Legal action on personal data misuse

New Delhi: In what may change the way banks and cellphone companies as well as official agencies collect and process information about individuals, the government is proposing legislation that will empower citizens with sweeping rights to legal recourse against any misuse of personal data.

The first draft of the proposed legislation has been released for public debate by the department of personnel and training (DoPT).

The main aim of the umbrella legislation will be to make sure that confidential personal information disclosed by any individual is not revealed to third parties without the person’s consent.

The legislation will ensure that sufficient safeguards are adopted in the process of collecting, processing and storing such information.

“It is imperative, if the aim is to create a regime where data is protected in this country, that a clear legislation is drafted that spells out the nature of the rights available to individuals and the consequences that an organization will suffer if it breaches these rights,” says the draft.

The proposed legislation was drafted after a group of officials was constituted to develop a conceptual framework around concerns on privacy, data protection and security, as reported by Mint on 20 June.

However, the privacy legislation will provide for exceptions in the event of a likely conflict between the need to protect individual privacy and the interest of national security, which will take precedence.

The proposed law comes in the context of projects such as Aadhaar, which aims to give a unique identity number to every resident of the country, and Natgrid, which will enable investigating agencies to get real-time access to various government databases that will be interlinked for the project.

The proposal has reasoned that since data pertaining to citizens has until now been stored in a decentralized manner, privacy has so far not been a concern. However, as more and more government and private agencies sign on to the UID project, the UID number will become the common thread that links all those databases.

“Such a vast interlinked public information database is unprecedented in India. It is imperative that appropriate steps be taken to protect personal data before the vast government storehouses of private data are linked up and the threat of data security breach becomes real,” says the draft.

The draft has been prepared by the founding partner of law firm Trilegal, Rahul Matthan, with inputs from Kamlesh Bajaj, chief executive, Data Security Council of India, after a discussion by the committee of officials.

The committee was headed by Shantanu Consul, former secretary (personnel) in DoPT. Its members included home secretary G.K. Pillai, finance secretary Ashok Chawla and former secretary in the department of information technology, R. Chandrashekhar (now secretary, department of telecom).

“The private sector is the largest underserved area in terms of jurisprudence and invasion of privacy is a serious concern there,” said Matthan, explaining how data is being generated for a range of activities, from bank accounts and cellphone connections to magazine subscriptions.

While it is a step in the right direction and will help control the growing menace of unsolicited calls, text messages and emails along with misuse of data, “its implementation could be a challenge”, says Akhilesh Tuteja, executive director, IT advisory, at consulting firm KPMG.

While the draft clearly states that the legislation is intended to protect only individual privacy and will not cover corporate entities, it has called for a line to be drawn between “personal information” and “sensitive personal information”.

Most nations that have privacy laws classify information such as racial or ethnic origin, political affiliations, physical or mental health conditions and criminal records as sensitive personal information. In the Indian context, such information will include a person’s caste identity as well as biometrics.

To ensure compliance and accountability, a regulator would be appointed, who would have “the power to prescribe standards, both technological and operational that could mould the manner in which the legislation is implemented”.

To avoid instances where individuals are not even fully aware that their data is being collected and for what purpose, “informed written consent should be a necessary prerequisite for collection of data”.

But there will be some exceptions such as collection of data for investigation of criminal offences and matters pertaining to national security.

Individuals would be allowed access to information about themselves so they can correct or update it; the data controller will be accountable for the safety of the information.

The draft legislation does not state the penalties in case of violations.

“It is a draft so far, which will be finalized soon. The penalties will be decided when the final legislation is scripted,” Matthan said.