On 26^th May 2022, the Ministry of Electronics and Information Technology (“MeitY”) published the Draft National Data Governance Framework Policy (“NDGFP”) for public consultation. The last date for submission of comments is 11th June 2022. The Preamble of the Draft NDGFP highlights the rapid growth of the economy and digitization of governance in India. It notes the value of data-driven governance during the COVID-19 era while recognising the accelerating rate of digitization and the volume and velocity of data generated in present times. The Draft NDGFP has been published with the aim to utilise this data to improve citizens’ experience and engagement with the government.

Applicability:

This Policy shall be applicable to:

• All Government departments and entities and rules and standards prescribed will cover all data collected and being managed by any Government entity
• All non-personal datasets and data and platform, rules, standards governing its access and use by researchers and Start-ups.
• State Governments shall be encouraged to adopt the provisions of the Policy and rules, standards, and protocols as applicable.

Objectives & Purpose:

This Policy shall be applicable to:

• To accelerate Digital Governance by standardizing data management and security standards and promote transparency, accountability, and ownership in non-personal data and Datasets access.
• To accelerate creation of common standard based public digital platforms where Dataset requests may be received and processed, while ensuring privacy, safety, and trust.
• To build Digital Government goals, capacity, knowledge and competency in Government departments and entities
• To set quality standards, standard APls and other tech standards and promote expansion of India Datasets program and overall non-personal Datasets Ecosystem.
• To ensure greater citizen awareness, participation, and engagement.
• As a security standard, the NDGFP aims to ensure data security and informational privacy

Introduction of a India Data Management Office: The Draft NDGFP aims to set up a “India Data Management Office” (“IDMO”) under the “Digital India Corporation” (“DIC”) under MeitY’s regime to frame, manage and periodically review and revise the Draft Policy. It would carry out the following activities:

• Accelerate inclusion of non-personal datasets housed with ministries and private companies into the India Datasets program: Every Ministry/Department shall have Data Management Units (“DMUs”) headed by a designated Chief Data Officer who shall work closely with the IDMO for ensuring implementation of the Policy. The IDMO shall be staffed at DIC by a dedicated government data management and analytics unit.
• Standard Setting and Implementation: IDMO shall set standards inter alia for data storage, data anonymisation, data retention, meta data. Additionally, it shall formulate disclosure norms for data collected/stored/shared and accessed over a certain threshold. The IDMO shall also release toolkits, manuals, implementation guidelines and undertake capacity building initiatives for the proper implementation of the NDGFP.
• Assessment in Relation to Data Access: IDMO will notify rules to provide data on priority/exclusively to Indian/India based requesting entities and will also decide the degree of access to data sets by requesting entities and judge the genuineness and validity of data usage request for datasets not available on the Open Data portal.
• Data Sets: IDMO will enable creation of the India Datasets Program and create rules that shall further enable the identification and classification of such datasets. Additionally it shall design and operate the Datasets Access Platform for the Government.
• Usage of Data: Standard mechanism for inter-government data access shall be developed by the IDMO. Additionally IDMO may ensure that data usage rights along with permissioned purposes are available with the Data Principal.
• Redressal Mechanism: The IDMO shall develop a redressal mechanism where citizens can register grievances and establish responsibility of DMUs.
• User Charges: The IDMO may decide to charge User charges/Fees for its maintenance services.

Our Take:

The Draft NDGFP is an attempt to standardise data storage and accessibility norms across Government Platforms. While the NDGFP primarily concerns itself with making the Government bodies better equipped at handling data, it does not expressly keep private entities out of the purview of the Framework. The framework aims to include non-personal datasets housed with ministries and private companies into the India Datasets program, encouraging private entities to share such data with the IDMO for further use by other requesting entities.

The Draft NDGFP also doesn’t expand on the technicalities involved in how such data shall be stored and the measures that may be undertaken to ensure the safety of such data. As pointed out by the Joint Parliamentary Committee Report reviewing the Data Protection Bill 2021, it is possible for anonymised data to be re-anonymised.

This may have potential data protection and privacy related issues since non-personal data, though stripped of any identifiable characteristics may be business confidential information or may have information that may be proprietary to private entities. Therefore, as was the concern with the “Draft India Data Accessibility and Use Policy” there is a need for a proper legislation for non-personal data instead of a policy as framed by the Central Govt., and such legislation for non-personal data will also have to fulfil the threefold requirements which apply to all restraints on privacy as mandated by the Supreme Court in KS Puttaswamy and Another v. Union of India and Others.

Additionally, the issue of potential privacy/data protection related risks with the erstwhile “Draft India Data Accessibility and Use Policy” persists since the implementation of the Draft Policy before the enactment of the DP Bill 2021 is pre-mature. Accordingly, legal accountability, legal framework or any regulatory mechanism in case of leakage or breach of personal data or business confidential information as shared with requesting entities or in the Open Data Portal will need to be addressed first through the enactment of the DP Bill 2021 which also includes non-personal data within its ambit and provides privacy related safeguards.

This article was first published on Saikrishna&Associates