transparency and accountability measures needed to operationalise quality data sharing.
Suggestions
Release of real-time dynamic data should be incorporated in the NDGFP.
Need for phased implementation
NDGFP provides that detailed implementation guidelines including the data sharing toolkit, operational manuals, mechanisms for data anonymization and privacy shall be issued by IDMO. However, the Policy at present does not discuss strategies on how its proposals will be scaled. We suggest that the NDGFP would benefit from a structured implementation plan that scales its proposals in stages.
[1] See Ministry of Electronics & Information Technology, Report by the Committee of Experts on Non-Personal Data Governance Framework, (2020), available at https://static.mygov.in/rest/s3fspublic/mygov_160922880751553221.pdf (NPD Report).
[2] A definition of non-personal data is contained in Clause 3(28), (Draft) Data Protection Act of 2021 (DPB 2021). See Committee under chairmanship of Shri P.P. Chaudhary, Seventeenth Lok Sabha, Report of the Joint Committee on the Personal Data Protection Bill, 2019, (2021), available at http://loksabhaph.nic.in/Committee/CommitteeInformation.aspx?comm_code=73&tab=1
[3] Clause 5.1 of Draft National Data Governance Framework Policy
[4] Clause 5.9 of Draft National Data Governance Framework Policy
[5] Clause 5.6 of Draft National Data Governance Framework Policy
[6] Clause 5.8 of Draft National Data Governance Framework Policy
[7] Clause 5.1 of Draft National Data Governance Framework Policy
[8] Ibid
[9] Clause 5.2 of Draft National Data Governance Framework Policy
[10] Ibid
[11] Clause 6.1 of Draft National Data Governance Framework Policy
[12] Clause 6.8 of Draft National Data Governance Framework Policy
[13] Clause 6.4 of Draft National Data Governance Framework Policy
[14] Clause 6.5 of Draft National Data Governance Framework Policy
[15] Clause 6.3 of Draft National Data Governance Framework Policy
[16] Ibid
[17] Clause 5.3 of Draft National Data Governance Framework Policy
[18] Ibid
[19] Clause 6.6 of Draft National Data Governance Framework Policy
[20] Clause 6.7 of Draft National Data Governance Framework Policy
[21] Clause 6.9 of Draft National Data Governance Framework Policy
[22] Clause 5.4 of Draft National Data Governance Framework Policy
[23] Clause 5.5 of Draft National Data Governance Framework Policy
[24] Clause 5.8 of Draft National Data Governance Framework Policy
[25] Clause 6.2 of Draft National Data Governance Framework Policy
[26] Ibid
[27] Clause 1.7 of Draft National Data Governance Framework Policy
[28] Clause 5.4 of Draft National Data Governance Framework Policy
[29] Clause 6.3 of Draft National Data Governance Framework Policy
[30] Ibid
[31] Clause 6.4 of Draft National Data Governance Framework Policy
[32] Ibid
[33] https://dst.gov.in/national-data-sharing-and-accessibility-policy-0
[34] See R. Bailey, R. Sane, A missed opportunity, The Hindu, (2020), available at https://www.thehindu.com/opinion/op-ed/a-missed-opportunity/article32507522.ece
[35] https://www.oecd.org/publications/enhancing-access-to-and-sharing-of-data-276aaca8-en.htm
[36] https://www.surveyofindia.gov.in/documents/NATIONAL%20INFORMATION%20SECURITY%20POLICY%20AND%20GUIDELINES.pdf
[37] See Article 1, the Open Data Directive