The Report by the Committee of Experts on Non-Personal Data Governance Framework was submitted to MEITY in July.
MEITY has called for feedback on the framework. These are the gaps we identified in the framework.
Initially, it was supposed to be open for feedback till 13th Aug. This has now been extended up to 13th Sep.
Feedback on Non Personal Data Governance Framework
1. Feedback on Non Personal Data Governance Framework
Nanda Mohan Shenoy D
CAIIB, DBM-Part I, NSE Certified Market Professional Level-1, P G Diploma in IRPM, PG Diploma in EDP and Computer Management, DIM, LA ISO 9001, LA ISO 27001, NISM empaneled CPE Trainer
Director
2. Summary of Gaps in the Framework-1/3
# | Gap | Impact | Remedy | Addl. Info (Sec/Page) | Slide No
G1 | Contradictory Jargons Used: Re-identification in place of De-anonymisation | Total Confusion | Substitute the word De-anonymisation wherever De-identification is used | Multiple places - 22 occasions | 5
G2 | Lack of Clarity in Anonymised data definition | Total Confusion | Give explanation | Sec 4.6 Pg17 & Pg11 | 6
G3 | Contradictory views on Anonymisation | Interpretation | Clarify the same or explanation required | Sec 4.5.iii Pg16 & Pg44 | 7
G4 | Appendix 3 - Out of Context | Conflict with PDP Bill | Delete this appendix and refer to PDP Bill Sections | Appendix-3 Pg59 | 8
G5 | Data Principal Consent is out of Context | Conflict with PDP | Delete this and refer to PDP Bill Sections | Sec 4.6 Pg17 | 9
G6 | Sensitive Non Personal Data Definition not specific | Interpretation | Specifics to be given similar to PDP Bill | Sec 4.5.iii Pg16 | 10
3. Summary of Gaps in the Framework-2/3
# | Gap | Impact | Remedy | Addl. Info (Sec/Page) | Slide No
G7 | Public Non Personal Data definition not clear | Confusion & Interpretation | Redraft the definition | Sec 4.2.ii Pg-14 | 11
G8 | Overlap between Community & Private Non Personal Data | Confusion & Interpretation | More clarity and bifurcation required | Sec 4.3.ii Pg-15 | 12
G9 | Global Data Set – No Clarity | Confusion & Interpretation | More clarity required | Sec 4.4.i Pg-15 | 13
G10 | Ambiguity in Data Principal Definition | Confusion & Different Interpretation | More Clarity Required | Sec 4.7 Pg-19 | 14
G11 | Difference between Data Trust, Custodian & Principal is not very clear | Confusion & Different Interpretation | More clarity with specific examples required | Sec 4.8 Pg-19 | 15
G12 | Difference between Data Trustee & Data Custodian | Confusion & Different Interpretation | One single example to be given from end to end | Sec 4.9 Pg-20 | 16
4. Summary of Gaps in the Framework-3/3
# | Gap | Impact | Remedy | Addl. Info (Sec/Page) | Slide No
G13 | Ambiguity in the role of Data Trust | Confusion & Interpretation | Redraft the same | Sec 4.10 Pg-21 | 17
G14 | Contradiction in sharing Data Voluntarily and Mandatorily | Confusion & Interpretation | Redraft the same | Sec 4.10 Pg-21 | 18
G15 | Legal Basis for Public Non Personal Data not defined | Lack of clarity can lead to confusion | Add the legal basis for the same | Sec 5.1 Pg-23 | 19
G16 | Overlaps and Contradictions with Personal Data Protection Bill (PDPB) | Utter Confusion for the layman | Contradictory clauses to be removed and cross reference to PDPB | Sec 5.4 Pg-26 | 20
G17 | Linkages of Data Business with other roles like Custodian etc not established | Utter Confusion for the layman | Establish the relationship between the two | Sec 6 Pg-27 | 21
G18 | One regulator for Data protection, both Personal and Non Personal | Cost of Compliance / Contradictory views | Uni-regulator | | 22
5. G1-Re-identified Data
Definitions as per PDPB
(2) "anonymisation" in relation to personal data, means such irreversible process of transforming or converting personal data to a form in which a data principal cannot be identified, which meets the standards of irreversibility specified by the Authority
(6) "de-identification" means the process by which a data fiduciary or data processor may remove, or mask identifiers from personal data, or replace them with such other fictitious name or code that is unique to an individual but does not, on its own, directly identify the data principal;
(34) "re-identification" means the process by which a data fiduciary or data processor may reverse a process
Some of the examples out of the 22 where re-identification is used wrongly
(1) Page-16 Para 4.5.iii
“It is anonymised data, that bears a risk of re-identification”
(2) Page-17 Para 4.6.ii
“any subsequent harms arising from re-identification”
(3) Page-17 Para 4.6.v
“any subsequent harms arising from re-identification”
(4) Page-41 Para 8.2.ii
“so that issues around data sharing, competition, re-identification or collective privacy are harmoniously dealt with.”
