Public Comments on Data Anonymisation Guidelines

Posted on September 9, 2022 by Vijayashankar Na

The Government of India reportedly released a draft guidelines on Data Anonymisation for public comments before September 21. Public comments may be sent by  Email to Shubhanshu Gupta, Principal Technical Officer at CDAC: shubhanshug[at]cdac[dot]in. with copy the following email address when making your submission: headits[at]stqc[dot]gov[dot]in.

A PDF of the guideline can be accessed here.

This guideline will be part of the compliance requirements for Personal Data Protection since “Anonymisation” is a means of de-linking privacy risks from the personal data.

This has to be read as part of the “Reasonable Security Practices” under Section 43A of ITA 2000.

Though not mandatory, they shall be considered as part of “Due Diligence” and the DPCSI (Data Protection Compliance Standard of India) will take note of this.

We therefore feel that it is important for the public to send their comments.

According to the Medianama article the draft guidelines have been taken out of the MeitY website since September 6th. We donot know the reasons for the taking down of the guidelines and whether it should be considered as “withdrawn”.

One immediate observation that can be made is that “Fear of Re-identification” need not be a constraint to adopt the guideline since “RE-identification” constitutes an offence under Section 66 of ITA 2000 (Diminishing the value of information residing inside a computer) and hence it is wrong to assume that in the absence of Data Protection Act, anonymisation guideline has no meaning.

It should be emphasised that “Anonymisation” is more than “De-identification” or Pseudonymization since it involves irrecoverable destruction of the mapping information between anonymised and identified data sets.

Just as any encryption or access control measure could be defeated by hackers, anonymisation may also be defeated with criminal effort. Law can only define some standards and prescribe deterrence which is available in ITA 2000 as regards Anonymisation. Hence De-anonymisation is a technology risk that should be absorbed in law.

However, in view of the importance of the guideline, it is suggested that comments can be sent as indicated above.

Naavi

About Vijayashankar Na

Naavi is a veteran Cyber Law specialist in India and is presently working from Bangalore as an Information Assurance Consultant. Pioneered concepts such as ITA 2008 compliance, Naavi is also the founder of Cyber Law College, a virtual Cyber Law Education institution. He now has been focusing on the projects such as Secure Digital India and Cyber Insurance
This entry was posted in Cyber Law. Bookmark the permalink.

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.