Naavi.org

Recently the Supreme Court released a comprehensive guidance on the use of AI in Judiciary for which comments were filed by Naavi/FDPPI ( Copy of  comments ) , after many articles here. 

Some time back, Naavi.org had reported about the Bhattacharya Committee having published its report on “Framework for Responsible and Ethical Enablement of AI, referred to briefly as  -FREE-AI).

Now RBI has adopted the recommendations and released a draft guideline for public comments, copy of which is available here.

 Draft Guidelines for AI for  Public Comments

According to the Press release, comments can be submitted by public till July 24, 2026

The comments / feedback may be submitted through the link under the ‘Connect 2 Regulate’ Section available on RBI’s website or alternatively be forwarded to:

The Chief General Manager, Operational Risk Group
Department of Regulation, Central Office
Reserve Bank of India
Shahid Bhagat Singh Marg, Fort
Mumbai – 400 001

Or

By e-mail with the subject line ‘Feedback on Guidance on Regulatory Principles for Model Risk Management’

According to the Press release, the objectives of this document  is as follows:

The Reserve Bank had issued the draft “Regulatory Principles for Management of Model Risks in Credit” on August 05, 2024, with a view to strengthen governance and risk management practices relating to use of models in credit, followed by report of the Committee on Framework for Responsible and Ethical Enablement of Artificial Intelligence (FREE-AI) on August 13, 2025. Considering model usage has expanded significantly and regulated entities are increasingly using models, including those employing Artificial Intelligence / Machine Learning (AI / ML), across various business and decision-making processes; weaknesses in their governance, oversight, risk management and controls may expose the regulated entities to financial, operational, compliance, and reputational risks. Recognising this, the Reserve Bank has today released draft ‘Guidance on Regulatory Principles for Model Risk Management’ which provides holistic and broad regulatory expectations for model risk management across the model lifecycle. The Guidance is applicable to all models used by regulated entities, including third party models and models employing AI / ML.

To facilitate  public to formulate their views, some comments shall be provided here in a series of articles. Hope it would be of use.

Naavi

Reserve Bank had issued the draft Reserve Bank of India (Responsible Business Conduct) Third Amendment Directions, 2026 on March 6, 2026 for seeking feedback from stakeholders. The draft Amendment Directions inter alia proposed to enhance the scope of existing instructions on limiting liability of customers in unauthorised electronic banking transactions to cover other categories of fraudulent electronic banking transactions, reduce the time taken by banks to process complaints related to fraudulent electronic banking transactions, and introduce a compensation mechanism for small value fraudulent electronic banking transactions.

Refer the Press release Dated June 24, 2026, here

These instructions will be effective from January 1, 2027.

This is for general  information of Bank customers.

Interested persons are requested to peruse the directions available below.

1. Reserve Bank of India (Commercial Banks – Responsible Business Conduct) Third Amendment Directions, 2026
2. Reserve Bank of India (Small Finance Banks – Responsible Business Conduct) Third Amendment Directions, 2026
3. Reserve Bank of India (Payments Banks – Responsible Business Conduct) Second Amendment Directions, 2026
4. Reserve Bank of India (Local Area Banks – Responsible Business Conduct) Third Amendment Directions, 2026
5. Reserve Bank of India (Regional Rural Banks – Responsible Business Conduct) Third Amendment Directions, 2026
6. Reserve Bank of India (Urban Co-operative Banks – Responsible Business Conduct) Third Amendment Directions, 2026
7. Reserve Bank of India (Rural Co-operative Banks – Responsible Business Conduct) Third Amendment Directions, 2026

Key points to be noted are the insertion of definition of Negligence by Bank and negligence by customer.

Accordingly the following two directions have been inserted.

(20B) Negligence by a bank inter alia includes the following actions by the bank:

(i) not putting in place the mandated systems and procedures to ensure safety and security of EBTs; or

(ii) not sending mandatory alerts for EBTs; or

(iii) not providing 24×7 channels for reporting of fraudulent EBTs or loss of debit / credit card; or

(iv) not acting diligently upon a customer notification regarding unauthorised EBT(s) or loss of debit / credit card; or

(v) system malfunctions / security breaches / internal frauds leading to unauthorised EBTs.