On 22 occasions the word re-identification is used.
On 6 occasions the word de-anonymised/de-anonymisation is used (with U.S. English and Indian English being used).
6. G2-Clarity on Anonymisation of data
Sec 4.6 Consent for Anonymised Data (page 17)
“iv. Therefore, the Committee recommends that the data principal should also provide consent for anonymisation and usage of this anonymised data while providing consent for collection and usage of his/her Personal Data. (page 17)
v. The Committee also recommends that appropriate standards of anonymisation be defined to prevent / minimize the risks of re-identification”
Key Take away (page 11)
iv. To address privacy concerns, including from re-identification of anonymised personal data, preventing collective harms arising from processing of Non-Personal Data, and to examine the concept of collective privacy (page 11, in the key take away)
Q1. It is not clear whether the anonymisation mentioned in 4.6 is of Personal Data or Non-Personal Data. It is assumed/interpreted to be that of Personal Data, as the key take away on page 11 talks about Personal Data.
Q2. If it refers only to anonymisation of Personal Data, the PDPB 2019 already addresses the same, and this framework needs to cross-refer to it, as the same is covered by the definition below:
– (2) "anonymisation" in relation to personal data, means such irreversible process of transforming or converting personal data to a form in which a data principal cannot be identified, which meets the standards of irreversibility specified by the Authority
7. G3-Contradictory views on Anonymisation
Contradiction 1 : Within the Framework
Sec 4.5.iii pg16
The Committee felt that it is important to bring in the concept of sensitivity to Non-Personal Data as well, from the following perspectives (page 16)
– It relates to national security or strategic interests;
– It bears risk of collective harm to a group (collective privacy etc.);
– It is business sensitive or confidential information;
– It is anonymised data, that bears a risk of re-identification
Sec 9 – pages 44 & 45
“Prevent de-anonymization – Best of breed Differential Privacy algorithms” (page 44 and page 45)
Q1. If a best-of-breed Differential Privacy algorithm is used, where is the risk of de-identification?
Q2. If the best of breed is used, what is the purpose of classifying such data as Sensitive Non-Personal Data, as below?
At the most, simply call it “Anonymised personal data” throughout the document, standardised as a class of data.
8. G4-Appendix 3 -Out of Context
It is assumed that Appendix 3 (Page 52) pertains to anonymisation of Personal Data.
Issue 1: If it is about anonymisation of Personal Data, this appendix is not related to this framework.
If that is so, this appendix has to be deleted, as S50 of the PDP Bill addresses the method of anonymisation as below:
Sec 50 (6) (m)
(6) The code of practice under this Act may include the following matters, namely:—
(m) methods of de-identification and anonymisation;
Issue 2: Mix up between algorithms and tools.
– 1,2,3,4 & 9 are algorithms
– 5,6,7 & 8 are tools
9. G5-Data Principal Consent is out of Context
Sec 4.6 page 17
iii. Under the PDP Bill, consent is necessary for the collection and processing of Personal Data. Since the conditions
of ‘specific’ and ‘capable of being withdrawn’, as specified in PDP Bill Chapter II, 11 (2), do not apply to Non-
Personal Data, we cannot assume that consent provided for Personal Data applies automatically to Non-Personal
Data.
iv. Therefore, the Committee recommends that the data principal should also provide consent for anonymisation and
usage of this anonymised data while providing consent for collection and usage of his/her Personal Data.
• The two sections are redundant here and can be addressed in the PDP Bill through Sec 7 Notice or S-50 Code of Practice by DPAI.
Sec 50 (6) (m)
(6) The code of practice under this Act may include the following matters, namely:—
(m) methods of de-identification and anonymisation;
Further, in the case of anonymised personal data, the fact that data principal rights such as the right to erasure / right to be forgotten cannot be exercised needs to be explicitly mentioned in the Notice and Consent (Sec 7 & Sec 8 of PDP).
Also, Sec 91 of the PDP gives the Government the right to call for anonymised data; hence it is more appropriate there.
