The Kris Gopalakrishnan Committee (KGC) considers that data is valuable and must be regulated in an appropriate manner, for which a clear definition of Non-Personal Data (NPD) and the key roles in the NPD ecosystem must be articulated.
Definition of Non Personal Data
The KGC has identified that data can be categorized in many different ways:
Category I: Personal Data
a) Arising from the subject of data
b) In relation to its purpose
c) Sector to which it belongs
d) Level of processing
e) Based on the extent of involvement of stakeholders
Category II: Non Personal Data
Data that is not “Personal Data” as defined under the PDPB/PDPA
Category III: Non Personal data according to Origin
a) Data that never related to an identified or identifiable natural person
b) Data which were initially personal data but were later made anonymous
Category IV: Different types of Anonymous Data
Based on the types of anonymization techniques
Considering the need to have a clear single definition of Non-Personal Data (NPD), the Committee has recommended three kinds of NPD:
- Public NPD
- Community NPD
- Private NPD
The Committee has also further categorized NPD into:
a) Non-Sensitive NPD
b) Sensitive NPD
i) relating to national security or strategic interests
ii) related to sensitivity of business and confidentiality
iii) Anonymous data bearing the risk of re-identification
Public NPD consists of data such as data generated by the Government, excluding data which has been afforded confidential treatment under law, and includes land records, public health information, vehicle registration data, etc.
Community NPD consists of data generated by any group of people bound by common interests and purposes, including anonymised personal data, electricity usage, telephone usage, etc., excluding the derived insights (profiling).
Private NPD includes inferred or derived data, global data sets pertaining to non-Indians, etc.
It is interesting to note that the KGC extended the concept of “Sensitivity” to Non-Personal Data as well, to take care of data that is related to national security and strategic interests, bears the risk of collective harm to a group, etc.
The KGC also recognized the limitations of anonymization techniques and flagged the possibility of re-identification of anonymized data by classifying such data as “Sensitive NPD”.
“that Non-Personal Data inherits the sensitivity characteristic of the underlying Personal Data from which the Non-Personal Data is derived”
In the light of the above, the KGC recommends:
Consent should be obtained from data principals even for “Anonymisation”.
This suggestion may be incorporated in the PDPB. Even if the PDPB does not consider it necessary to add this in the current version and leaves it to the new act which may be drafted for regulation of NPD, this would be adopted as one of the implementation specifications under the PDPSI (Personal Data Protection Standard of India).