From UPSC perspective, the following things are important:
Prelims level : Non-personal data
Mains level : Data privacy issues
A government committee headed by an Infosys co-founder has suggested that non-personal data generated in the country be allowed to be harnessed by various domestic companies and entities.
Practice question for mains:
Q. What is Non-Personal Data? Discuss its utility and various privacy concerns associated with it.
What is non-personal data?
- In its most basic form, non-personal data is any set of data which does not contain personally identifiable information.
- This, in essence, means that no individual or living person can be identified by looking at such data.
- For example, order details collected by a food delivery service become non-personal data if identifiers such as name and contact information are taken out.
- The government committee, which submitted its report, has classified non-personal data into three main categories, namely public non-personal data, community non-personal data and private non-personal data.
Types of non-personal data
The three categories are divided according to the source of the data and whether it is anonymised in such a way that no individual can be re-identified from the data set:
All the data collected by government and its agencies such as census, data collected by municipal corporations on the total tax receipts in a particular period or any information collected during execution of all publicly funded works have been kept under the umbrella of public non-personal data.
Any data identifiers about a set of people who have the same geographic location, religion, job, or other common social interests will form the community non-personal data. For example, the metadata collected by ride-hailing apps, telecom companies, and electricity distribution companies, among others, has been put under the community non-personal data category by the committee.
Private non-personal data can be defined as data produced by individuals that can be derived from the application of proprietary software or knowledge.
How sensitive can non-personal data be?
- Unlike personal data, which contains explicit information about a person’s name, age, gender, sexual orientation, biometrics and other genetic details, non-personal data is more likely to be in an anonymised form.
- However, certain categories of data, such as data related to national security or strategic interests (for example, locations of government laboratories or research facilities), can be dangerous even if provided in anonymised form.
- Similarly, even if the data is about the health of a community or a group of communities, though it may be in anonymised form, it can still be dangerous, the committee opined.
- Possibilities of such harm are obviously much higher if the original personal data is of a sensitive nature.
- Therefore, the non-personal data arising from such sensitive personal data may be considered as sensitive non-personal data.
What are the global standards on non-personal data?
- In May 2019, the EU came out with a regulatory framework for the free flow of non-personal data.
- It suggested that member states of the union would cooperate with each other when it came to data sharing.
- Such data, the EU had then ruled, would be shared by member states without any hindrances.
- The authorities must inform the commission of any draft act which introduces a new data localisation requirement or makes changes to an existing data localisation requirement.
- The regulation, however, had not defined what constituted non-personal data and had simply said that all data which is not personal would fall under this category.
What areas does India’s non-personal data draft miss?
- Though the non-personal data draft is a pioneer in identifying the power, role, and usage of anonymised data, there are certain aspects such as community non-personal data, where the draft could have been clearer.
- Non-personal data often constitutes protected trade secrets and often raises significant privacy concerns.
- The paper proposes the nebulous concept of community data while failing to adequately provide for community rights.
- Other experts also believe that the final draft of the non-personal data governance framework must clearly define the roles for all participants, such as the data principal, the data custodian, and data trustees.
- Regulation must be clear and concise to provide certainty to its market participants, and must demarcate the roles and responsibilities of participants in the regulatory framework.
- The report is unclear on these counts and requires public consultation and more deliberation.