This article is Part 8 of a multi-part series explaining the recently issued white paper on data protection in India. The responses to the white paper will help in the formulation of India’s future data protection laws. You can read Part 1, Part 2, Part 3, Part 4, Part 5, Part 6 and Part 7.
For the protection of data, it isn’t enough to ensure that the data controller has collected data with the people’s consent, or that the use of the data is legitimate. It is equally important to ensure that the quality of the data in the possession of the controller is maintained. For this, a data protection law imposes obligations on entities in the form of privacy principles of storage limitation and data quality. Along with these, people can also play their part, in the form of rights to access and rectification.
The principle of storage limitation imposes restrictions on the amount of data that is stored with a data controller. This is also closely linked to the purpose specification principle, that was discussed previously in Part 6 of this series. This principle ensures a limit on the data collected, and therefore subsequently stored, for the purpose specified.
Another aspect of this principle is the limit on the time for which this data is stored. Most data protection laws impose such restrictions. The Indian IT laws also often contain such restrictions, such as the requirement under the IT (Safeguards for Interception and Monitoring) Rules, 2009, to destroy interception and monitoring records within 6 months. This is an important rule, given practices like widespread surveillance, databanks like the CIDR, data broking and data analytics.
Along with limiting the amount of data stored by the data controller, it is also important to ensure that the data that is stored, is accurate. This data is, after all, used for making key decisions on the individual in future. For example, consider the practice of credit scoring, which uses the data on an individual in the possession of financial institutions to determine if they are eligible for facilities like loans, and the impact of an error in this data. Alternative credit scoring using data from new financial technology, such as mobile wallets, payment banks or small finance banks, has also become popular, demonstrating the importance of ensuring data quality with even smaller institutions.
Individual participation rights
Under data protection laws, individuals have been given a set of rights known as individual participation rights. These have been given to ensure greater participation of an individual with the decision-making process involving his or her data, beyond the basic granting of consent.
Together, these are considered to be among the most important safeguards for an individual, since they allow the processing of your data to be transparent to you, and allow you to influence the manner in which it is used. For data quality, the rights of access, confirmation and rectification play a crucial role.
Right to Access and Confirmation
This is the right of an individual to gain access to the data that an entity has on him, and the right to confirm whether his personal data is being processed by that entity. This includes the right to access information on the types of data being processed, the purpose for which it is being processed, who receives his data, etc. This right is crucial considering the myriad uses to which data is being put these days, as seen in Part 6 of this series on big data.
However, this right is also typically subject to certain restrictions, such as when granting access to the data is cost prohibitive for the entity or the disclosure can threaten the life or privacy of another. Data that is crucial to an organisation, such as trade secrets, will also be restricted. Care must be taken in framing these to ensure that the exercise of the right remains relevant despite the restrictions.
Right to Rectification
This is a right to rectify the data that the entity has on him. If the data is inaccurate, irrelevant, not up-to-date or excessive, the individual can approach the entity or the courts to have the data erased, modified or rectified. Another important aspect of this right is that it allows people to get data which an organisation is no longer authorised to hold, such as by exceeding the time limits for storage, removed.
Challenges with implementation
Apart from granting these rights, it is also important to take into account the practical challenges with implementation. The suitability of these rights, the extent to which they should be granted and the restrictions to them are factors that need to be taken into consideration.
Moreover, methods need to be devised to allow these rights to be exercised without overburdening the entities involved. Considering India’s huge start-up sector and small businesses, this is a factor that needs to be considered. At the same time, neither should people’s privacy be put at risk by allowing data collection yet reducing obligations.
One solution is to make the two proportional to each other, i.e., determining different levels of obligations for different levels of data collection. The extent of use by an entity would be determined by their ability to adhere to a certain level of obligations.
Some of the key challenges are as follows:
Cost: Cost is one of the key issues with implementation of these rights. While the fees charged for an access and rectification request is minimal, it could cost the data controller, for example in the UK, anywhere between £50-550, depending on the sector. This cost may be difficult for smaller enterprises to bear. Frivolous requests only add to the burden of the data controller.
Technical: Another challenge is the technical aspect of handling the volumes of data in the possession of the data controller. For example, consider data like e-mails, where a single organisation may have millions of e-mails containing data on individuals. The same issue applies to governmental organisations as well.
Automated decisions: A number of decisions based on data are being taken using automated decision making, which uses a logical algorithm, and involves no human intervention. Access to the logic behind these decisions is one of the rights provided in the EU, but it is being argued that this is not enough to protect individuals from the outcome of automated decisions. For example, while explaining why a credit card application was rejected, a person may be told that his credit history, age and postcode was taken into account. The actual reason for rejection, or the logic behind the automated decision, may go unspecified, since its revelation may be restricted due to reasons like protecting trade secrets.
Limited exercise of rights: A very limited exercise of rights has been found in other jurisdictions. This may be because people are unaware of their rights or because they are unaware of the consequences of handing their personal data over to an organisation.
Key questions raised in the White Paper
Provisionally, the White Paper is in support of the inclusion of these rights and obligations for ensuring data quality, subject to their streamlining in the Indian context. It has presently sought comments on the following key questions with respect to ensuring the quality of data and the rights to access and correction:
- What are your views on the principles of data quality and storage limitation?
- On whom should the primary onus of ensuring the accuracy of this data lie?
- What time-limits should be prescribed for storing data? Thereafter should the data be erased or anonymised?
- Should there be a one-size-fits-all kind of regulation?
- What are your views on the individual participation rights to be granted?
- What exceptions should be granted?
- What restrictions should be imposed on the right to access information? What is the scope of the right to rectify? Should a fee be imposed?
- Should access to the logic behind automated decisions be granted?
- Should a time limit be fixed for responding to these requests?
- Any other views?
Part I of the series explores the definitions of personal data and sensitive personal data, Part II of the series examines the jurisdiction and territorial scope of data protection laws, Part III of the series explores cross-border data flows and data localisation, Part IV deals with exemptions to data protection law, Part V deals with notice and consent, Part VI deals with the big data challenge to privacy principles, and Part VII deals with processing of sensitive personal data.
The author is a lawyer and author specialising in technology laws. She is also a certified information privacy professional.
Updated Date: Dec 08, 2017 12:40 PM