This could be one of the key pieces of legislation; its draft was released on the 27th of July 2018. It could be key for every organization dealing with citizen / resident Personal Information (PI), as:
• Proactive compliance could build a reputation as the first among the competition to be trustworthy for citizens.
• Big penalties following a data breach could throw you out of business.
Political parties across the spectrum are debating this at length but seem keen to get this act passed fast. The government has already given a commitment to the Supreme Court for faster adoption of a privacy law. 60+ major countries already have one. Write to firstname.lastname@example.org for further information on compliance.
Key highlights, in our understanding, are:
1. Coverage of PI data
a. Covers any kind of personal data collected, disclosed, shared or otherwise processed within the territory of India. Interpretation: covers any person's data that is collected in India, whether that person is Indian, an NRI or a foreigner.
b. Data Fiduciaries & Processors are covered (organizations, communities or individuals).
2. Exemptions
a. Anonymised data is the exception, which allows the digital economy & Big Data, i.e. monetization of personal data.
b. PI used for personal purposes.
c. Small firms by definition (<INR 25 Lakhs annual revenue or <100 PI records on any day).
d. Crime / investigations / courts.
e. Public interest by Government / national security.
f. Small global organisations not in India that are neither large-scale nor capable of harming data subjects.
3. What are Data Principal rights?
a. Confirmation / Access: the Principal should be able to get confirmation of what personal data the Fiduciary / Processor holds, and should be able to get the content of that personal data.
b. Correction: the Principal should be able to get mistakes & omissions fixed, and updates reflected in the data.
c. Portability: the Principal should be able to get the data in a portable, machine-readable format for use by another Fiduciary.
d. Sector-specific standards could be added.
e. Right to be Forgotten (balanced with the interests of Fiduciaries / Processors): the Fiduciary should provide a facility for discarding data once consent is withdrawn, in applicable cases.
4. What is the obligation of Data Fiduciary?
a. Fair and reasonable processing.
b. Purpose Limitation: data should be used only for the intended purpose and nothing else.
c. Collection Limitation: only relevant data should be asked of the Principal.
d. Lawful processing.
e. Notice: all related information about capturing, processing, retention and usage of data, in simple terms; also how to get data fixed or accessed, how to withdraw consent, and how to contact the appropriate authority within the Fiduciary for request processing.
f. Data Quality: the Fiduciary should ensure completeness, correctness and timely updates of data at its end.
g. Data Storage Limitation / Retention Period: data should be retained only for the required period and discarded afterward.
h. Accountability: the organization should set up a framework for ensuring all requirements laid down in the Data Privacy Act.
5. Breach notification
a. Intimation of a PI breach to the Principal is optional; it is the Data Protection Authority's (DPA) prerogative.
b. Breaches need to be intimated only to the DPA.
c. The conditions under which intimation goes only to the DPA, or otherwise to Principals as well, are still to be defined.
6. Data Localisation (Cross-border Flow)
a. Sensitive data is to be kept only in India.
b. One copy of PI is to be kept in India.
c. A green signal from the Central Government is needed for moving data outside India.
7. Impact on Aadhaar:
a. Reporting to the DPA for a breach: UIDAI is answerable to the DPA for a breach reported by a Principal; so far it was UIDAI itself or a court.
b. UIDAI being responsible for collection, execution and maintenance as well as for breaches is like reporting wrongdoing by an organization to that same organization.
8. Penalties (Financial & Civil) & Damages
a. INR 15 Cr or 4% of global group turnover (sensitive data breach).
b. INR 5 Cr or 2% of global group turnover (PI breach).
c. 5-year / 3-year imprisonment for the responsible individual; non-bailable and cognisable.
9. Implementations for Fiduciaries & Processors (Organisations & Individuals):
a. DPO for Significant Fiduciaries or global fiduciaries; a SPOC for the rest of the fiduciaries.
b. Internal audit; Trust Scorecard for Significant Fiduciaries.
c. PI identification & flow,
d. Privacy objective,
e. Consent framework,
g. Internal training,
i. Incident management & reporting.
10. DPA / Appellate Tribunal / Supreme Court, in that order, for grievance redressal by the Principal.
11. Major Difference as compared to other Data Protection Acts
a. Financial data & passwords are included in sensitive data; no other data protection law has this.
b. Localisation: a copy must remain in India; none is as stringent (apart from China), though cross-border movement could be allowed by the Central Government.
c. Right to be forgotten: this could be refused by the Fiduciary / Processor if it violates freedom of speech or is practically not feasible.