The essential part of the recommendations of the Kris Gopalakrishna Committee (KGC) is to ensure an effective “Data Sharing” mechanism in which “Non Personal Data” is recognized for its potential value and harnessed for the benefit of the people.
Data sharing as recommended by KGC refers to the provision of “controlled access” to private sector data, public sector data and community data to individuals and organisations for “defined purposes” and with “appropriate safeguards” in place.
The Committee has preferred an “Open Access” to “Meta data” and “Regulated access” to underlying data of Data Businesses with establishment of appropriate mechanisms to support data requests and data sharing.
One of the key recommendations there fore is the definition of the Data Sharing purpose. The Committee recognizes three purposes namely
a) Sovereign Purpose
b) Core Public Interest Purpose
c) Economic Purpose
Under this concept, data may be requested for national security, law enforcement, legal or regulatory purposes.
Core Public Interest Purpose
Under this concept, data may be requested for Community uses/benefits for public goods, research and innovation, for policy development, better delivery of public-services, etc.
It is recognized that certain data held with the private sector, when combined with public sector data or otherwise, may be useful for policy making, improving public service, devising public programs, infrastructure etc which needs to be enabled through law.
It is recommended that the Country should specify a new class of data at a national level “High -Value Dataset” like health, geospatial and/or transport data and such data should be used for research purposes.
GKC has specifically mentioned that Health Sector is a pilot use-case for Non-Personal Data Governance Framework and anonymized health data should be shared for the specified purposes.
GKC makes yet another interesting recommendation that Data may be requested in order to encourage competition and provide a level playing field or encourage innovation through start-up activities (economic welfare purpose), or for a fair
monetary consideration as part of a well-regulated data market, etc.
Considering the noises being made by some legal professionals and activists about Section 91 of the PDPB 2019 which empowered such a possibility for public policy, this recommendation would be considered as one of the key recommendations under KGC which may go into a big debate.
Data Sharing Mechanisms
The GKC recommends that the implementation of this sharing mechanism would require setting up data and cloud innovation labs and research centers to develop, test and implement new digital solutions, which should be an attractive thought for IT companies. It is recommended that such data should be available as training data for AI/ML systems.
The Data Sharing Mechanisms are expected to provide access to meta data about data collected by different Data Businesses. This is expected to help identification of opportunities to develop innovative solutions, products and services.
Such a mechanism has to involve a “Data Request Mechanism”, “Data Custodian”, “Data Disclosure Mechanism” , “Safeguards” , “Handling of complaints of non disclosure by data custodians”, “Appropriate Checks and Blances” etc as part of a new regulation.
It is expected that “Experts” would be recognized to evaluate data probing tools, and guide the industry regulation. They would focus on Cloud vulnerabilities, Cloud security systems etc.
The current crop of CISOs may find a new area of specialization to develop their careers threatened by the advent of DPOs under the PDPA.
An Academic-Industry Advisory body has also been hinted at by the GKC.
GKC has also hinted that there could be liabilities associated with the implementation of the regulations, for which a Non-Personal Data Regulatory Authority is envisaged.
(To Be Continued)