The Draft National Data Governance Framework Policy

Comments and Concerns

The term “non-personal data” (“NPD”) is not defined in the NDGFP or in any other law or policy that is currently in force. It is only defined in government reports[1] or draft legislation.[2] Notably, that definition is itself predicated upon a well-defined conception of “personal data”, which is not defined in the NDGFP. The terms “researchers and start-ups” are not defined in the draft policy. Clarity on whether the definition of “start-ups” would be treated as that defined by The Department for Promotion of Industry and Internal Trade will be helpful.

NDGFP allows stakeholders including “researchers and start-ups” to access non personal data and anonymised data and evidently, by virtue of this clause, all can access the non-personal data available with the Government. While such data may be used to promote innovation, it is imperative to have clear guidelines as to what is acceptable and unacceptable including ethical guidelines to inform those uses.

There is limited discussion on whether the NDGFP will also lead to covered public entities sharing NPD collected from private entities that contains commercially confidential or business sensitive information or in which such private entities hold intellectual property rights. There is a risk, therefore, that information provided to public entities by private entities during joint collaborations could get categorised as NPD to which the NDGFP applies.

Suggestions

·       Within the overall scope, the NDGFP should apply to non-personal data collected from private entities or individuals after adequate technical and organisational measures are implemented to ensure that any data containing information that is commercially confidential, business sensitive, or protected by intellectual property law is not shared. In this regard, we also suggest that these exclusions be specifically stated in the NDGFP.

·       We recommend addition of the definition of the terms “non-personal data”, “researchers” and “start-ups” in order to ensure clarity on the scope of the policy and concerned entities. 

Comments and Concerns

Composition of IDMO

There is no clarity in the NDGFP on the composition of IDMO which shall frame the guidelines/standards/rules for use and processing of data by Government entities and ensure implementation. We suggest incorporation of a guiding directive on the composition of this organisation within the Policy.

Policy overlap

It is likely that the NDGFP will impact the operation of existing laws on government records and existing open data policies currently in force mostly notably the National Data Sharing and Accessibility Policy (NDSAP).[33] It is likely that the NDGFP will impact the operation of existing laws on government records, such as the Public Records Act of 1993. It will also overlap with several existing open data policies currently in force at the Central and State level, mostly notably the NDSAP, which is similar in both objectives and scope. The scope of the NDSAP is currently larger – covering “all data or information” held within government bodies, not just non-personal data. There is no clarity on whether the NDGFP will replace the NDSAP or complement it as a parallel effort. If the NDGFP will replace the NDSAP, then the NDGFP should discuss how it addresses the gaps identified with the latter and the future goals set out as a replacement policy. However, if the NDGFP will coexist with the NDSAP, then definitional or procedural overlaps should be avoided.

Beyond this, there are also existing projects at the Central Government level that may overlap with those set up under the NDGFP, such as the India Urban Data Exchange (IUDX) under the Smart Cities Mission.

Suggestions

In this context, we suggest that the interplay between the NDGFP and the NDSAP/other similar data policies/guidelines should be clarified in terms of scope and implementation. Any overlaps and duplicity of efforts should be minimised.

Enforceability

The experience with the NDSAP has demonstrated the difficulties with not having clarity on how to incentivise compliance or penalise non-compliance. Researchers have noted that the lack of any clear method to enforce the NDSAP has meant that it has not been implemented consistently or to its fullest potential.[34]

The issues with NDSAP may be repeated with the NDGFP if the question of enforceability is not sufficiently discussed. There is a need for clarity on how the IDMO will deal with practices that do not adhere to the policy. This may require bestowing the IDMO with the power to take corrective measures, including punitive action and directions to covered public entities, and to explore novel strategies to incentivise compliance.

Suggestions

IDMO should be given powers to take corrective measures, including punitive action and directions to covered public entities, and other strategies may be devised and incorporated to incentivise compliance.

Legal status of IDMO

The NDGFP does not clarify the legal status of the IDMO. It is not clear whether it will be an attached office, autonomous body, or an independent statutory authority. The hierarchy between the IDMO and the DMU is not clearly laid out. The NDGFP also does not clearly allocate responsibilities between such entities. Though there are general directions, it is unclear how disagreements will be resolved or how accountability and responsibility for policy monitoring and enforcement will be distributed between them.

Furthermore, it is difficult to achieve a satisfactory outcome without any backing legislative framework. At present, the NDGFP does not clearly indicate whether such a legislative framework will be developed. Though it is not touched upon, it may be worth considering a dedicated “open data” legislation, such as the Open Data Directive in the European Union.

Suggestions

·       The legal character of the IDMO should be expressly clarified in the NDGFP.

·       The NDGFP should clarify the division of responsibilities and functions and the hierarchies across the envisaged institutional framework.

·       The NDGFP should examine new legislative solutions that can incentivise compliance by covered public entities with the NDGFP’s obligations.

