An expert panel recommends a comprehensive law and changes in the existing legal framework to protect the right to privacy.

By V. VENKATESAN

THE Indian citizen’s right to privacy is under threat from the increasing efforts to collect data about individuals for various purposes, but there is no specific legislation to regulate any such action. In October last year, a Group of Experts on Privacy (comprising 12 experts) constituted by the Planning Commission under the chairmanship of a former Chief Justice of the Delhi High Court, Ajit Prakash Shah, submitted its report making specific recommendations to the government in order to formulate a suitable framework for a Privacy Act. The group agreed that such a piece of legislation must apply both to the government and the private sector.

The report has noted that with the initiation of national programmes such as Unique Identification Number, National Intelligence Grid (NATGRID), Crime and Criminal Tracking Networking Systems (CCTNS), Rashtriya Swasthya Bima Yojana (RSBY—a health insurance scheme), DNA profiling, privileged communications and brain mapping, most of which will be implemented through ICT (Information, Communication and Technology) platforms, concerns have emerged on their impact on the privacy of persons. The government collects data relating to citizens’ health, travel, taxes, religion, education, financial status, employment, disability, living situation, wealth, citizenship, marriage, crime record, and so on, without an overarching policy. This, according to the report, has led to ambiguity over who is allowed to collect data, what data can be collected, what the rights of the individual are, and how the right to privacy will be protected. The report has further observed that the extent of personal information being held by various service providers, and especially the enhanced potential for convergence that digitisation carries with it, is a matter that raises issues about privacy.

The report has enunciated nine fundamental privacy principles to form the bedrock of the proposed Privacy Act. These are based on the need to hold the data controller accountable for the collection, processing and use to which the data are put, thereby ensuring that the privacy of the data subject is guaranteed. The nine principles are as follows:

1. A data controller shall give simple-to-understand notice of its information practices to all individuals before any personal information is collected from them.

2. A data controller shall give individuals choices with regard to providing their personal information and take individual consent only after providing notice of its information practices. Only after consent has been taken will the data controller collect, process, use, or disclose to third parties such information, except in the case of authorised agencies. The data subject shall, at any time while availing himself/herself of the services or otherwise, also have the option to withdraw his/her consent given earlier to the data controller.

3. A data controller shall only collect personal information from data subjects as is necessary for the purposes identified for such collection, regarding which notice has been provided and consent taken. Such collection shall be through lawful and fair means.

4. A data controller shall collect, process, disclose, make available, or otherwise use personal information only for the purposes as stated in the notice after taking the consent of individuals. If there is a change of purpose, this must be notified to the individual. After personal information has been used in accordance with the identified purpose, it should be destroyed as per the identified procedures. Data retention mandates by the government should be in compliance with the National Privacy Principles (NPPs).

5. Individuals shall have access to personal information about them held by a data controller; shall be able to seek correction, amendments, or deletion of such information where it is inaccurate; be able to confirm that a data controller holds or is processing information about them; be able to obtain from the data controller a copy of the personal data.

6. A data controller shall not disclose personal information to third parties, except after providing notice and seeking informed consent from the individual for such disclosure. Third parties are bound to adhere to relevant and applicable privacy principles. A data controller shall not make personal information public.

7. A data controller shall put in place the necessary technical, administrative and physical safeguards for protecting personal information in his/her custody from unauthorised use, destruction, modification, access, and retention, etc.—both from insiders and outsiders.

8. The data controllers shall make their privacy policies, practices, systems, and related developments open, transparent and accessible to individuals through mechanisms such as providing information in multiple languages, and adopting an open standard/accessible format for the disabled.

9. The data controllers shall be accountable to the individual subject, privacy commissioner, and other stakeholders for compliance with all NPPs.

The report has observed that currently, privacy protection in India is piecemeal and does not uphold these principles in a systematic manner. An overarching Privacy Act, which specifically incorporates these principles and sets up an enforcement mechanism to ensure compliance, is an immediate necessity, the report suggests. The report is significant for making a detailed analysis of existing and proposed legislation by applying the NPPs. These include the draft DNA Profiling Bill, 2012; the Citizenship Act, 1955 and Rules, 2003; the Collection of Statistics Act, 2008, and the Collection of Statistics Rules, 2011; the National Identification Authority of India Bill, 2010; and the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011. The report has revealed that these pieces of legislation lack many provisions which ought to have been incorporated in conformity with the NPPs or they have provisions which conflict with the NPPs.

The report has recommended that the proposed Privacy Act must articulate the constitutional basis of privacy as a fundamental right deriving from Article 21 of the Constitution. It has suggested national security; public order; disclosure in the public interest; prevention, detection, investigation, and prosecution of criminal offences; protection of the individual or of the rights and freedoms of others; and historical and scientific research and journalistic purposes as possible exceptions to the right to privacy. To measure the extent and validity of an exception, the report suggests that it should be in proportion to the harm that has been caused or will be caused and the objective of the limitation. Secondly, the limitation on the right to privacy should be in accordance with the laws in force and should extend only to that aspect which is necessary in a democratic state, it says.

The report has found that there are at least 50 laws, rules, regulations and executive orders that articulate privacy principles and practices. The proposed Privacy Act, it says, will be used to harmonise, but not homogenise, these different policy documents in order to ensure that there is consistency and compliance with the NPPs. Once the Privacy Act becomes law, other laws with privacy implications may be amended to ensure broad harmonisation and compliance with the NPPs, the report suggests.