National Personal Data Archive…Is it impossible to secure?

While deliberating on the DPDPA rules, I have been suggesting that the Government needs to set up a “National Personal Data Archive” so that “unclaimed personal data” and “personal data under dispute” may be shifted out of the custody of the Data Fiduciary and retrieved, if required, at a later date, subject to an appropriate legal process.

One of the prime benefits of this system arises when a data fiduciary has completed the processing for which the data was collected, but the consent may not be renewed after DPDPA 2023 becomes effective, either because contact cannot be established with the data principal, or the data principal cannot be properly identified, or the transfer back is legally disputed for some reason. In such cases the data fiduciary can give up custody of the data instead of carrying a dead burden which he can neither use nor delete.

When I discuss this proposition with experts, many have expressed distrust of Government machinery having control of such data because it can be misused for surveillance. Though the Government will have the power to call for any information for National Security purposes, which includes a certain basic level of surveillance, the fear that the data may be misused by the corrupt system cannot be ruled out.

We may, however, discuss separately whether it is safer to leave the data with the private sector data fiduciary, even after he no longer requires the data for processing but would like to hold onto it under some excuse, than to transfer it to the sovereign state, which in any case is the owner of all unclaimed properties.

For the time being, however, we may discuss and elicit the views of experts on whether there is really no way that a database of Personal Data of Citizens can be kept secure against misuse.

In the past, we have discussed a concept of “Regulated Anonymity”. With the advent of DPDPA 2023, every personal data store manager is also a data fiduciary with his own responsibilities, and this also applies to a Government-managed national archive of personal data. The central idea of the suggestion was “Distributed Ownership of Custody” of a database.

This concept has been well developed in the ICANN system of both Internet Governance and Domain Name Root Server administration.

Refer: https://www.cloudflare.com/en-gb/learning/dns/dnssec/how-dnssec-works/

A similar system can be used to secure this National Archive of Personal Data. This system requires:

a) Strong Encryption of Data at rest

b) Distributed key control with an administration team

c) Administration team to consist of non-Government persons

d) Some of the members of the administrative team to be elected by digitally identified Netizens through a democratic process.

I want experts to debate the creation of such a secure database and put pressure on the Government to introduce the National Personal Data Archive.

Naavi

About Vijayashankar Na

Naavi is a veteran Cyber Law specialist in India and is presently working from Bangalore as an Information Assurance Consultant. Having pioneered concepts such as ITA 2008 compliance, Naavi is also the founder of Cyber Law College, a virtual Cyber Law Education institution. He is now focusing on projects such as Secure Digital India and Cyber Insurance.