– This will have to be naturally covered under Sec 50 (6) (m)
10. G6-Sensitive Non Personal Data Definition not specific
Sec 4.5.iii pg16
The Committee felt that it is important to bring in the concept of sensitivity to Non-Personal Data as
well, from the following perspectives(page-16)
• It relates to national security or strategic interests;
• It bears risk of collective harm to a group (collective privacy etc.);
• It is business sensitive or confidential information;
• It is anonymised data, that bears a risk of re-identification
Issues:
– Just because Personal Data is classified as sensitive does not mean that Non-Personal Data also needs to be classified.
– In the case of Sensitive Personal Data, it is mutually exclusive and very explicit. Here there can be overlaps of sensitive data across Government, Community & Private Data, and segregation will be difficult unless explicitly defined by the framework.
– How it will be segregated needs clarity.
11. G7-Public Non Personal Data definition not clear
Ambiguity in 4.2.ii (Page-14)
• Anonymised data of land records, public health information, vehicle registration data etc.
• Issues
– Anonymised data of land records
• What is anonymised? Is it the name of the holder of the land, his age, his occupation etc.? Nothing is clear.
– Vehicle registration data
• Currently the evahan API & SMS give full details of the vehicle, including the name of the owner. Is the name of the vehicle owner Personal Data?
• Is the entire data set personal data?
• Maybe the National Industries Code or the GST Code (HSAC) can be used for the same.
– http://mospi.nic.in/classification/national-industrial-classification/alphabetic-index-5digit
– HSN/SAC Code of GST
Clarity required on both fronts
12. G8-Overlap -Community & Private Non Personal Data
Sec 4.3.ii (Page-15)
Community Non-Personal Data means Non-Personal Data, including anonymized personal data, and non-
personal data about inanimate and animate things or phenomena – whether natural, social or artefactual, whose
source or subject pertains to a community of natural persons. Provided that such data shall not include Private
Non-Personal Data.
– For instance, besides datasets collected by the municipal corporations and public electric utilities, datasets comprising user-information collected even by private players like telecom, e-commerce, ride-hailing companies, should be considered Community Data
Issue 1:
Will ride-hailing companies like Ola & Uber come under Private Non-Personal Data or Community Non-Personal Data?
Issue 2:
Is community data a subset of the Private Non-Personal Data?
Issue 3:
Telecom providers: for e.g., will BSNL/MTNL data be Public Non-Personal Data? If not, then it has to be reworded as "private telecom operators", and similarly for airlines, banks etc. The list will increase.
Clarity required
13. G9-Global Data Set –No Clarity
Sec 4.4.i (Page-15)
• It may also include such data in a global dataset that pertains to non-Indians and
which is collected in foreign jurisdictions (other than India).
• Issues:
– Can't this data be collected by Government bodies?
– What if this data is collected by private organisations outside India?
– Will one ever come to know?
– Why is the Global Dataset only for Private Non-Personal Data?
– Who will share?
– Under which law of the land can one ask for this data, and from whom?
– Are these organisations obligated to share this data, that too of non-Indians?
14. G10- Ambiguity in Data Principal Definition
4.7. Data Principal (page 19)
i. However, in case of Non-Personal Data, the definition of a data principal is related to the type of Non-Personal Data - Public, Community and Private data, as well as based on different possible kinds of subjects of data. [1]
ii. In case of Public Non-Personal Data:
o Government may collect data pertaining to citizens (like census), companies (like company registration, financial filings) and communities.
o The data principal will be the corresponding entities (individuals, companies, communities) to whom the data relates. [2]
iii. In case of Private Non-personal Data:
o Private sector may collect data pertaining to citizens (like customer surveys), companies (like vendor registration, vendor product information) and communities.
o The data principal will be the corresponding entities (individuals, companies, communities) to whom the data relates. [2]
iv. In case of Community Non-Personal Data:
o A community, that is the source and/or subject of community data and as defined in Section 4.3, may be treated as the data principal for such data, and should be able to exercise key rights, including economic rights, to this data.
[1] What is meant by "different possible kinds of subjects of data"? (People may confuse it with the Data Subject of GDPR.) More clarity is needed.
[2] "Data relates" is not at all clear and is totally confusing; it is interpreted as if it is the person from whom the same is collected.
15. G11-Difference - Data Trust, Custodian & Principal
4.8. Data Custodian (Page 19)
4.8.i. The data custodian undertakes collection, storage, processing, use, etc. of data in a manner that is in the best interest of the
data principal.
ii. The data custodian may also be considered as data fiduciary, subject to certain directions and control and acting as per the interest
of data principal/group/community.
4.10. i Data trusts are the institutional structures, comprising specific rules and protocols for containing and sharing a given set of
data.
Issues:
1. Strike off "/group/community". The principal is already defined in Sec 4.7. If required, mention it like:
“ii. The data custodian may also be considered as data fiduciary, subject to certain directions and control and acting as per the interest of data principal as defined in Sec 4.7.”
