Personal Data Protection Act…2.. RTI Act amended

The much awaited Data Protection Act of India has finally come to the open with a copy of the draft now being available. This appears as a text of the Bill and needs to be passed by the Parliament, approved by the President and notified in the Gazette before it becomes a law. This is part of a series of articles on the new Bill which when it becomes an Act will bring several changes to the Privacy and Data Protection scenario in India.

[This is the second of a series of articles that will be published on this topic…Naavi]

Presently, Section 8(1)(j) of the Right to Information Act 2005 states as follows:

“information which relates to personal information the disclosure of which has no relationship to any public activity or interest, or which would cause unwarranted invasion of the privacy of the individual unless the Central Public Information Officer or the State Public Information Officer or the appellate authority, as the case may be, is satisfied that the larger public interest justifies the disclosure of such information: Provided that the information, which cannot be denied to the Parliament or a State Legislature shall not be denied to any person.”

Now this has been replaced with:

“information which relates to personal data which is likely to cause harm to a data principal, where such harm outweighs the public interest in accessing such information having due regard to the common good of promoting transparency and accountability in the functioning of the public authority;

Provided, disclosure of information under this clause shall be notwithstanding anything contained in the Personal Data Protection Act, 2018;

Provided further, that the information, which cannot be denied to the Parliament or a State Legislature shall not be denied to any person.

Explanation. — For the purpose of this section, the terms ‘personal data’, ‘data principal’, and ‘harm’ shall have the meaning assigned to these terms in the Personal Data Protection Act, 2018.”

The change is consequential. However, it requires an interpretation of whether the information is “likely to cause harm” if disclosed and whether such harm outweighs the public interest.

This means that before any personal information is disclosed, the Information Officer should quantify and document the “Likelihood of harm” and the “Public Interest” before arriving at a decision to allow or disallow the release of the information.

Naavi

A Copy of the Proposed Bill is available here (67 pages)

A more detailed Report of the Srikrishna Committee is available here (213 pages)


Personal Data Protection Act 2018…1….Section 43A goes

The much awaited Data Protection Act of India has finally come to the open with a copy of the draft now being available. This appears as a text of the Bill and needs to be passed by the Parliament, approved by the President and notified in the Gazette before it becomes a law. This is part of a series of articles on the new Bill which when it becomes an Act will bring several changes to the Privacy and Data Protection scenario in India.

[This is the first of a series of articles that will be published on this topic…Naavi]

The first important thing we notice is that Section 43A of ITA 2008 has been omitted completely.  The “Reasonable Security Practice” mentioned under Section 87 of the principal Act in sub-section 2(ob) has also been omitted.

It may be noted that in the Intermediary Guidelines under Section 79, it had been mentioned that

“the intermediaries shall take all reasonable measures to secure its computer resource and information contained therein following the reasonable security practices and procedures as prescribed in the Information Technology (Reasonable security practices and procedures and sensitive personal Information) Rules, 2011.”

As a result, we need a modification in these rules and removal of the words “as prescribed in the Information Technology (Reasonable security practices and procedures and sensitive personal Information) Rules, 2011”.

Since PDPA 2018 is anyway covering the requirements of Sensitive Personal Data Protection in greater detail, this may be an attempt to avoid overlapping provisions.

We shall go through the draft bill in greater detail and continue our discussions.

Naavi

A Copy of the Proposed Bill is available here (67 pages)

A more detailed Report of the Srikrishna Committee is available here (213 pages)


An Unprecedented Technical Revolution in Health Sector is in the offing in India…

The Ayushman Bharat scheme, also referred to as the Modi Care program, is an ambitious welfare scheme which Mr Modi is implementing. Under this scheme it is expected that 1.5 lakh health and wellness centers offering preventive and primary care would be operating on the supply side and over 10 crore plus households would be provided a health insurance of Rs 5 lakhs per family. The idea is to promote both the supply and demand side of health care service.

The ambitious plan, which could transform the country in terms of public welfare, is likely to also provide an unprecedented boost to the technology suppliers who specialize in the health care sector, as the Government is unleashing a visionary digital framework usable by all stakeholders in the Ayushman Bharat scheme in the form of the proposed “National Health Stack” (NHS).

NHS is envisaged to be a holistic platform that supports multiple health verticals and integrates future IT solutions so that by 2022, digital health records of all citizens would be available on the platform.

It is clear that the challenge in terms of the sheer size of the required digital network along with the support features of connectivity, security etc would be providing an opportunity of unprecedented scale to the IT industry in India.

It is time for our businessmen to sit up and take notice of this development and start planning ahead for harnessing the opportunities that may be unleashed under NHS. It is expected that the grand announcement would be made about the roll out of the scheme on August 15 when Mr Modi makes his Independence Day speech which could be the last such occasion before the next election.

The occasion and opportunity is big enough to think that the 2019 Loksabha election could be actually a vote for and against Modi Care program.

While the political minds may keep scratching their heads on the pros and cons of NHS in the political environment, it is time for Cyber Security and Privacy Professionals to focus on the NHS document, which has been placed for public comments and for which the last date for submission is August 1, 2018.

In case you are yet to take a look at the document, kindly refer to “National Health Stack Plan… This is the Digital Health Aadhaar Scheme…Available for Public Comment” and ensure that your comments, if any, are sent by e-mail to healthstackniti@gmail.com

Indian Academy of Data Protection Professionals (Proposed National Conglomerate of  Data Protection Professionals promoted by Naavi) is planning to conduct a Webinar on NHS on this Sunday, the 29th July 2018. Contact Naavi for details.

Naavi


Offline verification of Aadhaar data.. Is it feasible?

