advertisement
NITI Aayog has presented a draft policy that allows individuals to “seamlessly and securely access their data and share it with third party institutions.”
The new draft policy, titled ‘Data Empowerment And Protection Architecture’ (DEPA) argues “India needs a paradigm shift in personal data management” and proposes a consent framework that would allow individuals and small businesses to “access, control and share personal data” with third party institutions.
The reports seeks to enable organisations to share the personal data of an individual with one another through the concept of “consent managers” - that will manage people’s consent for data sharing.
This draft policy comes hot on the heels of other data-related policies such as the Non-Personal Data Governance Framework and the National Digital Health Mission. NITI Aayog has stated that the policy will be publicly launched and operationalised in 2020 itself and is currently seeking comments on the draft till 1 October.
The reports identifies the problem of India’s digital economy as being held back by personal data of an individual lying across silos.
It argues that the “The problem is not that companies are benefiting from individuals’ data; the problem is that individuals and small firms do not benefit,” the draft states.
This report flows from the Centre’s overarching position that data is primarily an economic good. This is reflected in the Personal Data Protection Bill (currently tabled in Parliament), the Economic Survey of India in 2019 and 2020 as well as the decision of ministries to sell the data of citizens without consent to generate revenue and most recently in the Non-Personal Data Governance Framework published 13 July.
However, the proposed goal of maximising economic value from personal data is possible if action is taken to ensure ease of data flows between silos such as banks, NBFCs, insurance companies, government department with user consent.
This policy, published by NITI Aayog and set to launch in 2020, involves four regulators across banking, securities, insurance, and pensions - RBI, SEBI, IRDAI, PFRDA - and the Ministry of Finance coming together to implement this model.
iSpirt products include India Health Stack, National Health Stack and OCEN ( APIs for interaction between lender and Loan Service Provider)
The report has also received inputs from “individual thought leaders” including Nandan Nilekani, Justice Srikrishna (who headed the committee on personal data protection bill), former SBI chairperson Arundathi Bhatacharya, and lawyer Rahul Matthan.
DEPA “as a layer of secure digital data sharing through consent” forms the final layer of India Stack
The other key layers of India Stack include the ‘identity layer’ (Aadhaar, launched 2010), and a ‘payments layer’ for digital payments (the Unified Payments Interface, launched 2016). DEPA will form a part of the ‘data empowerment’ layer “to enable secure sharing of data” as the NITI Aayog describes it.
DEPA identifies three building blocks in order to facilitate this new model of data sharing.
DEPA has been positioned as a policy that seeks to empower “Indians with opportunities to improve their own lives.” How does it seek to do so?
According to this draft, “DEPA is founded on the premise that individuals themselves are the best judges of the ‘right’ uses of their personal data, rather than competing institutional interests.”
DEPA seeks to move away from an organisation-centric system of personal data sharing to an individual-centric approach where a person provides consent to, say a bank to share her data with a credit company or a tax/GST platform to share data with a wealth management company.
The policy outlines two incentives to individuals in consenting to her data being shared.
For small businesses and kirana businesses, if a shop owner can digitally share proof of the business’ GST payments or receivables, “a bank could design and offer regular small ticket working capital loans based on demonstrated ability to repay rather than only offering bank loans backed by assets or collateral.”
In view of the treatment of personal data as an economic good, the policy advocates for the creation of “a new class of institutions” called ‘consent managers’ that will act as a conduit between individuals (data principals), institutions in possession of the individual’s personal data (data fiduciary) and a business that seeks access to that personal data.
The concept of consent managers was introduced in the Personal Data Protection Bill. This new class of institution will manage an individual’s consent for data sharing with businesses through an accessible and interoperable platform.
DEPA policy states that these consent managers are ‘data blind’ and will not see or use personal data themselves; rather they will serve as a conduit for encrypted data flows.
These Consent Managers in the financial sector will be known as Account Aggregators. A non-profit collective or alliance of these players will be created called the DigiSahamati Foundation (‘Sahamati‘).
A number of concerns arise from a privacy, transparency and accountability perspective.
First, DEPA is yet another data policy that comes in the absence of a law to protect the personal data of citizens. However, the Personal Data Protection Bill, which is tabled in the Lok Sabha, provides the “consent philosophy” for DEPA, according to this draft report.
Second, a recurring issue with the development of data-related policies is regarding the transparency and accountability of private players who are intrinsic to the preparation of policies and digital infrastructure.
Third, while the draft policy has been presented for comments from the public till 1 October, another recurring issue has been the lack of consultations with all the relevant stakeholders prior to the development of such policies. While DEPA seeks to empower individuals with control over her personal data, there was no prior involvement of the public in shaping this policy.
The National Digital Health Mission which has come under fierce criticism for being rolled out in a rush in the middle of a pandemic will collect, process and store massive amount of sensitive health data of citizens. However, the government had initially given just a week for public comments. This has now been extended by another week to 10 September.
(At The Quint, we question everything. Play an active role in shaping our journalism by becoming a member today.)
Published: 09 Sep 2020,06:03 PM IST