Need for a Data Protection Protocol - Editorial

Need for a Data Protection Protocol - Background Context

German cybersecurity organization compiled an assessment report, that mentions medical details of millions of Indian patients disclosed and are freely available without adequate security or any security at-all on the Internet is alarming.

The organization enlisted in approx. 1.02 million assessment of patients (mostly Indian) and more than 121 million medical images in different formats, that includes Computer Tomography Scans (CT Scan), Magnetic Resonance Imaging (MRI) and even worst, the identity photos of the patients.

Need for a Data Protection Protocol

What is even more disturbing is that the information repository inclusive of this sensitive data went up the by a big notable number in the Indian context, immediately a month after Greenbone’s initial assessment report was produced.

Greenbone’s updated assessment and published report also place, the state of Maharashtra at the top of the list severely suffering from this medical data leaks.

 Puttaswamy judgement (2017) put forward by the Apex Court, the right to privacy is the basic right and it is important and mandatory to safeguard personal data as an important facet of informational and data privacy, however the expansion of the digital economy is equally important essential to open new prospects of the socio-economic growth.

Risks associated with leakage of data

  1. Digital data is the collection of wide influx of information that is stored in a computer or on spread across the network of data centres. Data is consolidated, sorted, handled and processed by special entities popularly known as data fiduciaries (trustees).
  2. Whilst, the data fiduciary (trustee) direct how and why information is handled and processed, the procedure of processing and handling itself maybe by a third party or different entity, known as the data processor.
  3. This differentiation is crucial to describe responsibilities as data transact among entities.
  4. The most recent example:  Facebook Inc, US (data controller) got into the clutches of legal authorities for the actions of the third-party data processor, Cambridge Analytica (collected data of millions Facebook profile).
  5. The collected information or data has the greater prospect to be restructured for in-depth data analysis and for analysing & preparing profiles that may be helpful for social engineering, various kinds of cyber related crimes and online infamous identity theft of millions at once, among other illicit activities and illegal operations more prevalent on the availability of such valuable data and information on the Darknet, constricted computer networks or series of connected data banks, which transact data and information using peer-to-peer file sharing.
  6. The primary pretext for the availability of this sensitive & private data and information are the lack of any security practices in the computer servers and communication systems used by medical practitioners' & professionals and these systems seem to have been integrated directly to the public Internet domain without any formal data protection policies and infrastructure.
  7. Public data theft and frequent data leaks is not very uncommon in India, rather very frequent from government websites & web portal, freely and shamelessly enabling the download of Aadhaar numeric to electoral data rolls being made available to downloaded in bulk, are few off the list.
  8. Unlike the data privacy, data protection full-proff policies and framework practiced in the North Amrica, Japan and European Union (EU), India still has insufficiency or non-existent of extensive and solid legal framework and the groundwork to protect data privacy of million of Indians.
  9. The most recent, Draft Personal Data Protection Bill 2019 is yet to be put into practice, and may allow protection of privacy in India.

The Data Protection Bill, 2019

Recently, in July 2017, Ministry of Electronics and Information Technology (MeITY) established an expert committee of ten members, led by former Apex Court Judge, Justice B.N. Srikrishna to investigate and identify various gaps (setbacks) from the context of situation of data protection policies, framework, policies and its potential possibilities of its implementation in India and also to devise an extensive Data Protection Law.

The committed produced the draft report titled A Free and Fair Digital Economy Protecting Privacy, Empowering Indians.

The report mentions, specifically, the Puttaswamy verdict and pinpointed that the scope of privacy anticipates or encompasses the right to protect individual identity at every level.

The Bill comprises freedom (exclusion or dispensation) for scenarios of processing data without an ones’ agreement (permission or authorisation) for “reasonable purposes”, that covers situation concerning national security, noticing or spotting of any unlawful activity or potential fraud, very importantly whistleblowing about major situations, any form of medical emergencies, individual credit (financial) results (scoring), operation and activities related to search engines and managing & handling of publicly available information or data.

The bill acknowledges the key actuality that all data and information about any individual or group of individuals is basically (constitutionally) their own, and thus, one holds the right or freedom to communicate his/her concerned information to the outside world or may choose to maintain it for themselves.

The internal aspect of the informational & data privacy: To maintain ones’ right of self-governance of the information, and self-determination in the context of the individual personal information, and thus should be the main concern of the any data & information privacy and protection framework in practice.

Principal, Fiduciary (Trustee) and Processor from CONTEXT OF DATA

Data Principal: Data principal ideally denotes, an individual to whom the personal information or data relates.

Data Fiduciary: Any individual, comprising the state, an organization or company, any constitutional or administrative body (unit) or any person (alone or in collaboration with others entities) decides and governs the actuality and controls the channels of operations performed on personal data & information.

Data Processor: Any individual, comprising the State, an organization or company, any constitutional or administrative body (unit) or any person who handles personal data & information on account of a data fiduciary (Trustee).

Data Localisation: It can be considered as an act of classifying, ranking or compartmentalization of data & information, maintained (retained) on any gadget physically within the national borders.

Storage (Retention) of Data, definitely not on Rights-Based Approach

Government identifies the storage of individual data & information for the national interest of public good and unwelcomed rights-based approach.

This allows government and its establishment & institutions, the exclusive (within constitutional bondage) authority to use, engage in monetisation and make most of the data as they desire, so long as it safeguards (protects) against occurrences or events such as infringement (violations) and unwarranted or unapproved access.

This thought process of the government has authorised or permitted, selling or giving away sensitive personal data and information by the curators or depositors to a third party (completely independent entity) in the Data Privacy and Data Protection Bill of 2019.

The committee aims to bridge the gap and integrate the system between, individuals and firms/state establishments as one among “data principals” (whose data & information is gathered) and data fiduciaries (trustees) (those manipulating and handling the data & information) so that privacy is safeguarded by design.


Whilst, the 2019 draft of the Bill seeks to retain the purpose or objective and many of the suggestions of the Justice Srikrishna committee, the committee had also reduced and lowered few provisions or facilities...

Data Fiduciary (Data handler or Trustee) need to take prior consent of the Data Principal (Data Originator or Owner) in the formal communication and informed manner. At the same time, removed the provision, selling or transacting or transferring of sensitive personal data & information by the data fiduciary to the independent entity or third party is a criminal offence. There are considerable flaws associated with the bill, similar to the one excluding government institution and establishments from taking consents from the data owner in order to process or handle the sensitive data.

However, considering the details of the medical data & information leak, India urgently requires for the fundamental morality-based data & information protection protocol, to include the following …

  • Collective surveillance reform restrains mass surveillance
  • Provisions for the official administration mechanism
  • Forbid selling or transferring of individuals data & information

Taking into account, the way public information is juggled across private and government institutions, the collective, comprehensive, detail oriented, scalable and exclusive Data Protection Act is urgent need of the time.

Post a Comment

Please do not enter any spam link in the comment box. Thank you.

Previous Post Next Post