According to the Caravan report about the proposed new Data Protection Act /Privacy Protection Act which the Srikrishna Panel has tabled, a suggestion has been made for amendment of the Aadhaar Act to introduce what is called “Offline Authentication”.

A discussion has already ensued in professional circles on how the “Offline” authentication can be done without a copy of the Aadhaar data being kept outside the CIDR and whether it will introduce new data breach risks.

However, I feel that just like the introduction of the Virtual Aadhaar ID which stepped up the security of the Aadhaar data by several notches and took the wind out of the anti-Aadhaar lobby, it is likely that this “Offline Authentication” system may also turn out to be a good practical suggestion that can ensure that Aadhaar system survives the critical scrutiny of the Supreme Court.

Just to think of one of the measures by which this system can be introduced, we can envisage that UIDAI may authorize “Identity Certification Agencies”.

This could be part of the Digi Locker scheme and Digital Certificate Scheme run under the CCA. In such a scheme certain agencies may be licensed to make verification based on the “Virtual Aadhaar ID” submitted by the Aadhaar user (Global KYC agents can perhaps use the real Aadhaar ID itself) and maintain a mirror identification database of “Members of its service”.

These agencies could be similar to the “Data Trusts” which Naavi had proposed earlier. Individuals could deposit their ID information with these agencies, which may be private sector agencies that may have access to technology which they claim is better than that of UIDAI. Their database may be maintained on the basis of their membership and the linked Virtual Aadhaar ID.

If there is any data breach at these “Trusted Intermediaries”, then UIDAI cannot be blamed. Also the loss can be recouped with the change of the Virtual Aadhaar ID.

Hence this move will both address the issue of insulating the CIDR from too much of access by public and also silence the critics by challenging them to be the secure repositories of the data if they are capable rather than blaming the Government all the time.

For the positively minded, this is an additional opportunity to create a business out of the need to secure personal data.

It is therefore time for the Critics of Aadhaar to accept the challenge thrown at them by the Srikrishna panel and find solutions to make offline Aadhaar authentication feasible without the fear of personal data breach.

Naavi


Another leak of the Srikrishna Committee Report on Data Protection

Even while the Srikrishna Panel has expressed dissatisfaction at TRAI coming up with its own Privacy Protection regulation and a consequential need for revision by the Panel of its draft, Caravan has released a report about a draft copy of the proposed act containing 15 chapters which it has gained access to and released some of its views.

The Caravan article is here

Also see: Economic Times

This article focusses on some suggestions reported to have been made by the committee on Aadhaar Act and RTI Act.

It would be appropriate for us to wait for the official release of the draft to make serious comments.

However for the sake of records we can recount the remarks of Caravan.

  1. It is said that the draft proposes amendment to Aadhaar act and an “Offline Verification” for Aadhaar.
  2. It is also said that the RTI Act is proposed to be amended, with the following three conditions needing to be fulfilled for the release of personal data:

    (a) the personal data relates to a function, action or any other activity of the public authority in which transparency is required to be maintained having regard to larger public interest in the accountability of the working of the public authority;

    (b) if such disclosure is necessary to achieve the object of transparency referred to in clause (a); and

    (c) any harm likely to be caused to data principal by the disclosure is outweighed by the interest of the citizen in obtaining such personal data having regard to the object of transparency referred to in clause (a).

We shall wait for further information to come forth instead of speculating on the above measures as there are more fundamental aspects of the law which may need attention rather than these peripheral issues.

Naavi


Ethical E- Expression Consortium

The media has been reporting many incidents of lynchings in India apparently caused by the spread of rumours through the WhatsApp messaging system. Some of these may be “Fake” news and some may even be “Genuine” information which has evoked violent reactions due to the emotional content of the messages.

There was also some recent confusion created by a news report that “Forwarding of a Message is equivalent to endorsing of a message”, arising due to a wrong interpretation of a Court decision.

In the light of the above, there have been some indications that WhatsApp itself may be introducing some changes into its system such as “Restricting forwards” or “Flagging a Forward” etc.  Such measures are welcome.

However, the solution to the problem may not lie in merely restricting the forwards to five or indicating that a “forward is actually a forward”.

It is clear from the developments that many of the lynchings that occurred in recent days had a political overtone meant to discredit the current regime and build up a narrative for the forthcoming elections. Media which is biased in favour of the opposition is hand in glove with building of such a narrative. Hence in many instances, the forwarding of a message or publishing of a message is only an “Excuse” for a “Crime already contemplated”.

Since in many cases, the investigations are also biased, truth might not have come out.

While WhatsApp or Bolo may try to find their own methods to improve reliability of messages it is necessary for persons using different means of expression on the Electronic media to ensure that they follow certain ethical principles.

While every person who originates a message can take care at his personal level to be ethical and avoid deliberate false messages, we cannot rule out the need for forwarding of messages of doubtful veracity either to check if it is true or to fore-warn if there is a potential risk if the message is ignored. Hence some “Conditional Forwarding” should be possible without attracting the wrath of the law.

Flagging a forward as “Forwarded as Received, Authenticity not Checked or Guaranteed” could be a good disclaimer that can protect a person in law.

But over and above this, I propose that a voluntary “Ethical E Expression Consortium” (EEE Consortium) be formed which provides a “Virtual Editor” service to the individual publishers. The members should be able to load their expressions, which may be blog articles or twitter messages or Facebook posts, into the forum repository in the form of a link and let somebody else review the comment and suggest their removal if it is necessary. The authors may either post their message and then seek a review or wait for a while before publishing their messages so that some reviewer can alert them if they are going overboard.

This would be a self regulation for bloggers before the Government comes up with its own regulation which all of us may later criticise as “An Assault on Free Expression”.

Naavi

 
