Srikrishna Committee - White Paper on Data Protection Framework
iasparliament
November 28, 2017
Why in news?
Srikrishna Committee recently released a white paper as part of its mandate to draft a data protection and privacy Bill.
What is the need?
The Committee was set up by the Ministry of Electronics and IT following the decision to make Aadhaar compulsory for many government services.
Private entities are also increasingly using Aadhaar for the purpose of authentication and financial transactions.
Notably, Aadhaar is issued by the UIDAI after collecting individuals' personal and biometric data.
Despite an obligation to adopt adequate security safeguards, no database is 100 per cent secure.
Evidently, despite UIDAI's various in-built data protection mechanisms, it is not bound to inform an individual in cases of misuse or theft of his or her data.
Thus, the interplay between any proposed data protection framework and the existing Aadhaar framework will have to be analysed.
What are the highlights?
The committee has identified seven key principles for the data protection law, which include:
Technology agnosticism - flexibility of the law for adapting to changing technologies and standards of compliance.
Holistic application - governing both private sector entities and the government; differential obligations for certain legitimate state aims.
Informed consent - informed and meaningful consent of the individual must be ensured by the law.
Data minimization - Data that is processed ought to be minimal, only for targeted and other compatible purposes.
Controller accountability - The data controller shall be held accountable for any processing of data.
Structured enforcement - There should be a high-powered statutory authority with sufficient capacity and decentralized mechanisms for enforcement of the data protection framework.
Deterrent penalties - Penalties on wrongful processing of data must be adequate to ensure deterrence.
SPDI - The white paper has laid down provisions for the protection of sensitive personal data or information (SPDI), i.e. data by which a person is identifiable.
This essentially means that any social media site, search engine, telecom operator or government agency cannot sell or disclose SPDI of individuals.
It has identified health and genetic information, religious beliefs and affiliation, sexual orientation, and racial and ethnic origin as SPDI.
It has also placed caste and financial information in this category.
The committee prescribes punishments in case of violations of regulations in using SPDI.
At present, the IT Act rules on security practices and sensitive personal data are applicable only to private or corporate entities.
Data Breaches - The law may require that individuals be notified of data breaches where there is a likelihood of privacy harms.
However, the paper noted that fixing too short a time period for individual notifications might be too onerous on smaller organisations, as such an organisation may not yet have the necessary information about the breach and its likely consequences.
Thus it is suggested that both government and private entities be brought under the ambit of the proposed law.
Exemptions - The Committee has made certain exemptions in relation to collecting information.
This is in reference to investigating a crime, the apprehension or prosecution of offenders, and maintaining national security and public order.
But, the committee also insists on devising an effective review mechanism.
Penalty - A civil penalty of a specific amount may be imposed on the data controller for each day of violation.
Besides, it suggested setting up a data protection authority, data audits, registration of data collectors, enacting provisions for protecting children's personal data, etc.