(20C) Negligence by a customer inter alia includes the following actions by the customer:

(i) failing to exercise reasonable care in usage of credentials such as PIN, password, OTP or other details (e.g., providing credentials for carrying out transactions to another person, whether intentionally or otherwise, writing down and storing the PIN with a debit / credit card, etc.); or

(ii) not notifying the bank promptly after finding out about a fraudulent EBT, or loss of a debit / credit card; or

(iii) not paying attention to specific, directed and clear warnings from the bank that a prospective transaction is likely a scam; or

(iv) downloading malicious apps; or

(v) failing to update her / his registered mobile number / email address with the bank in case of change.”.

Third party breach has been defined as under:

26.1A Third-party breach means a situation where the deficiency lies neither with the bank nor with the customer but lies elsewhere in the system and includes deficiency on the part of an intermediary such as a Third-Party Application Provider (TPAP), Payment Aggregator (PA), Payment Gateway (PG), Telecom Service Provider (TSP), etc

For full details kindly refer to the links provided above in the press release.

Naavi

The basic objective of the Digital Personal Data Protection Act (DPDPA) is to give individuals a right to protect their privacy through the regulated management of personal data while it is processed by third parties. How we arrived at that objective is itself a story of how our understanding of data has evolved — and that evolution is the key to seeing why hospitals are different.

In the first generation, personal data was understood technically: a set of binary data which the perceiver is able to read as information belonging to an identifiable individual. The concern of that era was the preservation of Confidentiality, Integrity and Availability — the familiar CIA triad of information security. Data was qualified as “sensitive” only when its loss could harm the individual, and protection meant securing the bits.

The second generation reframed data as money. As organizations searched for monetization strategies, digital marketing companies built their business on profiling data principals and linking that profile to advertising. Data became an asset to be valued and traded. It was at this stage that privacy protection surfaced as a public concern, and laws such as the DPDPA emerged to address it.

Because “privacy” is notoriously difficult to define, the DPDPA wisely declined to define it. Instead it prescribed certain measurable obligations on the processing of personal data and enforced them through a stringent penalty system. These are the obligations of the Data Fiduciary — the organization that, by determining the purpose and means of processing, is recognized as a trustee and is expected to take micro-level decisions in that fiduciary character. The Fiduciary’s journey therefore begins with a Notice that explains the purpose of collection and how the data will be used, followed by the capture of the data principal’s Consent.

The DGPSI frameworks recognized this changing perception and introduced Data Valuation as a key parameter in their compliance strategies. And it is precisely the question of valuation that brings us to the third generation — and to hospitals.

In a hospital, the personal data of a patient is not simply personal data that has a value to be monetized. It is representative of life itself. Any misuse or breach does not end in financial loss; it could endanger the life of the patient. Hence the axiom “Data is Money” is not valid for the healthcare sector. Here we need to treat Data as Life.

Note that valuation does not disappear in this third generation — it changes its denomination. The value of patient data is no longer measured in rupees of monetization but in the severity of harm to life. DGPSI’s Data Valuation parameter therefore remains central to healthcare compliance; only the currency changes.

This matters all the more because the DPDPA deliberately abandoned the category of “sensitive personal data” that earlier Indian rules had recognized. The statute applies a single, uniform standard to all personal data and refuses to place health data on a special pedestal. If the law will not elevate health data, then governance must. The responsibility of restoring the special status of patient data falls on the compliance framework, not on the statute.

This is the reasoning behind a deliberate DGPSI decision. The DPDPA grades the “significance” of a Data Fiduciary largely by scale — the volume and sensitivity of data and the breadth of risk to data principals — and leaves the designation of a Significant Data Fiduciary to government notification. But harm to life cannot be graded by scale. One life lost is not less significant than many lives lost. A small nursing home that endangers a single patient through a data breach has caused a harm no less grave than a large hospital chain. The volume-based test of significance, sensible for commercial data, is the wrong yardstick for life.

DGPSI therefore treats every hospital as a Significant Data Fiduciary — regardless of its size, the number of patients it serves, or whether the government has notified it as such. Under DGPSI, the threshold question “Am I a Significant Data Fiduciary?” has only one answer for a hospital: yes.

