
Real cost of data

India needs a privacy law before data use policy

Business Standard Editorial Comment Mumbai
Last Updated: Feb 24 2022 | 11:17 PM IST
The Draft Data Accessibility & Use Policy, circulated by the Ministry of Electronics and Information Technology for public feedback, lays out how the government intends to streamline data accessibility across its various arms and ministries, and what it intends to share and monetise. Administratively, this is logical. But the draft raises concerns about personal privacy, because it could enable pervasive surveillance. It could also lead to battles over intellectual property (IP) rights. The government wishes to set up a regulatory authority, the Indian Data Council (IDC), and an agency, the India Data Office, to review and oversee data in government departments. These bodies will set and enforce a framework of data and metadata standards. After excluding certain data for security reasons, government departments will share the data they possess with other departments and the private sector. They will identify “high-value data sets”, and monetise them. The draft says attention will be paid to anonymisation (removing elements that could identify individuals) to ensure privacy. The IDC will set anonymisation standards and oversee the identification and creation of high-value data sets.
 
A common set of standards is useful. This would reduce duplication of effort, and enable better inter-departmental cooperation. It could, in theory, help entrepreneurs build businesses on the back of government data. But serious issues crop up when the details are considered. There is still no data privacy law in place and the proposed draft legislation gives the government sweeping powers to collect data for broad purposes. If government departments readily share data and metadata with each other, surveillance powers increase. The creation of high-value data sets, which are to be monetised, gives an incentive to collect even more data. Also, though the current draft only deals with government departments, the government has, in other draft legislation, awarded itself the power to requisition private data when it chooses. This could lead to complex issues centred on IP. The private sector could buy high-value data sets and build businesses by adding more value. That would propel growth in the digital economy, which is one of the stated goals. However, the IP that a private firm brings to such a digital business may be vulnerable because the government could re-requisition that company’s data and perhaps resell it.

Another issue lies with anonymisation standards. A data set containing the sensitive private data of individuals can be anonymised by removing identifying fields. But this is difficult in practice and anonymised data can often be de-anonymised. This is especially likely when many data sets and their metadata are available and connected to each other, as this draft says will be the case. For example, one department may know “someone” contacted a health care clinic, another department may know “someone” took a blood-sugar test, a third may know the exact location of “someone” at given times, and a fourth may know “someone’s” health insurance status. Any of these data sets may be anonymised. But if the sets are connected to each other, it would be possible to identify the individual and deduce sensitive personal data. In effect, it is hard to anonymise connected high-value data sets in a fool-proof way and there is also a strong commercial incentive to de-anonymise. This draft policy should wait on the passage of the draft personal data protection Bill, and it is also necessary to consider the broader implications of this policy carefully. As it stands, the downsides could outweigh the possible benefits.
