The Ministry of Electronics and Information Technology (MeitY) recently released the draft Digital Personal Data Protection Bill, 2022, which has become the talk of the town in the privacy world. This first draft is open for public consultation till 17th December 2022. Debate, viewpoints, criticism, and discussion around the bill are commonplace now. To understand the bill and its prospective implications in depth, it is imperative to first understand the basic pillars on which its structure stands. Once those are understood, the obligations and provisions of the bill can be read in light of the principles envisioned by its framers. This article addresses the seven pillars of the bill.
The ministry has, in addition to the bill, published an explanatory note which elucidates the seven core pillars. The note says that the bill is built on principles for the data economy. To understand the principles, it is important to understand two defined terms in the bill. The bill defines Data Fiduciary and Data Principal in the following manner-
“Data Fiduciary” means any person who alone or in conjunction with other persons determines the purpose and means of the processing of personal data;
“Data Principal” means the individual to whom the personal data relates and where such individual is a child includes the parents or lawful guardian of such a child.
1) Lawfulness and Transparency
The data collected by an organization must be used lawfully and fairly, and the organization must be transparent with the data principal about such usage. Lawfulness and transparency of data collection rest on freely given consent and, where applicable, legitimate interest.
2) Purpose Limitation
Purpose limitation means that the data should be used only for the purpose for which it was collected, as determined in advance. It cannot be misappropriated for other, illegitimate purposes.
3) Data Minimisation
The principle of data minimization requires that only those items of personal data be collected which are required to fulfill the objective for which they are collected. Additional data which holds little or no relevance to that objective should not be collected. For example, when signing up for an online newsletter, only your email address and first name are needed; other data such as phone number, birth date, etc. are irrelevant and hence should not be collected.
4) Accuracy
The fourth principle states that the data fiduciary must make a reasonable effort to keep the collected data accurate and updated from time to time so that it does not lose its accuracy and relevance. Inaccurate data can harm the data principal (for instance, through decisions based on it) and can distort an organization's analysis and research. Inaccurate data must be corrected or removed from the systems.
5) Storage Limitation
The fifth principle, storage limitation, states that data once collected cannot be stored perpetually. The data should be stored only for the duration that is necessary for the fulfillment of the pre-decided purpose. The retention period should be decided in advance, made known to the data principal, and be reasonable.
6) Accountability
The sixth principle, accountability, means that the organization will be held accountable for all stages of data processing. Organizations must document and justify each processing activity to achieve the highest practicable degree of accountability.
7) Reasonable Safeguards
The seventh principle states that suitable precautions must be put in place to prevent the unauthorized acquisition, storage, or processing of personal data. This is done to prevent the theft of personal information. It is the data fiduciary's obligation to safeguard the acquired data so that it is not mismanaged, accidentally lost, or corrupted.
These principles have served as the foundation for personal data protection legislation in a number of nations, and they closely resemble the principles adopted in the GDPR. The practical application of such regulations has allowed a more sophisticated view of personal data protection to develop, one that balances individual rights, public interest, and ease of doing business, particularly for startups. While these fundamentals may appear abstract in comparison to the actual text of the bill, they should form the foundation of any organization's data privacy compliance program.
We at Tsaaro are conscious of the compliance obligations, the unavoidable risk of exploitation and misuse of operational and confidential data, and the importance of compliance for a firm to run properly. Get in touch with us at email@example.com if you want to run an audit of your consent practices, check out our Regulatory Compliance Service, and schedule a call with our experts.