The new authority will be on the lines of the Data Protection Authority, envisaged in the Personal Data Protection Bill of 2019. (File)
Entities such as hospitals, banks, and other industries which collect, store, process or manage data in any form must also register themselves as a ‘data business’ once they cross a certain data collection and storage threshold, a nine-member committee on non-personal data governance framework has suggested in its report.
The aim of this data-sharing regulation is to shift data’s “economic benefits for citizens and communities in India” as well as help the government in policy making and service delivery.
“It is important for such a business to register as a ‘data business’ once it reaches a certain data-related threshold. This will be applicable to not only commercial organisations, but also governments and other non-government organizations that collect, process or otherwise manage data,” the panel, headed by Infosys co-founder Kris Gopalakrishnan, said in its ‘Report by the Committee of Experts on Non-Personal Data Governance Framework’. They are accepting public comments till August 13.
Such entities must also declare their businesses, the various elements of the data the collect, the mechanism for the same and whether the data is stored in a secure facility. Meta directories for such data points collected by these businesses may be made, and open access for other companies in India could be provided to such directories, the panel suggested.
Though the Gopalakrishnan-headed committee has not defined what the maximum threshold of such data collection would be after which companies would have to register themselves as data businesses, it has said that the same should be decided by a regulator called the non-personal data authority.
The new authority will be on the lines of the Data Protection Authority, envisaged in the Personal Data Protection Bill of 2019. It should have powers to regulate all data businesses and adjudicate if any mandatory sharing of data is not done by entities collecting or managing such information.
Non-personal data, the committee said, would be any data that does have any personally identifiable information such as data on weather conditions or collected from sensors installed on industrial machines.
Data points, which were initially personal, but later made anonymous such as land records, public health information or vehicle registration number can also be categorised as non-personal data, the committee said. Information about a community or a group of people, such as those collected by the municipal corporations, or even private entities shall constitute non-private data. “Here, the ‘raw or factual data’, without any processing or derived insights, may be characterised as the community data,”it said.
These regulations, however, would be effective only if the central government comes out with a new national law to regulate the use of non-personal data,it said.
“Allowing the possibility of data monopolies, in a large consumer market such as India, could lead to the creation of imbalances in bargaining power … Therefore, the government’s role is to catalyse the data businesses in a manner that maximizes overall welfare,” it said.