Policy on use of data held by government: Fourth time’s the charm?

In February, the Ministry of Electronics and Information Technology came up with a proposal for use and access to data held by government agencies. The draft policy attracted instant criticism, especially for considering monetisation of data through sale and licensing to private entities.

The criticism initially resulted in at least three different versions of the policy, and then finally a complete withdrawal.

The way the earlier policy was drafted literally made it clear that revenue generation was the main motive behind it and that was among the main reasons for the backlash, said Anushka Jain of Internet Freedom Foundation.

Now, a new proposal called the draft National Data Governance Framework has been released. It’s aimed at governing the use of anonymised non-personal data held by government agencies and making it accessible for AI and data research, and improving governance.

The experts BQ Prime spoke with welcomed the improvement in the language, which dilutes the focus on monetisation of data. But, they said, more clarity is required on three aspects:

The manner in which the goals articulated in the policy will be achieved.
The composition of the Indian Data Management Office, which will frame the guidelines for use and processing of data by government entities.

The latest draft defines the purpose of the policy as collection, processing, storage, access and use of government data. To that end, it merely outlines a broad architecture:

Standardised data management and security standards across the government.

Building a platform that will decide on requests for data and its processing.

Set quality standards and promote expansion of India datasets program and overall non-personal datasets ecosystems.
The framework will be applicable to all government departments and state governments will be encouraged to adopt the provisions of the policy.

The lack of details in the proposal makes it difficult to give feedback to the government, Jain said. For instance, at one place, the policy states the standards and rules will ensure data security and informational privacy. But it does not say how it will be achieved, she pointed out.

You have to show how would you do it. Probably, that is left to some future guidelines or SOPs, but how can we give comments on this policy or expect the stakeholders to assess it, if it is not known how it is going to work and how it is going to ensure data protection.

The main purpose of the policy is still not ideal, said Raman Cheema of Access Now while welcoming the overall shift from the earlier aim of monetisation of data for profit.

We believe it is crucial to focus on truly ensuring that government data efforts are aimed at making sure citizens are truly aware and in charge of their data, and that data efforts are built on the spirit of the RTI movement.

IDMO’s Composition
The fine print of the rules, standards, and guidelines under the policy will be published periodically by a body called the Indian Data Management Office. The agency will function under the IT Ministry and frame the rules in consultation with the ministry, state governments and industry.

The IDMO will also design and manage the India datasets platform that will process data requests and provide access to researchers and start-ups.

The independence of the authority, however, is still an area of concern. The IDMO, as per the proposal, will be under the Ministry of Electronics and Information Technology.

The independence of the IDMO is important. The government does not own the citizen data and is only one of the stakeholders. The IDMO is going to be the office which is responsible for protecting citizen rights and it is important that such an office is independent. Currently, the decision between the government’s needs and citizen’s rights will be taken by a body that is under a central government ministry and that is the issue.

Anushka Jain, Internet Freedom Foundation.

Further, the proposal fails to specify how the public data office would address the possible overlap with the Data Protection Authority envisaged under the data protection law, Cheema said.

The draft Data Protection Bill has been in the works for over four years now and the data protection authority is supposed to be the nodal agency for implementing the provisions of the bill.

Plan For Anonymisation?

The draft policy leaves it to the IDMO to prescribe rules and standards for anonymisation of data by the government and private agencies.

IDMO will set and publish data-anonymisation standards and rules to ensure information privacy is maintained, says the proposal.

The policy does not explain what the anonymisation standards will be and leaving that to the IDMO is not the correct approach, said Jain.

The issue is that they have not taken into account that data non-anonymisation and re-identification is extremely easy to do. Without these standards being made available for a third party review, it is difficult to give feedback on the policy.
Anushka Jain, Internet Freedom Foundation

It is important to have robust standards which can be analysed by independent parties, but the policy does not tell anything about these standards, she added.

The government has invited feedback on the policy framework by June 11. Bloomberg