While the Data Protection professional circles have been discussing the forthcoming DPA 2021, whether it will be taken up for further discussion in the Parliament or scrapped, the MeitY has sprung a surprise by releasing two documents yesterday the February 21.
They are
It appears that the Government was waiting for the release of these documents before taking up the DPA 2021 for further discussion to protect the operational interests of the Government entities which will also be required to be compliant with the new DPA 2021. We are aware that while private companies need to move up in their compliance ladder from the present levels to whatever DPA 2021 expects, Government agencies need to start from the zero level. Hence the challenge before Government institutions and Departments were more than the private sector.
In the light of the above, MeitY has tried to formulate a policy for the Central Government and suggested policy for State Governments in the form of a Framework that can be adopted for Privacy Management. These are likely to be adopted as “Codes of Practice” for Government establishments when the DPA 2021 becomes effective.
This will now have to be incorporated as part of the DPSI or the “Data Protection Standard of India which FDPPI is using for Compliance audits.
The Objectives of the Policy as declared are as follows:
1.Maximising access to and use of quality public sector data
2. Improving policy making, evaluation and monitoring
3.Enhancing the efficiency of service delivery
4. Facilitating the creation of public digital platforms
5. Protecting the privacy and security of Citizens
6. Streamlining inter-government data sharing
7. Promoting transparency, accountability and ownership in data sharing and release
8. Building digital & data capacity, knowledge & competency of Government officials
9. Promoting data interoperability & Integration to enhance data quality and usability
10. Ensuring greater citizen awareness, participation, and engagement with open data
11. Enabling secure pathways to share detailed data sets for research and development
12. Increasing the availability of high value data sets of national importance
13. Improving overall compliance to data sharing policies and standards.
Though the policy makes reference mainly to “Data Sharing”, it would also be the policy for protecting the Privacy of the Citizens.
One of the immediate requirements for the Government agencies is to develop an inventory of “Data Assets” which may have to include both Personal and Non Personal Data of Citizens and Employees. It has to be a federated government wide searchable data base so that duplication is avoided.
An interesting concept is that there will be a new entity called India Data Office (IDO) and every Ministry/Department shall have Data Management Units headed by Chief Data Officers (CDO) which will work closely with the IDO.
Given the responsibilities of the CDO which go beyond the Privacy and Personal Data Protection, it may be necessary for each department to separately identify a Data Protection Officer satisfying the requirements of Section 30 of DPA 2021.
The India Data Officer and the Chief Data Officers will together function as India Data Council (IDC) for coordination. In case the State Governments also join this IDC, it will be like the GST Council and cover all data interests of the nation. However since there are some rogue states which donot believe in being part of the national body, the IDC may remain a Central Government entity. The State Governments can however replicate the system with a State level IDC and State CDO s .
One of the objectives set by this policy is to promote the “Open Data” concept and by default all data of every Government Ministry/Department/Organization will be considered as open.
The exceptions however may be defined and a negative list of data which shall remain restricted would be separately announced.
By focussing on “Data Sharing”, the policy has also considered the possibility of monetization of data available to the Government and a mechanism for Data Pricing and Data Licensing may be developed.
The Policy promotes “Data Anonymisation” and may assist the departments with necessary support including tool kits for data sharing.
In anticipation of the objections from the activists, the policy states that “Any Data sharing shall happen within the legal framework in India, its national policies and legislation as well as the recognized international guidelines” and “All data being shared must ensure compliance to guidelines for legal, security, IPR, Copyrights and Privacy Requirements”.
The policy states that Data shall remain the property of the agency/department/ministry etc and access shall not be in violation of any acts and rules of the Government in force.
The legal framework of this policy will also be aligned with various acts and rules covering data.
We hope the publication of this policy will now clear the path for DPA 2021 being passed.
We welcome the approach of this policy to get ready before the DPA 2021 becomes a law. The policy will require a whole “Data Governance System” to be set up with the IDC, IDO, CDOs and DPOs at the Central Government level and also paving the way for State Governments to adopt a similar module. Interesting developments to watch.
Naavi