2. What is the co-relation between Custodian and Trust?
3. How is the Custodian different from the Principal? Both are collecting the data.
As per 4.7.2: “ii. In case of Public Non-Personal Data: Government may collect data pertaining to citizens (like census), companies (like company registration, financial filings) and communities. The data principal will be the corresponding entities (individuals, companies, communities) to whom the data relates”
4. Who will share the data with the Trust: the Custodian, the Trustee or the Principal?
5. Should the Custodian be registered or the Data Trust be registered, like the registration of significant data fiduciaries envisaged in the PDPB?
16. G12- Data Trustee Vs Data Custodian
4.9.Data Trustees (Page 20)
ii. The Ministry of Health and Family Welfare, Government of India can be the trustee for data on diabetes among
Indian citizens
v. For example, the data regulator may work with the government transport department (playing the role of a data trustee)
Issues:
4.9.ii
1. Who is the Custodian for the example given above? Taking one example, all roles have to be clarified.
2. Does all Non-Personal Data have a Custodian as well as a Trustee?
3. Are Custodian and Trustee mutually exclusive?
4. Can Trustee and Custodian be the same? Is it following the same principle as Data Fiduciary and Data Processor? {It cannot be so because 4.8.i mentions as follows: “The data custodian undertakes collection, storage, processing, use, etc. of data in a manner that is in the best interest of the data principal.”}
5. Is Data Custodian applicable only to Community Non-Personal Data?
4.9.v
6. Who is the Custodian for the example given above?
17. G13- Ambiguity in the role of Data Trust
4.10. Data Trust (Page 21)
ii. Data trusts can contain data from multiple sources, custodians, etc. that is relevant to a particular sector,
and required for providing a set of digital or data services.
iii. Data custodians may voluntarily share data in these data trusts, as many private organizations may come
forward to share data held by them. Another important source of data pooled into these common data
trusts will be from public organizations producing and holding various public data.
Issues:
1. What are "multiple sources"? Should it not be a specific entity like custodians/Trustee etc.? Strike off "multiple sources".
2. By the very definition of Data Custodian,
“4.8.i. The data custodian undertakes collection, storage, processing, use, etc. of data in a manner that is in the best interest of the data principal.”
the public organisation producing and holding various public data will also be a custodian. Hence it is strongly recommended that “Another important source of data pooled into these common data trusts will be from public organizations producing and holding various public data” be deleted.
18. G14 Sharing Data Voluntarily and Mandatorily
4.10. Data Trust (Page 21)
iii. Data custodians may voluntarily share data in these data trusts, as many private organizations may come
forward to share data held by them. Another important source of data pooled into these common data trusts will be
from public organizations producing and holding various public data.
iv. Governments / data trustees may also seek mandatory sharing of important data for a sector for specific
purposes, which would also be managed and provided by such data trusts. It may also consist of both mandatorily
and voluntarily shared data.
Issues
1. Are Governments not custodians by the very definition of Data Custodian? Why separate? Delete "Governments /".
2. How can Data Trustees decide whether the same should be shared voluntarily or mandatorily?
3. Conditions of mandatory and voluntary sharing should be clearly laid out.
19. G15- Legal basis-Public Non Personal Data
5.1. Legal basis for establishing rights over Non-Personal Data (Page 23)
iii The rights over community Non-Personal Data collected in India should vest with the trustee of that
community, with the community being the beneficial owner, and such data should be utilized in the best interest
of that community.
Issues
1. It is silent about Public Non-Personal Data. The same also needs to be defined.
2. What about Private Non-Personal Data?
3. As per 5.1.iii
“In case of Non-Personal Data derived from personal data of an individual, the data principal for personal data will continue to be the data principal for the Non-Personal Data, which should be utilized in the best interest of that individual.”
This directly contradicts G10, where the Data Principal is defined.
Once the data is anonymised and shared, it is next to impossible for the individual to exercise his right. Hence this needs to be struck off.
20. G16-Overlaps and Contradictions with PDP Bill
5.4 Private Data (Page 26)
“i. In the “Private Non-Personal Data”, as defined in Section 4.4., only such raw / factual data pertaining to a community, that is collected by a private organization may need to be shared, subject to the well-defined grounds (refer to Recommendation 5) at no remuneration”
The PDP Bill clause is as follows:
91. (1) Nothing in this Act shall prevent the Central Government from framing of any policy for the digital
economy, including measures for its growth, security, integrity, prevention of misuse, insofar as such policy do
not govern personal data.
