A government committee headed by Infosys co-founder has suggested that non-personal data generated in the country be allowed to be harnessed by various domestic companies and entities.

Practice question for mains:

Q.What is Non-Personal Data? Discuss its utility and various privacy concerns associated with it.

What is non-personal data?

• In its most basic form, non-personal data is any set of data which does not contain personally identifiable information.
• This, in essence, means that no individual or living person can be identified by looking at such data.
• For example, while order details collected by a food delivery service will become non-personal data if the identifiers such as name and contact information are taken out.
• The government committee, which submitted its report, has classified non-personal data into three main categories, namely public non-personal data, community non-personal data and private non-personal data.

Types of non-personal data

Depending on the source of the data and whether it is anonymised in a way that no individual can be re-identified from the data set, the three categories have been divided:

1) Public

All the data collected by government and its agencies such as census, data collected by municipal corporations on the total tax receipts in a particular period or any information collected during execution of all publicly funded works have been kept under the umbrella of public non-personal data.

2) Community

Any data identifiers about a set of people who have the same geographic location, religion, job, or other common social interests will form the community non-personal data. For example, the metadata collected by ride-hailing apps, telecom companies, electricity distribution companies among others have been put under the community non-personal data category by the committee.

3) Private

Private non-personal data can be defined as those which are produced by individuals which can be derived from the application of proprietary software or knowledge.

How sensitive can non-personal data be?

• Unlike personal data, which contains explicit information about a person’s name, age, gender, sexual orientation, biometrics and other genetic details, non-personal data is more likely to be in an anonymised form.
• However, in certain categories such as data related to national security or strategic interests such as locations of government laboratories or research facilities, even if provided in anonymised form can be dangerous.
• Similarly, even if the data is about the health of a community or a group of communities, though it may be in anonymised form, it can still be dangerous, the committee opined.
• Possibilities of such harm are obviously much higher if the original personal data is of a sensitive nature.
• Therefore, the non-personal data arising from such sensitive personal data may be considered as sensitive non-personal data.

What are the global standards on non-personal data?

• In May 2019, the EU came out with a regulatory framework for the free flow of non-personal data.
• It suggested that member states of the union would cooperate with each other when it came to data sharing.
• Such data, the EU had then ruled would be shared by member states without any hindrances.
• The authorities must inform the commission of any draft act which introduces a new data localisation requirement or makes changes to an existing data localisation requirement.
• The regulation, however, had not defined what non-personal data constituted of and had simply said all data which is not personal would be under its category.

What areas does India’s non-personal data draft miss?

• Though the non-personal data draft is a pioneer in identifying the power, role, and usage of anonymised data, there are certain aspects such as community non-personal data, where the draft could have been clearer.
• Non-personal data often constitute protected trade secrets and often raises significant privacy concerns.
• The paper proposes the nebulous concept of community data while failing to adequately provide for community rights.
• Other experts also believe that the final draft of the non-personal data governance framework must clearly define the roles for all participants, such as the data principal, the data custodian, and data trustees.

Conclusion

• Regulation must be clear, and concise to provide certainty to its market participants, and must demarcate the roles and responsibilities of participants in the regulatory framework.
• The report is unclear on these counts and requires public consultation and more deliberation.

Get an IAS/IPS ranker as your 1: 1 personal mentor for UPSC 2024

Attend Now