NEW DELHI: Information related to caste, racial or ethnic origin, philosophical beliefs, membership of political associations and sexual orientation of an individual are likely to be kept under the category of Sensitive Personal Data, according to an expert committee appointed by the government working on a data protection law.
The committee believes that “information about the caste of an individual falls within the zone where there is a higher expectation of privacy and it could be a reason for discrimination as well. These point to the fact that information about caste should be included in sensitive data.”
A committee has been set up under the chairmanship of former Justice B N Srikrishna to study issues on data protection and suggest a draft Data Protection Bill. The committee has come out with a white paper on data protection framework and the objective is to “ensure growth of the digital economy while keeping personal data of citizens secure and protected”.
Explaining the difference between caste and surname, the white paper said it is important to distinguish information about caste from information from which caste of a person may be surmised such as a surname. “The name of a person, even if it reveals his or her caste or religion cannot be the basis for treating the name itself as sensitive personal data,” it said.
While personal data refers to information about a person‘s identity, there are matters in which there is a higher expectation of privacy. Unauthorised use of such information may have severe consequences, observed the committee.
According to the white paper, the core categories identified in 2011 for protection as “sensitive personal data” were passwords, financial information (bank accounts or credit or debit card or other payment instrument details), physical, physiological and mental health condition, sexual orientation, medical records and history and biometric information. Racial or ethnic origin, philosophical beliefs, membership of political groups and trade unions are all missing from this list. “A fresh assessment would have to be carried out to ascertain whether such information should be included in the category of sensitive personal data,” it said.
The guidelines inlclude that data that is processed ought to be minimal and necessary for the purposes for which data is sought and other compatible purposes beneficial for the data subject and the data controller shall be held accountable for any processing of data. Enforcement of the data protection framework must be by a high-powered statutory authority with sufficient capacity. This must coexist with appropriately decentralised enforcement mechanisms, and penalties for wrongful processing must be adequate to ensure deterrence.
The white paper suggests the data protection framework must not hamper innovation. It said enforcement of the data protection framework must be by a high-powered statutory authority with sufficient capacity and penalties on wrongful processing must be adequate to ensure deterrence.
Guiding principles for Data Protection
Law must be technology agnostic and flexible for changing technologies and standards of compliance
Must apply to private sector entities and government. Differential obligations may be carved out in the law for certain legitimate state aims.
Consent is an expression of human autonomy. For it to be genuine, it must be informed and meaningful. The law must ensure that consent meets the aforementioned criteria.