That elevation has a direct governance consequence. For an ordinary company, one can argue for a lean compliance team. The DPDPA makes a Data Protection Officer (DPO) a mandatory statutory function only for a Significant Data Fiduciary, while leaving the Chief Information Security Officer (CISO) as a best-practice function. On that footing, a general company could let the DPO be made responsible for DPDPA compliance and allow the CISO to continue focusing on what he is presently doing.

A hospital cannot be governed so simply. Once every hospital is treated as a Significant Data Fiduciary, the DPO becomes a full, mandatory function in each one. But the DPO cannot be placed on the pedestal of data protection responsibilities alone, because a hospital has a third officer whose role cannot be subordinated — the Patient Safety Officer (PSO).

The PSO’s functions are quasi-legal. They often protect the hospital and its doctors from liabilities arising out of unfortunate adverse events. This authority cannot be allowed to be pushed down by the DPO. One may debate whether the CISO can still be pushed down and the compliance left to the DPO and the PSO together. After giving weight to these sensitivities of governance, DGPSI has decided to retain a triumvirate — the DPO, the CISO and the PSO — as the compliance team in a hospital.

The wisdom of insisting on all three becomes obvious the moment a breach occurs. A single data breach in a hospital can trigger two clocks at once: the CISO must report the cyber incident to CERT-In within six hours, while the DPO must notify the Data Protection Board and the affected patients within seventy-two hours under the DPDP Rules. (The moment the data breach report is triggered the Patient  Safety event also gets triggered.) Two timelines, two regulators and two reporting formats have to be coordinated under pressure — which is exactly the coordination the triumvirate exists to provide. Leave one officer out, and the clock keeps running while the others stitch the response together.

The DGPSI-Hospital governance structure therefore retains an apex DPDPA governance body — which includes other stakeholders such as the CFO and the CMO, and is led by an Independent Director — with the triumvirate functioning as its sub-committee. Accountability to the regulator rests with the fiduciary through this apex body; the triumvirate is the coordinating engine beneath it, not a diffusion of responsibility. Externally, each of the three members maintains a distinct line of exposure: the DPO to the Data Protection Board (DPB), the CISO to CERT-In, and the PSO to the NABH accreditation authorities.

As regards the PSO’s remaining obligations, the call is for cooperation rather than competition. The PSO has to coordinate with the CISO and the CIO to establish a compliance architecture for NABH accreditation, without interfering with the DPO’s requirements under the DPDPA.

These distinctions grow sharper as hospitals adopt artificial intelligence. AI-assisted diagnosis, clinical decision support and the profiling of patient data fold the safety question and the data-protection question into a single question: an erroneous or biased model can endanger life exactly as a breach can. Governing such systems needs the safety lens of the PSO, the security lens of the CISO and the data-protection lens of the DPO acting together.

These changes need to be reflected in DGPSI-Hospital as an improvement to the framework — DGPSI-FULL with AI.

Naavi

In corporate governance, Independent Directors play an important role in protecting shareholder interests. One of their core responsibilities is to oversee risks that may adversely affect the financial position and sustainability of the company.

Traditionally, this responsibility has been interpreted in the context of financial reporting, internal controls, statutory compliance, and operational risks. However, in today’s data-driven economy, such an interpretation is no longer sufficient.

Now, Data has emerged as one of the most valuable assets of modern enterprises. In many organizations, data is accumulated, processed, analyzed, and monetized long before its value is reflected in the financial statements. Consequently, Independent Directors can no longer limit their oversight to the integrity of financial reports. They must also understand the value, ownership, control, and governance of the organization’s data assets.

An unscrupulous management may undervalue, transfer, misuse, or otherwise compromise data assets in a manner that may not immediately appear as a financial irregularity. Yet the impact on shareholder value can be as significant as fraud, asset stripping, or money laundering. Unfortunately, many boards and Independent Directors are yet to recognize this dimension of governance.

