The Government of India reportedly released a draft guidelines on Data Anonymisation for public comments before September 21. Public comments may be sent by Email to Shubhanshu Gupta, Principal Technical Officer at CDAC: shubhanshug[at]cdac[dot]in. with copy the following email address when making your submission: headits[at]stqc[dot]gov[dot]in.
This guideline will be part of the compliance requirements for Personal Data Protection since “Anonymisation” is a means of de-linking privacy risks from the personal data.
This has to be read as part of the “Reasonable Security Practices” under Section 43A of ITA 2000.
Though not mandatory, they shall be considered as part of “Due Diligence” and the DPCSI (Data Protection Compliance Standard of India) will take note of this.
We therefore feel that it is important for the public to send their comments.
According to the Medianama article the draft guidelines have been taken out of the MeitY website since September 6th. We donot know the reasons for the taking down of the guidelines and whether it should be considered as “withdrawn”.
One immediate observation that can be made is that “Fear of Re-identification” need not be a constraint to adopt the guideline since “RE-identification” constitutes an offence under Section 66 of ITA 2000 (Diminishing the value of information residing inside a computer) and hence it is wrong to assume that in the absence of Data Protection Act, anonymisation guideline has no meaning.
It should be emphasised that “Anonymisation” is more than “De-identification” or Pseudonymization since it involves irrecoverable destruction of the mapping information between anonymised and identified data sets.
Just as any encryption or access control measure could be defeated by hackers, anonymisation may also be defeated with criminal effort. Law can only define some standards and prescribe deterrence which is available in ITA 2000 as regards Anonymisation. Hence De-anonymisation is a technology risk that should be absorbed in law.
However, in view of the importance of the guideline, it is suggested that comments can be sent as indicated above.