Need for a Data Protection Protocol - Editorial
Photo by Markus Spiske / Unsplash

Need for a Data Protection Protocol - Editorial

The state of Maharashtra, India is at the top of the list severely suffering from these medical data leaks.

· 6 min read

Need for a Data Protection Protocol - Background Context

German cybersecurity organization compiled an assessment report, that mentions medical details of millions of Indian patients disclosed and are freely available without adequate security or any security at all on the Internet is alarming.

The organization enlisted in approx. 1.02 million assessments of patients (mostly Indian) and more than 121 million medical images in different formats, that includes Computer Tomography Scans (CT scans), Magnetic Resonance Imaging (MRI), and even worst, the identity photos of the patients.

Code on computer monitor
Photo by Markus Spiske / Unsplash

What is even more disturbing is that the information repository inclusive of this sensitive data went up by a big notable number in the Indian context, immediately a month after Greenbone’s initial assessment report was produced.

Greenbone’s updated assessment and published report also place, the state of Maharashtra at the top of the list severely suffering from these medical data leaks.

Puttaswamy's judgment (2017) put forward by the Apex Court, the right to privacy is a basic right and it is important and mandatory to safeguard personal data as an important facet of informational and data privacy, however, the expansion of the digital economy is equally important essential to open new prospects of the socio-economic growth.

Risks associated with leakage of data

  1. Digital data is the collection of the wide influx of information that is stored in a computer or spread across a network of data centers. Data is consolidated, sorted, handled, and processed by special entities popularly known as data fiduciaries (trustees).
  2. Whilst, the data fiduciary (trustee) directs how and why information is handled and processed, the procedure of processing and handling itself maybe by a third party or different entity, known as the data processor.
  3. This differentiation is crucial to describe responsibilities as data transact among entities.
  4. The most recent example:  Facebook Inc, US (the data controller) got into the clutches of legal authorities for the actions of the third-party data processor, Cambridge Analytica (collected data of millions of Facebook profiles).
  5. The collected information or data has the greater prospect to be restructured for in-depth data analysis and for analyzing & preparing profiles that may be helpful for social engineering, various kinds of cyber-related crimes, and online infamous identity theft of millions at once, among other illicit activities and illegal operations more prevalent on the availability of such valuable data and information on the Darknet, constricted computer networks or series of connected data banks, which transact data and information using peer-to-peer file sharing.
  6. The primary pretext for the availability of this sensitive & private data and information are the lack of any security practices in the computer servers and communication systems used by medical practitioners & professionals and these systems seem to have been integrated directly into the public Internet domain without any formal data protection policies and infrastructure.
  7. Public data theft and frequent data leaks are not very uncommon in India, rather very frequent from government websites & web portals, freely and shamelessly enabling the download of Aadhaar numeric to electoral data rolls being made available to download in bulk, are few off the list.
  8. Unlike the data privacy, data protection full-proof policies and framework practiced in the North America, Japan, and European Union (EU), India still has insufficiency or non-existent the extensive and solid legal framework and the groundwork to protect the data privacy of millions of Indians.
  9. The most recent, Draft Personal Data Protection Bill 2019 is yet to be put into practice and may allow protection of privacy in India.

The Data Protection Bill, 2019

Recently, in July 2017, the Ministry of Electronics and Information Technology (MeITY) established an expert committee of ten members, led by former Apex Court Judge, Justice B.N. Srikrishna to investigate and identify various gaps (setbacks) from the context of the situation of data protection policies, framework, policies, and the potential possibilities of its implementation in India and also to devise an extensive Data Protection Law.

Fibre optic cable rack
Photo by Lars Kienle / Unsplash

The commit produced the draft report titled A Free and Fair Digital Economy Protecting Privacy, Empowering Indians.

The report mentions, specifically, the Puttaswamy verdict and pinpointed that the scope of privacy anticipates or encompasses the right to protect individual identity at every level.

The Bill comprises freedom (exclusion or dispensation) for scenarios of processing data without an ones’ agreement (permission or authorization) for “reasonable purposes”, which covers situations concerning national security, noticing or spotting of any unlawful activity or potential fraud, very importantly whistleblowing about major situations, any form of medical emergencies, individual credit (financial) results (scoring), operation and activities related to search engines and managing & handling of publicly available information or data.

The bill acknowledges the key actuality that all data and information about any individual or group of individuals is basically (constitutionally) their own, and thus, one holds the right or freedom to communicate his/her concerned information to the outside world or may choose to maintain it for themselves.

The internal aspect of the informational & data privacy: To maintain ones’ right of self-governance of the information, and self-determination in the context of the individual personal information, and thus should be the main concern of any data & information privacy and protection framework in practice.

Principal, Fiduciary (Trustee), and Processor from CONTEXT OF DATA

Data Principal

Data principal ideally denotes, an individual to whom the personal information or data relates.

Data Fiduciary

Any individual, comprising the state, an organization or company, any constitutional or administrative body (unit), or any person (alone or in collaboration with other entities) decides and governs the actuality and controls the channels of operations performed on personal data & information.

Data Processor

Any individual, comprising the State, an organization or company, any constitutional or administrative body (unit), or any person who handles personal data & information on account of a data fiduciary (Trustee).

Data Localisation

It can be considered as an act of classifying, ranking, or compartmentalization of data & information, maintained (retained) on any gadget physically within the national borders.

Storage (Retention) of Data, definitely not on Rights-Based Approach

Government identifies the storage of individual data & information for the national interest of public good and unwelcomed rights-based approach.

This allows government and its establishment & institutions, the exclusive (within constitutional bondage) authority to use, engage in monetization, and make most of the data as they desire, so long as it safeguards (protects) against occurrences or events such as infringement (violations) and unwarranted or unapproved access.

Photo by Claudio Schwarz / Unsplash

This thought process of the government has authorized or permitted, the selling or giving away of sensitive personal data and information by the curators or depositors to a third party (completely independent entity) in the Data Privacy and Data Protection Bill of 2019.

The committee aims to bridge the gap and integrate the system between, individuals and firms/state establishments as one among “data principals” (whose data & information are gathered) and data fiduciaries (trustees) (those manipulating and handling the data & information) so that privacy is safeguarded by design.


Whilst, the 2019 draft of the Bill seeks to retain the purpose or objective and many of the suggestions of the Justice Srikrishna committee, the committee had also reduced and lowered a few provisions or facilities...

Data Fiduciary (Data handler or Trustee) needs to take prior consent of the Data Principal (Data Originator or Owner) for informal communication and in an informed manner. At the same time, removing the provision, selling or transacting, or transferring sensitive personal data & information by the data fiduciary to the independent entity or third party is a criminal offense. There are considerable flaws associated with the bill, similar to the one excluding government institutions and establishments from taking consent from the data owner in order to process or handle the sensitive data.

However, considering the details of the medical data & information leak, India urgently requires the fundamental morality-based data & information protection protocol, including the following …

  • Collective surveillance reform restrains mass surveillance
  • Provisions for the official administration mechanism
  • Forbid selling or transferring of individuals data & information

Taking into account, the way public information is juggled across private and government institutions, the collective, comprehensive, detail-oriented, scalable, and exclusive Data Protection Act is the urgent need of the time.