Complementary measures and safeguards

There is very limited discussion in the NDGFP on how different privacy and digital security risks will be addressed during data sharing beyond the use of anonymisation. This may not be sufficient. While we do not discuss the various safeguards and frameworks that may be needed from a digital security perspective, it is worth noting that, from a privacy perspective, anonymisation as a means of protection may not be sufficient as a standalone solution. Anonymisation should be complemented with other technical and organisational measures, such as contractual agreements that bind data recipients to data security and disclosure practices, the use of reidentification risk assessments, or the use of newer privacy preserving technologies such as distributed machine learning, differential privacy, and homomorphic encryption (that is, encryption that allows processing of encrypted data without revealing its embedded information). Further, as a general principle, “release-and-forget” models of data sharing should be avoided.[35] This should be reflected in policy monitoring and enforcement efforts through subsequent audits and review processes.

India does not yet have a comprehensive personal data protection law and existing data privacy obligations in law are only applicable to body corporates. Given these legal lacunae, the lack of analysis as to why these proposals in the NDGFP will be sufficient to protect privacy and security is wanting.

Suggestions

The NDGFP would benefit from a more detailed discussion on additional privacy preserving technologies, as well as other technical and organisational measures to avoid “release-and-forget” models of data sharing may be employed to further reassure citizens of privacy and digital security risks being minimised.

Setting of anonymisation standards, tools and frameworks

The NDGFP intends for the proposed IDMO to prescribe anonymisation standards – a task that is entrusted to the proposed Data Protection Authority of India to be set up by the Data Protection Bill 2021. Given the importance of anonymisation to both frameworks and the need for harmonisation and certainty, there should be a singular authority setting out such standards. We submit that this function should be entrusted to the Data Protection Authority as the primary authority intended to ensure the protection of personal data across sectors and data categories.

Suggestions

The function of setting anonymisation standards should be entrusted to the Data Protection Authority.

Government-to-Government Data Access

The creation of federated and integrated government-to-government data sharing infrastructures can create apprehensions of significant profiling of citizens, leading to a loss of their privacy, if sufficient care is not taken to ensure that such infrastructures do not involve the sharing of identifying information and measures are put in place to reduce the risks of identification of persons through linking and triangulation.

Suggestions

In Government-to-Government Data Access, measures should be put in place to reduce the risks of identification and profiling of persons through linking and triangulation.

Identification and classification of data

The NDGFP covers public entities identifying and classifying non-personal and/or anonymised datasets available to them. IDMO is mandated to prescribe rules and standards including anonymization standards for all Government and private entities. However, the NDGFP does not provide any criteria or procedure that can ensure standardisation in classification of datasets across different covered public entities. There is no identification or classification of categories of data such as open, restricted, or non-shareable. Due to this lack of classification criteria or procedure, there is a possibility that the classification of datasets will follow existing frameworks that are designed for different ends – such as those to ensure security, for example the classification frameworks contained in the National Information Security Policy and Guidelines which requires Ministries and Departments to classify documents into “secret”, “top secret” and “confidential” documents.[36] More specificity would be necessity to ensure that the ends of the NDGFP are met – for instance, the Open Data Directive in the European Union lays down criteria on the detailed applicability and on the datasets that are outside its scope.[37]

Suggestions

The objective of ensuring standardisation should be operationalised by setting out criteria and procedures to guide identification and classification exercises.

Recourse for classification decisions

The NDGFP does not discuss the possibility of any recourse mechanism for stakeholders or citizens to challenge decisions to classify NPD into any restricted/non-shareable/shareable categories of dataset and to deny access to such categories of NPD. A requirement may be incorporated to obligate covered public entities to provide adequate grounds for refusal that are in line with the rest of the guidelines laid down by the IDMO.

Suggestions

An appeals process may be introduced to address disputes over denials of requests to release certain datasets on grounds that they are restricted or non-shareable.

Release of real-time dynamic data

There is no mention on whether the NDGFP will also lead to the release of real-time dynamic data. Real-time data (such as sensor or machine generated data) can be particularly useful for research and innovation. For instance, sharing of real-time data of air quality index (AQI) over the years has led to Graded Response Action Plan (GRAP) to combat deteriorating air quality in Delhi-NCR. There are cases where data could be released within stipulated time-periods as well. In this regard, we note that a process stipulating timeline for release of such data needs to be formulated. These stipulated timelines may be reviewed on a periodic basis to improve upon. However, the release of real-time data should not come at the cost of removing confidential or personal information. Further, we suggest that standards be laid down for quality of data shared as well. Such as, what is the expected error rate of such data, how can it be improved, what metadata fields is required, if audit mechanisms are required, transparency and accountability measures to operationalise quality data sharing amongst others.

Suggestions

Release of real-time dynamic data should be incorporated in the NDGFP.

Need for phased implementation

NDGFP provides that detailed implementation guidelines including the data sharing toolkit, operational manuals, mechanisms for data anonymization and privacy shall be issued by IDMO. However, the Policy at present, does not discuss strategies on how its proposals will be scaled We suggest that the NDGFP would benefit from a structured implementation plan that scales its proposals in stages.