2 minute read
Personal Data, Individual Privacy, and Data Governance: A Primer
Definition of ‘Personal Data’
The European Union’s General Data Protection Regulation (GDPR), one of the most comprehensive frameworks on data privacy, defines Personal Data as “any information relating to an identified or unidentified natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.” Similarly, the proposed Personal Data Protection Bill in India defines personal data as “any information that renders an individual identifiable”. The bill also identifies a special category of personal data that can be more sensitive, and therefore requires a higher level of protection. According to the bill, these sensitive personal data types include passwords, financial data, health data, sovereign identifiers, caste or tribe, genetic and biometric data, race and ethnic origin, political opinions, sex life and sexual orientations, criminal convictions and offenses, religious, and philosophical beliefs. Many enterprises store and use data in an anonymised or pseudonymised form to ensure data security. The anonymisation of personal data is typically defined as an irreversible process through which personal data is transformed (wholly encrypted or completely removed) such that the individual to whom the data belongs cannot be identified. Therefore, currently, fully anonymised datasets are not treated as personal data. The partial anonymisation of data is termed as “pseudonymisation” wherein personally identifiable data (e.g., birth date or 16-digit credit card number) is replaced or masked with artificial identifiers. Since the masked information can be tied back to the individual in the presence of additional relevant data, it requires additional data security measures. At present, pseudonymised data is treated as personal data.
Individual privacy and data ethics: An Indian perspective
The Indian constitution guarantees a fundamental Right to Privacy, which has become increasingly relevant, and often contentious in today’s digital age. With the increasing individual awareness of risks from loss of privacy, the debate has gathered steam globally, and in India.
Defining Informational Privacy
Our report primarily focuses on “informational privacy”, which can be defined as the right of the individual to determine when, how, and to what extent personal data is collected or used by state and enterprises. It is essentially a right to control access and have an agency of personal data.
The Context for Data Ethics
As Big Data analytics and AI gain prominence in India, organisations and society at large not only need to selectively focus on data privacy, security, or protection, but also on evolving a common societal framework on the overarching ethics of data (covering all stages of data value chain spanning data creation, collection, usage, storage, processing, and disposal).
