National Data Governance Framework Policy and the road ahead

The Draft National Data Governance Framework Policy was recently issued by the Union Ministry of Electronics and Information Technology (MEITY) immediately after scrapping the India Data Accessibility and Use Policy, which had created a stir over licensing and selling of data by the government to the private sector.

It is pertinent to mention that unlike the India Data Accessibility and Use Policy, there is no data monetisation provision under the Data Governance Policy. Moreover, the phrase "making data open by default" used in the former Policy didn’t have any underlying value or objectives stated in the policy document. The absence of proposals for creating a legal framework or an independent regulatory body led to the eradication of the former Policy, as it could have dismantled the very foundation of data governance.

The National Data Governance Framework Policy focuses on providing access to non-personal data sets and anonymized data sets. As the Policy focuses on non-personal data (data that does not contain personally identifiable data), there are fewer chances of privacy breaches. But the point is, are we depending on the explanation of non-personal data embodied in the Data Protection Bill, which is not yet a law? Moreover, can the identification and classification of already existing datasets trigger a disbalance in the domain of federalism? Also, will data which is generated, processed, stored or disseminated be able to comply with interoperability standards and share the revenue equitably generated by it?

The question about interoperability arises as the Policy mentions cooperation and coordination mechanisms between centralized authority and the states. The notion that anonymized data could assure higher standards of privacy protection is a bit unrealistic, as we hardly have any protection granted by a data protection authority under a law.

The Policy takes the initiative of setting up the India Datasets Program, inclusive of non-personal and anonymized data sets about Indian citizens owned by both the government and the private sector. Though the Policy is confidently considering the inclusion of the private sector, companies may not be voluntarily willing to share non-personal data without benefits. This may further invoke implications regarding trade and intellectual property issues. The success of the implementation of the Policy depends on a consistent glossary for data, a framework that ensures quality, accuracy, confidentiality and consistency, making data assets discoverable, effective methodologies and best practices for data asset management, striking a balance between objectives of Policy and legal regulations, etc.

The Policy supports the building of large repositories of India-specific data which can be used by researchers and start-ups. While this may facilitate research, one must not ignore the ethical principle of beneficence, which requires that researchers do no harm and concentrate on only maximizing benefits and minimizing losses. One more principle that must be incorporated as the essence of the Policy concerns distributive justice, which would require equitable distribution of benefits and burdens. It must be ensured that the samples of data distributed for purposes of research are not be selected just because of their easy availability and ease of manipulation.

The Policy propels the use of Artificial Intelligence (AI) based and data-led research. The objective is to improve the government’s data collection techniques and upgrade the data governance. The point of reference is again about exposing the citizens' data to these emerging disruptive technologies without any data protection regulations or the law. There is a possibility of the State-sponsored mass surveillance, and concerns may also arise regarding the scientific analysis and authentication of results achieved by these tools along with availability and expenditure for such technology. Moreover, when we decide to depend or make an effort to imbibe these technologies into our matrix, we often forget that India is still lagging behind in providing a legislative framework for regulating breaches by AI-led machines. The current Information Technology law is not sufficient to deal with the intricacies embedded in these emerging technologies.

The Policy provides for the India Data Management Office (IDMO), set up by MEITY's Digital India Corporation. The IDMO plays a critical role in the framework provided and is responsible for varied functions such as maintaining data security and informational privacy by formulating rules, principles, standards, disclosure norms for proper implementation of the Policy, notifying protocols for facilitating sharing of non-personal data assets etc. The IDMO can impose a limit to several requests for access to datasets and facilitate inter-governmental data access.

IDMO, while taking care of privacy concerns, must consider the argument of informed consent of subjects whose data will be processed and used. Imbibing the concept of informed consent into the framework will be enormous; in the absence of it, the framework may appear meaningless, and check-the-box consent must not be appreciated as an understanding of agreement to share data.

The appointment and composition of IDMO must not be cited ambiguously in the Policy, as this may lead to arbitrariness. The composition of IDMO must consider the representation of experts including information technology experts, data protection officers, data analysts, legal professionals etc.

Although IDMO has been entrusted with the duty to review, it is suggested that an institutional review board may be set up to conduct an unbiased assessment and audit of risk and benefits to understand whether the vulnerabilities to which the data owners will be exposed could be justified on a legal basis. Also, as the IDMO is responsible for listing out ethics and principles of fair use, it must consider the international CRAFT (Choice, Responsibility, Accountability, Fairness and Transparency) Framework which is one of the suggestive models to follow when it comes to working on a data governance model. Though the CRAFT framework is non-binding, a framework with a spine of ethical principles often creates a community of common values.

The National Data Governance Framework Policy appears to be more functional and achievable than its predecessor, but still, the firm foundation of data governance in the country cannot be laid down without a data protection law.

Prof GS Bajpai is Vice-Chancellor and Dr Ivneet Kaur Walia is an Associate Professor at at Rajiv Gandhi National University of Law (RGNUL), Punjab.