Internet penetration in India is witnessing a tremendous surge, with the COVID-19 pandemic having accelerated the same as people moved toward digital set-up to stay connected and avail contactless services. Digital platforms have also led to data generation and sharing in exchange for services.
A data-intensive market has also pushed the digitalisation efforts of India to the forefront, where the industries have realised the economic value of data through disruptive technological innovations like artificial intelligence (AI), machine learning, etc. While data is one of the primary drivers of India's trillion-dollar digital economy vision, the call for securing informational privacy is also becoming exigent.
With the advent of the new Digital Personal Data Protection Act (DPDPA), 2023, and the upcoming Digital India Act, the relevance of data privacy, definitions around sensitive personal data and protections for the same need to be discussed. To facilitate that, on 27 September, the Observer Research Foundation and The Dialogue held a roundtable on Immutable Data, discussing forms of sensitive data, including biometrics, financial and health data.
The first panel discussed biometric data. This form of data no longer refers to just fingerprints and iris scans. With facial recognition, eye movement scanning, and finger movement scanning, biometric data is expanding with emerging facial recognition technologies.
Despite the many advantages of biometric data, privacy advocates express concerns about its potential misuse, particularly in mass surveillance and unauthorised access. Furthermore, the secure storage and protection of biometric information pose significant cybersecurity challenges. Unlike passwords, biometric data is not easily changeable, making the loss or breach of such data a severe matter.
Ethical considerations take centre stage as biometric data becomes more integrated into our daily lives. Questions surrounding consent, data ownership, and transparency become increasingly important. Striking a delicate balance between the convenience and security offered by biometrics and the potential threats to privacy and autonomy represents a formidable challenge.
In this panel, speakers brought to light four main points. The first was the importance of definitions, including definitions of sensitive data and consent. The speakers debated the necessity of reports and whether the ambiguity in definitions of sensitive data is helpful or limits the scope of the new DPDPA. The implications of these choices on consent mechanisms are explored.
Further, the conversation explored the need for data fiduciaries and trust mechanisms. Speakers mentioned that data fiduciaries play a pivotal role in data protection. However, clear operational instructions and standardisation of consent processes are needed.
The conversation in this area concluded with a call to the structure of the DPDPA, which draws from the General Data Protection Regulation (GDPR) and the California Consumer Protection Act (CCPA). The need to hold governments as significant data fiduciaries and define the exemptions of storing data for “lawful purposes” overtly were highlighted to be examined in detail.
The next panel discussed personal financial data which includes sensitive information like bank details, credit history records, tax filings, passwords, PIN codes, etc. Some personal financial information is extensively utilised for financial service delivery, which might aid individuals with financial needs. However, exposure to personal financial data also risks financial loss or identity theft if the data is compromised. While operations, collections and use of personal financial data are subjected to sectoral regulations, this roundtable will discuss how the observance of data protection of personal financial data would transform with recent digital policy developments like DPDPA 2023. This roundtable discussed the impact of the DPDPA and intersectional impact and requirements based on industry. In addition, the emerging technologies within the financial sector were also discussed, like alternate credit scoring, telematics data, etc., and how to ensure such technologies balance utility with individual rights to privacy.
In this panel, one of the main conversations was defining the concept of “lawful collection”, as defined by data fiduciaries and regulatory bodies within the financial sector. Speakers highlighted that the same is well-regulated by other governing bodies and authorities, including the Reserve Bank of India (RBI). The panellists highlighted how the new act does not create new obligations not previously outlined. They explored the need for separate consent mechanisms for indirect data. This furthered the discussion of the role of data processors and consent managers in the financial sector. The importance of purpose limitation here was also underscored.
Finally, the panel concluded on the need to embrace technology and the need for enhanced encryption techniques and innovative user consent mechanisms. These are imperative in the financial sector, emphasising the role of emerging technologies and AI.
The final panel discussed health data as immutable and imperative sensitive data. Electronic health records (EHRs) represent the next step in healthcare innovation, providing a comprehensive and secure digital platform for storing and accessing patient information. Besides, India has also pioneered establishing a digital public infrastructure through the National Digital Health Mission to enhance interoperability at scale, primarily through the Unified Health Interface. Similarly, ABHA ID has been introduced to ensure continuity of care within healthcare in India. Complementing the creation of longitudinal healthcare records, the ID is meant to provide seamless access to healthcare services across the country. While the use, collection and transfer of electronic health records are crucial for advancing healthcare delivery, this roundtable will discuss how to ensure such activities are privacy-friendly to minimise the adverse implications of compromise. The roundtable also discussed how DPDPA 2023 will transfer the pattern of using electronic health records and operations of ABHA IDs, which are regulated through various sectoral policies. This roundtable also looked into what institutional aspects would require a shift to realise the safety and security of electronic health records. Finally, the guiding principles for the digital health ecosystem's design, development, deployment, operation, and maintenance were also discussed.
The panellists here noted the importance of classifying health data. This was emphasised due to the absence of a sectoral bill for healthcare data. The classification of such data thus would allow for health data to be protected in the interim till a more comprehensive healthcare data bill can be released. This classification of health data would also assist in more effective management.
Further, the panel discussed the expanding harm definitions and how much harm binaries (referring to harmful or not) fail to understand the full spectrum of harm, resulting in healthcare data and indirect data misuse.
One critical aspect brought up by the panellists was the relevance of minors in healthcare data and privacy. Due to the lack of definitions and the vague language of the bill, children's privacy concerning their healthcare information and the sharing between organisations like hospitals and schools is unregulated. Adding healthcare data guidelines that restrict the unregulated transfer of such data will enhance data privacy for minors.
Panellists also mentioned the challenge presented by the fragmentation of healthcare data policies, suggesting a more comprehensive framework of policies that address healthcare data as a whole, without dependence on the DPDPA alone.
Finally, the panel concluded with a need for emerging technologies integration. Wearable devices and emerging technologies are transforming healthcare. The conference highlighted the need for anonymisation and purpose limitation checkpoints.
In a rapidly evolving digital landscape, protecting sensitive personal data is a complex and pressing issue. Clear definitions, standardised consent processes, technological advancements, and consolidated policies are critical to safeguarding biometric, financial, and health data. As we navigate the data-driven future, the lessons learnt from these discussions will be instrumental in ensuring data privacy and protection for all.
This event report is written by Shravishtha Ajaykumar, Associate Fellow, Centre for Security, Strategy and Technology, Observer Research Foundation; Amoha Basrur, Research Assistant, Centre for Security, Strategy and Technology, Observer Research Foundation; Vaishnavi Sharma, Research Assistant, The Dialogue
The views expressed above belong to the author(s). ORF research and analyses now available on Telegram! Click here to access our curated content — blogs, longforms and interviews.
PREV
