Background
In February, the Ministry of Electronics and Information Technology (MeitY) came up with a draft policy ‘India Data Accessibility and Use Policy 2022 (IDAU)’ for the access and usage of data held by various government agencies. The policy immediately attracted criticism, especially for allowing the monetisation of data by way of sale or licensing to private enterprises. The way the policy was drafted depicted that revenue generation was the major motive behind the policy. The criticisms of the data policy resulted in three different versions of the policy being released, and later a complete withdrawal of the policy. Now, once again, The Ministry of Electronics and Information Technology (MeitY) has come up with a new proposal called the draft ‘National Data Governance Framework (NDGF)’, a replacement for the earlier policy. The objective has been defined to govern the use of anonymised non-personal data held by government agencies and make it accessible for artificial intelligence and data research, and also improve governance. The language of the policy has been improved and the purpose of monetisation of data has been diluted. However, many concerns and criticisms remain. Will this fourth renewed attempt work in the favour Government?
Need for Data Policy
The Indian Government has been increasingly digitising its processes in recent years. However, the Government’s existing infrastructure is not equipped to deal with the volume and the speed at which data is generated. Currently, such data is spread across departments and stored in a way that prevents the adoption of a data-driven governance approach and is rendering such data unusable for data science and artificial intelligence. Therefore, with the draft data policy, the Government wants to bring together anonymised non-personal datasets on one platform to generate insights that can be used by Government and also researchers.
What is non-personal data?
According to the draft policy, non-personal data is a set of information that doesn’t have any personal details that can be traced to the person it is related to. Meanwhile, the Draft Data Protection Bill 2019 defined it as ‘any data other than personal data. Non-personal data can be of three types — private, community, and public. Data collected by private entities through applied knowledge or algorithms is Private non-personal data. Meanwhile, raw and unprocessed information sourced from a community are termed Community non-personal data. The third type of non-personal data is data collected by government agencies during their public work which is covered under public non-personal data. The policy also aims to transform and modernise data collection and management through guidelines for sourcing, processing, storage, access and use, to improve government services.
How is the data proposed to be collected and accessed?
The draft policy proposes an ‘India Datasets Programme’ — a central repository of datasets collected by Government agencies. Firstly, the datasets programme will be set up, designed and managed by a newly formed agency ‘India Data Management Office’ (IDMO). The IDMO will create protocols for sharing non-personal datasets via the programme ensuring privacy. The data would allow access to the data through a common central platform and other designated platforms.
Secondly, the data would be sourced from various stakeholders. The policy will mandatorily apply to all Central Government ministries and departments. State Governments are also being encouraged to adopt the policy provisions. Even private entities can voluntarily share the data collected by them on Indian citizens and residents with this central repository. The platform will receive and process any requests for non-personal data.
Thirdly, to ensure proper implementation of the policy, each ministry and department will be required to set up a data management unit (DMU) which will closely work with the IDMO. At the State-level, governments will be encouraged to designate data officers. For redressal, a mechanism will be set up as part of which the DMUs. It will formulate norms for disclosure of data collected, shared, stored or accessed above a certain threshold. The IDMO will also process the data requests and provide access to researchers and start-ups.
The areas of concerns
Data is the future fuel, and also the ammunition. It is important that data collected is stored securely, maintaining privacy and ensuring the integrity of the highest level. The draft data policy does not boast the confidence of the citizens in various aspects.
Independence of the agency – The government does not own the data it collects from the citizens. It is only a stakeholder of the same. The IDMO will function under the Ministry of Electronics and Information Technology (MeitY). It will be responsible for protecting civil rights. However, if it operates under the Government, it may fail to prioritise the citizens’ rights over the government’s needs. The policy also does not explain how the IDMO will work along with ‘Data Protection Agency’, as defined under the Data Protection Policy which has been under consideration for four years.
Anonymisation of the datasets – The draft policy doesn’t prescribe how the data would be anonymised. It entirely leaves it to the IDMO to prescribe rules and standards for the anonymisation of data. There’s no framework for subjecting these rules and standards to a third-party review.
Security and privacy of the datasets – The draft policy states that its standards and rules will ensure data security and information privacy. However, it doesn’t explain the detailed process and safeguards its plans for data privacy. This is once again left to the IDMO and therefore, there is no clarity on the same, although being the most major concern in respect of datasets.
The monetisation of datasets – While the government has dropped the clause about the sale of data (which was a part of the previous draft), the new draft states that the IDMO can charge users fees for the data maintenance and services. Thus, the Government can easily slip the policy through the public eye and later opt for monetisation through IDMO whose independence is already a concern.
Vagueness in drafting the policy – The purpose of the policy has been defined as the collection, processing, storage, access and use of government data. It also says that it will provide ‘standardised data management and security standards across the government, build a platform, set quality standards, etc. The entire policy is full of vague statements and lacks details. The policy states it will ensure data security and informational privacy, however, there is no mention of how it will be achieved. With hacking prevalent even in private enterprises with high-security standards, the government needs to lay out what kind of security standards would be used to protect such large datasets. The vagueness in the policy doesn’t allow one to make much sense of the entire policy and the government’s action plans.