The Ministry of Electronics and Information Technology released the Draft India Data Accessibility and Use Policy 2022 for public feedback on 21st February 2022. The draft policy comes at a time of high activity in the Privacy and data protection realm, be it the Data Protection Bill 2021, guidelines on the collection of Geospatial Data, or the Judicial probe into the Pegasus spyware. A large chunk of public data collected by the government remains unused and several stakeholders have demanded it be utilized. Therefore, the policy proposes that every government department, be it central or state, compulsorily share its data to create a common and robust data-sharing ecosystem. Such data-sharing policies already exist in several countries and encourage innovation and efficient delivery of services.
The background note to the draft policy cites several reasons why it has been proposed. The foremost is that the exponential growth in active internet users in India, the penetration of digitization in rural areas, and increased reliance on digital services offered by the state have generated huge amounts of data. Along with the economic value generated by emerging technologies – this high-value data plays a crucial role in India’s ambitions of becoming a 5 trillion-dollar economy. The note also outlines the path to unlocking the high-value data through robust governance, interoperability of government data, and fostering data skills and data-driven culture. The draft policy builds off the existing National Data Sharing and Accessibility Policy and takes it a step further by making the public data available to private players to increase innovation and improve public service delivery & policymaking.
The policy aims to radically transform India’s ability to use public sector data (Non-Personal data) to catalyze large-scale social change, within the legal framework, national policies, and recognized international guidelines. This will be done by maximizing access and use of public data, promoting transparency & accountability in sharing and accessing data, and promoting interoperability & integration of quality data while protecting the privacy of citizens. The policy will apply to all data collected/generated/archived by the Indian government either directly or indirectly through its various agencies under its ministries or departments. Further, the state governments will be free to implement this policy as applicable. The guiding principles laid down in the draft visualize that there should be equal and non-discriminatory access to open data (Data has been divided into open by default, restricted and negative) by default and the data-sharing practices should be user-centric leading to interoperable and technology agnostic datasets. Further, it emphasizes the need for accountability in data sharing by maintaining operational transparency through regulatory clarity & enforcement and building privacy and security into the system. Even though the policy talks about operational transparency (only mentioned once) and user privacy as its core principles, in the absence of a dedicated data protection bill, the interdepartmental transfer of such huge amounts of public data could lead to a massive breach of privacy and can lead to misuse. A similar bulk data sharing policy developed by the Ministry of Road Transport and Highways (MoRTH) in 2019 was scrapped in 2020 as it allowed MoRTH to “share complete data” with specific agencies, financial institutes, and the automobile industry. Though the data shared was mostly non-personal data like the year of manufacturing, chassis number, and model type amongst others, the ministry itself admitted that the data could allow triangulation. Triangulation refers to taking datasets when viewed individually do not reveal much but when combined could lead to the identification of individuals and dilution of user privacy.
The policy’s Institutional Framework provides for the establishment of an Indian Data Office (IDO) to consolidate and streamline data access and sharing of public data repositories across various government departments and stakeholders. Data management units headed by a chief data officer will be present in every ministry and will work closely with the Indian Data Office for the implementation of the policy. The Indian Data council – comprising of the Indian Data Officer and Chief Data Officers from central and state governments – will work on defining high-value datasets, finalizing data and metadata standards, and reviewing the implementation of the policy. The IDO will also provide access to enriched data to various stakeholders like researchers, startups, and government departments through a mechanism of licensing and valuations. The data as mentioned earlier has been divided into
- Open by default, which includes all the public data which has had no or minimal data processing and will be free for all to access.
- Restricted data (as defined by the concerned department) access will be provided to only trusted users in a controlled environment.
- Negative data includes data assets that are deemed non-shareable due to their confidential nature or are in the interest of the nation’s security.
Open by default data as mentioned, will be free for all to access, and only when there has been a value-addition to that data, will they qualify to be monetized. The framework to identify these “high-value datasets” will be notified by the Indian Data Council. The concerned departments/ministries have been left to decide the pricing policy for their restricted datasets. This proposed monetization of the public data, though welcomed by the private players has been criticized by data privacy advocates as an act of selling the public data for “Perverse Economic incentives”. The policy in its current form only requires the government departments to share their data amongst each other and integrate their data portals through appropriate APIs with the open government data portal and does not include the private sector. The addresses the issues raised with regards to the NPD recommendations, which highlighted that with the government holding such valuable data already, should test the data sharing and governance model within its departments before asking to mandate it for the private sector. This step taken by the MeITY will help build trust not only amongst the private players but also among the citizens that proper precautions are being taken to handle their data and deal with any breaches.
Lastly, it talks about data anonymization standards that the departments need to comply with. Anonymization has been incorrectly defined as an irreversible process in the annexure, whereas published studies point out that unless strict access control provisions are put in place re-identification can be done. Also, the anonymization tools to be provided may not be enough to prevent re-identification. Similarly, several key concepts introduced in the policy have been left to be defined at a later date and are currently vaguely worded. The Supreme court in Shreya Singhal vs Union of India struck down Sec 66A of IT act, 2000 because it a vaguely worded and hence void. The data accessibility policy suffers from being susceptible to overbroad and harmful interpretations as well.
The Data Accessibility and Use Policy is a step in the right direction as it aims to utilize the potentially valuable data the government holds. The private sector could utilize these datasets to create innovative products and technologies leading to better living standards. The government itself could take advantage of the data it receives from the different departments within, say a state, to make better policies and help the people at grass-root levels. But as it currently stands the policy is riddled with issues and will have little relevance unless safeguards are built in to protect people’s privacy and hold the government accountable for any misuse.
Author(s) Name: Akshit Chaudhary (Faculty of Law, Delhi University)