The history of CIBIL provides an example worthy of study. The transfer of control over a valuable national data asset through changes in shareholding raised questions regarding the valuation and stewardship of data that had been contributed by Indian financial institutions. At the time, concerns were raised regarding the long-term implications for the banking sector and the country. However, the governance implications of transferring control over a strategic data asset did not receive the attention that a comparable transfer of tangible assets or financial resources might have attracted.

This raises a broader question: Are Independent Directors adequately equipped to oversee data governance risks?

The question assumes greater significance after the enactment of the Digital Personal Data Protection Act, 2023. Non-compliance with DPDPA can result in substantial financial penalties, reputational damage, regulatory action, and loss of stakeholder trust. DPDPA risk is therefore not merely a compliance issue; it is a board-level governance risk.

Schedule IV of the Companies Act, 2013 prescribes a Code for Independent Directors and specifies their roles, functions, and duties. These include safeguarding stakeholder interests, scrutinizing management performance, satisfying themselves regarding the integrity of financial information and risk management systems, and bringing an independent judgment to board deliberations.

Viewed in this context, oversight of DPDPA compliance naturally falls within the governance responsibilities of Independent Directors. They should be asking questions such as:

• Has the organization identified and classified its personal data assets?
• Has a DPDPA risk assessment been undertaken?
• What is the potential financial exposure arising from non-compliance?
• Are adequate governance mechanisms in place for consent management, data principal rights, breach response, and vendor oversight?
• Is the Board receiving periodic reports on privacy and data protection risks?

These questions are now as important as questions relating to financial controls or statutory audits.

Having recently renewed my registration in the Independent Directors’ databank, I found myself reflecting on whether the objectives behind the institution of Independent Directors are being fully realized in the emerging data economy. It is also pertinent to ask whether sufficient emphasis is being placed on DPDPA governance in the training and continuing education programmes conducted for Independent Directors.

Over the last few years, we at FDPPI  have attempted to engage with board members and governance professionals through conferences, symposiums, and awareness programmes. We have consistently emphasized that DPDPA compliance should be viewed as a board responsibility and that Independent Directors should play a leadership role in assessing and monitoring DPDPA-related risks.

If the Independent Directors’ framework administered by the Indian Institute of Corporate Affairs is to remain relevant in the coming decade, it must incorporate data governance, privacy governance, AI governance, and DPDPA risk management as core elements of board oversight.

The institution of Independent Directorship was created to provide objective and independent supervision of management. In the digital economy, independence must extend beyond financial scrutiny to include stewardship of data assets and protection of stakeholder rights.

As someone associated with the Independent Directors’ databank, I consider it my duty to raise these concerns. I hope that the Indian Institute of Corporate Affairs will confirm that adequate steps have been taken to sensitise Independent Directors to DPDPA-related risks and to equip them with the knowledge necessary to discharge their responsibilities effectively in their respective organizations.

Naavi

We have earlier discussed the need to recognize the Governance structure of DPDPA Compliance team including the PSO or the Patient Safety officer as one of the co-owners of the compliance requirements since every data breach is also a Patient Safety event. We therefore suggested that the team of CISO-DPO-PSO will be responsible for DPDPA compliance, NABH compliance and ITA 2000 compliance as an integrated compliance plan.

Another area of complexity that the hospitals find is in establishing the status of the consulting doctors, Subordinate hospitals and diagnostic  centres. Diagnostic centers operate independently and determine the clinical decisions and therefore the Patient Safety  actions.

Many hospitals provide support to subordinate hospitals in terms of telemedicine consultancy and some times remote surgery. In such cases the two entities need to settle their inter-se status as Joint Data Fiduciaries with  a recognized boundary for data responsibilities.

Hospitals also work with consulting doctors who are independent professionals and take independent decisions on how the patient data is processed and disclosed. Some doctors may have “Employment” status while most may not. In such cases the status of who is a data fiduciary and who is a joint data fiduciary is a matter to be taken into account.

Additionally most hospitals work under a brand sharing  program where there could be an umbrella brand that attracts the patients while the service is rendered independently by the franchisee hospitals. In such cases the  possibility of “Super Data Fiduciary” status for the  umbrella brand has to be also considered.

The DGPSI-Hospital framework therefore needs to cover these special situations.

Please send your views on these issues.

Watch out for more discussion.

Naavi