First on DNA: IT ministry drafts data protection law

In the first draft of Data Protection and Governance Act, the Union IT and electronics ministry has proposed to put all digital data captured through handheld, desktop or systems manually or through biometric and point of sale (PoS) devices, card swiping machines among others under the ambit of the proposed Act.

Currently, there is no law/Act for data protection in India.

DNA had reported in the July 20 edition that the central government has decided to bring in a standalone data protection law for the country.

The draft clearly mentions personal data kept by an individual and concerned only with the management of his personal, family of household affairs or kept by an individual only for recreational purposes will be exempted from the Act.

Besides, personal data consisting of information required by law to make available to the public or authorised authorities will also not come under the purview of the Act.

Data governance authorities, to be set up once the Act is finalised, will formulate policies for the protection of digital data as per guidelines issued by the government.

"Privacy is a fundamental right defined in the universal declaration of human rights," the draft said.

The development comes at a time when the Supreme Court verdict on whether the right to privacy constitutes a fundamental right under the Constitution is expected soon. A nine-judge Constitution bench had reserved its verdict on the issue on August 2 after voicing concerns over possible misuse of personal information in public domain.

DNA Money has accessed a copy of the draft of 'The Data Governance and Protection Act, 2017, which 'has been prepared by National Informatics Centre (NIC), a division under the Ministry of IT and Electronics.

This draft will form the basis for the committee headed by Justice B N Srikrishna, former Judge, Supreme Court, which will deliberate on a data protection framework for the country.

The committee with 10 experts formed earlier this month will also identify key data protection issues in India and recommend methods of addressing them. The draft will be taken by the committee for giving final shape to the Act.

With increased digitisation across the country, there is a need for firm safeguards to secure the surge in digital data besides provisions for handling the data protection, according to experts.

After demonetization, there has been an increase in digital payments, and with a thrust of the government to move towards a digital economy cyber security has gained utmost importance, they said.

In the present world of digital global economies, it is vital to ensure legal ownership of data and legal recognition of digital rights for privacy and security of data. Data governance is pre-requisite for the protection of data. Data governance programmers facilitate the definition of ownership and rules for storing, sharing and assess the quality of data, experts said. "A comprehensive Data Protection and Protection Act is very much needed in the country," the draft said.

However, the draft Act said the personal data in the ownership of the minister or the ministers for defence/home affairs kept for the purpose of safeguarding the security of the state, and personal data consisting of information that the person is keeping the data required by law to make available to the public or authorised authorities will not come under its purview.

There are also provisions for penalty/imprisonments for leakage of personal data. Knowingly or unknowingly if somebody leaks personal data or data owned by other will be punishable with imprisonment up to three years with fine which may extend up to Rs 2 lakh or with both, as per the draft. There are various provisions for retention/stealing/sharing/encryption of data.

NIC's centre for data governance will undertake research to develop indigenous technologies, electronic tools, digital platforms, procedures and processes for data governance and protection.

NIC will build a data governance platform with the budgetary support of the government to facilitate the creation of Indian digital assets.

A central data governance authority will be set up at the national level which will register and coordinate with state data governance authorities. These state authorities will work with district data governance authorities. For each organisation (managing digital data), there will be a data governance authority as well. The minimum size of digital data and other criteria of registering data governance authorities will be officially notified by the government, as per the draft.

A data governance authority will define ownerships, roles responsibilities of people managing data assets, define processes for compliance, ensuring quality, master data management, data masking, data security, data sharing and archiving activities among others.

PROTECTING PRIVACY

• Data governance authorities will formulate policies for the protection of digital data
   
• Final shape to the Act will be given by a committee
   
• The draft has been prepared by National Informatics Centre