PDPSI framework to incorporate measures for treatment of Personal Data of Deceased Data Principals

We had earlier discussed certain issues concerning handling of personal data after the death of the data principal in our article titled “Digital Assets of the Deceased…Need for a legislative Change”.

Some views were also expressed through the following webinar in the FDPPI’s Jnaana Vardhini Series.

Following this webinar, FDPPI has set up a task force to develop a recommendatory white paper on the handling of Personal data of deceased data principals under the PDPB 2019 which will come up for further discussion in the Parliament during the next session. The task force recommendation would be taken up with FDPPI’s PDP Advisory Board for developing a broader policy at the national level. Also FDPPI’s PDP Code Committee will develop the code of practice for Data Fiduciaries to develop the policy document applicable for Data Fiduciaries on handling the personal data of the deceased customers.

The problem of determining how to handle personal data of deceased persons has many complications. Personal Data is often the key to access data lying with a Data service provider (Eg: E Mail service provider or a hosting company). The data lying within the account space of a service provider can be identified as an intellectual property coming under  “Copyright”. A software code developed by an individual may have copyright and also patent rights. In such cases the “Property character” of the data is well established and what is required is a “Claim Process” to enable the legal heirs to inherit the rights on the intellectual property.

However, “Personal Data” which includes the “Password” used for accessing the account is not clearly recognized as a “Property” and the right on individually identifiable data elements required as a password or to re-set the password cannot be assigned like the ownership of a “Intellectual Property”. In order to ease the claim process for settlement of a deceased person’s data property, if we start recognizing personal data as “Property” then during the life time of the data principal, we must agree for alienation of the personal data as a property.

In the “Non Personal Data” scenario, it is possible to recognize data as an alienable property and a “Sale” or “Licensing” or “Assignment” can be recognized as a means of transferring the property. But in the case of “Personal Data” Indian PDPB and GDPR may prefer to avoid the term “Sale” and use only “Assignment of Rights” as a means of transfer of any beneficial interest.

The Singapore PDPA which has extended the rights under the PDPA-2012 (Sg) to the personal information of deceased persons for 10 years or the HIPAA which has extended certain obligations of the covered entity to protect the EPHI for 50 years have looked at the “Personal Data of the deceased persons” as a “Commodity”. Though “Rights of Privacy” have no significance after death even under these laws, the laws expect “Protection” including non-disclosure to unauthorized person to continue for the state time period.

It is only in CCPA that the prospect of “Personal Data” being capable of being “Sold” has been discussed without any reservations.

Though Indian law has not spoken of “Transfer of Personal Data” from one person to another, the concept of “Consent Manager” used in the Act indicate that a Data Principal can transfer the right to “give consent” or “withdraw consent” to the consent manager. Just as the collection of personal data from a data principal to a data fiduciary is supported by a “Consent” in accordance with the Indian contract Act, the provision of the right to “Give or withdraw consent” is given by the Data Principal based on the “Consent to appoint a Consent Manager”.

Unfortunately the “Consent” which is a “Contract” does not survive the death of the Data Principal and hence on receipt of the knowledge of death of the consent giver, the data fiduciary should freeze the transactions in the account. Where the basis for collection and processing was not consent (say in GDPR) then, there would be a “Legitimate Interest” which survives the death of the data principal.

Hence the legal basis of collection and processing can have an impact on the right of the data fiduciary to continue processing of a deceased data principal’s personal data.

One solution which would have resolved this issue was to have introduced a “Nomination” facility for “Personal Data”. This has to be done with a new statutory provision and perhaps the PDPB 2019 itself is an opportunity to introduce the provision of “Nomination”.

In case the JPC has not suggested any provision in this regard, this can be introduced as an additional amendment when the Bill is introduced in the Parliament. This requires introduction of a definition of “Nomination of Personal Data” in Section 3 and also an additional sub section under Section 14 ( Processing of personal data for other reasonable purposes”.

The detailed procedures under this clause may include

a) Sending an annual confirmation request (similar to balance confirmation in Bank overdraft accounts) for validating the privacy policy.

b) If no reply is received to the confirmation request, sending a second request with a notice that the account would be de-activated and tagged as “Dormant” after a period of say 6 months

c) If no reply is received, for 6 months, sending a final notice and transferring the account along with the personal data to an arvhive.

d) If no re-activation request is received for 2 years ( Or say 6 years as in the case of  HIPAA), transferring the personal data and the data lying in the account to a Government Repository, which can be created by the DPA itself, by adding a new function of DPA under Section 49(2).

The PDPSI framework will be immediately incorporating this suggestion as a recommended implementation specification within Implementation Specification (IS17) on Notice and Consent form, and related implementation specifications such as Classification (IS 33),  Access Control (IS 36), Data Storage and Security (IS 37), Data Destruction (IS 43) etc.

In the absence of the available guidance from the DPA and the PDPB 2019, PDPSI will incorporate some controls which may be modified after the PDPB 2019 becomes a law.

PDPSI will therefore be the first framework for PDP-CMS which would address this contentious issue as a part of the compliance.

Naavi

 

 

About Vijayashankar Na

Naavi is a veteran Cyber Law specialist in India and is presently working from Bangalore as an Information Assurance Consultant. Pioneered concepts such as ITA 2008 compliance, Naavi is also the founder of Cyber Law College, a virtual Cyber Law Education institution. He now has been focusing on the projects such as Secure Digital India and Cyber Insurance
This entry was posted in Cyber Law. Bookmark the permalink.

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.