(2) The Central Government may, in consultation with the Authority, direct any data fiduciary or data
processor to provide any personal data anonymised or other non-personal data to enable better targeting of
delivery of services or formulation of evidence-based policies by the Central Government, in such manner as
may be prescribed.
Explanation.—For the purposes of this sub-section, the expression "non-personal data" means the data other
than personal data.
Issues
1. As per the definition of Data Fiduciary, the State (i.e. the Government) is included, whereas 5.4.i of this framework is restricted to Private Non-Personal Data only and is not applicable to the other 2 classes of data. This needs to be standardised.
2. Sec 91 of the PDP Bill is silent on remuneration, whereas here it is mentioned as with no remuneration. This contradiction is to be removed.
3. Sec 5.4.i should cross-refer to Sec 91 of PDPB as well.
21. G17-Data Business
6 Data Business (Page 27)
Create a new category / taxonomy of business called ‘Data Business’ that collects, process, store, or otherwise manages
data, and meets certain threshold criteria.
4.8. Data Custodian (Page 19)
i. The data custodian undertakes collection, storage, processing, use, etc. of data in a manner that is in the best
interest of the data principal.
4.10. Data Trusts (Page 21)
i. Data trusts are the institutional structures, comprising specific rules and protocols for containing collecting and
sharing a given set of data.
Issues:
1. In 4.10.i there is a typo. It should have been "collecting" and not "containing", as highlighted above.
2. On page 17, four types of Data Roles are defined, viz. 1) Data Principal 2) Data Custodian 3) Data Trustees and 4) Data Trusts. Which role the Data Business belongs to is not clear. The Data Custodian also collects the data, the Data Trust also collects the data, and the Data Business also collects the data.
3. Is a Data Trust like an NGO (not for profit) and a Data Business like a company? Need clarity.
4. Is Data Business like the Significant Data Fiduciary of the PDP Bill, and Data Custodian the superset?
5. Data sharing is also heavily impacted by this clarity, as data sharing refers only to the data custodian and not the data business:
“iv. If the data custodian refuses to share the request, the request is made to the Non-Personal Data Authority (refer to Chapter 8). The authority evaluates the…” (page 37)
It can be interpreted as meaning that a Data Business need not share the information.
6. The National Industries Code to be used for defining the various data businesses.
22. G18- Uni-regulator
Sec 8.2 (Page 40)
• 8.2. Ultimately, the Committee felt that the best option is to create a separate Non-Personal Data Authority.
Issues
1. The PDPB defines the regulator as the “Data Protection Authority of India”.
• This definition is broad and does not bifurcate between Personal Data and Non-Personal Data.
• Hence it is strongly recommended that we have only one regulator.
• It is taxpayers' money wasted for nothing.
Other Industry Experience
• FMC and SEBI. From Day 1, I have been harping upon the need for a uni regulator and after 10 years the commodity derivatives moved to SEBI
• Another example is the Appellate Tribunal for IT Act, which was merged with TDSAT after ₹ 27 Crores went down the drain (https://thewire.in/banking/tragic-comedic-functioning-indias-cyber-appellate-tribunal).
23. Background of Nanda Mohan Shenoy
• Nanda Mohan Shenoy is a Certified Data Privacy Solutions Engineer (CDPSE & CISA, both from USA). He also possesses the banking qualification CAIIB from India, and is also a Lead Auditor for ISO 27001:2013.
• Banking & Information Security Professional with 30+ years of BFSI experience and a deep understanding of Business, Operations, Technology Information/Cyber Security & Privacy.
• Held leadership positions in three different banks: BNP Paribas India, Global Trust Bank and Bharat Overseas Bank.
• One of the latest assignments in the area of Privacy was supporting Bureau Veritas India, the certification body, as a Subject Matter Expert for the ISO Standard 27701:2019, the Privacy Management Information Systems (PIMS) certification for Infosys.
• International Speaker
Contact: nmds@bestfitsolutions.in
• Had submitted the feedback on the Sep 2018 version
• Was also part of NASSCOM Committee in Mumbai
• Following three recommendations were accepted
• (14) "data principal" means the natural person to whom the personal data referred to in sub-clause (28) relates;
• (26) “Official identifier” means any number, code, or other identifier, including Aadhaar number, assigned to a data principal under a law made by Parliament or any State Legislature which may be used for the purpose of verifying the identity of a data principal
• (23) "in writing" includes any communication in electronic format as defined in clause (r) of sub-section (1) of section 2 of the Information Technology Act, 2000 - this definition was added
• Submitted 31 gaps to the Parliamentary Committee on PDPB 2019
• https://www.slideshare.net/NandaMohanShenoy/feedback-on-personal-data-protection-bill-2019