Regulation of Non Personal Data.. Recommendations of the Kris Gopalakrishna Committee-2

(This is a continuation of the previous article)

The Kris Gopalakrishna Committee (KGC) considers that data is valuable and must be regulated in an appropriate manner for which a clear definition of Non-Personal Data (NPD) and the Key roles in the NPD eco system must be articulated.

Definition of Non Personal Data

The KGC has identified that Data can be categorized in many different ways

Category I: Personal Data

a) Arising from the subject of data

b) In relation to its purpose

c) Sector to which it belongs

d) Level of processing

e) Based on the extent of involvement of stakeholders

Category II: Non Personal Data

Non Personal Data where data is not “Personal Data” as defined under the PDPB/PDPA

Category III: Non Personal data according to Origin

a) Data that never related to an identified or indientifiable natural person

b) Data which were initially personal data but were ater made anonymous

Category IV: Different types of Anonymous Data

Based on the types of anonymization techniques

Considering the need o have a clear single definition of Non Personal data,(NPD)  the Committee has recommended three kinds of NPD

  1. Public NPD
  2. Community NPD
  3. Private NPD

The Committee has also further categorized NPD into

a) Non-Sensitive NPD

b) Sensitive NPD

i) relating to national security or strategic interests

ii) related to sensitivity of business and confidentiality

iii) Anonymous data bearing the risk of re-identification

Public NPD consists of data such as data generated by Government excluding those which have been afforded confidential treatment under law, and includes land records, public health information, vehicle registration data etc

Community NPD consists of data generated by any group of people bound by common interests and purposes including anonymised personal data, electricity usage, telephone usage etc, excluding the derived insights (profiling).

Private Non Personal data includes inferred or derived data, global data set pertaining to non-Indians etc

It is interesting to note that the GKC brought the concept of “Sensitivity” to Non Personal Data also to take care of such data that is related to national security and strategic interests, bearing the risk of collective harm to a group, etc.

GKC also recognized the limitations of Anonymization techniques and flagged the possibility of re-identification of anonymized data in terms of classifying them as “Sensitive NPD”.

GKC recommends

“that Non-Personal Data inherits the sensitivity characteristic of the underlying Personal Data from which the Non-Personal Data is derived”

In the light of the above GKC recommends

Consent should be obtained from data principals even for “Anonymisation”.

This suggestion may be incorporated in the PDPB. Even if PDPB does not consider it necessary to add this in the current version and leave it to the new act which may be drafted for regulation of NPD,

this would be adopted as one of the implementation specifications under the PDPSI (Personal Data Protection Standard of India)

(…Continued)

About Vijayashankar Na

Naavi is a veteran Cyber Law specialist in India and is presently working from Bangalore as an Information Assurance Consultant. Pioneered concepts such as ITA 2008 compliance, Naavi is also the founder of Cyber Law College, a virtual Cyber Law Education institution. He now has been focusing on the projects such as Secure Digital India and Cyber Insurance
This entry was posted in Cyber Law. Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.